October 2013: seven Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published seven important vulnerability advisories:

• Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers
• Cisco IOS XR Software Route Processor Denial of Service Vulnerability
• Multiple Vulnerabilities in Cisco Identity Services Engine
• Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
• Multiple Vulnerabilities in Cisco Firewall Services Module Software
• Multiple Vulnerabilities in Cisco ASA Software
• Cisco IOS XR Software Memory Exhaustion Vulnerability

Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers
Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities:

• Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability
• Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability
• Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability
• Cisco IOS XE Software Malformed EoGRE Packet Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Vulnerable Products

• Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that could cause an affected device to reload when processing malformed ICMP error packets that belong to a TCP or UDP connection that is inspected by a Zone-Based Firewall (ZBFW). The ZBFW is not enabled by default.
• Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing Point-to-Point Tunneling Protocol (PPTP) packets that undergo Network Address Translation (NAT) and PPTP application layer gateway (ALG) inspection. An attacker could exploit this vulnerability by sending a large number of PPTP packets to traverse a device that is configured for NAT.
• Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing segmented TCP packets that undergo Network Address Translation (NAT). An attacker could exploit this vulnerability by sending TCP packets that are large after the segment reassembly is complete when these packets traverse a device that is configured for NAT.
• Cisco IOS XE Software Malformed EoGRE Packet Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing malformed IP version 4 (IPv4) or IP version 6 (IPv6) Ethernet over Generic Routing Encapsulation (EoGRE) packets on an interface configured with EoGRE. EoGRE is not enabled by default.

Details

• Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability: A vulnerability in the Zone-Based Firewall (ZBFW) TCP or UDP inspection feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to improper processing of malformed ICMP error packets traversing a vulnerable device that belong to a TCP or UDP connection that is inspected by a ZBFW. An attacker could exploit this vulnerability by sending a number of malformed ICMP error packets that belong to an inspected TCP or UDP session. An exploit could allow the attacker to cause a reload of the affected device, resulting in DoS condition.
• Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability: A vulnerability in the PPTP ALG feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to the improper handling of PPTP packets that are being inspected as part of the NAT feature on Cisco IOS XE Software. An attacker could exploit this vulnerability by sending a large number of PPTP packets to traverse a vulnerable system that is configured for NAT. A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.
• Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability: A vulnerability in TCP segment reassembly of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to improper processing of large TCP reassembled packets that are being processed by NAT and ALG features on the affected device. An attacker could exploit this vulnerability by sending a TCP packet that is large after the reassembly to traverse a vulnerable device. Only packets being handled by NAT and ALG features have a potential to cause an affected device to reload. An exploit could allow the attacker to cause a reload of the affected device, resulting in a DoS condition.
• Cisco IOS XE Software Malformed EoGRE Packet Denial of Service Vulnerability: A vulnerability in the EoGRE feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to improper processing of malformed EoGRE packets. An attacker could exploit this vulnerability by sending malformed IPv4 or IPv6 EoGRE packets to an affected device configured with an EoGRE interface; this vulnerability cannot be exploited by sending malformed EoGRE packets to traverse a vulnerable system. An exploit could allow the attacker to cause a reload of the affected device, resulting in a DoS condition.

Impact
Successful exploitation of any of the following vulnerabilities may allow a remote, unauthenticated attacker to reload the embedded services processors (ESP) card, causing service interruption:

• Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability
• Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability
• Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability

Repeated exploitation could result in a sustained DoS condition.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131030-asr1000

Cisco IOS XR Software Route Processor Denial of Service Vulnerability
Cisco IOS XR Software Releases 3.3.0 to 4.2.0 contain a vulnerability when handling fragmented packets that could result in a denial of service (DoS) condition of the Cisco CRS Route Processor cards listed in the “Affected Products” section of this advisory.

Vulnerable Products
This vulnerability affects Cisco IOS XR Software Releases 3.3.0 to 4.2.0 running one of the following Cisco CRS-1 Carrier Routing System (CRS) or Cisco CRS-3 route processor cards.

Details
Cisco IOS XR Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to improper processing of fragmented packets by the following:

• Cisco CRS 16-Slot Line Card Chassis Route Processor (RP-A)
• Cisco CRS 16-Slot Line Card Chassis Route Processor B (RP-B)
• Carrier Routing System (CRS) Performance Route Processor (PRP)
• Cisco CRS Distributed Route Processor (DRP-B)

An attacker could exploit this vulnerability by sending fragmented packets to a vulnerable system; this vulnerability cannot be triggered by IP traffic traversing a vulnerable device. An exploit could allow the attacker to cause the packets originating on the Route Processor CPU to stop transmitting to the fabric, resulting in a DoS condition.

This vulnerability can be triggered by both IPv4 and IPv6 traffic and does not require a TCP three-way handshake.

Impact
Successful exploitation of the vulnerability could cause the route processor on an affected device to stop transmitting packets from the route processor CPU to the fabric. As a result, the affected RP-A, RP-B, PRP, or DRP-A will experience a DoS, failing to transmit all of its route processor-based protocols (for example, Intermediate System-to-Intermediate System, Border Gateway Protocol, ICMP).

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-iosxr

Multiple Vulnerabilities in Cisco Identity Services Engine
Cisco Identity Services Engine (ISE) contains the following vulnerabilities:

• Cisco ISE Authenticated Arbitrary Command Execution Vulnerability
• Cisco ISE Support Information Download Authentication Bypass Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the other.

Vulnerable Products
All versions of Cisco ISE Software running on supported appliances and virtual machine may affected by these vulnerabilities. Consult the “Software Versions and Fixes” section of this security advisory for more information about the affected versions.

Details
The Cisco Identity Services Engine provides an attribute-based access control solution that combines authentication, authorization, and accounting (AAA), posture, profiling, and guest management services on a single platform.

Cisco ISE Authenticated Arbitrary Command Execution Vulnerability: A vulnerability in the web framework of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary commands and execute the affected function. An exploit could allow the attacker to run arbitrary commands on the affected system with the privilege of the root user.

Cisco ISE Support Information Download Authentication Bypass Vulnerability: A vulnerability in the implementation of the authentication code that is used to validate requests to download a product support bundle could allow an unauthenticated, remote attacker to download a full product support bundle. The vulnerability is due to an error in the logic that is used to validate support bundle access requests. An attacker could exploit this vulnerability by sending a crafted request to the vulnerable system. An exploit could allow an attacker to obtain a full copy of the product configuration or other sensitive information including administrative credentials.

Impact
Successful exploitation of Cisco ISE Authenticated Arbitrary Command Execution Vulnerability may allow an authenticated remote attacker to execute arbitrary code on the underlying operating system.
Successful exploitation of Cisco ISE Support Information Download Authentication Bypass Vulnerability could allow an attacker to obtain sensitive information including administrative credentials.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-ise

Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability.

Vulnerable Products
All software releases for the following Cisco products are affected by this vulnerability:

• Cisco Business Edition 3000
• Cisco Identity Services Engine (ISE)
• Cisco Media Experience Engine (MXE) 3500 Series
• Cisco Unified SIP Proxy (CUSP)

Details
The vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests consisting of Object-Graph Navigation Language (OGNL) expressions. An exploit could allow the attacker to execute arbitrary code on the targeted system. The impact of this vulnerability on Cisco products varies depending on the affected product. Successful exploitation on Cisco ISE, Cisco Unified SIP Proxy, and Cisco Business Edition 3000 could result in an arbitrary command executed on the affected system. There is no authentication needed to execute the attack on Cisco ISE and Cisco Unified SIP Proxy. To exploit this vulnerability on Cisco Business Edition 3000, the attacker must provide valid credentials or persuade a user with valid credentials to execute a malicious URL.

Successful exploitation on the Cisco MXE 3500 Series could allow the attacker to redirect the user to a different and possibly malicious website, however arbitrary command execution is not possible on this product.

Impact
The impact of this vulnerability on Cisco products varies depending on the affected product. Successful exploitation on Cisco ISE, Cisco Unified SIP Proxy, and Cisco Business Edition 3000 could result in an arbitrary command executed on the affected system. There is no authentication needed to execute the attack on Cisco ISE and Cisco Unified SIP Proxy. To exploit this vulnerability on Cisco Business Edition 3000, the attacker must provide valid credentials or persuade a user with valid credentials to execute a malicious URL.

Successful exploitation on the Cisco MXE 3500 Series could allow the attacker to redirect the user to a different and possibly malicious website, however arbitrary command execution is not possible on this product.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2

Multiple Vulnerabilities in Cisco Firewall Services Module Software
Cisco Firewall Services Module (FWSM) Software for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is affected by the following vulnerabilities:

• Cisco FWSM Command Authorization Vulnerability
• SQL*Net Inspection Engine Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the other.

Vulnerable Products

• Cisco FWSM Command Authorization Vulnerability: This vulnerability affects default configuration of Cisco FWSM Software configured in multiple context mode. To determine whether the Cisco FWSM Software is running in multiple context mode use the show mode command.
• SQL*Net Inspection Engine Denial of Service Vulnerability: Cisco FWSM Software is affected by this vulnerability if SQL*Net inspection is enabled. To determine whether SQL*Net inspection is enabled use the show service-policy | include sqlnet command.

Details
Cisco FWSM Command Authorization Vulnerability: The vulnerability is due to insufficient authorization safeguards of certain administrative commands in a user context when the affected system is configured for multiple context mode. An attacker could exploit this vulnerability by executing certain commands in any of the user contexts of the affected system.

SQL*Net Inspection Engine Denial of Service Vulnerability: A vulnerability in SQL*Net inspection engine code could allow an unauthenticated, remote attacker to cause a reload of the affected system. The vulnerability is due to improper handling of segmented Transparent Network Substrate (TNS) packets. An attacker could exploit this vulnerability by sending a crafted sequence of segmented TNS packets through the affected system.

Impact
Successful exploitation of the Cisco FWSM Command Authorization Vulnerability may result in a complete compromise of the confidentiality, integrity and availability of the affected system. Successful exploitation of the SQL*Net Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a DoS condition.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

Multiple Vulnerabilities in Cisco ASA Software
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

• IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
• SQL*Net Inspection Engine Denial of Service Vulnerability
• Digital Certificate Authentication Bypass Vulnerability
• Remote Access VPN Authentication Bypass Vulnerability
• Digital Certificate HTTP Authentication Bypass Vulnerability
• HTTP Deep Packet Inspection Denial of Service Vulnerability
• DNS Inspection Denial of Service Vulnerability
• AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
• Clientless SSL VPN Denial of Service Vulnerability
• Crafted ICMP Packet Denial of Service Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Vulnerable Products

• IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability: To be vulnerable, Cisco ASA Software must have at least one IPsec VPN tunnel with active traffic passing through the tunnel. This vulnerability cannot be exploited if offending packets are flowing through an SSL/TLS based VPN tunnel.
• SQL*Net Inspection Engine Denial of Service Vulnerability: Cisco ASA Software is affected by this vulnerability if SQL*Net inspection is enabled.
• Digital Certificate Authentication Bypass Vulnerability: Cisco ASA Software is affected by this vulnerability in either of the following cases:
  • Clientless or AnyConnect SSL VPN is configured to use digital certificate authentication
  • Cisco ASDM is configured to use digital certificate authentication
• Remote Access VPN Authentication Bypass Vulnerability: Cisco ASA Software is affected by this vulnerability if all of the following conditions apply:
  • It is configured for either Clientless or AnyConnect VPN, IKEv1 and IKEv2 Remote IPsec VPN and L2TP/IPsec VPN
  • The remote VPN is authenticated via a remote AAA server using LDAP
  • The override-account-disable option is configured under the tunnel-group general-attributes settings.
• Cisco ASA Software using any other remote AAA server or local AAA server for authentication of remote VPN is not affected by this vulnerability. Additionally, Cisco ASA Software configured for LAN-to-LAN IPsec VPN is not affected by this vulnerability.
• Digital Certificate HTTP Authentication Bypass Vulnerability: Cisco ASA Software is affected by this vulnerability if the digital certificate client authentication is enabled for Cisco ASDM.
• HTTP Deep Packet Inspection Denial of Service Vulnerability: Cisco ASA Software is affected by this vulnerability if HTTP Deep Packet Inspection (DPI) is configured with any of the following options:
  • The spoof-server parameters option is enabled
  • The mask option is enabled and is inspecting the HTTP response with active-x in the body
  • The mask option is enabled and is inspecting the HTTP response with java-applet in the body
• DNS Inspection Denial of Service Vulnerability: Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
• AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability: Cisco ASA Software is vulnerable if AnyConnect SSL VPN is configured. Cisco ASA Software configured for Clientless SSL VPN, IKEv1/IKEv2 IPsec remote and LAN-to-LAN VPN, or L2TP/IPsec VPN is not affected by this vulnerability.
• Clientless SSL VPN Denial of Service Vulnerability: Cisco ASA Software is vulnerable if Clientless SSL VPN is configured. Cisco ASA Software configured for AnyConnect SSL VPN, IKEv1/IKEv2 IPsec remote and LAN-to-LAN VPN, or L2TP/IPsec VPN is not affected by this vulnerability.
• Crafted ICMP Packet Denial of Service Vulnerability: Cisco ASA Software is vulnerable if the ICMP inspection engine is configured to inspect ICMP packets that are traversing the firewall or if ICMP packets targeting firewall interfaces are allowed to be processed

Details

• IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability: The vulnerability is due to an error in the code that decrypts packets transiting an active VPN tunnel. In particular the code is failing at properly handling crafted ICMP packets after a decryption operation. An attacker could exploit this vulnerability by sending crafted ICMP packets through an active VPN tunnel. An exploit could allow the attacker to cause a reload of the device that performs the decryption operation.
• SQL*Net Inspection Engine Denial of Service Vulnerability: The vulnerability is due to improper handling of segmented Transparent Network Substrate (TNS) packets. An attacker could exploit this vulnerability by sending a crafted sequence of segmented TNS packets through the affected system.
• Digital Certificate Authentication Bypass Vulnerability: The vulnerability is due to an error in handling a client crafted certificate during the authentication phase. An attacker could exploit this vulnerability by trying to authenticate to the affected system using a crafted certificate. An exploit could allow the attacker to bypass the certificate authentication. Depending on the Cisco ASA configuration, this may allow the attacker to authenticate and access the network via Clientless or Anyconnect SSL VPN or to get administrative management access via Cisco Adaptive Security Device Management (ASDM).
• Remote Access VPN Authentication Bypass Vulnerability: The vulnerability is due to improper parsing of the LDAP response packet received from a remote AAA LDAP server when the override-account-disable option is configured in the general-attributes of the tunnel-group. An attacker could exploit this vulnerability by attempting to authenticate via remote VPN to the affected system. An exploit could allow the attacker to bypass the authentication and gain access to the network via remote VPN. This vulnerability affects Cisco ASA Software configured for Clientless or AnyConnect SSL VPN, IKEv1 and IKEv2 Remote IPsec VPN and L2TP/IPsec VPN. Additionally an external AAA LDAP server should be in use for remote VPN authentication service. Cisco ASA Software using any other protocol for remote AAA service or local AAA server for authentication of remote VPN is not affected by this vulnerability. Cisco ASA Software configured for LAN-to-LAN VPN is not affected by this vulnerability.
• Digital Certificate HTTP Authentication Bypass Vulnerability: The vulnerability is due to an error in the implementation of the authentication-certificate option, which enables client-side digital certificate authentication. An attacker could exploit this vulnerability by trying to authenticate to an interface of the affected system where Cisco ASDM is enabled.
• HTTP Deep Packet Inspection Denial of Service Vulnerability: The vulnerability is due to improper handling of a race condition when the HTTP DPI engine is inspecting HTTP packets and either the spoof-server parameters option is enabled or the Cisco ASA Software is configured to inspect and mask the HTTP response including active-x or java-applet in the response body. An attacker could exploit this vulnerability by sending a crafted HTTP response through the affected system.
• DNS Inspection Denial of Service Vulnerability: The vulnerability is due to improper processing of unsupported DNS over TCP packets by the DNS inspection engine. An attacker could exploit this vulnerability by sending crafted DNS messages over TCP through an affected device.
• AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability: The vulnerability is due to improperly clearing unused memory blocks after an AnyConnect SSL VPN client disconnects. An attacker could exploit this vulnerability by sending traffic to the IP address of the disconnected client. This vulnerability affects Cisco ASA Software configured for AnyConnect SSL VPN. Cisco ASA Software configured for Clientless SSL VPN, IKEv1 and IKEv2 remote IPsec VPN, LAN-to-LAN VPN or L2TP/IPSEC VPN is not affected by this vulnerability.
• Clientless SSL VPN Denial of Service Vulnerability: The vulnerability is due to improper handling of crafted HTTPS requests against the Cisco ASA Software configured for Clientless SSL VPN. An attacker could exploit this vulnerability by sending crafted HTTPS requests targeting the TCP port open for the Clientless SSL VPN feature. This vulnerability affects Cisco ASA Software configured for Clientless SSL VPN. Cisco ASA Software configured for Anyconnect SSL VPN, IKEv1 and IKEv2 remote IPsec VPN, LAN-to-LAN VPN or L2TP/IPSEC VPN is not affected by this vulnerability.
• Crafted ICMP Packet Denial of Service Vulnerability: The vulnerability is due to improper handling of crafted ICMP packets. An attacker could exploit this vulnerability by sending a number of crafted ICMP packets to or through an affected device. An exploit could allow the attacker to clear arbitrary connections on the firewall or cause a reload of the affected device, leading to a denial of service (DoS) condition.

Impact
Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability, and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a DoS condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco ASDM.

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Successful exploitation of the Crafted ICMP Packet Denial of Service Vulnerability may cause valid connections that are passing through the affected system to be dropped, or cause a reload of the system, leading to a DoS condition.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Cisco IOS XR Software Memory Exhaustion Vulnerability
Cisco IOS XR Software version 4.3.1 contains a vulnerability that could result in complete packet memory exhaustion. Successful exploitation could render critical services on the affected device unable to allocate packets resulting in a denial of service (DoS) condition.

Vulnerable Products
This vulnerability affects Cisco IOS XR Software version 4.3.1 installed on any supported hardware device.

Details
The vulnerability is due to the failure of the device to release memory of allocated UDP packets when the packet queues are full. An attacker could exploit this vulnerability by potentially sending traffic to listening UDP services on the affected device. An exploit could allow the attacker to cause the device to exhaust all available memory, causing the device to be unable to allocate memory for packets sent to it.

Impact
Successful exploitation of the vulnerability could cause critical services on the affected device to fail, resulting in a DoS condition.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131002-iosxr