February 2010: four new Cisco vulnerabilities

Recently, the The Cisco Product Security Incident Response Team (PSIRT) has published four important vulnerability advisories.

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

• TCP Connection Exhaustion Denial of Service Vulnerability
• Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
• Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
• WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
• Crafted TCP Segment Denial of Service Vulnerability
• Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
• NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others. There are workarounds for some of the vulnerabilities disclosed in this advisory.

Vulnerable Products
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability. For specific version information, refer to the Software Versions and Fixes section of this advisory.

Details
The Cisco ASA 5500 Series Adaptive Security Appliance is a modular platform that provides security and VPN services. It offers firewall, intrusion prevention (IPS), anti-X, and VPN services.

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

• TCP Connection Exhaustion Denial of Service Vulnerability
• SIP Inspection Denial of Service Vulnerabilities
• SCCP Inspection Denial of Service Vulnerability
• WebVPN DTLS Denial of Service Vulnerability
• Crafted TCP Segment Denial of Service Vulnerability
• Crafted IKE Message Denial of Service Vulnerability
• NTLMv1 Authentication Bypass Vulnerability

Impact

• TCP Connection Exhaustion Denial of Service Vulnerability: Successful exploitation of this vulnerability may lead to an exhaustion condition where the affected appliance cannot accept new TCP connections. A reload of the appliance is necessary to recover from the TCP connection exhaustion condition. If a TCP-based protocol is used for device management (like telnet, SSH, or HTTPS), a serial console connection may be needed to access to the appliance.
• SIP Inspection Denial of Service Vulnerabilities: Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.
• SCCP Inspection Denial of Service Vulnerability: Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.
• WebVPN DTLS Denial of Service Vulnerability: Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.
• Crafted TCP Segment Denial of Service Vulnerability: Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.
• Crafted IKE Message Denial of Service Vulnerability: Successful exploitation of this vulnerability could cause all IPsec VPN tunnels (LAN-to-LAN or remote) that terminate on the security appliance to be torn down and prevent new tunnels from being established. A manual reload of the appliance is required to re-establish all VPN tunnels.
• NTLMv1 Authentication Bypass Vulnerability: Successful exploitation of this vulnerability could result in unauthorized access to the network or appliance.

Link: http://www.cisco.com/…/security_advisory09186a0080b1910c.shtml

Multiple Vulnerabilities in Cisco Security Agent
The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability. Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server hosting the Management Center. Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause instability of the product or changes in the configuration.

Additionally, the Cisco Security Agent is affected by a denial of service (DoS) vulnerability. Successful exploitation of the Cisco Security Agent agent DoS vulnerability may cause the affected system to crash. Repeated exploitation could result in a sustained DoS condition. These vulnerabilities are independent of each other.

Vulnerable Products
Cisco Security Agent releases 5.1, 5.2 and 6.0 are affected by the SQL injection vulnerability. Only Cisco Security Agent release 6.0 is affected by the directory traversal vulnerability. Only Cisco Security Agent release 5.2 is affected by the DoS vulnerability. Only Cisco Security Agent release 5.2 for Linux, either managed or standalone, are affected by the DoS vulnerability (the Windows version is not affected).

Details
The Cisco Security Agent is a security software agent that provides threat protection for server and desktop computing systems. Cisco Security Agents can be standalone agents or can be managed by the Cisco Security Agent Management Center.

Impact
Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents. Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration. Successful exploitation of the Cisco Security Agent DoS vulnerability may cause the affected system to crash. Repeated exploitation could result in a sustained DoS condition.

Link: http://www.cisco.com/…/security_advisory09186a0080b1910d.shtml

Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability
A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. The vulnerability exists when SCCP inspection is enabled.

Vulnerable Products
All non-fixed 4.x versions of Cisco FWSM Software are affected by this vulnerability if SCCP inspection is enabled. SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the show service-policy | include skinny command and confirm that the command returns output.

Details
The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM offers firewall services with stateful packet filtering and deep packet inspection. The Cisco FWSM is affected by a vulnerability that may cause the device to reload during the processing of a malformed SCCP message when SCCP inspection is enabled. This vulnerability is only triggered by transit traffic; traffic that is destined to the device does not trigger this vulnerability.

Impact
Successful exploitation of this vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained denial of service condition.

Link: http://www.cisco.com/…/security_advisory09186a0080b1910e.shtml

Multiple Vulnerabilities in Cisco IronPort Encryption Appliance
Cisco IronPort Encryption Appliance devices contain two vulnerabilities that allow remote, unauthenticated access to any file on the device and one vulnerability that allows remote, unauthenticated users to execute arbitrary code with elevated privileges. There are workarounds available to mitigate these vulnerabilities.

Vulnerable Products
The following Cisco IronPort Encryption Appliance versions are affected by these vulnerabilities:

• Cisco IronPort Encryption Appliance 6.5 versions prior to 6.5.2
• Cisco IronPort Encryption Appliance 6.2 versions prior to 6.2.9.1
• Cisco IronPort PostX MAP versions prior to 6.2.9.1

The version of software that is running on a Cisco IronPort Encryption Appliance is located on the About page of the Cisco IronPort Encryption Appliance administration interface.

Details
The Cisco IronPort Encryption Appliance contains two information disclosure vulnerabilities that allow remote, unauthenticated access to arbitrary files on vulnerable devices via the embedded HTTPS server. The first vulnerability affecting the Cisco IronPort Encryption Appliance administration interface is documented in IronPort bug 65921 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0143. The second vulnerability affecting the WebSafe servlet is documented in IronPort bug 65922 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0144.

The Cisco IronPort Encryption Appliance contains a remote code execution vulnerability that allows an unauthenticated attacker to run arbitrary code with elevated privileges on vulnerable devices via the embedded HTTPS server. The vulnerability is documented in IronPort bug 65923 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0145.

Impact
Successful exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to access arbitrary files or execute arbitrary code with elevated privileges.

Link: http://www.cisco.com/…/security_advisory09186a0080b17903.shtml