Apr
13
2009

Multiple Vulnerabilities in Cisco ASA / PIX security

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances.

Vulnerable Products
The following is a list of the products affected by each vulnerability as described in detail within this advisory.

VPN Authentication Bypass Vulnerability
Cisco ASA or Cisco PIX security appliances that are configured for IPsec or SSL-based remote access VPN and have the Override Account Disabled feature enabled are affected by this vulnerability.

Note:  The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1). Cisco ASA and PIX software versions 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. This feature is disabled by default.

Crafted HTTP Packet DoS Vulnerability
Cisco ASA security appliances may experience a device reload that can be triggered by a series of crafted HTTP packets, when configured for SSL VPNs or when configured to accept Cisco Adaptive Security Device Manager (ASDM) connections. Only Cisco ASA software versions 8.0 and 8.1 are affected by this vulnerability.

Crafted TCP Packet DoS Vulnerability
Cisco ASA and Cisco PIX security appliances may experience a memory leak that can be triggered by a series of crafted TCP packets. Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected when configured for any of the following features:

  • SSL VPNs
  • ASDM Administrative Access
  • Telnet Access
  • SSH Access
  • Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs
  • Virtual Telnet
  • Virtual HTTP
  • Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection
  • Cut-Through Proxy for Network Access
  • TCP Intercept

Crafted H.323 Packet DoS Vulnerability
Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of crafted H.323 packets, when H.323 inspection is enabled. H.323 inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability.

SQL*Net Packet DoS Vulnerability
Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of SQL*Net packets, when SQL*Net inspection is enabled. SQL*Net inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected by this vulnerability.

Access Control List Bypass Vulnerability
A vulnerability exists in the Cisco ASA and Cisco PIX security appliances that may allow traffic to bypass the implicit deny behavior at the end of ACLs that are configured within the device. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this vulnerability.

Details
These vulnerabilities are independent of each other.

Impact
Successful exploitation of the VPN Authentication Bypass when Account Override Feature is Used vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN. The Denial of Service (DoS) vulnerabilities may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the ACL bypass vulnerability may allow an attacker to access resources that should be protected by the Cisco ASA.

Test vulnerability:
The following example data is sufficient to exploit the denial-of-service issue affecting PIX and ASA:

/*Utilize 1550 blocks on an ASA to trigger a crash…*/

hping --fast -p 22 -w 1518 -S -d 1480 -a 10.22.1.1 10.22.1.2

/* Trigger the vuln a bit faster */

hping --fast -p 22 -w 1518 -S -d 26201 -a 10.22.1.1 10.22.1.2

Link: http://www.cisco.com/…/products_security_advisory09186a0080a994f6.shtml