CERT-MU AD-2008-12
Multiple Vulnerabilities in Cisco PIX and Cisco ASA
Original Issue Date: 4th June 2008
Overview
The following vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances:
- Crafted TCP ACK Packet Vulnerability
- Crafted TLS Packet Vulnerability
- Instant Messenger Inspection Vulnerability
- Vulnerability Scan Denial of Service
- Control-plane Access Control List Vulnerability
The first four vulnerabilities may lead to a denial of service (DoS) condition and the fifth vulnerability may allow an attacker to bypass control-plane access control lists (ACL).
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
Affected systems
Crafted TCP ACK Packet Vulnerability
CISCO PIX and CISCO ASA running the following software versions:
- versions 7.1(2)70 on the 7.1.x release, 7.2(4) on the 7.2.x release, and 8.0(3)10 on the 8.0.x release.
- versions 7.1.x and 7.2.x with WebVPN, SSL VPN, or ASDM.
- versions on the 8.0 release that are configured for Telnet, Secure Shell (SSH), WebVPN, SSL VPN, or ASDM.
Crafted TLS Packet Vulnerability
- CISCO PIX and CISCO ASA running software versions prior to 8.0(3)9 on the 8.0.x release or prior to version 8.1(1)1 on the 8.1.x release. (Note: applies only if HTTPS is enabled and running on Cisco PIX and Cisco ASA.)
Instant Messenger Inspection Vulnerability
- CISCO PIX and CISCO ASA running software versions prior to 7.2(4) on the 7.2.x release, 8.0(3)10 on the 8.0.x release, or 8.1(1)2 on the 8.1.x release. (Note: applies only if Instant Messenger Inspection is enabled and running on Cisco PIX and Cisco ASA.)
Vulnerability Scan Denial of Service
- CISCO PIX and CISCO ASA running software versions prior to 7.2(3)2 on the 7.2.x release or 8.0(2)17 on the 8.0.x release.
Control-plane Access Control List Vulnerability
- CISCO PIX and CISCO ASA running software versions prior to 8.0(3)9 on the 8.0.x release.
Impact
Successful exploitation of the first four vulnerabilities may cause a reload of the affected device. Repeated exploitation could result in a sustained Denial-of-Service (DoS) condition. Successful exploitation of the fifth vulnerability may allow an attacker to bypass control-plane ACLs and successfully send malicious traffic to the device.
Workarounds
Crafted TCP ACK Packet Vulnerability
Allow Telnet, SSH, and ASDM connections from only trusted hosts in your network.
Additionally, filters that deny TCP ports 22, 23, 80, and 443 packets may be deployed throughout the network as part of a transit ACL (tACL) policy for protection of traffic which enters the network at ingress access points. This policy should be configured to protect the network device where the filter is applied and other devices behind it. Filters for packets using TCP ports 22, 23, 80, and 443 should also be deployed in front of vulnerable network devices so that traffic is only allowed from trusted clients.
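The transit ACL described above, as an added example that is not part of the CERT-MU or Cisco advisory, written in Cisco IOS syntax for a router placed in front of the vulnerable appliance; the trusted management host 192.0.2.10, the appliance address 203.0.113.1 and the ingress interface name are assumptions.

```cisco
! Assumed addresses: 192.0.2.10 = trusted management host,
! 203.0.113.1 = outside interface of the PIX/ASA being protected.
ip access-list extended tACL-Policy
 ! Allow only the trusted host to reach Telnet, SSH, HTTP/ASDM and
 ! HTTPS/WebVPN on the appliance (the ports named in the workaround).
 permit tcp host 192.0.2.10 host 203.0.113.1 eq 22
 permit tcp host 192.0.2.10 host 203.0.113.1 eq 23
 permit tcp host 192.0.2.10 host 203.0.113.1 eq 80
 permit tcp host 192.0.2.10 host 203.0.113.1 eq 443
 ! Deny and log every other source that targets those ports on the
 ! appliance; the log entries give a detection signal for probing.
 deny tcp any host 203.0.113.1 eq 22 log
 deny tcp any host 203.0.113.1 eq 23 log
 deny tcp any host 203.0.113.1 eq 80 log
 deny tcp any host 203.0.113.1 eq 443 log
 ! Remainder of the existing transit policy follows; shown here as a
 ! blanket permit only so the example is complete.
 permit ip any any
!
! Apply the tACL inbound on the ingress (untrusted-facing) interface.
interface GigabitEthernet0/0
 ip access-group tACL-Policy in
```

Verify the policy with show access-lists tACL-Policy after applying it; non-zero hit counts on the deny entries show that filtered traffic is actually reaching the ingress point.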
Crafted TLS Packet Vulnerability
There are no workarounds for this vulnerability.
Instant Messenger Inspection Vulnerability
Disable IM inspection on the security appliance.
Vulnerability Scan Denial of Service
There are no workarounds for this vulnerability.
Control-plane Access Control List Vulnerability
There are no workarounds for this vulnerability.
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Vendor Information
CISCO
CVE Names
CVE-2008-2055
CVE-2008-2056
CVE-2008-2057
CVE-2008-2058
CVE-2008-2059
References
CISCO
US CERT