CERT-MU AD-2008-20
Multiple Vulnerabilities in Cisco ASA and PIX IPv6
Original issue date: 03 November, 2008
Overview
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. These vulnerabilities may allow an attacker to bypass authentication mechanisms or cause a denial-of-service condition.
Description
1. Windows NT Domain Authentication Bypass Vulnerability
The vulnerability is due to an error that may occur when the Cisco ASA or PIX device is configured for IPSec or SSL-based VPN access using Microsoft Windows NT Domain authentication. An unauthenticated, remote attacker could exploit the vulnerability to bypass authentication requirements and gain access to internal protected networks.
2. IPv6 Denial of Service Vulnerability
This vulnerability is due to an error when processing malicious packets. Devices running affected versions of PIX or ASA software and configured for IPv6 are at risk. Processing a malicious packet could cause the device to fail and automatically restart.
An unauthenticated, remote attacker could exploit the vulnerability by creating and sending a malicious packet to the affected device, resulting in a Denial of Service condition. A stream of packets could cause a device to repeatedly restart, resulting in a persistent Denial of Service condition.
3. Crypto Accelerator Memory Leak Vulnerability
The vulnerability exists in the hardware crypto accelerator initialization code when processing maliciously crafted packets. An unauthenticated, remote attacker could exploit the vulnerability by sending a crafted packet to an affected device that is using the crypto accelerator. When processed, a crafted packet could cause the device to reload. Repeated exploits could result in a persistent Denial of Service condition.
Affected systems
• Cisco PIX or Cisco ASA prior to 7.0(8)3
• Cisco PIX or Cisco ASA prior to 7.1(2)78
• Cisco PIX or Cisco ASA prior to 7.2(4)15
• Cisco PIX or Cisco ASA prior to 8.0(4)6
• Cisco PIX or Cisco ASA prior to 8.1(1)13
Cisco PIX or ASA devices running PIX and ASA software versions 7.2(4)9 or 7.2(4)10 are vulnerable when configured for IPv6.
Cisco ASA devices running ASA software versions prior to 8.0(4) and prior to 8.1(2) are vulnerable.
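The following is an added example, not part of the original advisory or of any Cisco tooling: a short Python check that compares device software versions against the five "prior to" thresholds in the bullets above. It models only those bullets, not the two sentences that follow them; the hostnames and the inventory are constructed, and treating a version with no interim number as interim 0 is an assumption.

```python
import re

# Thresholds copied from the "prior to" bullets above, keyed by train (major, minor).
FIXED = {
    (7, 0): (8, 3),
    (7, 1): (2, 78),
    (7, 2): (4, 15),
    (8, 0): (4, 6),
    (8, 1): (1, 13),
}

# major.minor(maintenance)interim, e.g. 7.2(4)15; the interim part may be absent.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")


def parse_version(text):
    """Return (major, minor, maintenance, interim); a missing interim is 0 (assumption)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return int(major), int(minor), int(maint), int(interim or 0)


def is_prior_to_fix(text):
    """True/False against the train's threshold; None if the train is not in the bullets."""
    major, minor, maint, interim = parse_version(text)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None
    # Numeric tuple comparison: 7.2(4)9 sorts before 7.2(4)15, unlike a string compare.
    return (maint, interim) < fixed


def triage(inventory):
    """Map each hostname to 'affected', 'not affected', 'train not listed' or 'unparsed'."""
    labels = {True: "affected", False: "not affected", None: "train not listed"}
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = labels[is_prior_to_fix(version)]
        except ValueError:
            result[host] = "unparsed"
    return result


# Constructed sample inventory (hypothetical hostnames).
SAMPLE = {"fw-a": "7.2(4)9", "fw-b": "7.2(4)15", "fw-c": "8.0(4)", "fw-d": "8.2(1)", "fw-e": "n/a"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {SAMPLE[host]} -> {status}")
```

Devices reported as "train not listed" or "unparsed" need a manual check against the vendor advisory rather than being assumed safe.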
Impact
Severity Rating: High
Workarounds
• Restrict network access to affected devices.
• Disable access to affected services outside the corporate firewall unless needed for a business purpose, such as to make VPN access available.
• If the IPv6 protocol is not required, disable it using the command no ipv6 address.
• Configure VPN access using a method other than Windows NT Domain authentication.
• Monitor critical systems for device failures that may indicate exploitation.
Solution
Apply the appropriate fixed versions as mentioned in the Cisco Security Advisory.
http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Vendor Information
CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml
CVE-Name
CVE-2008-3815
CVE-2008-3816
CVE-2008-3817
References
SecurityFocus
http://www.securityfocus.com/bid/31864
http://www.securityfocus.com/bid/31863
http://www.securityfocus.com/bid/31865