For vulnerabilities that involve HTTP and SIP protocols, it is
possible to apply mitigation techniques. Workarounds are available for the
other two vulnerabilities.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory:
Enhanced inspection of Malformed HTTP traffic
Disabling HTTP application inspection (appfw) will prevent Cisco PIX
and ASA Appliances from being vulnerable to the issue listed in this Advisory.
By leaving the inspect http statement configured, some level of protection for the
end devices (for example, computers protected by Cisco PIX and ASA Appliance)
will remain. However, since this level of inspection is less granular, it may
have negative impact on devices terminating HTTP sessions. Devices which
terminate HTTP sessions may be exposed to packets that may cause these devices
to crash or become compromised.
Inspection of malformed SIP packets
Disabling SIP inspection will prevent Cisco PIX and ASA Appliances from
being vulnerable to the issue listed in this Advisory. However, this may have a
negative impact on end devices terminating SIP sessions. Devices which
terminate SIP sessions could be exposed to packets that may cause these devices
to crash or become compromised.
If you run a 7.x software release, the alternative is to only allow
traffic from trusted hosts. The configuration needed to accomplish this is as
access-list sip-acl extended permit udp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq sip
access-list sip-acl extended permit udp host 192.168.5.4 10.1.1.0 255.255.255.0 eq sip
match access-list sip-acl
inspect dns maximum-length 512
inspect h323 h225
inspect h323 ras
service-policy global_policy global
In this example, the SIP endpoints are any host within the 10.1.1.0
network (inside the trusted network) and a host with the IP address of
192.168.5.4 (outside of the trusted network). You have to substitute these IP
addresses with the ones that are used in your network.
Note that SIP is a UDP-based protocol, so spoofing SIP messages is
Inspection of a stream of malformed TCP packets
The workaround is to increase the minimum TCP maximum segment size (MSS) to 64.
This is accomplished with a global sysopt
sysopt connection tcpmss minimum 64
There are two workarounds for this vulnerability. One consists of the
use of TACACS+ or Radius for authentication, and another is to change the
minimum privilege of the user from zero to one.
Use TACACS+ or Radius for authentication
Do not use the LOCAL method for user authentication,
but use TACACS+ or Radius instead. This example shows how to configure the
Cisco PIX appliance to use TACACS+ or Radius to authenticate Secure Shell (SSH)
access to the device.
pixfirewall(config)#aaa-server AuthOutbound protocol radius (or tacacs+)
pixfirewall(config)#aaa authentication ssh console AuthOutbound
pixfirewall(config)#aaa-server AuthOutbound host 10.0.0.1 <radius_key>
In this example, 10.0.0.1 is the IP address of the Radius server and
radius_key is the shared key between the Radius server and the
More information on how to configure TACACS+ or Radius on Cisco PIX and
ASA appliances can be found at
Changing the user's minimum privilege level
The second workaround consists of changing the user's minimum
privilege level from zero to one. In that case, your configuration may look
pixfirewall(config)# aaa authentication enable console LOCAL
pixfirewall(config)# username <user_name> password <secret_pwd> privilege 1
It is possible to use any other level as long as it is not zero or 15.
If it is 15, the user has all privileges, and that is what we want to avoid in
the first place.
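As an added example (not part of the advisory and not Cisco tooling), the following script audits a saved PIX/ASA running-config for the workarounds described above: LOCAL authentication for SSH and enable access, local users left at privilege 0, a minimum TCP MSS below 64, and HTTP/SIP inspection still enabled. The sample configuration embedded in it is constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (not from the advisory) that
# exhibits several of the settings the workarounds above address.
SAMPLE_CONFIG = """\
hostname pixfirewall
username admin password <secret_pwd> privilege 15
username helpdesk password <secret_pwd> privilege 0
username ops password <secret_pwd> privilege 1
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
sysopt connection tcpmss minimum 48
policy-map global_policy
 class inspection_default
  inspect http
  inspect sip
service-policy global_policy global
"""


def audit_workarounds(config):
    """Return one finding string per workaround that is not in place."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]

    # Workaround: authenticate SSH/enable via TACACS+ or RADIUS, not LOCAL.
    for line in lines:
        m = re.match(r"aaa authentication (ssh|enable) console LOCAL$", line)
        if m:
            findings.append(f"{m.group(1)} authentication uses LOCAL; "
                            "use a TACACS+ or RADIUS aaa-server group")

    # Workaround: no local user left at privilege 0 (15 grants full access).
    for line in lines:
        m = re.match(r"username (\S+) .*privilege (\d+)$", line)
        if m and m.group(2) == "0":
            findings.append(f"user {m.group(1)} has privilege 0; "
                            "set privilege 1 or another level below 15")

    # Workaround: minimum TCP MSS of 64 (absent means the platform default).
    mss = None
    for line in lines:
        m = re.match(r"sysopt connection tcpmss minimum (\d+)$", line)
        if m:
            mss = int(m.group(1))
    if mss is None or mss < 64:
        findings.append(f"minimum TCP MSS is {'default' if mss is None else mss}; "
                        "set 'sysopt connection tcpmss minimum 64'")

    # HTTP/SIP inspection still enabled: report it so the operator can weigh
    # the trade-off the advisory describes (disable, or restrict SIP on 7.x).
    for engine in ("http", "sip"):
        if any(re.match(rf"inspect {engine}\b", line) for line in lines):
            findings.append(f"'inspect {engine}' is enabled; disable it or, for SIP "
                            "on 7.x, restrict it to trusted hosts with an access-list")
    return findings
```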