Products & Services
Support

Product Categories


Popular Downloads


Manage Software

How to Buy

For Home

Linksys Products Store
Linksys is now part of Belkin
Products for everyone

All Ordering Options

Training & Events Partners
Guest

Cisco Security Advisory

Multiple Vulnerabilities in Cisco PIX and ASA Appliances

Advisory ID: cisco-sa-20070214-pix

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070214-pix

Revision 1.4

For Public Release 2007 February 14 16:00  UTC (GMT)


Summary

Multiple vulnerabilities are found in Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances. They affect the following:

  • Enhanced inspection of Malformed Hypertext Transfer Protocol (HTTP) traffic
  • Inspection of malformed Session Initiation Protocol (SIP) packets
  • Inspection of a stream of malformed Transmission Control Protocol (TCP) packets
  • Privilege escalation

These vulnerabilities are independent of each other. If a vulnerability affects a device, it does not necessarily mean that the device is affected by all of them.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070214-pix.

Affected Products

In addition to the Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances, some vulnerabilities also affect Cisco Firewall Services Module (FWSM). More information regarding FWSM can be found in the companion advisory http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070214-fwsm.

Vulnerable Products

The following software releases for Cisco PIX and ASA Security Appliances are affected:

Vulnerability Name

Only affected if...

Vulnerable by default?

Versions affected

Cisco Bug ID

Enhanced inspection of Malformed HTTP traffic

Enhanced inspection of HTTP traffic is enabled via the command inspect http <appfw>

No

Only 7.x software releases prior to 7.0(4.14) and 7.1(2.1)

CSCsd75794

Inspection of malformed SIP packets

SIP inspection is enabled via the command fixup protocol sip, fixup protocol sip udp 5060 or inspect sip

Yes

For 6.x software all releases prior to 6.3(5.115), for 7.0.x software all releases prior to 7.0(5.2), and for 7.1.x software all releases prior to 7.1(2.5)

CSCse27708 and CSCsd97077

Inspection of a stream of malformed TCP packets

TCP-based protocol inspection is enabled, for example inspect ftp or inspect http

Yes

Only 7.2.2 software release

CSCsh12711

Privilege escalation

If LOCAL method is used for user authentication

No

7.2.x software releases prior to 7.2(2.8)

CSCsh33287

In order to determine if you run a vulnerable version of Cisco PIX or ASA software, issue the show version command.

This example shows a Cisco PIX Security Appliance that runs software release 7.1(1):

pixfirewall# show version

Cisco PIX Security Appliance Software Version 7.1(1) 

This example shows a Cisco ASA Security Appliance that runs software release 7.2(1)18.

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 7.2(1)18 
Device Manager Version 5.1(2)

For customers that manage their devices through the PIX Device Manager (PDM) or the Cisco Adaptive Security Device Manager (ASDM), log into the application, and the version can be found either in the table in the login window or in the upper left hand corner of the PDM/ASDM window indicated by a label similar to this: PIX Version 7.1(1)

The relationship between vulnerabilities that affect Cisco PIX and ASA Security Appliances and FWSM is given in the following table:

Vulnerability

PIX/ASA Bug ID

FWSM Bug ID

Enhanced Inspection of Malformed HTTP Traffic May Cause Reload

CSCsd75794

CSCsd75794

Inspection of Malformed SIP Messages May Cause Reload

CSCse27708 and CSCsd97077

CSCsg80915

Products Confirmed Not Vulnerable

With the exception of the Cisco FWSM module, no other Cisco products are known to be vulnerable to the issues described in this advisory.

Details

This Security Advisory describes multiple distinct vulnerabilities. They are independent of each other.

1. Enhanced inspection of Malformed HTTP traffic

Cisco PIX and ASA Security Appliances may crash when inspecting a malformed HTTP request when enhanced HTTP inspection is enabled. If enhanced HTTP application inspection is enabled your configuration will contain a line like "inspect http <appfw>" where <appfw> is the name of a specific HTTP map. Please note that regular HTTP inspection (configured via the command "inspect http" without an HTTP map) is not affected by this vulnerability. This vulnerability affects only 7.x software releases.

For information on what enhanced inspection of HTTP traffic does, and how to configure it, refer to the following URL: http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/inspect.htm#wp1431359

This vulnerability is documented in Cisco Bug ID CSCsd75794 (registered customers only).

2. Inspection of malformed SIP packets

The inspection of a malformed SIP packet may crash Cisco PIX and ASA appliances. In order to trigger this vulnerability, SIP fixup (for 6.x software) or inspect (for 7.x software) feature must be enabled. SIP fixup (in 6.x and earlier) and SIP inspection (in 7.x and later) are enabled by default.

Note that SIP can use TCP and UDP as transport protocol. When UDP protocol is used, spoofing SIP messages is possible.

This vulnerability is documented in Cisco Bug IDs CSCsd97077 (registered customers only) and CSCse27708 ( registered customers only).

3. Inspection of a stream of malformed TCP packets

By processing a stream of malformed packet in a TCP-based protocol Cisco PIX and ASA Appliances may crash. Processing of the protocol must be done by inspect feature. The packets can be addressed to the device itself or just transiting it. Cisco PIX and ASA Appliance can inspect the following TCP-based protocols:

  • Computer Telephony Interface Quick Buffer Encoding (CITQBE)
  • Distributed Computing Environment/Remote Procedure Call (DCE/RPC)
  • Domain Name Service (DNS)
  • Extended Simple Mail Transfer Protocol (ESMTP)
  • File Transfer Protocol (FTP)
  • H.323 protocol
  • Hyper Text Transfer Protocol (HTTP)
  • Internet Locator Server (ILS)
  • Instant Messaging (IM)
  • Point-to-Point Tunneling Protocol (PPTP)
  • Remote Shell (RSH)
  • Real Time Streaming Protocol (RTSP)
  • Session Initiation Protocol (SIP)
  • Skinny (or Simple) Client Control Protocol (SCCP)
  • Simple Mail Transfer Protocol (SMTP)
  • Oracle SQL*Net
  • Sun RPC

This vulnerability is documented in Cisco Bug ID CSCsh12711 (registered customers only).

4. Privilege escalation

Using the LOCAL method for user authentication may result in privilege escalation. In order to exploit this vulnerability, a user must be defined in the local database with a privilege of zero and be able to successfully authenticate to the affected device. Only if these conditions are met can the user escalate assigned privileges to level 15 and become an administrator. After that, the user can change every aspect of the configuration and operation of the device.

A device is vulnerable to this issue if these lines are present in the device's configuration:

pixfirewall(config)# aaa authentication enable console LOCAL
pixfirewall(config)# username <user_name> password <secret_pwd> privilege 0

This vulnerability is documented in Cisco Bug ID CSCsh33287 (registered customers only).

Vulnerability Scoring Details

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html .

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss .

CSCsd75794 - Enhanced inspection of Malformed HTTP traffic can crash device (registered customers only)

Calculate the environmental score of CSCsd75794

CVSS Base Score - 3.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Impact Bias

Remote

Low

Not Required

None

None

Complete

Normal

Temporal Score - 2.7

Exploitability

Remediation Level

Report Confidence

Functional

Official Fix

Confirmed

CSCse27708 - Traceback when inspecting SIP packets (registered customers only)

Calculate the environmental score of CSCse27708

CVSS Base Score - 3.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Impact Bias

Remote

Low

Not Required

None

None

Complete

Normal

Temporal Score - 2.7

Exploitability

Remediation Level

Report Confidence

Functional

Official Fix

Confirmed

CSCsd97077 - ASA/PIX Traceback when inspecting SIP packets (registered customers only)

Calculate the environmental score of CSCsd97077

CVSS Base Score - 3.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Impact Bias

Remote

Low

Not Required

None

None

Complete

Normal

Temporal Score - 2.7

Exploitability

Remediation Level

Report Confidence

Functional

Official Fix

Confirmed

CSCsh12711 - Traceback in TCP Normalizer (registered customers only)

Calculate the environmental score of CSCsh12711

CVSS Base Score - 3.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Impact Bias

Remote

Low

Not Required

None

None

Complete

Normal

Temporal Score - 2.7

Exploitability

Remediation Level

Report Confidence

Functional

Official Fix

Confirmed

CSCsh33287 - Users with priv 0 can get to level 15 when authen. ena. LOCAL configured (registered customers only)

Calculate the environmental score of CSCsh33287

CVSS Base Score - 6

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Impact Bias

Remote

Low

Required

Complete

Complete

Complete

Normal

Temporal Score - 5

Exploitability

Remediation Level

Report Confidence

Functional

Official Fix

Confirmed

Impact

Successful exploitation of the first three vulnerabilities listed in this Advisory may crash the affected device. Repeated exploitation can result in a sustained DoS attack.

Successful exploitation of CSCsh33287 can result in the escalation of user privileges and complete compromise of the affected Cisco PIX and ASA Appliances.

Software Versions and Fixes

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

The following list contains the first fixed software release for each vulnerability:

Vulnerability

Cisco Bug ID

First Fixed Release

Enhanced inspection of Malformed HTTP traffic

CSCsd75794

7.0(4.14), 7.0(5), 7.1(2.1), 7.2(1)

Inspection of malformed SIP packets

CSCse27708 and CSCsd97077

6.3(5.115), 7.0(5.2), 7.1(2.5)

Inspection of a stream of malformed TCP packets

CSCsh12711

7.2(2.10)

Privilege escalation

CSCsh33287

7.2(2.10)

The following software releases contain fixes for all vulnerabilities mentioned in this Security Advisory: 6.3(5.115) (for 6.x releases), 7.0(5.2), 7.1(2.5), 7.2(2.10).

Fixed PIX/ASA 7.x software can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2 for Cisco PIX Appliance and from http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2 for Cisco ASA Appliance.

The latest PIX 6.3.x interim release can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT?psrtdcat20e2. The first 6.3.5.x release with the fixes for the vulnerabilities described in this advisory is 6.3(5.115) so 6.3(5.125), which is posted to the previous location, has the fixes as well.


Workarounds

For vulnerabilities that involve HTTP and SIP protocols, it is possible to apply mitigation techniques. Workarounds are available for the other two vulnerabilities.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070214-firewall

Enhanced inspection of Malformed HTTP traffic

Disabling HTTP application inspection (appfw) will prevent Cisco PIX and ASA Appliances from being vulnerable to the issue listed in this Advisory. By leaving inspect http statement configured, some level of protection for the end devices (for example, computers protected by Cisco PIX and ASA Appliance) will remain. However, since this level of inspection is less granular, it may have negative impact on devices terminating HTTP sessions. Devices which terminate HTTP sessions may be exposed to packets that may cause these devices to crash or become compromised.

Inspection of malformed SIP packets

Disabling SIP inspection will prevent Cisco PIX and ASA Appliances from being vulnerable to the issue listed in this Advisory. However, this may have a negative impact on end devices terminating SIP sessions. Devices which terminate SIP sessions could be exposed to packets that may cause these devices to crash or become compromised.

If you run a 7.x software release, the alternative is to only allow traffic from trusted hosts. The configuration needed to accomplish this is as follows.

access-list sip-acl extended permit udp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq sip                                                              
access-list sip-acl extended permit udp host 192.168.5.4 10.1.1.0 255.255.255.0 eq sip                                                            
                                                                                
class-map sip-traffic                                       
 match access-list sip-acl                                   
!                                                                               
!                                                                               
policy-map global_policy                                                        
 class inspection_default                                                       
  inspect dns maximum-length 512                                                
  inspect ftp                                                                   
  inspect h323 h225                                                             
  inspect h323 ras                                                              
  inspect rsh                                                                   
  inspect rtsp                                                                  
  inspect esmtp                                                                 
  inspect sqlnet                                                                
  inspect skinny                                                                
  inspect sunrpc                                                                
  inspect xdmcp                                                                 
  inspect netbios                                                               
  inspect tftp                                                                  
 class sip-traffic                                            
  inspect sip                                             
!                                                                               
service-policy global_policy global                                             

In this example, the SIP endpoints are any host within the 10.1.1.0 network (inside the trusted network) and a host with the IP address of 192.168.5.4 (outside of the trusted network). You have to substitute these IP addresses with the ones that are used in your network.

Note that SIP is an UDP-based protocol, so spoofing SIP messages is possible.

Inspection of a stream of malformed TCP packets

The workaround is to increase the minimum TCP segment size (MSS) to 64. This is accomplished with a global sysopt command:

sysopt connection tcpmss minimum 64

Privilege escalation

There are two workarounds for this vulnerability. One consists of the use of TACACS+ or Radius for authentication, and another is to change the minimum privilege of the user from zero to one.

Use TACACS+ or Radius for authentication

Do not use the LOCAL method for user authentication, but use TACACS+ or Radius instead. This example shows how to configure the Cisco PIX appliance to use TACACS+ or Radius to authenticate Secure Shell (SSH) access to the device.

pixfirewall(config)#aaa-server AuthOutbound protocol radius (or tacacs+)
pixfirewall(config)#aaa authentication ssh console AuthOutbound
pixfirewall(config)#aaa-server AuthOutbound host 10.0.0.1 <radius_key>

In this example, 10.0.0.1 is the IP address of the Radius server and radius_key is the shared key between the Radius server and the appliance.

More information on how to configure TACACS+ or Radius on Cisco PIX and ASA appliances can be found at http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml.

Changing user's minimum privilege level

The second workaround consists of the change of the user minimum privilege level from zero to one. In that case, your configuration may look like this:

pixfirewall(config)# aaa authentication enable console LOCAL
pixfirewall(config)# username <user_name> password <secret_pwd> privilege 1

It is possible to use any other level as long as it is not zero or 15. If it is 15, the user has all privileges, and that is what we want to avoid in the first place.

Obtaining Fixed Software

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html , or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml .

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers Using Third-Party Support Organizations

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers Without Service Contracts

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of any vulnerability described in this advisory.

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco's worldwide website at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070214-pix

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  • cust-security-announce@cisco.com
  • first-teams@first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk
  • comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.


Revision History

Revision 1.4

2007-March-15

Text updated to reflect the fact that SIP can use TCP and UDP as transport protocol.

Revision 1.3

2007-Feb-21

It was incorrectly stated in previous versions of this document that SIP inspection is disabled by default in PIX/ASA 7.x software. The advisory has been revised to make it clear that the "Inspection of malformed SIP packets" vulnerability affects the default configuration in all versions of PIX/ASA software.

Revision 1.2

2007-Feb-15

Included download location for the latest PIX 6.3.5 interim that has the fixes for the issues described in this advisory.

Revision 1.1

2007-Feb-14

Clarified that all 7.2.x releases are affected by CSCsh33287 (it was incorrectly stated that only 7.2.2 was affected).

Revision 1.0

2007-Feb-14

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.


Download this document (PDF)
View Printable Version