Vulnerability Alert

Cisco ASA CX and PRSM Log Retention Denial of Service Vulnerability

 
Threat Type: CWE-399: Resource Management Errors
IntelliShield ID: 26766
Version: 1
First Published: 2012 September 12 16:28 GMT
Last Published: 2012 September 12 16:28 GMT
Port: Not available
CVE: CVE-2012-4629
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 7.8 (CVSS version 2.0)
CVSS Temporal: 6.4
Related Resources: View related Security Advisory; View related Applied Mitigation Bulletin
 
 
Version Summary: Cisco ASA CX Context-Aware Security software and Cisco Prime Security Manager contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.
 
 
Description
Cisco ASA CX Context-Aware Security software and Cisco Prime Security Manager (PRSM) contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted device.

The vulnerability is due to improper log management by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by sending a high rate of packets to the management interface of the Cisco ASA CX or Cisco PRSM device. A successful exploit of a Cisco ASA CX device could allow the attacker to cause the device to stop processing legitimate user traffic and affect user access to the management interface. A successful exploit of a Cisco PRSM device could cause the device to become unresponsive to legitimate user traffic and unavailable for managing Cisco ASA CX devices.

Cisco has confirmed this vulnerability and released software updates.
 
Warning Indicators
Cisco ASA CX Context-Aware Security and PRSM software versions prior to 9.0.2-103 are vulnerable.
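The version threshold above is easy to get wrong in an inventory script because the build number after the dash is numeric: compared as strings, "9.0.2-68" sorts after "9.0.2-103" and a vulnerable build looks fixed. The following is an added example, not Cisco's code or part of the alert. It assumes the major.minor.patch-build format used in this alert and a constructed inventory file with one "hostname platform version" line per device; the fixed release 9.0.2-103 and the affected builds 9.0.1-40 and 9.0.2-68 are taken from the alert text.

```python
"""Flag Cisco ASA CX / PRSM versions affected by CVE-2012-4629.

Added example (not Cisco's code). Assumes version strings of the form
major.minor.patch-build, e.g. "9.0.2-103", as used in the alert.
"""
import re
from typing import List, Tuple

FIXED_RELEASE = "9.0.2-103"  # first fixed release per the alert

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch-build' into a tuple of ints.

    Numeric parsing matters: as strings, '9.0.2-68' > '9.0.2-103',
    which would wrongly classify the vulnerable build as fixed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def is_vulnerable(version: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the running version is older than the first fixed release."""
    return parse_version(version) < parse_version(fixed)


# Constructed inventory for illustration; hostnames are placeholders.
SAMPLE_INVENTORY = """\
asa-cx-dc1 ASA-CX 9.0.1-40
asa-cx-dc2 ASA-CX 9.0.2-68
prsm-mgmt  PRSM   9.0.2-103
"""


def audit_inventory(text: str) -> List[Tuple[str, str, str, bool]]:
    """Return (host, platform, version, vulnerable) for each inventory line."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, platform, version = line.split()
        results.append((host, platform, version, is_vulnerable(version)))
    return results


if __name__ == "__main__":
    for host, platform, version, vuln in audit_inventory(SAMPLE_INVENTORY):
        status = "VULNERABLE" if vuln else "fixed"
        print(f"{host:12} {platform:7} {version:10} {status}")
```

Run it against an export of the PRSM device list (or the output of the version commands on each device) and treat any unparsable string as a finding rather than silently skipping it.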
 
IntelliShield Analysis
Attackers do not require authentication to exploit this vulnerability, but may require access to trusted, internal networks to establish a connection with the affected device. This access requirement may reduce the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

The Cisco ASA CX Context-Aware Security add-on services module extends the ASA platform with context-aware capabilities. The Cisco Prime Security Manager (PRSM) is the management platform for managing multiple Cisco ASA CX devices.

If a customer device has been affected by this vulnerability and /var/log is 100 percent utilized, the customer should contact the Cisco Technical Assistance Center; applying the software updates will not be sufficient to restore service.
 
Vendor Announcements
Cisco has released a security advisory for bug ID CSCub70603 at the following link: cisco-sa-20120912-asacx
 
Impact
An unauthenticated, remote attacker could exploit this vulnerability to cause the Cisco ASA CX or PRSM device to stop responding to legitimate user traffic and affect user access to the management interface and tool for managing ASA CX devices.
 
Technical Information
The vulnerability exists because the affected software improperly manages log retention, allowing the /var/log partition to grow until it is 100 percent utilized.

An unauthenticated, remote attacker could exploit this vulnerability by sending a high rate of packets to the management interface of the Cisco ASA CX or Cisco PRSM device. When the packets are processed by the affected software, the /var/log partition could completely fill. This condition could cause the device to become unresponsive to legitimate user traffic and affect user access to the management interface of an ASA CX device, or it could cause a PRSM device to become unresponsive and unavailable for managing an ASA CX device. Successful exploitation could allow an attacker to consume excessive system resources, resulting in a DoS condition.
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators are advised to monitor critical systems.

If customers have been impacted by this vulnerability on a Cisco ASA CX device and user traffic has been interrupted, administrators may consider removing the Modular Policy Framework (MPF) configuration on the Cisco ASA that directs user traffic to the ASA CX module. Removing the MPF configuration will cause user traffic to bypass the ASA CX module and flow through the Cisco ASA, restoring user service (without the CX inspection, so the change should be reverted once the updated software is installed).
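The two safeguards above, the access control list and the MPF bypass, as an added configuration example that is not part of the alert and not Cisco's own text. It assumes a single ASA whose "inside" interface is the only path to the CX and PRSM management address, the default global policy with the cxsc action under class-default, and placeholder addresses, object and ACL names. Check the running configuration first, because the existing cxsc line may carry options such as auth-proxy and the "no" form must match it.

```
! 1. Allow only trusted administration hosts to reach the management address
!    (198.51.100.5 is a placeholder for the CX or PRSM management IP).
!    Applied inbound on the interface where user traffic enters.
object-group network TRUSTED_MGMT_HOSTS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
access-list INSIDE_IN extended permit tcp object-group TRUSTED_MGMT_HOSTS host 198.51.100.5 eq https
access-list INSIDE_IN extended permit tcp object-group TRUSTED_MGMT_HOSTS host 198.51.100.5 eq ssh
access-list INSIDE_IN extended deny ip any host 198.51.100.5 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! 2. Emergency bypass once the CX module has stopped passing traffic:
!    remove the redirection so traffic flows through the ASA alone.
!    'show running-config policy-map' shows the exact cxsc line to negate.
policy-map global_policy
 class class-default
  no cxsc fail-open
```

The deny entry is logged so that attempts against the management address from untrusted sources are visible in syslog while the devices are still unpatched; the bypass removes content inspection and is a stopgap, not a fix.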

The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: Identifying and Mitigating Exploitation of the Cisco ASA-CX and Cisco PRSM Log Retention Denial of Service Vulnerability
 
Patches/Software
Cisco customers with active contracts can obtain updates through the Cisco Software Center. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
 
Alert History
 
Initial Release


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Cisco ASA-CX Software 9.0.1-40, 9.0.2-68
Cisco Prime Security Manager (PRSM) 9.0.1-40, 9.0.2-68

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.