For specific version information, refer to the "Software Versions and Fixes" section of this advisory.
Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
The Cisco ASA UDP inspection engine that is used to inspect UDP-based protocols contains a vulnerability that could allow a remote unauthenticated attacker to trigger a reload of the Cisco ASA.
All UDP protocols that are being inspected by the Cisco ASA UDP inspection engine may be vulnerable. The following protocols are known to use the Cisco ASA UDP inspection engine:
- Domain Name System (DNS)
- Session Initiation Protocol (SIP)
- Simple Network Management Protocol (SNMP)
- GPRS Tunneling Protocol (GTP)
- H.323, H.225 RAS
- Media Gateway Control Protocol (MGCP)
- Trivial File Transfer Protocol (TFTP)
- X Display Manager Control Protocol (XDMCP)
- IBM NetBios
- Instant Messaging (depending on the particular IM client/solution being used)
Note: UDP inspection engines may be enabled by default on Cisco ASA Software. Please consult your user guide for more information.
The default inspected ports are listed at the following link: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html
Note: Cisco ASA UDP inspection can be applied to non-default UDP ports via class-map and policy-map commands. Any use of the Cisco ASA UDP inspection engine may be affected by this vulnerability; therefore, configurations that apply the inspection engine to non-default UDP ports are also considered vulnerable.
To determine whether any of the above inspections are enabled, issue the show service-policy | include <inspection engine name> command and confirm that the command returns output. The following example shows a Cisco ASA configured to inspect IBM NetBIOS traffic:
ciscoasa# show service-policy | include netbios
Inspect: netbios, packet 0, drop 0, reset-drop 0
Cisco ASA Threat Detection Denial of Service Vulnerability
The Cisco ASA Threat Detection feature, when configured with the Scanning Threat Mode feature and with shun option enabled, contains a vulnerability that could allow a remote unauthenticated attacker to trigger a reload of the Cisco ASA. This feature is not enabled by default.
To determine whether the Cisco ASA Threat Detection with Scanning Threat feature and shun option is enabled, issue the show running-config threat-detection scanning-threat command and confirm that the returned output includes the shun option. The following example shows a vulnerable configuration:
ciscoasa# show running-config threat-detection scanning-threat
threat-detection scanning-threat shun
This feature was first introduced in Cisco ASA Software Version 8.0(2). Previous versions of Cisco ASA are not vulnerable.
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
A denial of service (DoS) vulnerability exists in the implementation of one specific system log (syslog) message (message ID 305006) that could cause a reload of the Cisco ASA whenever this syslog message needs to be generated.
Syslog message ID 305006 is generated when the Cisco ASA is unable to create a network address translation for a new connection. Additional information regarding this syslog message can be found in the Cisco ASA System Log Messages guide at: http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html. Logging is not enabled by default on Cisco ASA; however, when logging is enabled, syslog message 305006 is enabled automatically.
Cisco ASA Software may be affected by this vulnerability if the following conditions are satisfied:
- System logging is enabled and syslogs are configured to be sent to any syslog destination (including, for example, the buffer or ASDM)
- Cisco ASA Software is configured in any way to generate syslog message 305006
Syslog message 305006 has a default severity level of 3 (errors). Cisco ASA Software configured for logging at Level 3 or higher (that is, Levels 3 through 7) may be vulnerable. To verify whether logging is enabled, issue the show logging command. The following example shows a Cisco ASA with logging enabled and buffer logging enabled at Level 6 (informational):
ciscoasa# show logging
Syslog logging: enabled
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 2 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
Using a custom message list (created via the logging list command) that includes syslog message 305006, either by severity or by explicitly including the message ID, is also a vulnerable configuration.
The default severity level of syslog messages can be changed. If the default severity level of syslog message 305006 is changed and the device is configured to log to any destination at the new severity level, the device is vulnerable.
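The logging conditions above (syslog enabled, some destination at a level that includes message 305006, and a possibly re-assigned severity) can be checked offline against saved show logging output. The following is an added example, not Cisco's code; it assumes the "<Destination> logging: level <name>" line format shown in the excerpt above and uses a constructed sample taken from it.

```python
import re

# Cisco syslog severity names mapped to numeric levels (0 = emergencies ... 7 = debugging)
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample: the 'show logging' excerpt from the advisory, trimmed to
# the lines that matter for the check (line format assumed from that excerpt)
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 2 messages logged
Trap logging: disabled
ASDM logging: disabled
"""

# Matches '<Destination> logging: level <name-or-number>' lines
_DEST_RE = re.compile(r"^(?P<dest>[\w-]+) logging: level (?P<level>\w+)", re.M)


def _level_number(token: str):
    """Accept either a severity name ('errors') or a digit ('3')."""
    return int(token) if token.isdigit() else SEVERITY.get(token.lower())


def destinations_receiving(show_logging: str, msg_severity: int) -> dict:
    """Return {destination: configured_level} for every logging destination
    that would receive a message of the given numeric severity.  A destination
    at level N logs severities 0..N, so a buffer at level 6 (informational)
    receives a level-3 (errors) message.  Empty if syslog logging is disabled."""
    if not re.search(r"^Syslog logging: enabled\s*$", show_logging, re.M):
        return {}
    receiving = {}
    for m in _DEST_RE.finditer(show_logging):
        level = _level_number(m.group("level"))
        if level is not None and level >= msg_severity:
            receiving[m.group("dest")] = level
    return receiving


def exposed_to_305006(show_logging: str, msg_severity: int = 3) -> bool:
    """True when some destination would emit syslog 305006.  Pass msg_severity
    if the default level (3, errors) of message 305006 has been re-assigned."""
    return bool(destinations_receiving(show_logging, msg_severity))
```

Destinations that use a custom logging list (L53-54 above) show "list <name>" instead of a level and are not matched here; review those lists by hand.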
This vulnerability was introduced with the implementation of the new Cisco ASA Identity Firewall (IDFW) feature. The Cisco ASA IDFW feature was introduced in Cisco ASA Software Version 8.4(2); previous versions of Cisco ASA Software are therefore not affected.
Protocol Independent Multicast Denial of Service Vulnerability
Cisco ASA Software is affected by a vulnerability that may cause affected devices to reload during the processing of Protocol Independent Multicast (PIM) messages when multicast routing is enabled. This feature is not enabled by default.
To verify whether PIM is enabled on an interface, use the show pim interface command and check whether the state on appears under the PIM column. The following example shows PIM enabled on the interface outside but disabled on the interface inside:
ciscoasa# show pim interface
Address          Interface        PIM  Nbr   Hello  DR     DR
                                       Count Intvl  Prior
192.168.1.1      outside          on   0     30     1      this system
192.168.2.1      inside           off  0     30     1      this system
A Cisco ASA is vulnerable if at least one interface is marked on under the PIM column of the show pim interface command output.
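The three remaining configuration checks in this advisory (UDP inspection engines in show service-policy, the shun option on threat-detection scanning-threat, and the PIM column of show pim interface) can likewise be run against saved CLI output. This is an added example, not Cisco's code; the inspection keyword spellings in UDP_ENGINES and the exact output layouts are assumptions modelled on the excerpts above, and the samples are constructed.

```python
import re

# Inspection keywords, as they appear in 'Inspect: <name>' lines, for the
# UDP-based protocols the advisory lists (assumed spellings; adjust to taste)
UDP_ENGINES = {"dns", "sip", "snmp", "gtp", "h323", "mgcp", "tftp", "xdmcp", "netbios", "im"}

# Constructed samples modelled on the advisory's CLI excerpts
SAMPLE_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 10, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
"""
SAMPLE_THREAT = "threat-detection scanning-threat shun\n"
SAMPLE_PIM = """\
Address          Interface        PIM  Nbr   Hello  DR     DR
                                       Count Intvl  Prior
192.168.1.1      outside          on   0     30     1      this system
192.168.2.1      inside           off  0     30     1      this system
"""

def udp_inspections(show_service_policy: str) -> set:
    """Engine names from 'Inspect: <name> ...' lines that belong to UDP_ENGINES."""
    found = re.findall(r"^\s*Inspect:\s+([\w-]+)", show_service_policy, re.M)
    return {name.lower() for name in found} & UDP_ENGINES

def scanning_threat_shun(show_threat: str) -> bool:
    """True when 'threat-detection scanning-threat' carries the shun option."""
    return any(re.match(r"^threat-detection scanning-threat\b.*\bshun\b", line)
               for line in show_threat.splitlines())

def pim_enabled_interfaces(show_pim: str) -> list:
    """Interfaces whose PIM column reads 'on'.  Data rows start with an IPv4
    address, which skips the two-line column header."""
    enabled = []
    for line in show_pim.splitlines():
        fields = line.split()
        if (len(fields) >= 3 and re.match(r"^\d+\.\d+\.\d+\.\d+$", fields[0])
                and fields[2].lower() == "on"):
            enabled.append(fields[1])
    return enabled

def exposure(show_service_policy: str, show_threat: str, show_pim: str) -> dict:
    """Summarise which of the advisory's enabling conditions are present."""
    return {
        "udp_inspection": sorted(udp_inspections(show_service_policy)),
        "scanning_threat_shun": scanning_threat_shun(show_threat),
        "pim_interfaces": pim_enabled_interfaces(show_pim),
    }
```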
Determine the Running Software Version
To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the show version command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.4(1):
ciscoasa#show version | include Version
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window.
Information about Cisco PIX Security Appliance
Cisco PIX may be affected by some of the vulnerabilities described in this security advisory. Cisco PIX has reached end of maintenance support. Cisco PIX customers are encouraged to migrate to Cisco ASA.
All versions of the Cisco PIX Security Appliances Software are affected by the Protocol Independent Multicast Denial of Service Vulnerability.
Version 8.0 of Cisco PIX Security Appliances Software is affected by the Cisco ASA UDP Inspection Engine Denial of Service Vulnerability and the Cisco ASA Threat Detection Denial of Service Vulnerability.
The Cisco PIX Security Appliance is not vulnerable to the Cisco ASA Syslog Message 305006 Denial of Service Vulnerability.
With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities.