For specific version information, refer to the "Software Versions and Fixes" section of this advisory.
DHCP Memory Allocation Denial of Service Vulnerability
This vulnerability is triggered when Cisco ASA Software processes a DHCP request. Both the DHCP relay feature and the DHCP server feature cause the ASA to process DHCP request packets, so if either feature is enabled, the Cisco ASA Software may be vulnerable.
To determine whether the DHCP server feature is enabled on Cisco ASA Software, use the show dhcpd state command and verify that at least one interface is configured for DHCP server. The following example shows Cisco ASA Software with DHCP server enabled on the inside interface:
ciscoasa# show dhcpd state
Context Configured as DHCP Server
Interface inside, Configured for DHCP SERVER
To determine whether the DHCP relay feature is enabled on Cisco ASA Software, use the show dhcprelay state command and verify that at least one interface is configured for DHCP relay. The following example shows Cisco ASA Software with DHCP relay enabled:
ciscoasa# show dhcprelay state
Context Configured as DHCP Relay
Interface outside, Configured for DHCP RELAY SERVER
Interface inside, Configured for DHCP RELAY
Note: By default, DHCP server is enabled on the inside interface of the Cisco ASA 5505 and on the management interface of all other Cisco ASA 5500 Series Adaptive Security Appliances. DHCP server is disabled by default on the Cisco Catalyst 6500 Series ASA Services Module. The DHCP relay feature is not enabled by default on any Cisco ASA 5500 Series Adaptive Security Appliance or Cisco Catalyst 6500 Series ASA Services Module platform.
SSL VPN Authentication Denial of Service Vulnerability
This vulnerability may affect Cisco ASA Software configured for Clientless or AnyConnect SSL VPN. Cisco ASA Software configured as an IPsec VPN server, IPsec/L2TP VPN server, or IKEv2 AnyConnect VPN server is not affected. Because this vulnerability is triggered when a crafted authentication challenge-response is received, Cisco ASA Software is not affected when it is configured to use a AAA protocol that does not support the challenge option, or when the challenge option is disabled.
To be affected, the Cisco ASA Software must have SSL VPN enabled and a tunnel group configured to authenticate to a remote AAA server using a AAA protocol that has the AAA challenge option enabled.
Currently the following AAA setup may be configured with the challenge option enabled and hence be considered vulnerable:
- Native RSA SecurID (also known as SDI) - This is vulnerable when the SecurID server requires a challenge response from the user.
- RADIUS and TACACS+ authentication challenge - These are vulnerable when the AAA server uses a token-based authentication system which is capable of sending challenge requests to authenticating users.
- Active Directory password management via RADIUS or LDAP. In these cases the Cisco ASA Software facilitates a user password change prior to authentication with Active Directory.
Other AAA authentication methods supported by the Cisco ASA Software, such as HTTP form-based authentication or the NT LAN Manager (NTLM) and Kerberos authentication protocols, are not affected by this vulnerability.
To determine whether Cisco ASA Software has SSL VPN enabled, use the show running-config webvpn command and verify that SSL VPN is enabled on at least one interface. The following example shows Cisco ASA Software with SSL VPN enabled on the outside interface:
ciscoasa# show running-config webvpn
To determine whether the Cisco ASA Software has a tunnel group configured for a remote AAA server, use the show running-config tunnel-group <tg_name> general-attributes command and verify that authentication-server-group is set to a remote AAA server group. The following example shows Cisco ASA Software with the tunnel group WebVPN configured to authenticate against a remote AAA server group with the tag RSA:
ciscoasa#show running-config tunnel-group WebVPN general-attributes
tunnel-group WebVPN general-attributes
To determine which AAA protocol is in use for a given AAA server group, use the show aaa-server <server-tag> command. The AAA protocol in use is indicated by the Server Protocol field under the Server Group entry. The following example shows a AAA server group with the tag RSA that is using RSA SecurID (SDI) as its AAA protocol:
ciscoasa# show aaa-server RSA
Server Group: RSA
Server Protocol: sdi
Note: SSL VPN is not enabled by default. The default AAA setting for a tunnel group is LOCAL, which is not affected by this vulnerability.
SIP Inspection Media Update Denial of Service Vulnerability
The Cisco ASA Software may be affected by this vulnerability if Session Initiation Protocol (SIP) inspection is enabled.
To determine whether SIP inspection is enabled, use the show service-policy | include sip command. The following example shows Cisco ASA Software with SIP inspection enabled:
ciscoasa# show service-policy | include sip
Inspect: sip , packet 67, drop 0, reset-drop 0
Note: SIP inspection functionality is enabled by default.
DCERPC Inspection Buffer Overflow Vulnerability and DCERPC Inspection Denial Of Service Vulnerabilities
Cisco ASA Software is affected by these vulnerabilities if DCERPC inspection is enabled.
To determine whether DCERPC inspection is enabled, use the show service-policy | include dcerpc command. The following example shows Cisco ASA Software with DCERPC inspection enabled:
ciscoasa# show service-policy | include dcerpc
Inspect: dcerpc, packet 0, drop 0, reset-drop 0
Note: DCERPC inspection is not enabled by default.
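The feature checks above (DHCP server or relay, SSL VPN with a challenge-capable remote AAA group, SIP inspection, DCERPC inspection) are mechanical enough to script. The following is an added example, not part of the Cisco advisory: it parses the output of the show commands listed in this advisory, as pasted from a device, and reports which of the advisory's preconditions a device meets. The sample outputs embedded below are constructed to match the formats shown above (the address and group names are hypothetical), and the function names are this example's own. It treats every AAA protocol the advisory names as challenge-capable (SDI, RADIUS, TACACS+, and LDAP for Active Directory password management) as "potentially exposed", because whether a challenge is actually issued depends on the AAA server, which the ASA output does not reveal.

```python
"""Added example (not from the Cisco advisory): classify an ASA's exposure to the
advisory's feature-dependent vulnerabilities from captured 'show' output."""
import re

# Constructed sample output in the formats the advisory shows. Replace with
# real output (for example, read from files collected over SSH).
SHOW_DHCPD_STATE = """Context Configured as DHCP Server
Interface outside, Not Configured for DHCP
Interface inside, Configured for DHCP SERVER
"""

SHOW_DHCPRELAY_STATE = """Context Configured as DHCP Relay
Interface outside, Configured for DHCP RELAY SERVER
Interface inside, Configured for DHCP RELAY
"""

SHOW_RUN_WEBVPN = """webvpn
 enable outside
 anyconnect enable
"""

SHOW_RUN_TUNNEL_GROUP = """tunnel-group WebVPN general-attributes
 authentication-server-group RSA
 default-group-policy DfltGrpPolicy
"""

SHOW_AAA_SERVER = """Server Group:    RSA
Server Protocol: sdi
Server Address:  192.0.2.10
"""

SHOW_SERVICE_POLICY = """Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1004, drop 0, reset-drop 0
      Inspect: sip , packet 67, drop 0, reset-drop 0
      Inspect: dcerpc, packet 0, drop 0, reset-drop 0
"""

# AAA protocols the advisory lists as able to carry a challenge. LDAP is
# included only because of the Active Directory password-management case.
CHALLENGE_CAPABLE = {"sdi", "radius", "tacacs+", "ldap"}


def dhcp_server_interfaces(text):
    """Interfaces reported as 'Configured for DHCP SERVER' by show dhcpd state."""
    return re.findall(r"^Interface (\S+), Configured for DHCP SERVER", text, re.M)


def dhcp_relay_interfaces(text):
    """Interfaces configured for DHCP RELAY (client side or server side)."""
    return re.findall(r"^Interface (\S+), Configured for DHCP RELAY", text, re.M)


def sslvpn_interfaces(text):
    """Interfaces with 'enable <ifname>' under the webvpn block."""
    return re.findall(r"^\s+enable (\S+)", text, re.M)


def auth_server_group(text):
    """authentication-server-group of a tunnel group; LOCAL if unset (the default)."""
    m = re.search(r"^\s*authentication-server-group (\S+)", text, re.M)
    return m.group(1) if m else "LOCAL"


def aaa_protocol(text):
    """Value of the 'Server Protocol:' field from show aaa-server <tag>."""
    m = re.search(r"^Server Protocol:\s*(\S+)", text, re.M)
    return m.group(1).lower() if m else None


def inspections_enabled(text):
    """Set of protocol names that appear as 'Inspect: <name>' in show service-policy."""
    return {m.group(1).lower() for m in re.finditer(r"^\s*Inspect:\s*(\w+)", text, re.M)}


def exposure(dhcpd, dhcprelay, webvpn, tunnel_group, aaa_server, service_policy):
    """Map each advisory precondition to True (met) or False (not met)."""
    group = auth_server_group(tunnel_group)
    proto = aaa_protocol(aaa_server)
    insp = inspections_enabled(service_policy)
    return {
        "dhcp_memory_allocation_dos": bool(dhcp_server_interfaces(dhcpd)
                                           or dhcp_relay_interfaces(dhcprelay)),
        # SSL VPN on some interface, a remote (non-LOCAL) AAA group, and a
        # protocol that can carry a challenge; a real challenge still depends
        # on the AAA server, so this is "potentially exposed".
        "sslvpn_auth_dos": bool(sslvpn_interfaces(webvpn))
                           and group != "LOCAL" and proto in CHALLENGE_CAPABLE,
        "sip_inspection_media_update_dos": "sip" in insp,
        "dcerpc_inspection": "dcerpc" in insp,
    }


if __name__ == "__main__":
    report = exposure(SHOW_DHCPD_STATE, SHOW_DHCPRELAY_STATE, SHOW_RUN_WEBVPN,
                      SHOW_RUN_TUNNEL_GROUP, SHOW_AAA_SERVER, SHOW_SERVICE_POLICY)
    for name, met in report.items():
        print(f"{name}: {'precondition met' if met else 'not exposed'}")
```

Because the ASA shows a tunnel group's authentication-server-group only when it is non-default, an empty general-attributes block is reported as LOCAL, which matches the advisory's note that LOCAL is the default and is not affected. Whether a version is actually fixed is a separate question answered by the "Software Versions and Fixes" section, not by this script.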
Determine the Running Software Version
To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the show version command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.4(1):
ciscoasa#show version | include Version
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Customers who use Cisco Adaptive Security Device Manager (ASDM) to
manage devices can locate the software version in the table that is
displayed in the login window or upper-left corner of the Cisco ASDM
Information about Cisco PIX Security Appliance Software
All versions of the Cisco PIX Security Appliance Software are affected by the DHCP Memory Allocation Denial of Service Vulnerability.
Cisco PIX Security Appliance Software is not affected by any other vulnerabilities described in this security advisory.
The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.
With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities.