[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and ASA Appliances

Cisco Systems Product Security Incident Response Team psirt at cisco.com
Wed Feb 14 11:39:36 EST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Advisory: 
Multiple Vulnerabilities in Cisco PIX and ASA Appliances

Advisory ID: cisco-sa-20070214-pix

http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml

Revision 1.0

For Public Release 2007 February 14 1600 UTC (GMT)

- -----------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities are found in Cisco PIX 500 Series Security
Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances.
They affect the following:

  * Enhanced inspection of Malformed Hypertext Transfer Protocol (HTTP)
    traffic
  * Inspection of malformed Session Initiation Protocol (SIP) packets
  * Inspection of a stream of malformed Transmission Control Protocol
    (TCP) packets
  * Privilege escalation

Vulnerabilities are independent of each other. If a vulnerability
affects a device, it does not necessarily mean that the device is
affected by all of them.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml.

Affected Products
=================

In addition to the Cisco PIX 500 Series Security Appliances and the
Cisco ASA 5500 Series Adaptive Security Appliances, some
vulnerabilities also affect Cisco Firewall Services Module (FWSM). More
information regarding FWSM can be found in the companion advisory 
http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml.

Vulnerable Products
+------------------

The following software releases for Cisco PIX and ASA Security
Appliances are affected:

+---------------------------------------------------------------------+
| Vulnerability | Only affected  | Vulnerable | Versions | Cisco Bug  |
|     Name      |     if...      |     by     | affected |     ID     |
|               |                |  default?  |          |            |
|---------------+----------------+------------+----------+------------|
|               | Enhanced       |            | Only 7.x |            |
|               | inspection of  |            | software |            |
| Enhanced      | HTTP traffic   |            | releases |            |
| inspection of | is enabled via | No         | prior to | CSCsd75794 |
| Malformed     | the command    |            | 7.0      |            |
| HTTP traffic  | "inspect http  |            | (4.14)   |            |
|               | <appfw>"       |            | and 7.1  |            |
|               |                |            | (2.1)    |            |
|---------------+----------------+------------+----------+------------|
|               |                |            | For 6.x  |            |
|               |                |            | software |            |
|               |                |            | all      |            |
|               |                |            | releases |            |
|               |                |            | prior to |            |
|               |                |            | 6.3      |            |
|               |                |            | (5.115), |            |
|               |                |            | for      |            |
|               | SIP inspection | No for 7.x | 7.0.x    |            |
| Inspection of | is enabled via | releases   | software | CSCse27708 |
| malformed SIP | the command    | Yes for    | all      | and        |
| packets       | "fixup         | 6.x        | releases | CSCsd97077 |
|               | protocol sip"  | releases   | prior to |            |
|               | or             |            | 7.0      |            |
|               | "inspect sip"  |            | (5.2),   |            |
|               |                |            | and for  |            |
|               |                |            | 7.1.x    |            |
|               |                |            | software |            |
|               |                |            | all      |            |
|               |                |            | releases |            |
|               |                |            | prior to |            |
|               |                |            | 7.1(2.5) |            |
|---------------+----------------+------------+----------+------------|
|               | TCP-based      |            |          |            |
| Inspection of | protocol       |            | Only     |            |
| a stream of   | inspection is  |            | 7.2.2    |            |
| malformed TCP | enabled, for   | Yes        | software | CSCsh12711 |
| packets       | example        |            | release  |            |
|               | "inspect ftp"  |            |          |            |
|               | or             |            |          |            |
|               | "inspect http" |            |          |            |
|---------------+----------------+------------+----------+------------|
|               | If LOCAL       |            | Only     |            |
| Privilege     | method is used | No         | 7.2.2    | CSCsh33287 |
| escalation    | for user       |            | software |            |
|               | authentication |            | release  |            |
+---------------------------------------------------------------------+

In order to determine if you run a vulnerable version of Cisco PIX or
ASA software, issue the "show version" command.

This example shows a Cisco PIX Security Appliance that runs software
release 7.1(1):

    pixfirewall# show version

    Cisco PIX Security Appliance Software Version 7.1(1)


This example shows a Cisco ASA Security Appliance that runs software
release 7.2(1)18.

    ciscoasa# show version

    Cisco Adaptive Security Appliance Software Version 7.2(1)18
    Device Manager Version 5.1(2)


For customers that manage their devices through the PIX Device Manager
(PDM) or the Cisco Adaptive Security Device Manager (ASDM), log into
the application, and the version can be found either in the table in
the login window or in the upper left hand corner of the PDM/ASDM
window indicated by a label similar to this: PIX Version 7.1(1)

The relationship between vulnerabilities that affect Cisco PIX and ASA
Security Appliances and FWSM is given in the following table:

+-------------------------------------------------------------+
|          Vulnerability          | PIX/ASA Bug  |  FWSM Bug  |
|                                 |      ID      |     ID     |
|---------------------------------+--------------+------------|
| Enhanced Inspection of          |              |            |
| Malformed HTTP Traffic May      | CSCsd75794   | CSCsd75794 |
| Cause Reload                    |              |            |
|---------------------------------+--------------+------------|
| Inspection of Malformed SIP     | CSCse27708   |            |
| Messages May Cause Reload       | and          | CSCsg80915 |
|                                 | CSCsd97077   |            |
+-------------------------------------------------------------+

Products Confirmed Not Vulnerable
+--------------------------------

With the exception of the Cisco FWSM module, no other Cisco products
are known to be vulnerable to the issues described in this advisory.

Details
=======

This Security Advisory describes multiple distinct vulnerabilities.
They are independent of each other.

1. Enhanced inspection of Malformed HTTP traffic
+-----------------------------------------------

Cisco PIX and ASA Security Appliances may crash when inspecting a
malformed HTTP request when enhanced HTTP inspection is enabled. If
enhanced HTTP application inspection is enabled your configuration will
contain a line like "inspect http <appfw>" where <appfw> is the name of
a specific HTTP map. Please note that regular HTTP inspection
(configured via the command "inspect http" without an HTTP map) is not
affected by this vulnerability. This vulnerability affects only 7.x
software releases.

For information on what enhanced inspection of HTTP traffic does, and
how to configure it, refer to the following URL: 
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/inspect.htm#wp1431359

This vulnerability is documented in Cisco Bug ID CSCsd75794. 


2. Inspection of malformed SIP packets
+-------------------------------------

The inspection of a malformed SIP packet may crash Cisco PIX and ASA
appliances. In order to trigger this vulnerability, SIP fixup (for 6.x
software) or inspect (for 7.x software) feature must be enabled. SIP
fixup is enabled by default in the 6.x software releases, and SIP
inspection is disabled by default in the 7.x and later software
releases.

This vulnerability is documented in Cisco Bug IDs CSCsd97077
and CSCse27708.

3. Inspection of a stream of malformed TCP packets
+-------------------------------------------------

By processing a stream of malformed packet in a TCP-based protocol
Cisco PIX and ASA Appliances may crash. Processing of the protocol must
be done by inspect feature. The packets can be addressed to the device
itself or just transiting it. Cisco PIX and ASA Appliance can inspect
the following TCP-based protocols:

  * Computer Telephony Interface Quick Buffer Encoding (CITQBE)
  * Distributed Computing Environment/Remote Procedure Call (DCE/RPC)
  * Domain Name Service (DNS)
  * Extended Simple Mail Transfer Protocol (ESMTP)
  * File Transfer Protocol (FTP)
  * H.323 protocol
  * Hyper Text Transfer Protocol (HTTP)
  * Internet Locator Server (ILS)
  * Instant Messaging (IM)
  * Point-to-Point Tunneling Protocol (PPTP)
  * Remote Shell (RSH)
  * Real Time Streaming Protocol (RTSP)
  * Session Initiation Protocol (SIP)
  * Skinny (or Simple) Client Control Protocol (SCCP)
  * Simple Mail Transfer Protocol (SMTP)
  * Oracle SQL*Net
  * Sun RPC

This vulnerability is documented in Cisco Bug ID CSCsh12711. 


4. Privilege escalation
+----------------------

Using the LOCAL method for user authentication may result in privilege
escalation. In order to exploit this vulnerability, a user must be
defined in the local database with a privilege of zero and be able to
successfully authenticate to the affected device. Only if these
conditions are met can the user escalate assigned privileges to level
15 and become an administrator. After that, the user can change every
aspect of the configuration and operation of the device.

A device is vulnerable to this issue if these lines are present in the
device's configuration:

    pixfirewall(config)# aaa authentication enable console LOCAL
    pixfirewall(config)# username <user_name> password <secret_pwd> privilege 0


This vulnerability is documented in Cisco Bug ID CSCsh33287. 


Vulnerability Scoring Details
+----------------------------

Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). Cisco will
provide a base and temporal score. Customers can then compute
environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco PSIRT will set the bias in all cases to normal. Customers are
encouraged to apply the bias parameter when determining the
environmental impact of a particular vulnerability.

CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks: 
http://intellishield.cisco.com/security/alertmanager/cvss


CSCsd75794 - Enhanced inspection of Malformed HTTP traffic can crash device

CVSS Base Score: 3.3
    Access Vector: Remote
    Access Complexity: Low
    Authentication: Not Required
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 2.7
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed



CSCse27708 - Traceback when inspecting SIP packets

CVSS Base Score: 3.3
    Access Vector: Remote
    Access Complexity: Low
    Authentication: Not Required
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 2.7
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed



CSCsd97077 - ASA/PIX Traceback when inspecting SIP packets 

CVSS Base Score: 3.3
    Access Vector: Remote
    Access Complexity: Low
    Authentication: Not Required
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 2.7
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed



CSCsh12711 - Traceback in TCP Normalizer

CVSS Base Score: 3.3
    Access Vector: Remote
    Access Complexity: Low
    Authentication: Not Required
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 2.7
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed



CSCsh33287 - Users with priv 0 can get to level 15 when authen. ena.
		LOCAL configured 


CVSS Base Score: 6
    Access Vector: Remote
    Access Complexity: Low
    Authentication: Required
    Confidentiality Impact: Complete
    Integrity Impact: Complete
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 5
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed


Impact
======

Successful exploitation of the first three vulnerabilities listed in
this Advisory may crash the affected device. Repeated exploitation can
result in a sustained DoS attack.

Successful exploitation of CSCsh33287 can result in the escalation of
user privileges and complete compromise of the affected Cisco PIX and
ASA Appliances.

Software Version and Fixes
==========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.

The following list contains the first fixed software release for each
vulnerability:

+-------------------------------------------------------------+
|      Vulnerability      | Cisco Bug ID  |    First Fixed    |
|                         |               |      Release      |
|-------------------------+---------------+-------------------|
| Enhanced inspection of  |               | 7.0(4.14), 7.0    |
| Malformed HTTP traffic  | CSCsd75794    | (5), 7.1(2.1),    |
|                         |               | 7.2(1)            |
|-------------------------+---------------+-------------------|
| Inspection of malformed | CSCse27708    | 6.3(5.115), 7.0   |
| SIP packets             | and           | (5.2), 7.1(2.5)   |
|                         | CSCsd97077    |                   |
|-------------------------+---------------+-------------------|
| Inspection of a stream  |               |                   |
| of malformed TCP        | CSCsh12711    | 7.2(2.10)         |
| packets                 |               |                   |
|-------------------------+---------------+-------------------|
| Privilege escalation    | CSCsh33287    | 7.2(2.10)         |
+-------------------------------------------------------------+

The following software releases contain fixes for all vulnerabilities
mentioned in this Security Advisory: 6.3(5.115) (for 6.x releases), 7.0
(5.2), 7.1(2.5), 7.2(2.10).

The fixed software can be downloaded from
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix for Cisco PIX Appliance
and from http:// www.cisco.com/pcgi-bin/tablebuild.pl/asa for Cisco ASA
Appliance.

Workarounds
===========

For vulnerabilities that involve HTTP and SIP protocols, it is possible
to apply mitigation techniques. Workarounds are available for the other
two vulnerabilities.

Additional mitigations that can be deployed on Cisco
devices within the network are available in the Cisco
Applied Intelligence companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-air-20070214-firewall.shtml

Enhanced inspection of Malformed HTTP traffic
+--------------------------------------------

Disabling HTTP application inspection (appfw) will prevent Cisco PIX
and ASA Appliances from being vulnerable to the issue listed in this
Advisory. By leaving inspect http statement configured, some level of
protection for the end devices (e.g,. computers protected by Cisco PIX
and ASA Appliance) will remain. However, since this level of inspection
is less granular, it may have negative impact on devices terminating
HTTP sessions. Devices which terminate HTTP sessions may be exposed to
packets that may cause these devices to crash or become compromised.

Inspection of malformed SIP packets
+----------------------------------

Disabling SIP inspection will prevent Cisco PIX and ASA Appliances from
being vulnerable to the issue listed in this Advisory. However, this
may have a negative impact on end devices terminating SIP sessions.
Devices which terminate SIP sessions could be exposed to packets that
may cause these devices to crash or become compromised.

If you run a 7.x software release, the alternative is to only allow
traffic from trusted hosts. The configuration needed to accomplish this
is as follows.

    access-list sip-acl extended permit udp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq sip
    access-list sip-acl extended permit udp host 192.168.5.4 10.1.1.0 255.255.255.0 eq sip

    class-map sip-traffic
     match access-list sip-acl
    !
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
     class sip-traffic
      inspect sip
    !
    service-policy global_policy global


In this example, the SIP endpoints are any host within the 10.1.1.0
network (inside the trusted network) and a host with the IP address of
192.168.5.4 (outside of the trusted network). You have to substitute
these IP addresses with the ones that are used in your network.

Note that SIP is an UDP-based protocol, so spoofing SIP messages is
possible.

Inspection of a stream of malformed TCP packets
+----------------------------------------------

The workaround is to increase the minimum TCP segment size (MSS) to 64.
This is accomplished with a global "sysopt" command:

    sysopt connection tcpmss minimum 64


Privilege escalation
+-------------------

There are two workarounds for this vulnerability. One consists of the
use of TACACS+ or Radius for authentication, and another is to change
the minimum privilege of the user from zero to one.

Use TACACS+ or Radius for authentication
+---------------------------------------

Do not use the LOCAL method for user authentication, but use TACACS+ or
Radius instead. This example shows how to configure the Cisco PIX
appliance to use TACACS+ or Radius to authenticate Secure Shell (SSH)
access to the device.

    pixfirewall(config)#aaa-server AuthOutbound protocol radius (or tacacs+)
    pixfirewall(config)#aaa authentication ssh console AuthOutbound
    pixfirewall(config)#aaa-server AuthOutbound host 10.0.0.1 <radius_key>


In this example, 10.0.0.1 is the IP address of the Radius server and
"radius_key" is shared key between the Radius server and the appliance.

More information on how to configure TACACS+ or Radius on Cisco PIX and
ASA appliances can be found at 
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

Changing user's minimum privilege level
+--------------------------------------

The second workaround consists of the change of the user minimum
privilege level from zero to one. In that case, your configuration may
look like this:

    pixfirewall(config)# aaa authentication enable console LOCAL
    pixfirewall(config)# username <user_name> password <secret_pwd> privilege 1


It is possible to use any other level as long as it is not zero or 15.
If it is 15, the user has all privileges, and that is what we want to
avoid in the first place.

Obtaining Fixed Software
========================

Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed software
becomes available. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to
be bound by the terms of Cisco's software license terms found
at http://www.cisco.com/public/sw-license-agreement.html,
or as otherwise set forth at Cisco.com. Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact either "psirt at cisco.com" or "security-alert at cisco.com"
for software upgrades.

Customers with Service Contracts
================================

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
=================================================

Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations, such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
===================================

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, which includes special
localized telephone numbers, instructions, and e-mail addresses for use
in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of any vulnerability described in this advisory.

Status of this Notice: FINAL
===========================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at: 
http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml.

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-teams at first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+-------------------------------------------------------------+
| Revision 1.0   | 2007-Feb-14   | Initial public release     |
+-------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

- -----------------------------------------------------------------------
All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights
reserved. 
- -----------------------------------------------------------------------

Updated: Feb 14, 2007                                Document ID: 77853

- -----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFF0zgX8NUAbBmDaxQRAo18AKCSYlklTJv76352vQ5DMwUTAdod1gCffdnT
HhbxlsAN8Rt4qfbeZcbDIAs=
=cqoN
-----END PGP SIGNATURE-----


More information about the cisco-nsp mailing list