
Cisco ASA and PIX Denial of Service and Security Bypass Vulnerabilities

VUPEN ID VUPEN/ADV-2009-0981
CVE ID CVE-2009-1155 - CVE-2009-1156 - CVE-2009-1157 - CVE-2009-1158 - CVE-2009-1159 - CVE-2009-1160
Rated as Moderate Risk 
Release Date 2009-04-09

Technical Description

Multiple vulnerabilities have been identified in Cisco ASA and PIX, which could be exploited by attackers to bypass security restrictions or cause a denial of service.

The first issue is caused by an unspecified error when the override account feature is enabled, which could allow VPN users to bypass authentication.

The second vulnerability is caused by an error when processing specially crafted SSL or HTTP packets, which could allow attackers to cause a denial of service on a vulnerable Cisco ASA device that is configured to terminate SSL VPN connections. A TCP three-way handshake is needed to exploit this vulnerability.

The third issue is caused by a memory leak when processing specially crafted TCP packets, which could allow attackers to cause a denial of service on a vulnerable Cisco ASA device that is configured for SSL VPNs, ASDM Administrative Access, Telnet Access, SSH Access, cTCP for Remote Access VPNs, Virtual Telnet, Virtual HTTP, TLS Proxy for Encrypted Voice Inspection, Cut-Through Proxy for Network Access, or TCP Intercept. A TCP three-way handshake is not needed to exploit this vulnerability.

The fourth vulnerability is caused by an error when processing specially crafted H.323 packets, which could allow attackers to cause a denial of service on a vulnerable Cisco ASA device that is configured with H.323 inspection. A TCP three-way handshake is not needed to exploit this vulnerability.

The fifth issue is caused by an error when processing a series of SQL*Net packets, which could allow attackers to cause a denial of service on a Cisco ASA or Cisco PIX device that is configured with SQL*Net inspection (enabled by default). A TCP three-way handshake is needed to exploit this vulnerability.

The sixth vulnerability is caused by an unspecified error which may allow traffic to bypass the implicit deny statement on any ACL applied on the vulnerable device.
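
The following added example, which is not part of the original advisory, checks a saved running-config for the features that the six issues above depend on. The CLI keywords are standard ASA/PIX commands assumed here rather than taken from the page, the sample config is constructed, and a match shows feature exposure only: the software version must still be compared against the fixed releases in the Cisco advisory.

```python
import re

# Assumption: these are standard ASA/PIX CLI keywords, not text from the advisory.
SSLVPN = r"^webvpn\n(?:[ \t]+.*\n)*?[ \t]+enable \S+"  # SSL VPN enabled on an interface
CHECKS = {
    "1 override account": [r"^[ \t]*override-account-disable\b"],
    "2 SSL/HTTP DoS": [SSLVPN],
    "3 TCP memory leak DoS": [
        SSLVPN, r"^http server enable",                      # SSL VPN, ASDM access
        r"^(?:telnet|ssh) \S+ \S+ \S+$",                     # address mask interface
        r"^crypto isakmp ipsec-over-tcp\b.*",                # cTCP
        r"^virtual (?:telnet|http) \S+", r"^tls-proxy \S+",
        r"^aaa authentication (?:match|include) .+",         # cut-through proxy
        r"^[ \t]*set connection .*embryonic-conn-max \d+",   # TCP intercept
    ],
    "4 H.323 inspection DoS": [r"^[ \t]*inspect h323\b.*"],
    "5 SQL*Net inspection DoS": [r"^[ \t]*inspect sqlnet\b"],
    "6 ACL implicit deny bypass": [r"^access-group \S+ (?:in|out) interface \S+"],
}

def audit(config):
    """Return {issue: [matching config lines]} for the features that are present."""
    text = config.replace("\r\n", "\n").rstrip("\n") + "\n"
    hits = {}
    for issue, patterns in CHECKS.items():
        found = [m.group(0).strip().splitlines()[-1].strip()
                 for pat in patterns for m in re.finditer(pat, text, re.MULTILINE)]
        if found:
            hits[issue] = found
    return hits

# Constructed sample running-config (illustrative only, not from a real device).
SAMPLE = """\
ssh 192.0.2.0 255.255.255.0 inside
ssh timeout 5
http server enable
access-group OUTSIDE_IN in interface outside
webvpn
 enable outside
policy-map global_policy
 class inspection_default
  inspect sqlnet
  inspect h323 h225
tunnel-group VPN general-attributes
 override-account-disable
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
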

Affected Products

Cisco ASA (Adaptive Security Appliances) version 7.1
Cisco ASA (Adaptive Security Appliances) version 8.0
Cisco ASA (Adaptive Security Appliances) version 8.1
Cisco PIX version 7.1
Cisco PIX version 7.2
Cisco PIX version 8.0
Cisco PIX version 8.1

Solution 

Apply fixes:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml

References

http://www.vupen.com/english/advisories/2009/0981
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html

Credits 

Vulnerabilities reported by Gregory W. MacPherson and Robert J. Combo (Verizon Business), Jon Ramsey, Jeff Jarmoc, and Fernando Medrano (SecureWorks), and the vendor.

Changelog 

2009-04-09: Initial release
