Home / Cisco Security / Security Advisories

Cisco Security Advisory

Multiple Vulnerabilities in Cisco ASA Software

Critical
Advisory ID:
cisco-sa-20141008-asa
First Published:
2014 October 8 16:00 GMT
Last Updated:
2015 July 9 15:14 GMT
Version 3.0:
Interim
Workarounds:
See below
CVE-2014-3382
CVE-2014-3383
CVE-2014-3384

More...

CWE-16
CWE-20
CWE-287
More...
CVSS Score:
Base 9.0, Temporal 7.4Click Icon to Copy Verbose Score
AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE-2014-3382
CVE-2014-3383
CVE-2014-3384

More...

CWE-16
CWE-20
CWE-287
More...

Summary

  • 2015-July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue.

    Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
    • Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
    • Cisco ASA VPN Denial of Service Vulnerability
    • Cisco ASA IKEv2 Denial of Service Vulnerability
    • Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
    • Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
    • Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
    • Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
    • Cisco ASA VPN Failover Command Injection Vulnerability
    • Cisco ASA VNMC Command Input Validation Vulnerability
    • Cisco ASA Local Path Inclusion Vulnerability
    • Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
    • Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
    • Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
    These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

    Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA Health and Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

    Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

    Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

    Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

    Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).


    Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

    This advisory is available at the following link:
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Affected Products

  • Cisco ASA Software running on the following products is affected by multiple vulnerabilities:
    • Cisco ASA 5500 Series Adaptive Security Appliances
    • Cisco ASA 5500-X Series Next-Generation Firewalls
    • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
    • Cisco ASA 1000V Cloud Firewall
    • Cisco Adaptive Security Virtual Appliance (ASAv)
    Affected releases of Cisco ASA Software will vary depending on the specific vulnerability. Consult the "Software Versions and Fixes" section of this security advisory for more information about the affected releases.

    Vulnerable Products

    Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability

    Cisco ASA Software is affected by this vulnerability if SQL*Net inspection is enabled.

    To determine whether SQL*Net inspection is enabled, use the show service-policy | include sqlnet command and verify that an output is returned. The following example shows the Cisco ASA Software with SQL*Net inspection enabled: 
    ciscoasa# show service-policy | include sqlnet
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
    Note: SQL*Net inspection is enabled by default.

    Cisco ASA VPN Denial of Service Vulnerability

    Cisco ASA Software is affected by this vulnerability if the system is configured to terminate IKEv1 and IKEv2 VPN connections. This includes LAN-to-LAN, Remote Access VPN both via the IPSec VPN client and IKEv2 AnyConnect VPN, and L2TP over IPSec VPN connections. Clientless or AnyConnect SSL VPNs are not affected by this vulnerability.

    To determine if the Cisco ASA is configured to terminate IKEv1 or IKEv2 VPN connections, a crypto map should be configured for at least one interface. Administrators should use the show running-config crypto map | include interface command and verify that it returns output. The following example shows a crypto map called cmap configured on the outside interface: 
    ciscoasa# show running-config crypto map | include interface
crypto map outside_map interface outside
    Note: IKEv1 or IKEv2 VPN are not configured by default.

    Cisco ASA IKEv2 Denial of Service Vulnerability

    Cisco ASA Software is affected by this vulnerability if the system is configured to terminate IKEv2 VPN connections. This includes LAN-to-LAN IKEv2 and AnyConnect IKEv2 VPN connections. To determine whether IKEv2 VPN is enabled use the show running-config crypto ikev2 | include enable command and verify that the command returns output. The following example shows a Cisco ASA with IKEv2 VPN enabled on the interface outside: 
    ciscoasa# show running-config crypto ikev2 | include enable
crypto ikev2 enable outside
    In addition to having IKEv2 enabled, the Cisco ASA needs to have a crypto map configured on the interface where IKEv2 is enabled. This can be determined by using the show running-config crypto map | include interface command and verifying that it returns output. The following example shows a crypto map called cmap configured on the outside interface: 
    ciscoasa# show running-config crypto map | include interface
crypto map outside_map interface outside
    Note: IKEv2 VPN is not enabled by default.

    Cisco ASA Health and Performance Monitor Denial of Service Vulnerability

    Cisco ASA Software is affected by this vulnerability if health and performance monitoring (HPM) for ASDM is enabled.

    To determine whether HPM is enabled, use the show running-config | include hpm command and verify that an output is returned. The following example shows the Cisco ASA Software with the HPM feature enabled:

    ciscoasa# show running-config | include hpm
ciscoasa# hpm topn enable
    Note: HPM is not enabled by default.

    Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability

    Cisco ASA Software is affected by this vulnerability if GPRS Tunneling Protocol (GTP) inspection is enabled.

    To determine whether GTP inspection is enabled, use the show service-policy | include gtp command and verify that an output is returned. The following example shows the Cisco ASA Software with GTP inspection enabled: 
    ciscoasa# show service-policy | include gtp
Inspect: gtp, packet 0, drop 0, reset-drop 0
    Note: GTP inspection is not enabled by default.

    Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability

    Cisco ASA Software is affected by this vulnerability if SunRPC inspection is enabled.

    To determine whether SunRPC inspection is enabled, use the show service-policy | include sunrpc command and verify that an output is returned. The following example shows the Cisco ASA Software with SunRPC inspection enabled: 
    ciscoasa# show service-policy | include sunrpc
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
    Note: SunRPC inspection is enabled by default.

    Cisco ASA DNS Inspection Engine Denial of Service Vulnerability

    Cisco ASA Software is affected by this vulnerability if DNS inspection is enabled.

    To determine whether DNS inspection is enabled, use the show service-policy | include dns command and verify that an output is returned. The following example shows the Cisco ASA Software with DNS inspection enabled: 
    ciscoasa# show service-policy | include dns
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0
    Note: DNS inspection is enabled by default.

    Cisco ASA VPN Failover Command Injection Vulnerability

    Cisco ASA Software is affected by this vulnerability if the system is configured to terminate any type of VPN connections, except Clientless SSL VPN, and it is configured in high availability (HA) mode (also known as failover mode).

    Administrators can use the show running-config crypto map | include interface command to verify if any type of IKEv1 or IKEv2 IPSec VPNs are configured on the system and the show running-config webvpn | include anyconnect command to verify if AnyConnect SSL VPN is configured. The following example shows a Cisco ASA with both IPSec and AnyConnect SSL VPNs configured: 
    ciscoasa# show running-config webvpn | include anyconnect enable
 anyconnect enable
ciscoasa# show run crypto map | include interface
 crypto map outside_map interface outside
    Administrators can use the show failover command and verify that the failover is ON to determine if high availability mode is configured. The following example shows a Cisco ASA with high availability mode enabled: 
    ciscoasa# show failover
Failover On
[...]
    Note: This vulnerability affects only HA configurations that do not use a failover key to protect failover traffic. HA and VPN are not enabled by default.

    Cisco ASA VNMC Command Input Validation Vulnerability

    All Cisco ASA running an affected version of software are affected by this vulnerability.

    Cisco ASA Local Path Inclusion Vulnerability

    All Cisco ASA running an affected version of software are affected by this vulnerability.

    Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability

    Cisco ASA Software is affected by this vulnerability if the Clientless SSL VPN portal is enabled. To determine whether the Clientless SSL VPN portal is enabled use the show running-config webvpn command and verify that webvpn is enabled on at least one interface. The following example shows a Cisco ASA with the Clientless SSL VPN portal enabled on the outside interface: 
    ciscoasa# show running-config webvpn 
webvpn
 enable outside
 [...]
    Note: The Clientless SSL VPN portal is not enabled by default.

    Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability

    Cisco ASA Software is affected by this vulnerability if the following conditions are met:
    1. Clientless SSL VPN portal functionality is enabled
    2. A default customization object or a newly created customization object for Clientless SSL VPN portal has to be previewed in ASDM
    To determine whether the Clientless SSL VPN portal is enabled use the show running-config webvpn command and verify that webvpn is enabled at least on one interface. The following example shows a Cisco ASA with the Clientless SSL VPN portal enabled on the outside interface: 
    ciscoasa# show running-config webvpn 
webvpn
 enable outside
 [...]
    There is no method to determine if a preview of a customization object has been done. The following method is used to preview a customization object. In ASDM navigate to CLIENTLESS SSL VPN ACCESS -> PORTAL -> CUSTOMIZATION -> PREVIEW.

    Additional Indicator of Compromise for Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
    Customers running a vulnerable configuration should verify that the portal customization has not been compromised. Customers can verify that the portal has not been compromised by exporting the customization objects and manually verifying that the objects do not include malicious code.

    The new custom object and default customization object (DfltCustomization) should be analyzed. To export an SSL VPN portal customization object, use the export webvpn customization command, where the is the name of the SSL VPN portal customization object being exported and is the name of the file that will include a copy of the customization object.

    The following example shows how to export the default customization object DfltCustomization to a file called Customization_to_verify

    ciscoasa# export webvpn customization DfltCustomization Customization_to_verify
    The Customization_to_verify file is stored on the device disk and can be exported for further analysis.

    Customers should repeat this process for all of the customization objects that are present on the system.
    Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

    Cisco ASA Software is affected by this vulnerability if the Smart Call Home (SCH) feature is configured or has been configured on the system. When the feature is configured, a digital certificate trustpoint called _SmartCallHome_ServerCA is automatically installed on the system. To determine whether this trustpoint is installed, use the show running-config crypto ca trustpoint _SmartCallHome_ServerCA command and verify that it returns output. The following example shows a Cisco ASA with this trustpoint installed: 
    ciscoasa# show running-config crypto ca trustpoint _SmartCallHome_ServerCA
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
    Note: The presence of this trustpoint would make the system vulnerable; however, this vulnerability cannot be exploited unless there is another feature configured that relies on digital certificates validation services. Examples of these features are digital certificate authentication for VPN or ASDM connections or TLS-Proxy and Phone-proxy. SCH is not enabled by default.

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by these vulnerabilities.

    Details

    • Cisco Adaptive Security Appliance (ASA) Software is the operating system used by the Cisco ASA 5500 Series Adaptive Security Appliances, the Cisco ASA 5500-X Next Generation Firewall, the Cisco ASA Services Module (ASASM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, the Cisco ASA 1000V Cloud Firewall, and the Cisco Adaptive Security Virtual Appliance (ASAv). The Cisco ASA family provides network security services such as firewall, intrusion prevention system (IPS), anti-X, and VPN.

      Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability

      A vulnerability in SQL*Net inspection engine code could allow an unauthenticated, remote attacker to cause a reload of the affected system.

      The vulnerability is due to improper handling of crafted SQL REDIRECT packets. An attacker could exploit this vulnerability by sending a crafted sequence of REDIRECT packets through the affected system.

      Note: Only transit traffic that is inspected by the Cisco ASA SQL*Net inspection engine can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multiple context mode. This vulnerability can be triggered by IP version 4 (IPv4) and IP version 6 (IPv6) traffic.

      This vulnerability is documented in Cisco bug ID CSCum46027 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-3382.

      Cisco ASA VPN Denial of Service Vulnerability

      A vulnerability in the IKE code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause the reload of an affected system.

      The vulnerability is due to insufficient validation of UDP packets. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow an attacker to cause a reload of an affected system.

      Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IP version 4 (IPv4) and IP version 6 (IPv6) traffic.

      This vulnerability is documented in Cisco bug ID CSCul36176 (registered customers only) and has been assigned CVE ID CVE-2014-3383.

      Cisco ASA IKEv2 Denial of Service Vulnerability

      A vulnerability in the IKEv2 code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause the reload of an affected system.
      The vulnerability is due to improper handling of crafted IKEv2 packets. An attacker could exploit this vulnerability by sending a crafted packet during the establishment of an IKEv2 tunnel. An exploit could allow the attacker to cause a reload of the affected system leading to a DoS condition

      Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

      This vulnerability is documented in Cisco bug ID CSCum96401 (registered customers only) and has been assigned CVE ID CVE-2014-3384.

      Cisco ASA Health and Performance Monitor Denial of Service Vulnerability

      A vulnerability in Health and Performance Monitoring (HPM) for ASDM functionality of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of an affected device and eventual denial of service (DoS) condition.

      The vulnerability is due to a race condition in the operation of the HPM functionality. An attacker could exploit this vulnerability by sending a large number of half-open simultaneous connections to be established through the affected device. An exploit could allow the attacker to cause a reload of an affected device, which could lead to a DoS condition.

      Note: Only transit TCP traffic can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

      This vulnerability is documented in Cisco bug ID CSCum00556 (registered customers only) and has been assigned CVE ID CVE-2014-3385.

      Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability

      A vulnerability in the GPRS Tunneling Protocol (GTP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause the reload of an affected system.

      The vulnerability is due to improper handling of GTP packets when sent in a specific sequence. An attacker could exploit this vulnerability by sending crafted GTP packets through an affected system. An exploit could allow the attacker to cause the reload of an affected system

      Note: Only transit traffic that is inspected by the Cisco ASA GTP inspection engine can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multiple context mode. This vulnerability can only be triggered by IPv4 traffic.

      This vulnerability is documented in Cisco bug ID CSCum56399 (registered customers only) and has been assigned CVE ID CVE-2014-3386.

      Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability

      A vulnerability in the SunRPC inspection engine of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause the reload of an affected system.

      The vulnerability is due to insufficient validation of crafted SunRPC packets. An attacker could exploit this vulnerability by sending crafted SunRPC packets through the affected system. An exploit could allow the attacker to cause the reload of an affected system.

      Note: Only transit traffic that is inspected by the Cisco ASA SunRPC inspection engine can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

      This vulnerability is documented in Cisco bug ID CSCun11074 (registered customers only) and has been assigned CVE ID CVE-2014-3387.

      Cisco ASA DNS Inspection Engine Denial of Service Vulnerability

      A vulnerability in the DNS inspection engine of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause the reload of an affected system.
      The vulnerability is due to insufficient validation of crafted DNS packets. An attacker could exploit this vulnerability by sending crafted DNS packets through the affected system. An exploit could allow the attacker to cause the reload of an affected system.

      Note: Only transit traffic that is inspected by the Cisco ASA DNS inspection engine can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

      This vulnerability is documented in Cisco bug ID CSCuo68327 (registered customers only) and has been assigned CVE ID CVE-2014-3388.

      Cisco ASA VPN Failover Command Injection Vulnerability

      A vulnerability in the VPN code of Cisco ASA Software could allow an authenticated, remote attacker to submit configuration commands to the standby unit via the failover interface. As result, an attacker could be able to take full control of both the active and standby failover units.

      The vulnerability is due to improper implementation of the internal filter for packets coming from an established VPN tunnel. An attacker could exploit this vulnerability by sending crafted packets directed to the failover interface IP address.

      Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects only systems configured in routed firewall mode and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

      This vulnerability is documented in Cisco bug ID CSCuq28582 (registered customers only) and has been assigned CVE ID CVE-2014-3389.

      Cisco ASA VNMC Command Input Validation Vulnerability

      A vulnerability in the Virtual Network Management Center (VNMC) policy code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, local attacker to access the underlying Linux operating system with the privileges of the root user.

      The vulnerability is due to insufficient sanitization of user supplied input. An attacker could exploit this vulnerability by logging in to an affected system as administrator, copying a malicious script onto the disk, and executing the script.

      Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multiple context mode. In default configuration, Administration or privilege 15 access is needed in order to exploit this vulnerability.

      This vulnerability is documented in Cisco bug ID CSCuq41510 (registered customers only) and CSCuq47574 (registered customers only) and has been assigned CVE ID CVE-2014-3390.

      Cisco ASA Local Path Inclusion Vulnerability

      A vulnerability in the function that exports environment variables of Cisco ASA Software could allow an authenticated, local attacker to inject a malicious library and take complete control of the system.

      The vulnerability is due to improper setting of the LD_LIBRARY_PATH environment. An attacker could exploit this vulnerability by copying a malicious library onto the affected system's external memory and triggering a reload of the system. An exploit could allow the attacker to force the affected system to load a malicious library and access the underlying Linux OS, which could lead to a full compromise of the system.

      Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multiple context mode. In order to exploit this vulnerability a reload of the system is needed. In default configuration, Administration or privilege 15 access is needed in order to exploit this vulnerability.

      This vulnerability is documented in Cisco bug ID CSCtq52661 (registered customers only) and has been assigned CVE ID CVE-2014-3391.

      Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability

      A vulnerability in the Clientless SSL VPN portal feature could allow an unauthenticated, remote attacker to access random memory locations. Due to this vulnerability, the attacker may be able to access the information stored in memory and in some cases may be able to corrupt this portion of memory, which could lead to a reload of the affected system.

      The vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by setting random values on parameters passed during access to the Clientless SSL VPN portal.

      Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects only systems configured in routed firewall mode and only in single context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic. A valid TCP handshake is required to exploit this vulnerability.

      This vulnerability is documented in Cisco bug ID CSCuq29136 (registered customers only) and has been assigned CVE ID CVE-2014-3392.

      Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability

      A vulnerability in the Clientless SSL VPN portal customization framework could allow an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal, which could lead to several attacks including the stealing of credentials, cross-site scripting (XSS), and other types of web attacks on the client using the affected system.

      The vulnerability is due to a improper implementation of authentication checks in the Clientless SSL VPN portal customization framework. An attacker could exploit this vulnerability by modifying some of the customization objects in the RAMFS cache file system. An exploit could allow the attacker to bypass Clientless SSL VPN authentication and modify the portal content.

      Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects only systems configured in routed firewall mode and only in single context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic. A valid TCP handshake is required to exploit this vulnerability.

      This vulnerability is documented in Cisco bug ID CSCup36829 (registered customers only) and has been assigned CVE ID CVE-2014-3393.

      Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

      A vulnerability in the Smart Call Home (SCH) feature of Cisco ASA Software could allow an unauthenticated, remote attacker to bypass digital certificate validation if any feature that uses digital certificates is configured on the affected system.

      The vulnerability exists because when SCH is configured, a trustpoint, including a VeriSign certificate, is automatically installed. An attacker could exploit this vulnerability by presenting a valid certificate signed by VeriSign when authenticating to the affected system. An exploit could allow the attacker, for example, to bypass digital certificate authentication when used by a given feature. Examples of features that could be configured to use digital certificates validation include VPN and Adaptive Security Device Management (ASDM) authentication, TLS Proxy, and Phone Proxy.

      Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic. A valid TCP handshake is required to exploit this vulnerability.

      This vulnerability is documented in Cisco bug ID CSCun10916 (registered customers only) and has been assigned CVE ID CVE-2014-3394.

    Workarounds

    • For the following vulnerabilities there is no workaround except disabling the affected feature:
      • Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
      • Cisco ASA VPN Denial of Service Vulnerability
      • Cisco ASA IKEv2 Denial of Service Vulnerability
      • Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
      • Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
      • Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
      • Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
      • Cisco ASA VNMC Command Input Validation Vulnerability
      • Cisco ASA Local Path Inclusion Vulnerability
      • Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
      • Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
      • Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
      Note: For the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability, removing the SCH configuration will not remove the trustpoint. In order to eliminate the trustpoint, the administrator should use the no crypto ca trustpoint command. The following example shows how to remove the trustpoint enabled by the SCH feature. Removing this trustpoint will cause SCH to stop working correctly. 
      ciscoasa(config)# no crypto ca trustpoint _SmartCallHome_ServerCA
      For the Cisco ASA VPN Failover Command Injection Vulnerability, configuring a failover key would provide a workaround for this issue. To configure a failover key, use the failover key command. The following example shows how to configure a failover key named cisco-key: 
      ciscoasa(config)#failover key cisco-key
      Note: The use of the failover ipsec command will not provide a workaround to this issue.

    Fixed Software

    • When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

      In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

      Each row of the following Cisco ASA Software table lists the first fixed release for each of the vulnerabilities described in this advisory for each Cisco ASA major release. The last row of the table gives information about the release version that includes the fix for all the vulnerabilities described in this advisory for each Cisco ASA major release. Customers should upgrade to a release that is equal to or later than these release versions.



      		 7.2
      		8.2
      		8.3
      		8.4
      		8.5
      		8.6
      		8.7
      		9.0
      		9.1
      		9.2
      		9.3
      CSCum46027 - Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability

      7.2(5.13)

      8.2(5.50)

      8.3(2.42)

      8.4(7.15)

      8.5(1.21)

      8.6(1.14)

      8.7(1.13)

      9.0(4.5)

      9.1(5.1)

      		Not Affected Not Affected
      CSCul36176 - Cisco ASA VPN Denial of Service Vulnerability

      Not Affected

      Not Affected

      Not Affected

      Not Affected

      Not Affected

      Not Affected

      Not Affected

      Not Affected

      9.1(5.1)1

      		Not Affected Not Affected
      CSCum96401 - Cisco ASA IKEv2 Denial of Service Vulnerability Not Affected Not Affected Not Affected 8.4(7.15) Not Affected 8.6(1.14) Not Affected 9.0(4.8) 9.1(5.1) Not Affected Not Affected
      CSCum00556 - Cisco ASA Health and Performance Monitor Denial of Service Vulnerability

      Not Affected

      Not Affected

      8.3(2.42)

      8.4(7.11)

      8.5(1.19)

      8.6(1.13)

      8.7(1.11)

      9.0(4.8)

      9.1(4.5)

      		Not Affected Not Affected
      CSCum56399 - Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability

      Not Affected

      8.2(5.51)

      Not Affected

      8.4(7.15)

      Not Affected

      Not Affected

      		 8.7(1.13)

      9.0(4.8)

      9.1(5.1)

      		Not Affected Not Affected
      CSCun11074 - Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability 7.2(5.14) 8.2(5.51) 8.3(2.42) 8.4(7.23) 8.5(1.21) 8.6(1.14) 8.7(1.13)
      		 9.0(4.5) 9.1(5.3) Not Affected Not Affected
      CSCuo68327 - Cisco ASA DNS Inspection Engine Denial of Service Vulnerability Not Affected Not Affected Not Affected Not Affected Not Affected Not Affected Not Affected 9.0(4.13)2 9.1(5.7)2 9.2(2) Not Affected

      CSCuq28582 - Cisco ASA VPN Failover Command Injection Vulnerability

      		 7.2(5.15) 8.2(5.51) 8.3(2.42) 8.4(7.23)
      		Not Affected 8.6(1.15) Not Affected
      		 9.0(4.24) 9.1(5.12) 9.2(2.6) 9.3(1.1)

      CSCuq41510 and CSCuq47574 - Cisco ASA VNMC Command Input Validation Vulnerability

      		 Not Affected Not Affected Not Affected Not Affected Not Affected Not Affected 8.7(1.14) Not Affected Not Affected 9.2(2.8) 9.3(1.1)
      CSCtq52661 - Cisco ASA Local Path Inclusion Vulnerability Not Affected
      		8.2(5.52)
      		 Not Available - Upgrade to 8.4 or later 8.4(3) Not Available - Upgrade to 9.0 or later Not Affected
      		8.7(1.13) Not Affected
      		Not Affected
      		Not Affected Not Affected
      CSCuq29136 - Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability Not Affected 8.2(5.51) 8.3(2.42) 8.4(7.23) Not Affected 8.6(1.15) Not Affected 9.0(4.24) 9.1(5.12) 9.2(2.8) 9.3(1.1)
      CSCup36829 - Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability3 Not Affected 8.2(5.51)3 8.3(2.42)3 8.4(7.23)3
      		 Not Affected 8.6(1.14)3
      		 Not Affected 9.0(4.24)3 9.1(5.12)3 9.2(2.4)3
      		 Not Affected
      CSCun10916 - Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability Not Affected 8.2(5.50) Not Affected 8.4(7.15) Not Affected 8.6(1.14) 8.7(1.13) 9.0(4.8) 9.1(5.1) Not Affected
      		 Not Affected
      Recommended release that fixes all the vulnerabilities in this security advisory 7.2(5.15) and later
             		8.2(5.52) and later Not Available - Upgrade to 8.4 or later 8.4(7.23) and later Not Available - Upgrade to 9.0 or later
             		8.6(1.15) and later 8.7(1.14) and later 9.0(4.24) and later 9.1(5.12) and later 9.2(2.8) and later 9.3(1.1) and later

      1The Cisco ASA VPN Denial of Service Vulnerability was introduced in Cisco ASA Software release 9.1(4.3)
      2The Cisco ASA DNS Inspection Engine Denial of Service Vulnerability was introduced in Cisco ASA Software releases 9.0(4.8) and 9.1(5.2).
      3Customers affected by the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability should read the "Important Note about Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability" section for additional information on how to mitigate this vulnerability.

      Note: Cisco ASA Software release 9.3(1.1) will be available by November 10, 2014

      Important Note about Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
      Customers running a vulnerable configuration, regardless of the software release, should verify that the portal customization has not been compromised. While upgrading to a fixed version of Cisco ASA Software prevents this vulnerability from being exploited further, it will not modify any customization objects that have already been compromised and are present on the system. If an attacker has already compromised a customization object, the compromised object will stay persistent after the upgrade.

      To verify whether a customization object has been compromised, follow the instruction in "Additional Indicator of Compromise for Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability" that are included in the "Vulnerable Products" section of this advisory.

      The following method can be used to restore the default customization object (DfltCustomization):
      1. Export the default template to a file. The following example shows how to export the default template to a file called default_template
        2. ciscoasa# export webvpn customization Template default_template
      2. Import the default template as default customization object (DfltCustomization):
      ciscoasa# import webvpn customization DfltCustomization default_template
      Note: This will override any changes done to the default customization object (DfltCustomization). It is not possible to remove the default customization object (DfltCustomization) from the system.

      The import webvpn customization command can also be used to restore non-default customization objects after these have been manually edited and verified. It is possible to remove any non-default customization object by using ASDM and navigating to CLIENTLESS SSL VPN ACCESS -> PORTAL -> CUSTOMIZATION. In the CUSTOMIZATION panel, select the non-default customization objects and click on Delete.
      

      Software Download
      
Cisco ASA Software can be downloaded from the Software Center on Cisco.com by visiting http://www.cisco.com/cisco/software/navigator.html
      

      
For Cisco ASA 5500 Series Adaptive Security Appliances and Cisco ASA 5500-X Next Generation Firewall navigate to Products
> Security > Firewalls > Adaptive Security Appliances (ASA)
> Cisco ASA 5500 Series Adaptive Security Appliances >  > Adaptive Security Appliance (ASA) Software. Please note that some of these versions are interim versions and can be found by expanding the Interim tab on the download page.
      

      
For the Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, navigate to Products
> Cisco Interfaces and Modules > Cisco Services Modules >
Cisco Catalyst 6500 Series / 7600 Series ASA Services Module >
Adaptive Security Appliance (ASA) Software. Please note that some of these versions are interim versions and can be found by expanding the Interim tab on the download page.
      

      
For the Cisco ASA 1000V Cloud Firewall, navigate to Products
> Security > Firewalls > Adaptive Security Appliances (ASA)
> Cisco ASA 1000V Cloud Firewall > Adaptive Security Appliance
(ASA) Software.
      

      
For the Cisco Adaptive Security Virtual Appliance (ASAv), navigate to Products
> Security > Firewalls > Adaptive Security Appliances (ASA)
> Cisco Adaptive Security Virtual Appliance (ASAv) > Adaptive Security Appliance
(ASA) Software.
      

      • 

    

    

    
                          Exploitation and Public Announcements
                          
                        
    

    

      

    • 

      The Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability were reported to Cisco by Alec Stuart-Muirk. 
      

      
Exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability have been demonstrated at the Ruxcon 2014 security conference by Alec Stuart-Muirk.
      

      
The Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability was reported to Cisco by Hyrum M from SecurityMetrics.
      
A blog post by Hyrum M is also publicly available that demonstrates an exploit of this vulnerability.
      

      
All the other vulnerabilities described in this advisory have been found during internal tests or during the resolution of support cases.
      

      
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements concerning the other vulnerabilities described in this advisory.
      

      
The Cisco PSIRT is aware of malicious use of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability.
      
Customer are advise to read through the "Important Note about Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability" in the "Software Versions and Fixes" section of this security advisory and to upgrade to a version that includes the fix for this vulnerability
      

      
2015-July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue. 
      

      
The Cisco PSIRT is not aware of malicious use of the other vulnerabilities that are described in this advisory.
      

      • 

    


    

    

    
        Cisco Security Vulnerability Policy
        
      
    

    

      

    • 

      

      To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
      

      

      • 

    

    

    Subscribe to Cisco Security Notifications
    

    


    

    
          
          Action Links for This Advisory
        
    

    


    

    
          
          Related to This Advisory
        
    

    


    

    

    

    
                        URL
                        
                      
    

    


    

    
                        Revision History
                        
                      
    

    

      

    • 

      
	
		
      
			Revision 3.0
			2015-July-09
			Moved the July 8 update information to the top of the Summary section. 
		
      
		
      
			Revision 3.0
			2015-July-08
			Updated the ?Summary? and ?Exploitation and Public Announcements" sections of this advisory with additional information on CSCul36176 - Cisco ASA VPN Denial of Service Vulnerability.
		
      
		
      
			Revision 2.0
			2015-February-11
			Added important information about Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability - CSCup36829 - in the "Vulnerable Products," "Software Versions and Fixes," and "Exploitation and Public Announcements" sections of this advisory.
		
      
		
      
			Revision 1.2
			2015-January-13
			Added information about first fixed release for CSCtq52661.
		
      
		
      
			Revision 1.1
			2014-October-24
			Updated the target date for Cisco ASA Software version 9.3(1.1) and the "Exploitation and Public Announcements" Section.
		
      
		
      
			Revision 1.0
			2014-October-08
			Initial public release.
		
      
	      

      
Show Less

      

      • 

    



    

    


    



    

    

    
        Cisco Security Vulnerability Policy
        
      
    

    

      

    • 

      

      To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
      

      

      • 

    

    

    Subscribe to Cisco Security Notifications
    

    


    

    
          
          Action Links for This Advisory
        
    

    


    

    
          
          Related to This Advisory