Vulnslist


Multiple Vulnerabilities in Cisco ASA Software

cisco-sa-20130410-asa · High · Published · Updated

Cisco ASA Software is affected by the following vulnerabilities:

- IKE Version 1 Denial of Service Vulnerability
- Crafted URL Denial of Service Vulnerability
- Denial of Service During Validation of Crafted Certificates
- DNS Inspection Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others. Successful exploitation of any of these vulnerabilities may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Cisco has released software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by some of the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-fwsm

Workarounds

IKE Version 1 Denial of Service Vulnerability
Disabling IKE version 1, if feasible, will mitigate this vulnerability. Note that disabling IKE version 1 will disable IPsec-based VPN tunnels (LAN-to-LAN and remote access) that are configured to use IKE version 1 for Security Association (SA) negotiation and establishment. However, if administrators use only SSL VPN (remote access only), it may be possible to disable IKE version 1 with no impact to the VPN solution. IKE version 1 can be disabled with the global configuration commands no crypto isakmp enable (Cisco ASA Software 8.3.x and earlier) or no crypto ikev1 enable (Cisco ASA Software 8.4.x and later).

IKE version 2 is not affected by this vulnerability, so migrating to IKE version 2 and disabling IKE version 1 will eliminate this vulnerability.

Crafted URL Denial of Service Vulnerability
Disabling AAA for network access control and HTTP(S) listening ports to authenticate network users, if feasible, will mitigate this vulnerability. HTTP(S) listening ports to authenticate network users can be disabled with the global configuration command no aaa authentication listener.

Denial of Service During Validation of Crafted Certificates
There are no workarounds that mitigate this vulnerability.

DNS Inspection Denial of Service Vulnerability
Disabling DNS inspection, if feasible, will mitigate this vulnerability. The following commands will disable the DNS inspection that is configured by default:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect dns
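As an added example (not part of the Cisco advisory or this Vulnslist page), the following Python check reads an ASA running-configuration excerpt and reports which of the three workarounds above are already in place, so an operator can audit a fleet of devices before patching. The configuration text is constructed for the example; it assumes the standard ASA CLI forms in which these features show up in a running config (crypto ikev1 enable / crypto isakmp enable, aaa authentication listener, and inspect dns nested under class inspection_default in policy-map global_policy).

```python
import re

# Constructed sample of an ASA 8.4+ running-config excerpt (not a real device).
SAMPLE_CONFIG = """\
hostname ciscoasa
crypto ikev1 enable outside
aaa authentication listener http outside port 1080
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
 class class-default
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
"""


def dns_inspection_active(config: str) -> bool:
    """True if 'inspect dns' is configured under class inspection_default
    of policy-map global_policy (the default inspection the advisory names)."""
    in_policy = in_class = False
    for line in config.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        text = line.strip()
        if indent == 0:                      # top-level statement
            in_policy = text == "policy-map global_policy"
            in_class = False
            continue
        if in_policy and indent == 1:        # class block inside the policy-map
            in_class = text == "class inspection_default"
            continue
        if in_policy and in_class and indent >= 2 and text.startswith("inspect dns"):
            return True
    return False


def check_workarounds(config: str) -> dict:
    """Map each advisory workaround to whether the config already applies it."""
    lines = [l.strip() for l in config.splitlines()]
    # IKEv1 is on when 'crypto ikev1 enable <if>' (8.4+) or 'crypto isakmp enable <if>' (8.3-) exists.
    ikev1 = any(re.match(r"crypto (ikev1|isakmp) enable\b", l) for l in lines)
    listener = any(l.startswith("aaa authentication listener ") for l in lines)
    return {
        "ikev1_disabled": not ikev1,
        "aaa_listener_disabled": not listener,
        "dns_inspection_disabled": not dns_inspection_active(config),
    }


if __name__ == "__main__":
    for name, applied in check_workarounds(SAMPLE_CONFIG).items():
        print(f"{name}: {'applied' if applied else 'NOT applied'}")
```

Feed it the output of show running-config; the sample above reports all three workarounds as NOT applied, since IKEv1, the AAA listener and default DNS inspection are all present.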

CVEs: CVE-2013-1149, CVE-2013-1150, CVE-2013-1151, CVE-2013-1152
Cisco Bug IDs: CSCub85692, CSCuc72408, CSCuc80080, CSCud16590, CSCud20267
CVSS Score: Base 7.8
Base 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
Base 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
Product Names From Source

Cisco Firewall Services Module (FWSM), Cisco Adaptive Security Appliance (ASA) Software 8.2.1, Cisco Adaptive Security Appliance (ASA) Software 8.2.2, Cisco Adaptive Security Appliance (ASA) Software 8.2.3, Cisco Adaptive Security Appliance (ASA) Software 8.2.4, Cisco Adaptive Security Appliance (ASA) Software 8.2.5, Cisco Adaptive Security Appliance (ASA) Software 8.4.1, Cisco Adaptive Security Appliance (ASA) Software 8.4.2, Cisco Adaptive Security Appliance (ASA) Software 8.4.3, Cisco Adaptive Security Appliance (ASA) Software 8.4.4, Cisco Adaptive Security Appliance (ASA) Software 8.4.5, Cisco Adaptive Security Appliance (ASA) Software 9.0.1, Cisco Adaptive Security Appliance (ASA) Software 9.0.2, Cisco Adaptive Security Appliance (ASA) Software

Related Products

Product CVE Evidence
Cisco Firewall Services Module (FWSM) CVE-2013-1152 Cisco OpenVuln
Cisco Firewall Services Module (FWSM) CVE-2013-1151 Cisco OpenVuln
Cisco Firewall Services Module (FWSM) CVE-2013-1150 Cisco OpenVuln
Cisco Firewall Services Module (FWSM) CVE-2013-1149 Cisco OpenVuln
Cisco Adaptive Security Appliance (ASA) Software CVE-2013-1152 Cisco OpenVuln
Cisco Adaptive Security Appliance (ASA) Software CVE-2013-1151 Cisco OpenVuln
Cisco Adaptive Security Appliance (ASA) Software CVE-2013-1150 Cisco OpenVuln
Cisco Adaptive Security Appliance (ASA) Software CVE-2013-1149 Cisco OpenVuln