Gladiator Research and Security

GSA Reference Number: AD090409-01

Simply Put: Cisco has announced a number of newly discovered vulnerabilities in both their Cisco ASA 5500 Series and Cisco PIX Security Appliances running 7.x and 8.x firmware versions.  These vulnerabilities cover SSL and IPSec VPN Connectivity, Access-List Restrictions, and Packet Inspection.  The vulnerabilities in this latest Cisco release are considered critical by Gladiator. We will be reviewing all CoreDefense monitored Cisco ASA and PIX devices for susceptibility.

Attack Details:

Cisco’s Security Advisory includes six separate vulnerabilities:

• Remote VPN Authentication Bypass – When the Account Override Feature is implemented in IPSec or SSL Remote VPNs it allows for a user to potentially bypass VPN authentication.
• Denial of Service Vulnerabilities (4) – An attacker has the ability to specifically craft packets that can result in a reboot of the Security appliance, thus creating a Denial of Service attack based on the services running on the Firewall or the inspection of certain protocols (H.323, SQL *Net).
• Access Control List Bypass – A vulnerability exists which could lead to an attacker bypassing the implicit deny listed in access control lists by default.  This vulnerability could lead to access from unauthorized sources.

Countermeasures: Cisco has released IOS patches for each of the vulnerabilities listed above. Do not attempt applying these updates without assistance from your network support vendor, if applicable.  Gladiator CoreDefense customers with devices affected by this vulnerability will be contacted and patched to Cisco’s Recommended Release Versions.

Reference Links:

• Cisco Security Advisory Bundle (http://www.cisco.com/en/US/products/products_security_advisory09186a0080a994f6.shtml)
• Secunia Cisco ASA and PIX Multiple Vulnerabilities (http://secunia.com/advisories/34607)