lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-id: <201507090459.6.asa@psirt.cisco.com>
Date: Thu,  9 Jul 2015 04:59:13 -0400
From: Cisco Systems Product Security Incident Response Team <psirt@...co.com>
To: bugtraq@...urityfocus.com
Cc: psirt@...co.com
Subject: Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Multiple Vulnerabilities in Cisco ASA Software

Advisory ID: cisco-sa-20141008-asa
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Revision 3.0

Last Updated  2015 July 8 21:04  UTC (GMT)

For Public Release 2014 October 8 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

    Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
    Cisco ASA VPN Denial of Service Vulnerability
    Cisco ASA IKEv2 Denial of Service Vulnerability
    Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
    Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
    Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
    Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
    Cisco ASA VPN Failover Command Injection Vulnerability
    Cisco ASA VNMC Command Input Validation Vulnerability
    Cisco ASA Local Path Inclusion Vulnerability
    Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
    Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
    Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA Health and Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).


2015-July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue. 

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa




-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJVnjTyAAoJEIpI1I6i1Mx3RjwP/RvUACR95bYhiGShkRFed7SP
wDEL7WNBor2EI58IlgEiyHeWgngheD2NreZ2VC7VdVETKFLPauvdZElNuz5r/Uy+
06BkkE3w9Y/LVKbytUfCtCA+rH426M9AyX0oiG7PvYGsYmADIPri+H/Y3O6jKZjO
0pPW3hxiaDaiYTGvFwMsOSzcVLGJnJIn2+ikBCnwXrdrgSB0OGNmXwVxdNFeo6Qs
qTGW5975HzSI4llgLANS2uYFysPu113xLUXs6qzjV9to3KBWD2fz0/shrSuNaqi3
0saMjeRsNCoMbqKIlSRDzb4w3IezyI5Dh+lk5QFEoGFfuWMmozAx8is8ydTTuY31
VMoKa5P9Xma5vJi/q8Artjisowjt22NQujgf6BcatZcVAOmMgF6X4ZJylzK9IqFi
A15CPIWNLf60CQU4qJAjWc9ehPdnbVG96jdx7cOMX+9OODZS3DYX+X0WvjH3xzlK
S3oDi50VMxBBn+BfzRYgH/Hr3llHyArLxM7NWzGvG6hPunuzuBNcZay64mtirc8p
v4bO8if+MqCRSOTB7CnpJNRtoJyWEODAQfjv+KOlQGuLU5NDNKcByZN37V3kxvkP
wuV/ioB4aAsx/MQo/7acG6rMYFMo88Qxz0iR4oAw0o3iJ5r+2NPSEpCpydATalTW
WyeXlTfXSEW0Bu5VuC1i
=FVjc
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ