Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.1244 Multiple vulnerabilities have been identified in Cisco Adaptive Security Appliance 18 May 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Adaptive Security Appliance Publisher: Cisco Systems Operating System: Cisco Impact/Access: Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2016-1385 CVE-2016-1379 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160517-asa-vpn https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160517-asa-xml Comment: This bulletin contains two (2) Cisco Systems security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Security Advisory Cisco Adaptive Security Appliance XML Parser Denial of Service Vulnerability Medium Advisory ID: cisco-sa-20160517-asa-xml Published: 2016 May 17 00:00 GMT Version 1.0: Final CVSS Score: Base - 6.8 Workarounds: No workarounds available Cisco Bug IDs: CSCut14209 CVE-2016-1385 CWE-119 Summary A vulnerability in XML parser code of Cisco Adaptive Security Appliance Software could allow an authenticated, remote attacker to cause system instability or a reload of the affected system. The vulnerability is due to insufficient hardening of the XML parser configuration. An attacker could exploit this vulnerability in multiple ways by utilizing a malicious file. An attacker with administrative privileges could exploit this by uploading a malicious XML file on the system and trigger the XML code to parse the malicious file. Additionally, an attacker with Clienteles SSL VPN access could exploit this vulnerability by sending a crafted XML file. An exploit would allow the attacker to crash the XML parser process, which could cause system instability, memory exhaustion, and in some cases lead to a reload of the affected system. Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160517-asa-xml Affected Products If the attacker has administrative privileges, the exposure does not depend on the actual configuration. In the scenario where the attacker has access to a Clientless SSL VPN session, Cisco Adaptive Security Appliance software is vulnerable if the Clientless SSL VPN feature and File Access (also known as Browse Networks) via Common Internet File System (CIFS) or FTP is allowed. Vulnerable Products All Cisco Adaptive Security Appliance releases are affected by this vulnerability Products Confirmed Not Vulnerable No other Cisco products are currently known to be affected by this vulnerability. Workarounds Workarounds are not available. Fixed Software When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers should upgrade to an appropriate release as indicated in the following table. In the table, the left column lists major releases of Cisco ASA Software. The right column indicates whether a major release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability. Cisco ASA Major Release First Fixed Release Prior to 9.0 Affected. Migrate to 9.1(7.6) or later 9.0 Affected. Migrate to 9.1(7.6) or later 9.1 9.1(7.6) 9.2 9.2(4.8) 9.3 9.3(3.8) 9.4 9.4(2.6) 9.5 9.5(2.6) 9.6 Not affected Exploitation and Public Announcements The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source This vulnerability was found during internal security tests. URL http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160517-asa-xml Revision History Version Description Section Status Date 1.0 Initial public release. - Final 2016-May-17 Legal Disclaimer THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products. - ------------------------------------------------------------------------------- Cisco Security Advisory Cisco Adaptive Security Appliance VPN Memory Block Exhaustion Vulnerability Medium Advisory ID: cisco-sa-20160517-asa-vpn Published: 2016 May 17 14:00 GMT Version 1.0: Final CVSS Score: Base - 6.3 Workarounds: No workarounds available Cisco Bug IDs: CSCuv70576 CVE-2016-1379 CWE-399 Summary A vulnerability in the IPsec code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause the depletion of a memory block, which may cause the system to stop forwarding traffic and result in a denial of service (DoS) condition. The vulnerability is due to an error in the implementation of ICMP error handling for IPsec packets. An attacker could exploit this vulnerability by sending crafted packets through an established LAN-to-LAN or Remote Access VPN tunnel. A successful exploit could allow the attacker to deplete available memory and cause system instability or cause the system to stop forwarding traffic. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160517-asa-vpn Affected Products Cisco ASA Software is affected by this vulnerability if the system is configured for Internet Key Exchange Version 1 (IKEv1) or Internet Key Exchange Version 2 (IKEv2) LAN-to-LAN VPN or IKEv1 or IKEv2 Remote Access VPN with Layer 2 Tunneling Protocol and IPsec (L2TP-IPsec), and the set validate-icmp-errors command is configured in the crypto map. The set validate-icmp-errors command is not configured by default. To determine whether the set validate-icmp-errors command is configured, administrators can issue the show run | set validate-icmp-errors command and verify that the command returns output. Cisco ASA Software that is configured for Clientless VPN or AnyConnect SSL VPN is not affected by this vulnerability. Vulnerable Products Cisco ASA Software releases 9.0 and later are affected by this vulnerability. Products Confirmed Not Vulnerable No other Cisco products are currently known to be affected by this vulnerability. Workarounds There are no workarounds that address this vulnerability. Fixed Software When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers should upgrade to an appropriate release as indicated in the following table. In the table, the left column lists major releases of Cisco ASA Software. The right column indicates whether a major release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability. Cisco ASA Major Release First Fixed Release Prior to 9.0 Not affected 9.0 9.0(4.39) 9.1 9.1(6.9) 9.2 9.2(4.1) 9.3 9.3(3.9) 9.4 9.4(2) 9.5 9.5(1.4) 9.6 Not affected Exploitation and Public Announcements The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source This vulnerability was found during the resolution of support cases. URL http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160517-asa-vpn Revision History Version Description Section Status Date 1.0 Initial public release. - Final 2016-May-17 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVzvCNX6ZAP0PgtI9AQLOChAAirjzwAvDzafRT753S0X3p0ZUpUWtS91c o+pSxM6TyLfk4Sgoi3ePqmMrm+QLB9pU1jMEZs5MgiFvTaYO/3BGd1JRYDzpnXwl msS4ZnYA6lWnht6QmHjvz3FBoH0bDGCwu2+rcjwin7IPYukJX8Y84JMdLxO/j5KP tb8x3Oqvz+D00vEJqTEEpa0pvrMPYUSn7SMIorq/muxtOBrOU+JEX4bLOnRLppkW RGKzQsFp7lsAkS83F20gKGQWtDyIQe9YqAkH9T2oPsgwIMQlM2X3/2afPAi4Hy7x yzt7lC53eIPrcmpcam6sZAJcTOi5hjRnpjO7Z8UBe/7RQq+Y9AE8atuEVxyXM/nZ 3yD+6AiuXcaRaiu5u/qXfbYXVvCrm+XfyPzwzufGo/mtJCh7CtdQ91U23jlIsDzj uPEKe5rVvvyQR+Ll9hDDbAOw7rVrh0J9s9wVghzGzW+PK7u7SeP6ScQOnsj3DMt6 SEyuFicrZPbOYKVMxZba6hvXGJhDtcJMdwcR+KgiZg2UOiki75Whoti8jCEyy19H kUkLms8vXGZr5oHX7uWCTqXLtLLfm8ef/xzxkXdeDreb0LkgISm/7RGaURvJd9vz 8lvqcBs+CF6FlteyThIU2VIj5GvJePcYNR25k6b2sPd+J7YGSxbljuXf9RmQJCVP nO2TcvfMb6w= =RB3w -----END PGP SIGNATURE-----