CVE-2015-0675: Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software
The failover ipsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(6), 9.2 before 9.2(3.3), and 9.3 before 9.3(3) does not properly validate failover communication messages, which allows remote attackers to reconfigure an ASA device, and consequently obtain administrative control, by sending crafted UDP packets over the local network to the failover interface, aka Bug ID CSCur21069.
Cisco ASA Failover Command Injection Vulnerability
Cisco ASA Software is affected by this vulnerability if the system is configured in high availability mode (also known as failover mode) and the failover ipsec feature is configured to protect failover communications.
To determine whether Cisco ASA Software is configured for failover, use the show failover command and verify that Failover is set to On. The following example shows a Cisco ASA with failover mode enabled:
ciscoasa# show failover
Failover On
[…]
To determine whether the failover ipsec feature is enabled, use the show running-config failover | include ipsec command and verify that it returns output.
The following example shows a Cisco ASA with the failover ipsec feature enabled:
ciscoasa# show running-config failover | include ipsec
failover ipsec pre-shared-key *****
Note: Cisco ASA configurations using the failover key command are not affected by this vulnerability. The failover ipsec feature is not enabled by default.
Cisco ASA DNS Memory Exhaustion Vulnerability
Cisco ASA Software is affected by this vulnerability if at least one DNS server IP address is configured under a DNS server group. This can be configured either as part of the configuration of the default DNS server group (DefaultDNS) or configured under a user-defined DNS server group.
To determine whether a DNS server IP address is configured, use the show running-config dns server-group command and verify that the name-server parameter includes an IP address.
The following example shows a Cisco ASA configured with a DNS server IP 192.168.1.1 as part of the DefaultDNS server group.
ciscoasa# show running-config dns server-group
DNS server-group DefaultDNS
name-server 192.168.1.1
Note: The DNS name-server value is not configured by default in any DNS server group.
Cisco ASA VPN XML Parser Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if the system is configured for AnyConnect SSL VPN, Clientless SSL VPN, or AnyConnect IKEv2 VPN. Cisco ASA Software configured for any other type of VPN is not affected by this vulnerability.
To determine whether the system is configured for AnyConnect or Clientless SSL VPN, use the show running-config webvpn command and verify that webvpn is enabled on at least one interface. The following example shows a Cisco ASA with SSL VPN enabled on the outside interface:
ciscoasa# show running-config webvpn
webvpn
enable outside
[…]
To determine whether the system is configured for AnyConnect IKEv2 VPN, use the show running-config crypto ikev2 | include enable command and verify that the client-services parameter is present. The following example shows a Cisco ASA with AnyConnect IKEv2 VPN enabled on the interface outside:
ciscoasa# show running-config crypto ikev2 | include enable
crypto ikev2 enable outside client-services port 443
Note: SSL VPN and AnyConnect IKEv2 VPN features are not enabled by default.
Determining the Running Software Version
To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the show version command. The following example shows an appliance running Cisco ASA Software version 9.2(1):
ciscoasa#show version | include Version
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.4(1)
Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage devices can locate the software version in the table that is displayed in the login window or in the upper-left corner of the Cisco ASDM window.
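The determination steps above (failover ipsec, DNS name-server, SSL/IKEv2 VPN, and the version check) can be applied offline to saved show output when many appliances have to be triaged. The script below is an added example, not Cisco's tooling and not part of the advisory; the first-fixed releases are taken from the advisory text, the regular expressions assume the output formats shown on this page, and the sample output is constructed rather than captured from a real device.

```python
"""Offline triage of Cisco ASA 'show' output against the conditions in this
advisory: failover ipsec, DNS name-server, SSL/IKEv2 VPN, and the version check.
Added example, not Cisco's tooling; regexes assume the output formats on the page."""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per affected train, from the advisory text.
# Other trains are not covered here and are reported as None (unknown).
FIRST_FIXED = {"9.1": (6,), "9.2": (3, 3), "9.3": (3,)}


def parse_version(show_version_output: str) -> Optional[str]:
    """Pull the ASA software version string out of 'show version' output."""
    m = re.search(r"Adaptive Security Appliance Software Version (\S+)", show_version_output)
    return m.group(1) if m else None


def version_is_fixed(version: str) -> Optional[bool]:
    """True if version >= the first fixed release of its train, False if older,
    None if the train is not 9.1/9.2/9.3 or the string does not parse."""
    m = re.fullmatch(r"(\d+\.\d+)\(([\d.]+)\)", version)
    if not m or m.group(1) not in FIRST_FIXED:
        return None
    interim = tuple(int(x) for x in m.group(2).split("."))
    # Tuple comparison orders 9.2(3) < 9.2(3.3) < 9.2(4) correctly.
    return interim >= FIRST_FIXED[m.group(1)]


def failover_ipsec_exposed(show_failover_output: str, failover_config: str) -> bool:
    """Page condition: Failover is On AND 'failover ipsec' is configured.
    A 'failover key' line alone does not count."""
    failover_on = re.search(r"^Failover On\b", show_failover_output, re.M) is not None
    ipsec_configured = re.search(r"^failover ipsec\b", failover_config, re.M) is not None
    return failover_on and ipsec_configured


def dns_name_servers(dns_config: str) -> List[Tuple[str, str]]:
    """(server-group, ip) pairs for every name-server under a DNS server-group."""
    group, found = None, []
    for line in dns_config.splitlines():
        g = re.match(r"^DNS server-group (\S+)", line)
        if g:
            group = g.group(1)
            continue
        ns = re.match(r"^\s*name-server (\S+)", line)
        if ns and group:
            found.append((group, ns.group(1)))
    return found


def ssl_vpn_interfaces(webvpn_config: str) -> List[str]:
    """Interfaces on which 'enable <ifname>' appears under webvpn."""
    return re.findall(r"^\s*enable (\S+)", webvpn_config, re.M)


def ikev2_client_services_interfaces(ikev2_config: str) -> List[str]:
    """Interfaces with 'crypto ikev2 enable <ifname> client-services'."""
    return re.findall(r"^crypto ikev2 enable (\S+) client-services", ikev2_config, re.M)


def triage(outputs: Dict[str, str]) -> Dict[str, object]:
    """Combine the checks; keys of `outputs` name the show command that was collected."""
    version = parse_version(outputs.get("show version", ""))
    return {
        "version": version,
        "version_fixed": version_is_fixed(version) if version else None,
        "failover_ipsec": failover_ipsec_exposed(
            outputs.get("show failover", ""),
            outputs.get("show running-config failover", "")),
        "dns_name_servers": dns_name_servers(
            outputs.get("show running-config dns server-group", "")),
        "ssl_vpn_interfaces": ssl_vpn_interfaces(
            outputs.get("show running-config webvpn", "")),
        "ikev2_vpn_interfaces": ikev2_client_services_interfaces(
            outputs.get("show running-config crypto ikev2", "")),
    }


# Constructed sample output (not from a real device), following the formats on the page.
SAMPLE = {
    "show version": "Cisco Adaptive Security Appliance Software Version 9.2(1)\n"
                    "Device Manager Version 7.4(1)\n",
    "show failover": "Failover On\nFailover unit Primary\n",
    "show running-config failover": "failover\nfailover lan unit primary\n"
                                    "failover ipsec pre-shared-key *****\n",
    "show running-config dns server-group": "DNS server-group DefaultDNS\n name-server 192.168.1.1\n",
    "show running-config webvpn": "webvpn\n enable outside\n anyconnect enable\n",
    "show running-config crypto ikev2": "crypto ikev2 enable outside client-services port 443\n",
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Each check returns the evidence (interfaces, server-group/IP pairs) rather than a bare flag, so the result can be attached to a ticket; a `version_fixed` of `None` means the train is outside the three the advisory lists and needs manual review rather than being treated as safe.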
Cisco ASA FirePOWER Services and Cisco ASA Context-Aware (CX) Services are not affected by this vulnerability.
No other Cisco products are currently known to be affected by these vulnerabilities.