CVE-2014-3394: Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software
The Smart Call Home (SCH) implementation in Cisco ASA Software 8.2 before 8.2(5.50), 8.4 before 8.4(7.15), 8.6 before 8.6(1.14), 8.7 before 8.7(1.13), 9.0 before 9.0(4.8), and 9.1 before 9.1(5.1) allows remote attackers to bypass certificate validation via an arbitrary VeriSign certificate, aka Bug ID CSCun10916.
Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if SQL*Net inspection is enabled.
To determine whether SQL*Net inspection is enabled, use the show service-policy | include sqlnet command and verify that an output is returned. The following example shows the Cisco ASA Software with SQL*Net inspection enabled:
ciscoasa# show service-policy | include sqlnet
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Note: SQL*Net inspection is enabled by default.
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if the system is configured to terminate IKEv1 and IKEv2 VPN connections. This includes LAN-to-LAN, Remote Access VPN both via the IPSec VPN client and IKEv2 AnyConnect VPN, and L2TP over IPSec VPN connections. Clientless or AnyConnect SSL VPNs are not affected by this vulnerability.
To determine whether the Cisco ASA is configured to terminate IKEv1 or IKEv2 VPN connections, check that a crypto map is configured on at least one interface. Administrators should use the show running-config crypto map | include interface command and verify that it returns output. The following example shows a crypto map called outside_map configured on the outside interface:
ciscoasa# show running-config crypto map | include interface
crypto map outside_map interface outside
Note: IKEv1 and IKEv2 VPNs are not configured by default.
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if the system is configured to terminate IKEv2 VPN connections. This includes LAN-to-LAN IKEv2 and AnyConnect IKEv2 VPN connections. To determine whether IKEv2 VPN is enabled, use the show running-config crypto ikev2 | include enable command and verify that the command returns output. The following example shows a Cisco ASA with IKEv2 VPN enabled on the interface outside:
ciscoasa# show running-config crypto ikev2 | include enable
crypto ikev2 enable outside
In addition to having IKEv2 enabled, the Cisco ASA needs to have a crypto map configured on the interface where IKEv2 is enabled. This can be determined by using the show running-config crypto map | include interface command and verifying that it returns output. The following example shows a crypto map called outside_map configured on the outside interface:
ciscoasa# show running-config crypto map | include interface
crypto map outside_map interface outside
Note: IKEv2 VPN is not enabled by default.
Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if health and performance monitoring (HPM) for ASDM is enabled.
To determine whether HPM is enabled, use the show running-config | include hpm command and verify that an output is returned. The following example shows the Cisco ASA Software with the HPM feature enabled:
ciscoasa# show running-config | include hpm
hpm topn enable
Note: HPM is not enabled by default.
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if GPRS Tunneling Protocol (GTP) inspection is enabled.
To determine whether GTP inspection is enabled, use the show service-policy | include gtp command and verify that an output is returned. The following example shows the Cisco ASA Software with GTP inspection enabled:
ciscoasa# show service-policy | include gtp
      Inspect: gtp, packet 0, drop 0, reset-drop 0
Note: GTP inspection is not enabled by default.
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if SunRPC inspection is enabled.
To determine whether SunRPC inspection is enabled, use the show service-policy | include sunrpc command and verify that an output is returned. The following example shows the Cisco ASA Software with SunRPC inspection enabled:
ciscoasa# show service-policy | include sunrpc
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Note: SunRPC inspection is enabled by default.
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if DNS inspection is enabled.
To determine whether DNS inspection is enabled, use the show service-policy | include dns command and verify that an output is returned. The following example shows the Cisco ASA Software with DNS inspection enabled:
ciscoasa# show service-policy | include dns
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Note: DNS inspection is enabled by default.
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA Software is affected by this vulnerability if the system is configured to terminate any type of VPN connections, except Clientless SSL VPN, and it is configured in high availability (HA) mode (also known as failover mode).
Administrators can use the show running-config crypto map | include interface command to verify if any type of IKEv1 or IKEv2 IPSec VPNs are configured on the system and the show running-config webvpn | include anyconnect command to verify if AnyConnect SSL VPN is configured. The following example shows a Cisco ASA with both IPSec and AnyConnect SSL VPNs configured:
ciscoasa# show running-config webvpn | include anyconnect enable
 anyconnect enable
ciscoasa# show run crypto map | include interface
crypto map outside_map interface outside
Administrators can use the show failover command and verify that the failover is ON to determine if high availability mode is configured. The following example shows a Cisco ASA with high availability mode enabled:
ciscoasa# show failover
Failover On
[…]
Note: This vulnerability affects only HA configurations that do not use a failover key to protect failover traffic. HA and VPN are not enabled by default.
Cisco ASA VNMC Command Input Validation Vulnerability
All Cisco ASA devices running an affected version of the software are affected by this vulnerability.
Cisco ASA Local Path Inclusion Vulnerability
All Cisco ASA devices running an affected version of the software are affected by this vulnerability.
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if the Clientless SSL VPN portal is enabled. To determine whether the Clientless SSL VPN portal is enabled, use the show running-config webvpn command and verify that webvpn is enabled on at least one interface. The following example shows a Cisco ASA with the Clientless SSL VPN portal enabled on the outside interface:
ciscoasa# show running-config webvpn
webvpn
 enable outside
[…]
Note: The Clientless SSL VPN portal is not enabled by default.
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Software is affected by this vulnerability if the following conditions are met:
- Clientless SSL VPN portal functionality is enabled
- A default customization object or a newly created customization object for Clientless SSL VPN portal has to be previewed in ASDM
To determine whether the Clientless SSL VPN portal is enabled, use the show running-config webvpn command and verify that webvpn is enabled on at least one interface. The following example shows a Cisco ASA with the Clientless SSL VPN portal enabled on the outside interface:
ciscoasa# show running-config webvpn
webvpn
 enable outside
[…]
There is no method to determine if a preview of a customization object has been done. The following method is used to preview a customization object. In ASDM navigate to CLIENTLESS SSL VPN ACCESS -> PORTAL -> CUSTOMIZATION -> PREVIEW.
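The per-vulnerability configuration checks above (inspection engines, crypto maps, IKEv2, HPM, failover without a failover key, and the webvpn portal) can be evaluated offline against saved show output when many devices have to be triaged. The following is an added example written for this page, not code from Cisco or from the advisory; the sample configuration and service-policy text are constructed to mirror the advisory's examples, and the assumption that a configured failover key appears as a line beginning "failover key" is noted in the code.

```python
import re

# Constructed sample output modelled on the advisory's examples, not a real
# device capture. Assumed ASA layout: webvpn sub-mode lines indented one space.
RUNNING_CONFIG = """\
crypto ikev2 enable outside
crypto map outside_map interface outside
hpm topn enable
failover
webvpn
 enable outside
 anyconnect enable
"""
SERVICE_POLICY = """\
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
"""
FAILOVER_STATUS = "Failover On\n"

def inspect_enabled(service_policy: str, engine: str) -> bool:
    """Same test as 'show service-policy | include <engine>' returning a line."""
    return re.search(rf"^\s*Inspect: {re.escape(engine)}\b", service_policy, re.M) is not None

def config_has(cfg: str, pattern: str) -> bool:
    """True if some line of the running config matches the anchored pattern."""
    return re.search(pattern, cfg, re.M) is not None

def webvpn_block(cfg: str) -> str:
    """The indented sub-mode lines following the top-level 'webvpn' line."""
    m = re.search(r"^webvpn\n((?: .*\n)*)", cfg, re.M)
    return m.group(1) if m else ""

def exposure(cfg: str, service_policy: str, failover_status: str) -> dict:
    """Map each advisory condition to whether this configuration meets it."""
    ipsec_vpn = config_has(cfg, r"^crypto map \S+ interface \S+")
    webvpn = webvpn_block(cfg)
    anyconnect = config_has(webvpn, r"^ anyconnect enable$")
    # Assumption: a configured failover key shows up as a "failover key" line.
    ha_no_key = "Failover On" in failover_status and not config_has(cfg, r"^failover key\b")
    return {
        "sqlnet_inspection_dos": inspect_enabled(service_policy, "sqlnet"),
        "vpn_dos": ipsec_vpn,
        "ikev2_dos": ipsec_vpn and config_has(cfg, r"^crypto ikev2 enable \S+"),
        "hpm_dos": config_has(cfg, r"^hpm\b"),
        "gtp_inspection_dos": inspect_enabled(service_policy, "gtp"),
        "sunrpc_inspection_dos": inspect_enabled(service_policy, "sunrpc"),
        "dns_inspection_dos": inspect_enabled(service_policy, "dns"),
        "vpn_failover_cmd_injection": (ipsec_vpn or anyconnect) and ha_no_key,
        "clientless_portal_enabled": config_has(webvpn, r"^ enable \S+"),
    }
```

The ASDM preview condition for the portal customization vulnerability is not visible in the configuration, so it is deliberately not part of the result; treat "clientless_portal_enabled" as the necessary but not sufficient condition the advisory describes.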
Additional Indicator of Compromise for Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Customers running a vulnerable configuration should verify that the portal customization has not been compromised. Customers can verify that the portal has not been compromised by exporting the customization objects and manually verifying that the objects do not include malicious code.
The new custom object and default customization object (DfltCustomization) should be analyzed. To export an SSL VPN portal customization object, use the export webvpn customization