In association with heise online

03 May 2007, 12:30

Cisco PIX and ASA vulnerable to DoS and unauthorized access

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Network equipment manufacturer Cisco has reported the discovery of security holes in its PIX and ASA Products that allow attackers to provoke a denial of service or gain unauthorized access to devices or the network. The manufacturer has provided software updates.

A processing path not specified in greater detail can be used to cause devices that use a server for the Lightweight Directory Access Protocol (LDAP) for authentication to give unauthorized attackers access to the network or even to the device itself. Appliances that provide IPSec tunnels via CHAP, MS-CHAPv1 or MS-CHAPv2 authentication and check authorisation via LDAP are affected. Access to the device's configuration is possible if these appliances verify user accounts for such management services as Telnet, SSH, and HTTP by means of an LDAP server.

If the appliance provides VPN Terminals, attackers can provoke a denial of service if the access passwords have an expiration date; if the attack succeeds, the device reboots. The flaw concerns both SSL-VPN connections and IPSec-VPN, but attackers have to know a valid group name and its password to exploit the hole in IPSec. Furthermore, attackers can exploit a "race condition" in the SSL-VPN-HTTP server used in the client-less SSL-VPN mode to cause the device to reboot.

Yet another DoS vulnerability concerns the function that passes on DHCP relays. If a PIX or ASA receives multiple DHCPACK replies from different servers for DHCPREQUEST or DHCPINFORM requests, an internal buffer that stores ethernet frames can overflow. The devices then reject all subsequent packets and no longer route traffic.

Cisco is providing versions 7.1(2)49 and 7.2(2)8, 7.2(2)17 and 7.2(2)19, which are no longer vulnerable to these flaws, to registered users. Cisco has also remedied the DHCP relay vulnerability as of version 7.2 (2.15) and later of its operating system software.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit