ESB-2018.2978 - [Cisco] Cisco Adaptive Security Appliance: Multiple vulnerabilities 2018-10-04


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2978
          Multiple vulnerabilities have been identified in Cisco
                        Adaptive Security Appliance
                              4 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Adaptive Security Appliance
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15399 CVE-2018-15398 CVE-2018-15397
                   CVE-2018-15383  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-acl-bypass
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-dma-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-ipsec-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-syslog-dos

Comment: This bulletin contains four (4) Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco Adaptive Security Appliance Access Control List Bypass Vulnerability

Priority:           Medium
Advisory ID:        cisco-sa-20181003-asa-acl-bypass
First Published:    2018 October 3 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvj91858
CVE-2018-15398
CWE-284
CVSS Score:         Base 5.8
CVSS:               3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

    A vulnerability in the per-user-override feature of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to bypass an access control
    list (ACL) that is configured for an interface of an affected device.

    The vulnerability is due to errors that could occur when the affected
    software constructs and applies per-user-override rules. An attacker could
    exploit this vulnerability by connecting to a network through an affected
    device that has a vulnerable configuration. A successful exploit could
    allow the attacker to access resources that are behind the affected device
    and would typically be protected by the interface ACL.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-acl-bypass

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products that are running a vulnerable
    release of Cisco Adaptive Security Appliance (ASA) Software or Cisco
    Firepower Threat Defense (FTD) Software and meet all the following
    conditions:

      - At least one interface ACL has the per-user-override feature
        (per-user-override) enabled.
      - At least one remote access VPN connection profile or site-to-site VPN
        connection profile (tunnel-group) is configured and associated with a
        group policy (group-policy) that specifies a filter ACL (vpn-filter).
      - A VPN tunnel that is associated with an affected connection profile
        (tunnel-group) is currently up.

    Note: In Cisco FTD Software, the per-user-override feature can be enabled
    via FlexConfig only.

    For information about affected software releases, consult the Cisco bug
    ID(s) at the top of this advisory.
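    The first two conditions above are visible in the running configuration.
    The following script is an illustration added to this bulletin, not part of
    Cisco's advisory or tooling: it parses the access-group, group-policy and
    tunnel-group lines of a constructed sample configuration and reports whether
    both configuration conditions hold. The third condition (a tunnel on such a
    tunnel-group currently up) is runtime state and is not checked.

```python
"""Audit an ASA running-config for the two configuration preconditions of
CVE-2018-15398 (cisco-sa-20181003-asa-acl-bypass): an interface ACL applied
with per-user-override, and a tunnel-group whose group-policy carries a
vpn-filter.  Added example; not Cisco's code.  The sample config below is
constructed to resemble ASA syntax.  The third precondition (a tunnel on that
tunnel-group currently up) is runtime state and is not checked here.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant fragments of a running-config.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443
access-group OUTSIDE_IN in interface outside per-user-override
access-group DMZ_IN in interface dmz
group-policy GP_RA internal
group-policy GP_RA attributes
 vpn-filter value RA_FILTER
group-policy GP_L2L internal
group-policy GP_L2L attributes
 vpn-tunnel-protocol ikev2
tunnel-group RA_PROFILE type remote-access
tunnel-group RA_PROFILE general-attributes
 default-group-policy GP_RA
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_L2L
"""

ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (?:in|out) interface (\S+)(.*)$")
GP_ATTR_RE = re.compile(r"^group-policy (\S+) attributes$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")


@dataclass
class Findings:
    per_user_override_ifaces: dict = field(default_factory=dict)  # interface -> ACL name
    filtered_group_policies: dict = field(default_factory=dict)   # group-policy -> vpn-filter ACL
    tunnel_group_policy: dict = field(default_factory=dict)       # tunnel-group -> group-policy

    def exposed_tunnel_groups(self):
        """Tunnel-groups whose default group-policy specifies a vpn-filter."""
        return sorted(tg for tg, gp in self.tunnel_group_policy.items()
                      if gp in self.filtered_group_policies)

    def config_conditions_met(self):
        """True when conditions 1 and 2 of the advisory both hold."""
        return bool(self.per_user_override_ifaces) and bool(self.exposed_tunnel_groups())


def audit_config(config_text):
    """Walk the config once, tracking which attributes block indented lines belong to."""
    findings = Findings()
    block = None  # ("gp" | "tg", name) for the attributes block currently open
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():
            # Top-level command: closes any open attributes block.
            block = None
            line = raw.strip()
            m = ACCESS_GROUP_RE.match(line)
            if m and "per-user-override" in m.group(3).split():
                findings.per_user_override_ifaces[m.group(2)] = m.group(1)
                continue
            m = GP_ATTR_RE.match(line)
            if m:
                block = ("gp", m.group(1))
                continue
            m = TG_ATTR_RE.match(line)
            if m:
                block = ("tg", m.group(1))
            continue
        if block is None:
            continue
        kind, name = block
        parts = raw.split()
        if kind == "gp" and parts[:2] == ["vpn-filter", "value"] and len(parts) == 3:
            findings.filtered_group_policies[name] = parts[2]
        elif kind == "tg" and parts[0] == "default-group-policy" and len(parts) == 2:
            # Group policies can also be assigned by AAA at connect time, so a
            # config-only audit gives a lower bound on exposed tunnel-groups.
            findings.tunnel_group_policy[name] = parts[1]
    return findings


if __name__ == "__main__":
    f = audit_config(SAMPLE_CONFIG)
    print("per-user-override interfaces:", f.per_user_override_ifaces)
    print("tunnel-groups with a vpn-filter group-policy:", f.exposed_tunnel_groups())
    print("configuration preconditions met:", f.config_conditions_met())
```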

    Determine the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco ASA
    Software Release 9.4(4):

        ciscoasa# show version | include Version

        Cisco Adaptive Security Appliance Software Version 9.4(4)
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determine the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For information about fixed software releases, consult the Cisco bug ID(s)
    at the top of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-acl-bypass

Revision History

    +----------+---------------------------+----------+--------+------------------+
    | Version  |        Description        | Section  | Status |       Date       |
    +----------+---------------------------+----------+--------+------------------+
    | 1.0      | Initial public release.   | --       | Final  | 2018-October-03  |
    +----------+---------------------------+----------+--------+------------------+


Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.


- --------------------------------------------------------------------------------

Cisco Security Advisory

Cisco Adaptive Security Appliance Direct Memory Access Denial of Service
Vulnerability

Priority:           High
Advisory ID:        cisco-sa-20181003-asa-dma-dos
First Published:    2018 October 3 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvj89470
CVE-2018-15383
CWE-400 
CVSS Score:         Base 8.6
CVSS:               3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the cryptographic hardware accelerator driver of
    Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat
    Defense (FTD) Software could allow an unauthenticated, remote attacker to
    cause an affected device to reload, resulting in a temporary denial of
    service (DoS) condition.

    The vulnerability exists because the affected devices have a limited amount
    of Direct Memory Access (DMA) memory and the affected software improperly
    handles resources in low-memory conditions. An attacker could exploit this
    vulnerability by sending a sustained, high rate of malicious traffic to an
    affected device to exhaust memory on the device. A successful exploit could
    allow the attacker to exhaust DMA memory on the affected device, which
    could cause the device to reload and result in a temporary DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-dma-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco Adaptive Security Appliance (ASA) Software or
    Cisco Firepower Threat Defense (FTD) Software:

      - ASA 5506-X with FirePOWER Services
      - ASA 5506H-X with FirePOWER Services
      - ASA 5506W-X with FirePOWER Services
      - ASA 5508-X with FirePOWER Services
      - ASA 5516-X with FirePOWER Services

    This vulnerability also affects the preceding products if FirePOWER
    Services are not installed or enabled.

    For information about which Cisco ASA Software and Cisco FTD Software
    releases are vulnerable, see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

      - 3000 Series Industrial Security Appliances (ISAs)
      - 7600 Series ASA Services Module
      - Adaptive Security Virtual Appliance (ASAv)
      - ASA 1000V Cloud Firewall
      - ASA 5512-X with FirePOWER Services
      - ASA 5515-X with FirePOWER Services
      - ASA 5525-X with FirePOWER Services
      - ASA 5545-X with FirePOWER Services
      - ASA 5555-X with FirePOWER Services
      - ASA 5585-X with FirePOWER SSP-10, SSP-20, SSP-40, or SSP-60
      - ASA 5505 Adaptive Security Appliance
      - ASA 5510 Adaptive Security Appliance
      - ASA 5512-X Adaptive Security Appliance
      - ASA 5515-X Adaptive Security Appliance
      - ASA 5520 Adaptive Security Appliance
      - ASA 5525-X Adaptive Security Appliance
      - ASA 5540 Adaptive Security Appliance
      - ASA 5545-X Adaptive Security Appliance
      - ASA 5550 Adaptive Security Appliance
      - ASA 5555-X Adaptive Security Appliance
      - ASA 5580 Adaptive Security Appliance
      - ASA 5585-X Adaptive Security Appliance
      - Catalyst 6500 Series ASA Services Module
      - Firepower 2100 Series Security Appliances
      - Firepower 4100 Series Security Appliances
      - FirePOWER 7000 Series Appliances
      - FirePOWER 8000 Series Appliances
      - Firepower 9300 ASA Security Module
      - Firepower Threat Defense Virtual (FTDv)

Details

  o The vulnerability described in this advisory exists because the affected
    devices have a limited amount of DMA memory and the affected software
    improperly handles resources in low-memory conditions. When the affected
    software cannot allocate DMA memory, the software may cause a device to
    crash and reload, resulting in a temporary DoS condition.

    To address this vulnerability, Cisco corrected how the software handles
    resources in low-memory conditions. Cisco also implemented a
    DMA_MEM_ALLOC_FAILED protocol stack counter that administrators can use to
    determine whether and how many DMA memory allocation failures have occurred
    on a device. Sustained periods of DMA memory allocation failures could
    adversely impact traffic that is sent through a device.

    To check the value of the DMA_MEM_ALLOC_FAILED counter, administrators can
    use the show counters privileged EXEC command in the device CLI, as shown
    in the following example:

        ciscoasa# show counters

        Protocol     Counter                                       Value   Context
        .
        .
        .
        CRYPTO       DMA_MEM_ALLOC_FAILED                              1   Summary

    If the value of the DMA_MEM_ALLOC_FAILED counter increases quickly for a
    sustained period of time, administrators should contact the Cisco Technical
    Assistance Center (TAC) for further investigation.
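    As an added illustration, not Cisco's tooling, the following script parses
    the show counters output format shown above, reads the DMA_MEM_ALLOC_FAILED
    value, and applies a simple sustained-growth rule to a constructed series of
    periodic readings, which is one way to turn the guidance about a counter
    that increases quickly for a sustained period into an alert. The sampling
    interval and rate threshold are assumptions to be tuned per deployment.

```python
"""Monitor the CRYPTO DMA_MEM_ALLOC_FAILED counter described in
cisco-sa-20181003-asa-dma-dos.  Example added to the bulletin, not Cisco's
tooling.  The 'show counters' output below is constructed to match the format
in the advisory, and the periodic readings are simulated; in practice they
would come from running 'show counters' at a fixed interval.
"""
import re

# One counter row: Protocol  Counter  Value  Context (whitespace-separated).
COUNTER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")

# Constructed sample in the format shown in the advisory.
SAMPLE_SHOW_COUNTERS = """\
Protocol     Counter                                       Value   Context
IP           IN_PKTS                                       54321   Summary
CRYPTO       DMA_MEM_ALLOC_FAILED                              1   Summary
"""


def parse_counters(output):
    """Return {(protocol, counter, context): value} from 'show counters' text."""
    counters = {}
    for line in output.splitlines():
        m = COUNTER_RE.match(line.strip())
        if not m:  # header, separator dots and blank lines do not match
            continue
        proto, name, value, ctx = m.groups()
        counters[(proto, name, ctx)] = int(value)
    return counters


def dma_alloc_failed(output, context="Summary"):
    """Current DMA_MEM_ALLOC_FAILED value for the given context.

    Assumption: a counter that is absent from the output has not incremented.
    """
    return parse_counters(output).get(("CRYPTO", "DMA_MEM_ALLOC_FAILED", context), 0)


class SustainedGrowthDetector:
    """Flag when the counter grows at >= rate_per_sec for
    sustained_intervals consecutive sampling intervals."""

    def __init__(self, rate_per_sec, sustained_intervals):
        self.rate_per_sec = rate_per_sec
        self.sustained_intervals = sustained_intervals
        self.last = None  # (timestamp, value) of the previous sample
        self.hot_streak = 0

    def observe(self, timestamp, value):
        """Feed one sample; return True while the sustained condition holds."""
        if self.last is not None:
            dt = timestamp - self.last[0]
            dv = value - self.last[1]
            if dv < 0:
                # Counter went backwards: the device reloaded (the DoS outcome
                # itself) or counters were cleared.  Restart the streak.
                self.hot_streak = 0
            elif dt > 0 and dv / dt >= self.rate_per_sec:
                self.hot_streak += 1
            else:
                self.hot_streak = 0
        self.last = (timestamp, value)
        return self.hot_streak >= self.sustained_intervals


# Constructed readings taken once per minute: quiet, then a burst of allocation
# failures, then a reload (counter back to 0).
SIMULATED_READINGS = [1, 1, 2, 200, 500, 900, 1300, 0, 3]


def simulate(readings, interval_sec=60, rate_per_sec=1.0, sustained_intervals=3):
    """Return the alert flag produced after each reading (thresholds are assumptions)."""
    det = SustainedGrowthDetector(rate_per_sec, sustained_intervals)
    return [det.observe(i * interval_sec, v) for i, v in enumerate(readings)]


if __name__ == "__main__":
    print("current DMA_MEM_ALLOC_FAILED:", dma_alloc_failed(SAMPLE_SHOW_COUNTERS))
    for reading, alert in zip(SIMULATED_READINGS, simulate(SIMULATED_READINGS)):
        print(f"reading={reading:5d}  alert={'YES' if alert else 'no'}")
```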

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To help ensure a complete upgrade
    solution, consider that this advisory is part of a collection that includes
    the following advisories:

      - cisco-sa-20181003-asa-dma-dos: Cisco Adaptive Security Appliance Direct
        Memory Access Denial of Service Vulnerability
      - cisco-sa-20181003-ftd-inspect-dos: Cisco Firepower Threat Defense
        Software FTP Inspection Denial of Service Vulnerability

    In the following table(s), the left column lists releases of Cisco
    software. The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by all the vulnerabilities described in this
    collection of advisories and which release includes fixes for those
    vulnerabilities.

    Cisco ASA Software

    Cisco ASA       First Fixed Release     First Fixed Release for All Vulnerabilities
    Software        for This                Described in the Collection of Advisories
    Release         Vulnerability
    Prior to 9.1^1  Not vulnerable^2        Not vulnerable^2
    9.1             Not vulnerable^2        Not vulnerable^2
    9.2^1           Not vulnerable^2        Not vulnerable^2
    9.3^1           Migrate to 9.4.4.22     Migrate to 9.4.4.22
    9.4             9.4.4.22                9.4.4.22
    9.5^1           Migrate to 9.6.4.14     Migrate to 9.6.4.14
    9.6             9.6.4.14                9.6.4.14
    9.7^1           Migrate to 9.8.3.8      Migrate to 9.8.3.8
    9.8             9.8.3.8                 9.8.3.8
    9.9             9.9.2.18                9.9.2.18

    ^1 Cisco ASA Software releases prior to Release 9.1 and Cisco ASA Software
    Releases 9.2, 9.3, 9.5, and 9.7 have reached the
    end-of-software-maintenance milestone. Customers are advised to migrate to
    a supported release that includes the fix for this vulnerability.

    ^2 Cisco ASA Software releases prior to Release 9.3 are not supported on
    Cisco ASA 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X Appliances.

    Cisco FTD Software

    Cisco FTD     First Fixed Release        First Fixed Release for All Vulnerabilities
    Software      for This                   Described in the Collection of Advisories
    Release       Vulnerability
    6.0           Migrate to 6.1.0.7         Migrate to 6.1.0.7
    6.0.1         Migrate to 6.1.0.7         Migrate to 6.1.0.7
    6.1.0         6.1.0.7                    6.1.0.7
    6.2.0         6.2.0.7 (future release)   6.2.0.7 (future release)
    6.2.1         Not vulnerable             Migrate to 6.2.2.5 (future release)
    6.2.2         6.2.2.5 (future release)   6.2.2.5 (future release)
    6.2.3         6.2.3.4                    6.2.3.4

    To upgrade to a fixed release of Cisco Firepower System Software, customers
    can do one of the following:

      - For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade and, after
        installation is complete, reapply the access control policy. The Snort
        version that is installed depends on the FMC release.
      - For devices that are managed by using Cisco Adaptive Security Device
        Manager (ASDM) or Cisco Firepower Device Manager (FDM), use the ASDM or
        FDM interface to install the upgrade and, after installation is
        complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-dma-dos

Revision History

    +----------+---------------------------+----------+--------+------------------+
    | Version  |        Description        | Section  | Status |       Date       |
    +----------+---------------------------+----------+--------+------------------+
    | 1.0      | Initial public release.   | --       | Final  | 2018-October-03  |
    +----------+---------------------------+----------+--------+------------------+

- --------------------------------------------------------------------------------

Cisco Security Advisory

Cisco Adaptive Security Appliance IPsec VPN Denial of Service Vulnerability

Priority:           Medium
Advisory ID:        cisco-sa-20181003-asa-ipsec-dos
First Published:    2018 October 3 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCuy57310
CVE-2018-15397
CWE-320
CVSS Score:         Base 6.8
CVSS:               3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

    A vulnerability in the implementation of Traffic Flow Confidentiality (TFC)
    over IPsec functionality in Cisco Adaptive Security Appliance (ASA)
    Software and Cisco Firepower Threat Defense (FTD) Software could allow an
    unauthenticated, remote attacker to cause an affected device to restart
    unexpectedly, resulting in a denial of service (DoS) condition.

    The vulnerability is due to an error that may occur if the affected
    software renegotiates the encryption key for an IPsec tunnel when certain
    TFC traffic is in flight. An attacker could exploit this vulnerability by
    sending a malicious stream of TFC traffic through an established IPsec
    tunnel on an affected device. A successful exploit could allow the attacker
    to cause a daemon process on the affected device to crash, which could
    cause the device to crash and result in a DoS condition.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-ipsec-dos

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following Cisco
    products:

      - Adaptive Security Appliance (ASA) Software Releases 9.6.4, 9.8.2, and
        9.9.1, prior to the first fixed release
      - Firepower Threat Defense (FTD) Software Release 6.2.2

    For the latest and most detailed information about affected software
    releases, consult the Cisco bug ID(s) at the top of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Details

  o This vulnerability affects Cisco ASA Software and Cisco FTD Software only
    if the software has been configured to accept TFC traffic by using the 
    crypto map <map-name> <map-index> set tfc-packets command.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For information about fixed software releases, consult the Cisco bug ID(s)
    at the top of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-ipsec-dos

Revision History

    +----------+---------------------------+----------+--------+------------------+
    | Version  |        Description        | Section  | Status |       Date       |
    +----------+---------------------------+----------+--------+------------------+
    | 1.0      | Initial public release.   | --       | Final  | 2018-October-03  |
    +----------+---------------------------+----------+--------+------------------+

- --------------------------------------------------------------------------------

Cisco Security Advisory

Cisco Adaptive Security Appliance TCP Syslog Denial of Service Vulnerability

Priority:           Medium
Advisory ID:        cisco-sa-20181003-asa-syslog-dos
First Published:    2018 October 3 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvh73829
CVE-2018-15399
CWE-400
CVSS Score:         Base 6.8
CVSS:               3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the TCP syslog module of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to exhaust the 1550-byte
    buffers on an affected device, resulting in a denial of service (DoS)
    condition.

    The vulnerability is due to a missing boundary check in an internal
    function. An attacker could exploit this vulnerability by establishing a
    man-in-the-middle position between an affected device and its configured
    TCP syslog server and then maliciously modifying the TCP header in segments
    that are sent from the syslog server to the affected device. A successful
    exploit could allow the attacker to exhaust the buffers on the affected
    device and cause all TCP-based features to stop functioning, resulting in a
    DoS condition. The affected TCP-based features include AnyConnect SSL VPN,
    clientless SSL VPN, and management connections such as Secure Shell (SSH),
    Telnet, and HTTPS.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-syslog-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco Adaptive Security Appliance (ASA) Software
    and Cisco Firepower Threat Defense (FTD) Software. For information about
    affected software releases, consult the Cisco bug ID(s) at the top of this
    advisory.

    Determine the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco ASA
    Software Release 9.4(4):

        ciscoasa# show version | include Version

        Cisco Adaptive Security Appliance Software Version 9.4(4)
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determine the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------
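    When triaging a fleet, the two `show version` formats above are usually
    collected by script rather than read by hand. The following is an added
    example, not Cisco's code: it parses both formats into comparable version
    tuples (handling ASA interim builds such as 9.8(2)28) and flags devices
    running below a first fixed release. The `PLACEHOLDER_FIXED` values are
    placeholders to be filled from the Cisco bug IDs, not releases taken from
    this advisory.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample output modelled on the advisory's examples (not captured from a live device).
ASA_OUTPUT = """\
Cisco Adaptive Security Appliance Software Version 9.4(4)
Device Manager Version 7.4(1)
"""
FTD_OUTPUT = """\
---------------------[ ftd ]---------------------
Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
Rules update version : 2017-03-15-001-vrt
VDB version : 279
----------------------------------------------------
"""

# ASA releases look like 9.4(4) or, for interim builds, 9.8(2)28; FTD releases look like 6.2.0 or 6.2.3.4.
ASA_RE = re.compile(r"Adaptive Security Appliance Software Version (\d+)\.(\d+)\((\d+)\)(\d+)?")
FTD_RE = re.compile(r"Threat Defense.*?Version (\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")

# Placeholder first-fixed releases keyed by (platform, major, minor): NOT from the advisory,
# fill these in from the Cisco bug IDs listed at the top of the advisory.
PLACEHOLDER_FIXED: Dict[Tuple[str, int, int], Version] = {
    ("asa", 9, 4): (9, 4, 4, 30),
    ("ftd", 6, 2): (6, 2, 3, 0),
}


def parse_version(output: str) -> Tuple[Optional[str], Optional[Version]]:
    """Return (platform, version) from `show version` output, or (None, None) if unrecognised."""
    for platform, pattern in (("asa", ASA_RE), ("ftd", FTD_RE)):
        m = pattern.search(output)
        if m:
            # A missing trailing component counts as 0, so 9.4(4) sorts below the interim 9.4(4)1.
            return platform, tuple(int(g) if g else 0 for g in m.groups())
    return None, None


def needs_upgrade(output: str, first_fixed: Dict[Tuple[str, int, int], Version]) -> Optional[bool]:
    """True if the running release is below the first fixed release of its train.

    Returns None when the output or the train is unknown, so an unparsed device is never
    silently reported as patched.
    """
    platform, version = parse_version(output)
    if version is None:
        return None
    fixed = first_fixed.get((platform, version[0], version[1]))
    if fixed is None:
        return None
    return version < fixed
```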

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For information about fixed software releases, consult the Cisco bug ID(s)
    at the top of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank J-M Roth for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-syslog-dos

Revision History

    +----------+---------------------------+----------+--------+------------------+
    | Version  |        Description        | Section  | Status |       Date       |
    +----------+---------------------------+----------+--------+------------------+
    | 1.0      | Initial public release.   | --       | Final  | 2018-October-03  |
    +----------+---------------------------+----------+--------+------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----