-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0376
       Cisco ASA Clientless SSL VPN CIFS Heap Overflow Vulnerability
                              9 February 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Adaptive Security Appliance
Publisher:         Cisco Systems
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3807  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-asa

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco ASA Clientless SSL VPN CIFS Heap Overflow Vulnerability

High

Advisory ID:

cisco-sa-20170208-asa

First Published:

2017 February 8 16:00  GMT

Last Updated: 

2017 February 8 16:57  GMT

Version 1.1:

Final

Workarounds:

Yes

Cisco Bug IDs:

CSCvc23838

CVE-2017-3807

CWE-119

CVSS Score:

Base 8.8, Temporal 8.8

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

CVE-2017-3807

CWE-119

Summary

A vulnerability in Common Internet Filesystem (CIFS) code in the Clientless
SSL VPN functionality of Cisco ASA Software could allow an authenticated,
remote attacker to cause a heap overflow.

The vulnerability is due to insufficient validation of user supplied input.
An attacker could exploit this vulnerability by sending a crafted URL to
the affected system. An exploit could allow the remote attacker to cause a
reload of the affected system or potentially execute code.

Note: Only traffic directed to the affected system can be used to exploit
this vulnerability. This vulnerability affects systems configured in routed
firewall mode only and in single or multiple context mode. This
vulnerability can be triggered by IPv4 or IPv6 traffic. A valid TCP
connection is needed to perform the attack. The attacker needs to have
valid credentials to log in to the Clientless SSL VPN portal.

Cisco has released software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available. This advisory
is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-asa

Affected Products

Vulnerable Cisco ASA Software running on the following products may be
affected by this vulnerability:

Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco ASA for Firepower 9300 Series 
Cisco ASA for Firepower 4100 Series
Cisco ISA 3000 Industrial Security Appliance

Refer to the "Fixed Software" section of this security advisory for more
information about the affected releases.

Vulnerable Products

Cisco ASA Software is affected by this vulnerability if the Clientless SSL
VPN portal is enabled. To determine whether the Clientless SSL VPN portal
is enabled, the administrator can verify the following:
 - webvpn is enabled on at least one interface.
 - The group policy includes the ssl-clientless option configured in the
   vpn-tunnel-protocol command.

To determine whether webvpn is enabled, use the show running-config webvpn
command. The following example shows a Cisco ASA with the Clientless SSL
VPN portal enabled on the outside interface:

 ciscoasa# show running-config webvpn
 webvpn
 enable outside
 [...]

To determine whether the ssl-clientless option is configured in the
vpn-tunnel-protocol command, use the show running-config group-policy
<group policy name> attributes | include vpn-tunnel-protocol command. The
following example shows a policy called Clientless with the ssl-clientless
option configured in the vpn-tunnel-protocol command:

 ciscoasa# show running-config group-policy Clientless attributes | include vpn-tunnel-protocol
 vpn-tunnel-protocol ssl-client ssl-clientless

If the vpn-tunnel-protocol command options are not specified in the group
policy, Cisco ASA inherits the options from the default group policy called
DfltGrpPolicy. By default, the DfltGrpPolicy has the ssl-clientless option
enabled.

Note: Cisco ASA configured with a Cisco AnyConnect Essential license is not
affected by this vulnerability.

Determining the Running Software Version

To determine whether a vulnerable version of Cisco ASA Software is running
on an appliance, administrators can use the show version command. The
following example shows the results of the show version command on an
appliance running Cisco ASA Software version 9.2(1):

 ciscoasa# show version | include Version
 Cisco Adaptive Security Appliance Software Version 9.2(1)
 Device Manager Version 7.4(1)

Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage
devices can locate the software version in the table that appears in the
login window or the upper-left corner of the Cisco ASDM window.

Products Confirmed Not Vulnerable

Cisco Firepower Threat Defense Software is not affected by this
vulnerability.

No other Cisco products are currently known to be affected by this
vulnerability.

Workarounds

It is possible to block the offending URL using a webtype access list,
which can be performed using the following steps:
 1. Configure the webtype access list:

   access-list bugCSCvc23838 webtype deny url https://<asa_ip_address>/+webvpn+/CIFS_R/*
   access-list bugCSCvc23838 webtype permit url https://*
   access-list bugCSCvc23838 webtype permit url cifs://*

The second and third access-list entries permit all other HTTPS and CIFS
traffic. Administrators should review their configuration and adapt this
access list to their own access policy.

 2. Apply the access list in the group policy with the filter value
   <webtype acl name> command:

    group-policy Clientless attributes
     webvpn
       filter value bugCSCvc23838

Fixed Software

In the following table, the left column lists major releases of Cisco ASA
Software. The right column indicates whether a major release is affected by
the vulnerability described in this advisory and the first release that
includes the fix for this vulnerability.


Cisco ASA Major Release   First Fixed Release

Prior to 9.0[1]           Affected, migrate to 9.1(7.13) or later
9.0[1]                    Affected, migrate to 9.1(7.13) or later
9.1                       9.1(7.13) or later
9.2[2]                    Affected, migrate to 9.4(4) or later
9.3[1]                    Affected, migrate to 9.4(4) or later
9.4                       9.4(4) or later
9.5[2]                    Affected, migrate to 9.6(2.10) or later
9.6                       9.6(2.10) or later
9.7                       Not affected


[1] Cisco ASA Software releases prior to 9.1 and Cisco ASA release 9.3 have
reached End of Software Maintenance. Customers should migrate to a
supported release.
[2] A fix for Cisco ASA Software releases 9.2 and 9.5 will be available in
April 2017.
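The checks in the "Vulnerable Products", "Determining the Running Software Version", "Workarounds" and "Fixed Software" sections above are all expressed as CLI output to read by eye. The following script, added here as an example and not code from Cisco or AusCERT, applies the same rules to saved text of "show version" and "show running-config": it classifies the running release against the Fixed Software table, applies the two-part portal test (webvpn enabled, and a group policy whose effective vpn-tunnel-protocol includes ssl-clientless, with the DfltGrpPolicy inheritance rule), and checks whether the webtype ACL workaround is applied with "filter value". The sample "show version" text and configurations are constructed for the example; the ACL name is the one the advisory uses, and the IP address in it is a documentation placeholder. The AnyConnect Essentials license exemption is not visible in these outputs and is not modelled.

```python
"""Exposure check for the conditions described in cisco-sa-20170208-asa.
Added example; the sample inputs below are constructed, not captured."""
import re

# Fixed Software table from the advisory: train -> first fixed release tuple.
FIXED_RELEASES = {"9.1": (9, 1, 7, 13), "9.4": (9, 4, 4, 0), "9.6": (9, 6, 2, 10)}
# Trains the advisory marks "Affected, migrate to ..." (no in-train fix at publication).
AFFECTED_NO_FIX = {"9.0", "9.2", "9.3", "9.5"}
NOT_AFFECTED = {"9.7"}


def parse_version(show_version_output):
    """Turn 'Cisco Adaptive Security Appliance Software Version 9.1(7.13)' into a
    comparable tuple (major, minor, maintenance, interim); interim defaults to 0."""
    m = re.search(r"Security Appliance Software Version (\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)",
                  show_version_output)
    if not m:
        raise ValueError("no ASA software version found in 'show version' output")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def version_status(ver):
    """'vulnerable', 'fixed', 'not affected', or 'unknown' (train not in the table)."""
    train = f"{ver[0]}.{ver[1]}"
    if ver[0] < 9 or train in AFFECTED_NO_FIX:   # "Prior to 9.0" and the migrate-only trains
        return "vulnerable"
    if train in NOT_AFFECTED:
        return "not affected"
    if train in FIXED_RELEASES:
        return "fixed" if ver >= FIXED_RELEASES[train] else "vulnerable"
    return "unknown"


def parse_blocks(config):
    """Split running-config text into (header, [stripped indented lines]) pairs.
    A non-indented line opens a block; '!' separators and blank lines are dropped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] not in " \t":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def clientless_portal_enabled(config):
    """Advisory test: webvpn enabled on an interface AND some group policy whose effective
    vpn-tunnel-protocol includes ssl-clientless. A policy without an explicit
    vpn-tunnel-protocol inherits DfltGrpPolicy, which allows ssl-clientless by default."""
    blocks = parse_blocks(config)
    if not any(h == "webvpn" and any(l.startswith("enable ") for l in body) for h, body in blocks):
        return False
    explicit = {}  # policy name -> set of protocols, or None when inherited
    for header, body in blocks:
        m = re.match(r"group-policy (\S+) attributes$", header)
        if not m:
            continue
        protos = None
        for line in body:
            if line.startswith("vpn-tunnel-protocol "):
                protos = set(line.split()[1:])
        explicit[m.group(1)] = protos
    # Only the default the advisory states is modelled; an explicit DfltGrpPolicy overrides it.
    default_protos = explicit.get("DfltGrpPolicy") or {"ssl-clientless"}
    effective = [p if p is not None else default_protos for p in explicit.values()]
    effective.append(default_protos)  # DfltGrpPolicy itself always applies to someone
    return any("ssl-clientless" in p for p in effective)


def workaround_applied(config):
    """True when a webtype ACL denying the /+webvpn+/CIFS_R/ URL exists and a group policy
    applies it via 'filter value <acl>'. Checks presence, not per-policy coverage."""
    blocks = parse_blocks(config)
    denying = {m.group(1) for h, _ in blocks
               for m in [re.match(r"access-list (\S+) webtype deny url \S*/\+webvpn\+/CIFS_R/", h)] if m}
    for header, body in blocks:
        if re.match(r"group-policy \S+ attributes$", header):
            for line in body:
                m = re.match(r"filter value (\S+)$", line)
                if m and m.group(1) in denying:
                    return True
    return False


def assess(show_version_output, config):
    """Exposed = affected release AND portal enabled AND no workaround filter in place."""
    ver = parse_version(show_version_output)
    status, portal, fix = version_status(ver), clientless_portal_enabled(config), workaround_applied(config)
    return {"version": ver, "version_status": status, "portal_enabled": portal,
            "workaround_applied": fix, "exposed": status == "vulnerable" and portal and not fix}


# Constructed samples (not from a real appliance); 203.0.113.1 is a documentation address.
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.2(1)\nDevice Manager Version 7.4(1)\n"
SAMPLE_CONFIG = """\
hostname ciscoasa
!
access-list bugCSCvc23838 webtype deny url https://203.0.113.1/+webvpn+/CIFS_R/*
access-list bugCSCvc23838 webtype permit url https://*
access-list bugCSCvc23838 webtype permit url cifs://*
!
webvpn
 enable outside
 anyconnect enable
!
group-policy Clientless internal
group-policy Clientless attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  filter value bugCSCvc23838
"""
SAMPLE_CONFIG_NO_PORTAL = """\
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client ikev2
group-policy RemoteAccess attributes
 vpn-tunnel-protocol ssl-client
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG))
```

Run against the constructed sample, the release 9.2(1) is classified as vulnerable and the portal is enabled, but the filter on the Clientless policy makes "exposed" false; removing the "filter value" line flips it to true. The version parser only reads "show version" output, so the "ASA Version" line at the top of a running-config is ignored deliberately.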

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

Source

This vulnerability was reported to Cisco by Oliver Chang, from Google
Project Zero.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-asa

Revision History

Version  Description               Section    Status   Date       

1.1      Updated table in Fixed    Fixed       Final   2017-February-08 
         Software.                 Software                             

1.0      Initial public release.               Final   2017-February-08 


Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----