[NEWS] Cisco PIX Vulnerabilities (SNMP, VPNC)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/18/03

Next message: SecuriTeam: "[UNIX] Invision Power Top Site List SQL Injection"

Previous message: SecuriTeam: "[NT] Multiple DUWare Vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 18 Dec 2003 16:49:31 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Cisco PIX Vulnerabilities (SNMP, VPNC)
------------------------------------------------------------------------

SUMMARY

This advisory documents two vulnerabilities for the Cisco PIX firewall.
These vulnerabilities are documented as CSCeb20276 (SNMPv3) and
CSCec20244/CSCea28896 (VPNC)

There are workarounds available to mitigate the effects of CSCeb20276
(SNMPv3). No workaround is available for CSCec20244/CSCea28896 (VPNC).

DETAILS

Affected Products:
All Cisco PIX firewall devices running the affected Cisco PIX firewall
software, as documented below, are affected by these vulnerabilities.
* CSCeb20276 (SNMPv3) 6.3.1, 6.2.2 and earlier, 6.1.4 and earlier. 5.x.x
and earlier.
* CSCec20244/CSCea28896 (VPNC) 6.2.3 and earlier. 6.1.x and 5.x.x are not
affected; they do not implement the VPNC feature.

The Firewall Service Module (FWSM) is also vulnerable to the SNMPv3 issue
and is documented as
<http://www.cisco.com/warp/public/707/cisco-sa-20031215-fwsm.shtml>
http://www.cisco.com/warp/public/707/cisco-sa-20031215-fwsm.shtml. No
other Cisco products are currently known to be affected by these
vulnerabilities.

To determine your software revision, type show version at the command line
prompt.

Details:
* CSCeb20276 (SNMPv3)

The Cisco PIX firewall crashes and reloads while processing a received
SNMPv3 message when snmp-server host <if_name> <ip_addr> or snmp-server
host <if_name> <ip_addr> poll is configured on the Cisco PIX firewall.
This happens even though the Cisco PIX firewall does not support SNMPv3.

A Cisco PIX firewall configured to only generate and send traps using the
snmp-server host <if_name> <ip_addr> trap command is not vulnerable.

* CSCec20244/CSCea28896 (VPNC)
Under certain conditions, an established VPNC IPSec tunnel connection is
dropped if another IPSec client attempts to initiate an IKE "Phase I"
negotiation to the outside interface of the VPN Client configured Cisco
PIX firewall.

Only a Cisco PIX firewall configured as a VPN Client is vulnerable to this
vulnerability.

A VPNC also referred to as Easy VPN or ezVPN, connection is created when
the Cisco PIX firewall is used as a VPN client to connect to a VPN server.
An IKE Phase I negotiation is a step in the establishment of an IPSec
session.

CSCea28896 resolved this issue for the 6.3.x software releases and
CSCec20244 resolved this issue for the 6.2(3.100) and later software
releases.

The Internetworking Terms and Cisco Systems Acronyms online guides can be
found at <http://www.cisco.com/univercd/cc/td/doc/cisintwk/>
http://www.cisco.com/univercd/cc/td/doc/cisintwk/.

These vulnerabilities are documented in the Cisco Bug Toolkit as Bug ID
CSCeb20276 (SNMPv3) and CSCec20244/CSCea28896 (VPNC). To access this tool,
you must be a registered user and you must be logged in.

Impact:
* CSCeb20276 (SNMPv3)
This vulnerability can be exploited to initiate a Denial of Service attack
on the Cisco PIX firewall.

* CSCec20244/CSCea28896 (VPNC)
This vulnerability can be exploited to initiate a Denial of Service attack
on sessions established between a Cisco PIX configured as a VPN Client and
a VPN server.

Software Versions and Fixes:
* CSCeb20276 (SNMPv3) 6.3.2 and later, 6.2.3 and later, 6.1.5 and later.

* CSCec20244/CSCea28896 (VPNC) 6.3.1 and later, 6.2(3.100) and later.

The procedure to upgrade to the fixed software version is detailed at
<http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm.

Workarounds:
* CSCeb20276 (SNMPv3)

There are two workarounds available.
o If SNMP polling to the PIX is required on a vulnerable image, one may
choose to restrict the polling access to the SNMP server to trusted
interfaces and trusted hosts by using this command:
snmp-server host <if_name> <ip_addr> poll

Note: Both Poll and Trap are enabled if one does not specifically use the
poll or trap keyword in the command above. The above command cannot
prevent a source IP spoofed SNMP request message from exploiting this
vulnerability.

o Disable the SNMP server on the Cisco PIX firewall as follows:
            clear snmp-server
            no snmp-server location
            no snmp-server contact
            snmp-server community public
            no snmp-server enable traps

Note: The Cisco PIX firewall does not allow one to remove the community
string altogether. It will always be either public or a user configured
string. show snmp will still show snmp-server community public, but this
does not mean SNMP is enabled.

More details at
<http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026423> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026423.

* CSCec20244/CSCea28896 (VPNC)

No workaround. Please upgrade.

The Cisco PSIRT recommends that affected users upgrade to a fixed software
version of code.

ADDITIONAL INFORMATION

The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[UNIX] Invision Power Top Site List SQL Injection"

Previous message: SecuriTeam: "[NT] Multiple DUWare Vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[NEWS] Cisco Pix Firewall DoS (NAT Pool Depletion)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... * Cisco Pix Firewall IOS
versions 6.2.2 and 6.3. ... packets on the global pool IP addresses. ... this pat
address. ... (Securiteam)
Re: Setup a SIMPLE VPN with my PIX515e
... Cisco PIX Firewall Version 6.3 ... VPN Client 3.6.0 and 4.0.1 for Windows.
... crypto ipsec TRANSFORMSET esp-3des esp-sha-hmac ... username roberson password
29afaf53d1 encypted privilege 1 ... (comp.dcom.sys.cisco)
Cisco PIX
... Does anyone know how to make a logon script pop once you signon to a network via remote
acces using VPN client for a Cisco PIX Firewall? ... (microsoft.public.windowsxp.help_and_support)