Cisco Security Advisory: Cisco PIX Multiple Vulnerabilities

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: 11/20/02

  • Next message: GreyMagic Software: "RE: (MSIE) -"dialogArguments" (extended)"
    From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
    To: bugtraq@securityfocus.com
    Date: Wed, 20 Nov 2002 08:00:00 -0800 (UTC)
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

              Cisco Security Advisory: Cisco PIX Multiple Vulnerabilities

    Revision 1.0

      For Public Release 2002 November 20 at 1600 UTC (GMT)

         ----------------------------------------------------------------------

    Contents

       Summary
       Affected Products
       Details
       Impact
       Software Versions and Fixes
       Obtaining Fixed Software
       Workarounds
       Exploitation and Public Announcements
       Status of This Notice
       Distribution
       Revision History
       Cisco Security Procedures

         ----------------------------------------------------------------------

    Summary

       The Cisco PIX Firewall provides robust, enterprise-class security services
       including stateful inspection firewalling, standards-based IP Security
       (IPsec) Virtual Private Networking (VPN), intrusion protection and much
       more in cost-effective, easy to deploy solutions.

       Two vulnerabilities have been resolved for the PIX firewall for which
       fixes are available. These vulnerabilities are documented as Cisco bug ID
       CSCdv83490 and CSCdx35823. There are no workarounds available to mitigate
       the effects of these vulnerabilities.

       This advisory will be posted at
       http://www.cisco.com/warp/public/707/pix-multiple-vuln-pub.shtml.

    Affected Products

       All PIX Firewall units running the vulnerable releases and using the
       specific features are affected by these vulnerabilities.

       No other Cisco products are currently known to be affected by these
       vulnerabilities.

       +-------------------------------------------------+
       | DDTs-Description |Affected Release |
       |-------------------------------+-----------------|
       |CSCdv83490-While processing |6.0.3 and earlier|
       |initial contact notify messages|6.1.3 and earlier|
       |the PIX does not delete | |
       |duplicate Internet Security | |
       |Authentication Key Management | |
       |Protocol Security Associations | |
       |(ISAKMP SAs) with the peer. | |
       |-------------------------------+-----------------|
       |CSCdx35823-Buffer overflow |5.2.8 and earlier|
       |while doing HTTP traffic |6.0.3 and earlier|
       |authentication using Terminal |6.1.3 and earlier|
       |Access Controller Access |6.2.1 and earlier|
       |Control System Plus (TACACS+) | |
       |or Remote Authentication | |
       |Dial-In User Service (RADIUS). | |
       +-------------------------------------------------+

       To determine your software revision, type show version at the command line
       prompt.

    Details

       CSCdv83490
               When a user establishes a VPN session upon successful peer and
               user authentication, the PIX creates an ISAKMP SA associating the
               user and his IP address.

               If an attacker is now able to block the logged-in user's
               connection and establish a connection to the PIX using the same IP
               address as that of the user, he will be able to establish a VPN
               session with the PIX, using only peer authentication, provided he
               already has access to the peer authentication key also known as
               the group pre-shared key (PSK) or group password key.

       CSCdx35823
               A user starting a connection via FTP, Telnet, or over the World
               Wide Web (HTTP) is prompted for their user name and password. If
               the user name and password are verified by the designated TACACS+
               or RADIUS authentication server, the PIX Firewall unit will allow
               further traffic between the authentication server and the
               connection to interact independently through the PIX Firewall
               unit's "cut-through proxy" feature.

               The PIX may crash and reload due to a buffer overflow
               vulnerability while processing HTTP traffic requests for
               authentication using TACACS+ or RADIUS.

       The Internetworking Terms and Acronyms online guide can be found at
       http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/index.htm. The Cisco
       Systems Terms and Acronyms online guide can be found at
       http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/cisco12.htm.

       These vulnerabilities are documented in the Bug Toolkit as Bug IDs
       CSCdv83490 and CSCdx35823, and can be viewed after 2002 November 21 at
       1600 UTC. To access this tool, you must be a registered user and you must
       be logged in.

    Impact

       +-------------------------------------------------+
       | DDTs-Description | Impact |
       |-------------------------+-----------------------|
       |CSCdv83490-While |This vulnerability can |
       |processing initial |be exploited to |
       |contact notify messages |initiate a |
       |the PIX does not delete |Man-In-The-Middle |
       |duplicate ISAKMP SA's |attack for VPN sessions|
       |with the peer. |to the PIX. |
       |-------------------------+-----------------------|
       |CSCdx35823 - Buffer |This vulnerability can |
       |overflow while doing HTTP|be exploited to |
       |traffic authentication |initiate a |
       |using TACACS+ or RADIUS. |Denial-of-Service |
       | |attack. |
       +-------------------------------------------------+

    Software Versions and Fixes

       +-------------------------------------------------+
       | DDTs-Description |Fixed Releases|
       |----------------------------------+--------------|
       |CSCdv83490-While processing |6.0.4 and |
       |initial contact notify messages |later |
       |the PIX does not delete duplicate |6.1.4 and |
       |ISAKMP SAs with the peer. |later |
       | |6.2.1 and |
       | |later |
       |----------------------------------+--------------|
       |CSCdx35823-Buffer overflow while |5.2.9 and |
       |doing HTTP traffic authentication |later |
       |using TACACS+ or RADIUS. |6.0.4 and |
       | |later |
       | |6.1.4 and |
       | |later |
       | |6.2.2 and |
       | |later |
       +-------------------------------------------------+

       The procedure to upgrade to the fixed software version is detailed at
       http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm.

    Obtaining Fixed Software

       Cisco is offering free software upgrades to address these vulnerabilities
       for all affected customers. Customers may only install and expect support
       for the feature sets they have purchased.

       Customers with service contracts should contact their regular update
       channels to obtain the free software upgrade identified via this advisory.
       For most customers with service contracts, this means that upgrades should
       be obtained through the Software Center on Cisco's worldwide website at
       http://www.cisco.com/pcgi-bin/tablebuild.pl/pix. To access the software,
       download URL http://www.cisco.com/pcgi-bin/tablebuild.pl/pix, you must be
       a registered user and you must be logged in.

       Customers whose Cisco products are provided or maintained through a prior
       or existing agreement with third-party support organizations such as Cisco
       Partners, authorized resellers, or service providers should contact that
       support organization for assistance with obtaining the free software
       upgrade(s).

       Customers who purchased directly from Cisco but who do not hold a Cisco
       service contract, and customers who purchase through third-party vendors
       but are unsuccessful at obtaining fixed software through their point of
       sale, should obtain fixed software by contacting the Cisco Technical
       Assistance Center (TAC) using the contact information listed below. In
       these cases, customers are entitled to obtain an upgrade to a later
       version of the same release or as indicated by the applicable corrected
       software version in the Software Versions and Fixes section (noted above).

       Cisco TAC contacts are as follows:

         * +1 800 553 2447 (toll free from within North America)
         * +1 408 526 7209 (toll call from anywhere in the world)
         * e-mail: tac@cisco.com

       See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
       additional TAC contact information, including special localized telephone
       numbers and instructions and e-mail addresses for use in various
       languages.

       Please have your product serial number available and give the URL of this
       advisory as evidence of your entitlement to a free upgrade.

       Please do not contact either "psirt@cisco.com" or
       "security-alert@cisco.com" for software upgrades.

    Workarounds

       There are no workarounds for these vulnerabilities. The Cisco PSIRT
       recommends that affected users upgrade to a fixed software version of
       code.

    Exploitation and Public Announcements

       The Cisco PSIRT is not aware of any malicious use of the vulnerabilities
       described in this advisory.

       These vulnerabilities were reported to PSIRT by Cisco engineering and
       customers.

    Status of This Advisory: FINAL

       This is a final advisory. Although Cisco cannot guarantee the accuracy of
       all statements in this advisory, all of the facts have been checked to the
       best of our ability. Cisco does not anticipate issuing updated versions of
       this advisory unless there is some material change in the facts. Should
       there be a significant change in the facts, Cisco may update this
       advisory.

       A stand-alone copy or paraphrase of the text of this security advisory
       that omits the distribution URL in the following section is an
       uncontrolled copy, and may lack important information or contain factual
       errors.

    Distribution

       This advisory will be posted on Cisco's worldwide website at
       http://www.cisco.com/warp/public/707/pix-multiple-vuln-pub.shtml.

       In addition to worldwide website posting, a text version of this advisory
       is clear-signed with the Cisco PSIRT PGP key having the fingerprint FEB1
       1B89 A64B 60BB 4770 D1CE 93D2 FF06 F236 759C and is posted to the
       following e-mail and Usenet news recipients:

         * cust-security-announce@cisco.com
         * bugtraq@securityfocus.com
         * full-disclosure@lists.netsys.com
         * first-teams@first.org (includes CERT/CC)
         * cisco-nsp@puck.nether.net
         * cisco@spot.colorado.edu
         * comp.dcom.sys.cisco
         * Various internal Cisco mailing lists

       Future updates of this advisory, if any, will be placed on Cisco's
       worldwide website, but may or may not be actively announced on mailing
       lists or newsgroups. Users concerned about this problem are encouraged to
       check the above URL for any updates.

    Revision History

       +-------------------------------------------------+
       | Revision | 2002-Nov-20 | Initial public release |
       | 1.0 | | |
       +-------------------------------------------------+

    Cisco Security Procedures

       Complete information on reporting security vulnerabilities in Cisco
       products, obtaining assistance with security incidents, and registering to
       receive security information from Cisco, is available on Cisco's worldwide
       website at
       http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
       includes instructions for press inquiries regarding Cisco security
       advisories. All Cisco security advisories are available at
       http://www.cisco.com/go/psirt.

         ----------------------------------------------------------------------

       This advisory is Copyright 2002 by Cisco Systems, Inc. This advisory may
       be redistributed freely after the release date given at the top of the
       text, provided that redistributed copies are complete and unmodified,
       including all date and version information.

         ----------------------------------------------------------------------

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8
    Comment: Signed by Sharad Ahlawat, Cisco Systems PSIRT

    iQA/AwUBPdu0v5PS/wbyNnWcEQLXgwCeLnUwjHIRt78mpF3gqKUtinwbA9EAoPh+
    2C0z9K2nj/WryNa1PorfZGJf
    =dluo
    -----END PGP SIGNATURE-----
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: PGP 6.5.8

    mQGiBD0HcvwRBADMNGazqD/bDWjJVBKrPrW3vSRReXB5y2HGfmZXS0C4xB/3VJGR
    d+JeTnqam4q7hbBab9kery6cNL9cdZWI+LInX8DUT/s+vlUTrIdZmAphxKtDwZLw
    W9rXKLQMeVpNfb64SrIqlcjq/DGEYAqVt3ycPXJiPl8JroDaKFSG1vKbTQCg/xJG
    Ljl1bWvPx6O602cNaX5BrmUEALMSC++ppvP587TCHSdLzhfVBWw+zbt2a+gTkahz
    t+VhymnBNWxNIlbU/U1StEaFwfBVPliVKmTj5LQwPetbIf783q+5ak0W9FM8BYy8
    9XVt8S/AYdYRw5/1YJA3OnprdIwaMDDtrQEy/dmpHYe0Vcay5tSM4M2MgOHJcVba
    hgktBACUHDDduj1qRzEybgLPSmwNS9jFpMC4PebBrw9c2O9idUufGt5A5we/ii5U
    G/0s4vpr1zGhKPbmzWaU5+jSH1XfPVg3EF8H5K7meC7LVPYwYjYi6z1ir07zhEfD
    wDRil5qve6rJNEZX5GLEysDhXYTw8hrwVv7bJSSlsJiMEqllEbRHQ2lzY28gU3lz
    dGVtcyBQcm9kdWN0IFNlY3VyaXR5IEluY2lkZW50IFJlc3BvbnNlIFRlYW0gPHBz
    aXJ0QGNpc2NvLmNvbT6JAF4EEBECAB4FAj0HcvwFCQW9+IAICwMJCAcCAQoCGQEF
    GwMAAAAACgkQk9L/BvI2dZwoYwCgrFpZ5dh8IPAt4C/hkz6o+H9b6IwAoL+kvWjx
    0Ij9mhNoEH+woJJCKjh2iQBKBBARAgAKBQI9B4cLAwUBeAAKCRCKY8lJ671ScWeu
    AJ9QQeUds+YrB8knbCMdoOIizI44pwCfVsbFKOS2mnR6GuPGRHx6TYap/ieJAEYE
    EBECAAYFAj0H3ooACgkQGoGomMEqmWyzPACeMnMro1hvO4ka23G2Z6JhZldeRVEA
    oNom27aJ3+OxrhaUtBJt/SWVdVafiQBjBBARAgAjBQI9B4ieAwUBeBgGPFtePl0r
    W0AuXWNpc2NvXC5jb20+JAAACgkQcJKanG3DGCHNdwCeP+XUPnt12BVZYAf5J+6Q
    g5d9wTAAoM2XXNqrMm5Y/ScvExXoYXyk/q81iQCcBBABAQAGBQI9B4TXAAoJEMAF
    eq0PniW5vLwEALCv9TkPbxdn29NzZJkI9vAqnX4OV79LfvQsB1J+Sck3f1lsvamq
    r6kUsfqz2P4sB52KjZi8Cci3AHDP7Z5Iwl56raNiPEA00uUXh4vk1N7dTA4OfjDp
    1LSciYHYOYxh6d3v47GphnBNckOdCH9iuaWJuRX86SHtshyJvHmR+wOtiQBGBBAR
    AgAGBQI9B4ZCAAoJEOJaQ7r9SlMepRMAoPIlX+Pem9o5r1UjjpxT7aQyiFP/AKCz
    yyQzbP5/IizPfxB2GTK92QSZVYkARgQQEQIABgUCPQeGcQAKCRCXb+VkX5DhIof5
    AKC87+Znu5p+y69Z/szsL5fYv+RT2QCg6TMl/IeLDU9D+hwG6FqHBQbRyuWJAGME
    EBECACMFAj0Pq4IDBQF4GAY8W14+XStbQC5dY2lzY29cLmNvbT4kAAAKCRD4P8wi
    wv94DQX8AJ4mPJORrcEkCQxe7joRf1VJNzvITQCglE7/y1X9T0iI3tpO2zBo5uyb
    KU+JAEYEEBECAAYFAj0XzCQACgkQSQjoesB49NLGSwCdGAFWJOOBFFBBQWiUyQ3l
    7a596OIAoM/iw5ARHocvByCSsHlkYAvORdbIiQEcBBABAgAGBQI9HQOaAAoJELe9
    L3c4tW498B4H/iXMyJpr0u6hU1xaGpPklQjI9oB3TpH0ASxi/SmlGZ1Y/xNzxxrC
    RjPBnRwvPVUSPzJidlF9SGhsGGZVBAfUbMihwmnPr0kbM8SoZGNqF0Vzqraim/ds
    wiw4QUWSGw3csw8h18wtfxipNipnjP06qilHiIHipN4Q7nhuV3nQ+8o8Bz7sZvZS
    ei6JfkT21BcHCLtxfI0022jeTSoQG6GqQjs02rbIKBjOj98Qr6yt4lu4EY3LNMDW
    N9dX+usAf43e2asizF5k1ALIbktaEZQDgq2FYWwXFw1UTlB8lpl4uL5OZ78Bx18V
    NFBedZ4jqIvj8jGk8CbKA8fNOd9EIioXyqm0UENpc2NvIFN5c3RlbXMgUHJvZHVj
    dCBTZWN1cml0eSBJbmNpZGVudCBSZXNwb25zZSBUZWFtIDxzZWN1cml0eS1hbGVy
    dEBjaXNjby5jb20+iQBGBBARAgAGBQI9B3NPAAoJEJPS/wbyNnWc8bcAoL4jgdol
    jMJs8qkGV5s9L8EVHodgAJ41Pnr7cL0AV2cBvdiJjJX0UAOJnokASgQQEQIACgUC
    PQeHHwMFAXgACgkQimPJSeu9UnEShwCfUen+P64gmYXlf6aWMoBudz7/gEgAoKHP
    GMzGRTLPQ2VO27AXfM1qMqOPiQBGBBARAgAGBQI9B96TAAoJEBqBqJjBKplsY2IA
    oN/eovYSQsE34i2tfeSy/3X8vFWXAKDgnRmSe9SGdtLIDXZbPI9VshGnEIkAYwQQ
    EQIAIwUCPQeItwMFAXgYBjxbXj5dK1tALl1jaXNjb1wuY29tPiQAAAoJEHCSmpxt
    wxghLBgAn2cjBC9yOd14unFoJrXv0eKixEQaAKCsDBGsECGI+ru8keXJ2zJYSOF+
    74kAnAQQAQEABgUCPQeFBwAKCRDABXqtD54lua3JBAC+O2uyXzj8wMTThpgeoeBT
    95u4Smug8G+tPVrrkqd2SK8zXlpscAGQugklXw7drmj2Ph8bwocnQxDWQH9kCApj
    eXCWGCBLZnsehghtkaofDq0wp7fugmDwhaRApsERHnRVlCNA/8vB5FMCBfJA6xkU
    riRTvxEmHn5uwcDYgzFJB4kARgQQEQIABgUCPQeGeQAKCRDiWkO6/UpTHtTYAKCA
    8pd5aARjTMjCBfXUL5HqesgeawCgh8pF7agO1H7E6YAoDEAcQK5QNVKJAEYEEBEC
    AAYFAj0HhoQACgkQl2/lZF+Q4SJPKQCg62cLZCePXBq9fn/CUTJa0GeDepkAnjgh
    YGC24VB+E5/4T3wsy98+tsgriQBjBBARAgAjBQI9D6uhAwUBeBgGPFtePl0rW0Au
    XWNpc2NvXC5jb20+JAAACgkQ+D/MIsL/eA1YdACgp7PGp51wgiA9+nRqF8Be826b
    4GYAoN0Xz7k6Vm2wtdANIMFc+11H5gdriQBGBBARAgAGBQI9F8wuAAoJEEkI6HrA
    ePTS7KcAoLcgqYzzNY1g1WK9q/D0cIzzHstFAKDcBTGI3DNtJ6wnqzecq5WPxnmk
    D7kCDQQ9B3L8EAgA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTp
    j0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39
    uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1Y
    TknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9
    fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCb
    AkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwACAgf/dfUAIBxFgArE2xwYooN3
    n6fkM/LIuVIzixkyNSgqH9KaOJ41cn8jncbdt31tyH++aK7mMuyQm7nkgy/B8U7w
    9xYORl1mOsgUSGylPLxo2vengnqBO+Ua5hcngfvLuDUV8N9Ai0TWPfyTveyRQSPY
    ODOapdU8uCk3dFiZpgfTBh7hqlLRiNpTXHEK8dNsEy/q2HqLx/9hTQMXWqViK17q
    CfmwRLO94W1RIk6+CTwIa6tN9+ZicthCHRvUTRxDLfuuyY7qrDa4QM6HFAO+NyN9
    Z9SeZSlbGoUN+AAEPZ9ej1T5Ca0WLCD9tF5a+ujN/GrSg2EidGUh/phZXYKYYsrh
    WYkAUgQYEQIAEgUCPQdy/AUJBb34gAUbDAAAAAAKCRCT0v8G8jZ1nP24AJ9nkeTV
    qE6/EOoOIuhxwtihvhea6wCgx6iK+imU7xZZDSGl9RudFTo08Ew=
    =UuaC
    -----END PGP PUBLIC KEY BLOCK-----



    Relevant Pages