SB2018042304 - Multiple vulnerabilities in Cisco ASA 5500-X Series
Published: April 23, 2018 Updated: April 23, 2018
Description
This security bulletin contains information about 8 security vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2018-0230)
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system. The weakness exists in the internal packet-processing functionality due to improper validation of IP Version 4 (IPv4) and IP Version 6 (IPv6) packets after the software reassembles them. A remote attacker can send a series of malicious, fragmented IPv4 or IPv6 packets, causing Snort processes to hang at 100% CPU utilization, which can stop the device from processing traffic and cause the service to crash.
2) Cross-site scripting (CVE-ID: CVE-2018-0251)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The weakness exists in the Web Server Authentication Required screen of the Clientless Secure Sockets Layer (SSL) VPN portal due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
3) Cross-site scripting (CVE-ID: CVE-2018-0242)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The weakness exists in the WebVPN web-based management interface due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
4) Business logic errors (CVE-ID: CVE-2018-0240)
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system. The weakness exists in the Application Layer Protocol Inspection feature due to logical errors during traffic inspection. A remote attacker can send a high volume of malicious traffic, trigger a deadlock condition and cause the service to crash.
5) Buffer underflow (CVE-ID: CVE-2018-0231)
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.
The weakness exists in the Transport Layer Security (TLS) library due to insufficient validation of user-supplied input. A remote attacker can send a malicious TLS message to an interface enabled for the Secure Sockets Layer (SSL) service, trigger a buffer underflow and cause the service to crash.
6) Resource exhaustion (CVE-ID: CVE-2018-0228)
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system. The weakness exists in the ingress flow creation functionality due to incorrect handling of an internal software lock, which can prevent other system processes from getting CPU cycles and cause a high CPU condition. A remote attacker can send a steady stream of malicious IP packets that cause connections to be created, exhaust CPU resources and cause the service to crash.
7) Improper certificate validation (CVE-ID: CVE-2018-0227)
The vulnerability allows a remote unauthenticated attacker to bypass security restrictions on the target system. The weakness exists in the Secure Sockets Layer (SSL) Virtual Private Network (VPN) Client Certificate Authentication feature due to incorrect verification of the SSL client certificate. A remote attacker without a proper private key and certificate pair can connect to the ASA VPN, establish an SSL VPN connection to the ASA when the connection should have been rejected, and thereby bypass certain SSL certificate verification steps.
8) Session fixation (CVE-ID: CVE-2018-0229)
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information. The weakness exists in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication because the ASA or FTD Software has no mechanism to detect that the authentication request originates directly from the AnyConnect client. A remote attacker can trick the victim into clicking a specially crafted link and authenticating with the company's Identity Provider (IdP), hijack the resulting valid authentication token, use it to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software, and gain access to potentially sensitive information.
Remediation
Install the update from the vendor's website.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-fp2100
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asawvpn2
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asawvpn
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa_inspect
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa3
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa2
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa1
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnec...