ICS-CERT. Industrial Control Systems Cyber Emergency Response Team.
TLP:WHITE

Advisory (ICSA-13-289-01)

Cisco ASA and FWSM Security Advisories

Original release date: October 16, 2013 | Last revised: December 17, 2013

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



Overview

On October 9, 2013, Cisco released two security advisories concerning multiple vulnerabilities within software for the following components:

  • Cisco Adaptive Security Appliance (ASA) hardware
  • Firewall Services Module (FWSM) Software for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

These devices are used by many organizations to provide essential network services, including control systems integration and operations. As such, it is essential that each organization assess their environment to determine the applicability of the risks, and apply appropriate mitigation techniques in accordance with Cisco’s guidance.

The noted vulnerabilities (denial of service (DoS) and remote authentication bypass) can directly impact the confidentiality, integrity, and availability of control systems. In addition to remediating the noted vulnerabilities, ICS-CERT advises organizations to employ multiple layers of security controls and monitoring (defense in depth) to minimize overall risk.

Affected Products

Cisco Firewall Services Module (FWSM) software for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by the following vulnerabilities:

  • Cisco FWSM Command Authorization Vulnerability
  • SQL*Net Inspection Engine Denial of Service Vulnerability

Cisco Adaptive Security Appliance (ASA) software is affected by the following vulnerabilities:

  • IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
  • SQL*Net Inspection Engine Denial of Service Vulnerability
  • Digital Certificate Authentication Bypass Vulnerability
  • Remote Access VPN Authentication Bypass Vulnerability
  • Digital Certificate HTTP Authentication Bypass Vulnerability
  • HTTP Deep Packet Inspection Denial of Service Vulnerability
  • DNS Inspection Denial of Service Vulnerability
  • AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
  • Clientless SSL VPN Denial of Service Vulnerability

Impact

The noted vulnerabilities are independent of each other; a software release that is affected by a particular vulnerability might not be impacted by another.

Firewall Services Module (FWSM) software for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers:

  • Successful exploitation of the Cisco FWSM Command Authorization Vulnerability may result in a complete compromise of the confidentiality, integrity and availability of the affected system.
  • Successful exploitation of the SQL*Net Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Cisco Adaptive Security Appliance (ASA) hardware:

  • Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability, and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
  • Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
  • Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Vulnerability Characterization & Mitigation

Please reference the Cisco advisories for additional vulnerability details and mitigation strategies. Cisco has released software updates that address these vulnerabilities. Consult the Cisco advisories for information on obtaining upgraded software.

NCCIC/ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks:

  • Disable any unnecessary features or services within the device running configuration;
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
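One way to act on the first measure above is to audit the ASA running configuration for the features this advisory names: the SQL*Net, HTTP and DNS inspection engines, and ASDM/HTTP management access permitted from any source address on an interface. The script below is an added example, not part of the advisory or Cisco's tooling; it assumes standard ASA configuration syntax, and the sample configuration embedded in it is constructed.

```python
"""Audit a Cisco ASA running-config for features named in ICSA-13-289-01.

Added example, not part of the advisory. Assumes standard ASA configuration
syntax; SAMPLE_CONFIG is constructed, not a real device's configuration.
"""

# Inspection engines this advisory lists as having DoS vulnerabilities.
RISKY_INSPECTS = {"sqlnet", "http", "dns"}

SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sqlnet
  inspect http
policy-map inside_policy
 class inside_class
  inspect dns
service-policy global_policy global
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
"""

def audit_asa_config(config):
    """Return ([(policy_map, class, engine), ...], [interfaces]) where the
    engines are risky inspects and the interfaces accept ASDM/HTTP management
    from any source address (0.0.0.0 0.0.0.0)."""
    inspects, exposed_mgmt = [], []
    policy = cls = None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line[0].isspace():  # top-level command: leaves any policy-map
            policy = tok[1] if tok[0] == "policy-map" and len(tok) == 2 else None
            cls = None
            if tok[0] == "http" and len(tok) == 4 and tok[1] == tok[2] == "0.0.0.0":
                exposed_mgmt.append(tok[3])
        elif policy and tok[0] == "class" and len(tok) == 2:
            cls = tok[1]
        elif policy and cls and tok[0] == "inspect" and len(tok) > 1 and tok[1] in RISKY_INSPECTS:
            inspects.append((policy, cls, tok[1]))
    return inspects, exposed_mgmt
```

Run it against a saved `show running-config` with `audit_asa_config(open(path).read())`; each reported inspect is a candidate for `no inspect <engine>` under its class if the protocol is not needed, and each reported interface should have its `http` statement narrowed to management hosts.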


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: http://ics-cert.us-cert.gov
For incident reporting: https://ics-cert.us-cert.gov/Report-Incident?
