ASA Software 8.2(5.46) upgrade advice?

mahesh18
Level 6

Hi Everyone,

I am going to upgrade the ASA software on a 5520 ASA from 8.0 to 8.2(5.46) (asa825-46-k8.bin).

I checked the Cisco link

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

It says this software is affected by the bug

Remote Access VPN Authentication Bypass Vulnerability - CSCug83401

When I search for CSCug83401 on the website https://tools.cisco.com/bugsearch/bug/CSCug83401

it shows:

ASA Remote Access VPN Authentication Bypass Vulnerability

CSCug83401

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN
Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2013-5510 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Symptom:

Conditions:

Workaround:

Further Problem Description:

Customer Visible

The resolution of this defect introduces a change in behavior, or additional functionality, over previous releases

Last Modified: Feb 05, 2014

Status: Fixed

Severity: 3 Moderate

Product: Cisco ASA 5500-X Series Next-Generation Firewalls

Under Product it does not show ASA 5520, so does this mean that this software is not affected by this bug?

Need to confirm if anyone has seen any issues with this software?

With this software I do not need any NAT changes, right?

Regards

MAhesh

Accepted Solutions

Jouni Forss
VIP Alumni

Hi Mahesh,

Reading through the Cisco document it seems that you will only be affected by that particular VPN-related bug if you are using an LDAP server to authenticate the VPN users. So are you using an LDAP server? The document states that if you are using any other AAA method for the VPN users this bug/vulnerability does not apply.

The below quote from the document also states some other information that the possible attacker needs to know to exploit this bug/vulnerability. I bolded the section related to the AAA and also to the information that the user needs to have to use this exploit.

Remote Access VPN Authentication Bypass Vulnerability

A vulnerability in the authentication code of the remote access VPN feature of Cisco ASA Software could allow an unauthenticated, remote attacker to bypass the remote VPN authentication, which could allow remote access to the inside network.

The vulnerability is due to improper parsing of the LDAP response packet received from a remote AAA LDAP server when the override-account-disable option is configured in the general-attributes of the tunnel-group. An attacker could exploit this vulnerability by attempting to authenticate via remote VPN to the affected system. An exploit could allow the attacker to bypass the authentication and gain access to the network via remote VPN.

This vulnerability affects Cisco ASA Software configured for Clientless or AnyConnect SSL VPN, IKEv1 and IKEv2 Remote IPsec VPN and L2TP/IPsec VPN. Additionally an external AAA LDAP server should be in use for remote VPN authentication service. Cisco ASA Software using any other protocol for remote AAA service or local AAA server for authentication of remote VPN is not affected by this vulnerability. Cisco ASA Software configured for LAN-to-LAN VPN is not affected by this vulnerability.

For Cisco ASA Software configured with IKEv1 Remote IPsec VPN and L2TP/IPsec VPN the attacker must have knowledge of the tunnel-group password or hold a valid digital certificate in order to exploit this vulnerability. In all cases, an attacker must know a valid username to exploit this vulnerability.

The document also provides a chart which gives you both the software level needed to completely avoid this bug/vulnerability and the one needed to avoid all of the bugs/vulnerabilities.

The chart states that to avoid the bug/vulnerability that you are asking about you would need to upgrade to 8.2(5.46). The chart also states that to avoid all of the mentioned bugs/vulnerabilities you would have to upgrade to 8.2(5.46). So it seems to me that the software level that you mention is the software needed to correct all these problems.

Updating to this software should not cause any changes to NAT configuration format.

Naturally, as it is with any other update, there is always a risk that some bug is present that was not present in your previous software. We for example found one such bug this morning in one of the new software versions that we use. So I don't think anyone can guarantee the correct software level of the specific environment.

I don't think you will need any memory upgrades either.

But for specific information you should read through the release notes for Software 8.2 from this document:

www.cisco.com/c/en/us/td/docs/security/asa/asa82/release/notes/asarn82.html

- Jouni
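
The configuration conditions quoted from the advisory in the answer above can be checked against a saved running-config. This is an added example, not part of the original post and not Cisco tooling; the sample configuration, its names and addresses, and the function name `exposed_tunnel_groups` are constructed for illustration. It checks only the configuration preconditions (an LDAP AAA server group plus `override-account-disable` on a tunnel-group that is not LAN-to-LAN), not the software version.

```python
import re

# Constructed sample running-config (names and addresses are made up).
SAMPLE_CONFIG = """\
aaa-server CORP_LDAP protocol ldap
aaa-server CORP_LDAP (inside) host 192.0.2.10
aaa-server CORP_RADIUS protocol radius
tunnel-group RA_LDAP type remote-access
tunnel-group RA_LDAP general-attributes
 authentication-server-group (inside) CORP_LDAP LOCAL
 override-account-disable
tunnel-group RA_RADIUS type remote-access
tunnel-group RA_RADIUS general-attributes
 authentication-server-group CORP_RADIUS
 override-account-disable
tunnel-group RA_LDAP_NO_OVERRIDE type remote-access
tunnel-group RA_LDAP_NO_OVERRIDE general-attributes
 authentication-server-group CORP_LDAP
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 general-attributes
 default-group-policy L2L_POLICY
"""

def exposed_tunnel_groups(config):
    """Return tunnel-groups matching the advisory's conditions for CSCug83401."""
    ldap_groups = set(re.findall(r"^aaa-server (\S+) protocol ldap\s*$", config, re.M))
    types = dict(re.findall(r"^tunnel-group (\S+) type (\S+)\s*$", config, re.M))
    attrs = {}          # tunnel-group name -> lines of its general-attributes block
    current = None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) general-attributes\s*$", line)
        if m:
            current = m.group(1)
            attrs[current] = []
        elif line.startswith(" ") and current is not None:
            attrs[current].append(line.strip())
        else:
            current = None   # any other top-level line ends the sub-mode block
    exposed = []
    for name, lines in attrs.items():
        if types.get(name) == "ipsec-l2l":   # LAN-to-LAN is not affected
            continue                         # assumption: no type line = remote access
        auth = [l.split()[1:] for l in lines if l.startswith("authentication-server-group")]
        servers = {tok for toks in auth for tok in toks if not tok.startswith("(")}
        if "override-account-disable" in lines and servers & ldap_groups:
            exposed.append(name)
    return sorted(exposed)
```

On the constructed sample only `RA_LDAP` is reported: the RADIUS-backed group and the LDAP group without `override-account-disable` fall outside the conditions the advisory describes.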

Hi Jouni,

We are not using LDAP for VPN user authentication.

Thanks for explaining this Cisco bug to me in detail.

Will upgrade this software this weekend.

Best regards

MAhesh
