11-08-2013 09:38 AM - edited 03-11-2019 08:02 PM
Hi Everyone,
I am checking this Cisco link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa for
DNS Inspection Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
To verify if the DNS ALPI engine is inspecting DNS packets over TCP, use the show running-config access-list <acl_name> command, where acl_name is the name of the access-list used in the class-map to which the DNS inspection is applied. This can be found by using the show running-config class-map and show running-config policy-map commands.
The following example shows Cisco ASA Software with the DNS ALPI engine configured to inspect DNS packets over TCP.
ciscoasa# show running-config access-list
[...]
access-list DNS_INSPECT_ACL extended permit tcp any any
[...]

OR

ciscoasa# show running-config access-list
[...]
access-list DNS_INSPECT_ACL extended permit ip any any
[...]

ciscoasa# show running-config class-map
!
class-map DNS_INSPECT_CP
 match access-list DNS_INSPECT
[...]

ciscoasa# show running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
[...]
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
!
Note: Cisco ASA Software will not inspect DNS packets over TCP by default.
I checked my ASA and ran the command
show running-config policy-map
policy-map global_policy
class inspection_default
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns
inspect http
inspect ftp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map map
class inspection_default
Does this confirm that this ASA is vulnerable?
Regards
Mahesh
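The check the advisory describes (find the class-map that carries "inspect dns", then see whether the ACL it matches permits tcp or ip) can be run automatically over saved show running-config output. The script below is an added example, not Cisco's or this thread's code; the two config excerpts are constructed, one modelled on the advisory's example and one on the default-inspection-only output posted above.

```python
import re

# Constructed ASA running-config excerpt modelled on the advisory's example
# (names taken from the advisory; this is not a capture from a real device).
TCP_DNS_CONFIG = """\
access-list DNS_INSPECT_ACL extended permit tcp any any eq domain
class-map DNS_INSPECT_CP
 match access-list DNS_INSPECT_ACL
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
"""

# Constructed excerpt shaped like the poster's output: default inspection only.
DEFAULT_ONLY_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
"""

def tcp_dns_inspection(config):
    """Return {class_map: acl} for every class-map with 'inspect dns' in a policy-map
    whose matched ACL permits 'tcp' or 'ip' (the advisory's condition); {} if none."""
    acl_protos, class_acl, dns_classes = {}, {}, set()
    section = name = None            # current top-level block and its name
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit (\S+)", line)
        words = line.split()
        if m:
            acl_protos.setdefault(m.group(1), set()).add(m.group(2).lower())
        elif not line.startswith(" "):   # a new top-level block starts here
            section = words[0] if len(words) > 1 and words[1] != "type" else None
            name = words[1] if section == "class-map" else None
        elif section == "class-map" and words[:2] == ["match", "access-list"]:
            class_acl[name] = words[2]
        elif section == "policy-map" and words[:1] == ["class"]:
            name = words[1]
        elif section == "policy-map" and name and words[:2] == ["inspect", "dns"]:
            dns_classes.add(name)
    return {cls: class_acl[cls] for cls in sorted(dns_classes)
            if cls in class_acl and acl_protos.get(class_acl[cls], set()) & {"tcp", "ip"}}
```

The default inspection_default class uses match default-inspection-traffic rather than an ACL, so it never appears in the result, which matches the advisory's note that DNS over TCP is not inspected by default.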
11-08-2013 10:23 AM
Hi,
The post says this
Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
So it says that if the ASA is configured to inspect DNS over TCP then it's vulnerable.
It also says
Note:
Cisco ASA Software will not inspect DNS packets over TCP by default.
And it seems you have not made any special configurations related to DNS inspection, therefore your ASA should not be inspecting DNS that is using TCP, and therefore it should not be vulnerable. At least that is how it seems to me.
- Jouni