Three new vulnerabilities in Cisco Adaptive Security Appliance
Cisco has fixed three vulnerabilities in Cisco Adaptive Security Appliance (ASA) Software: a Smart Call Home digital certificate validation vulnerability, a VPN failover command injection vulnerability, and a Clientless SSL VPN portal customization integrity vulnerability.
Administrators are advised to upgrade to a fixed release from the vendor's web site.
Danger level: Low
Fix available: Yes
Number of vulnerabilities: 3
CVSSv2 ratings (one vector per vulnerability, in the order listed below):
(AV:A/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:O/RC:C) = Base: 7.9 / Temporal: 5.8
(AV:A/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:O/RC:C) = Base: 4.8 / Temporal: 3.5
(AV:A/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:O/RC:C) = Base: 4.8 / Temporal: 3.5
CVE ID:
CVE-2014-3389
CVE-2014-3393
CVE-2014-3394
#1 System compromise in Cisco Adaptive Security Appliance (CVE-2014-3389)
VPN Failover Command Injection Vulnerability
Attack vector: Adjacent network (the attacker must be able to reach the failover interface)
Impact: System Compromise
Affected products:
Cisco ASA 5500 and Cisco ASA 5500-X Series Adaptive Security Appliances
Affected versions:
Cisco Adaptive Security Appliance (ASA) Software 7.x, 8.x, 9.x
Description:
[CVE-2014-3389] This vulnerability could allow an unauthenticated attacker with access to the failover network to take full control of a vulnerable system.
The vulnerability is due to insufficient validation of the messages exchanged over the failover interface. An attacker could exploit it by sending crafted failover packets to the IP address of the failover interface; successful exploitation allows the attacker to execute arbitrary commands on the target device.
NOTE: The device is exposed only when failover is configured, and successful exploitation requires that the system has been configured for routed firewall mode.
Solution: Upgrade to a fixed release from the vendor.
References:
http://tools.cisco.com/security/center/viewAlert.x?alertId=35912
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
#2 Security Bypass in Cisco Adaptive Security Appliance (CVE-2014-3393)
Clientless SSL VPN Portal Customization Integrity Vulnerability
Attack vector: Adjacent network
Impact: Security Bypass
Affected products:
Cisco ASA 5500 and Cisco ASA 5500-X Series Adaptive Security Appliances
Affected versions:
Cisco Adaptive Security Appliance (ASA) Software 8.x, 9.x
Description:
[CVE-2014-3393] The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability is due to improper authentication checks in the customization framework of the Clientless SSL VPN portal. An unauthenticated remote attacker could bypass these checks and modify the content the portal serves, which can then be used to attack users who connect to the portal.
Solution: Upgrade to a fixed release from the vendor.
References:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
http://tools.cisco.com/security/center/viewAlert.x?alertId=35917
#3 Security Bypass in Cisco Adaptive Security Appliance (CVE-2014-3394)
Smart Call Home Digital Certificate Validation Vulnerability
Attack vector: Adjacent network
Impact: Security Bypass
Affected products:
Cisco ASA 5500 and Cisco ASA 5500-X Series Adaptive Security Appliances
Affected versions:
Cisco Adaptive Security Appliance (ASA) Software 8.x, 9.x
Description:
[CVE-2014-3394] The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability is due to the way the device installs the VeriSign certificate used by Smart Call Home (SCH) when SCH is configured: the certificate authority that validates the SCH server becomes trusted for other certificate-based authentication as well. A certificate issued by that authority could therefore be accepted where it should not be, bypassing digital certificate validation.
Solution: Upgrade to a fixed release from the vendor.
References:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
http://tools.cisco.com/security/center/viewAlert.x?alertId=35918
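All three issues above are reachable only when the corresponding feature is configured (failover for CVE-2014-3389, the Clientless SSL VPN portal for CVE-2014-3393, Smart Call Home for CVE-2014-3394), so a useful first triage step is to check a saved `show running-config` dump for those features. The following script is an added example for this page, not Cisco's code; the sample configuration it embeds is constructed, not taken from a real device. It relies on standard ASA configuration syntax (`failover`, `failover interface ip`, `webvpn` with `enable <interface>`, `service call-home`). It does not decide whether the installed release is already fixed, because the fixed releases are not listed here; it only tells you which of the three exposures apply to a given configuration.

```python
"""Triage an ASA running-config dump for exposure to CVE-2014-3389/3393/3394."""
import re

# Constructed sample configuration (not a real device), used as the example input.
SAMPLE_CONFIG = """\
ASA Version 9.1(2)
!
hostname asa-edge
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
service call-home
call-home
 profile CiscoTAC-1
  active
!
webvpn
 enable outside
 anyconnect enable
!
"""


def _top_level(config: str) -> set:
    """Top-level (unindented) lines, stripped; used for exact keyword matches."""
    return {l.strip() for l in config.splitlines() if l and not l.startswith(" ")}


def _block(config: str, header: str) -> list:
    """Indented lines that belong to the top-level block named `header`."""
    out, inside = [], False
    for line in config.splitlines():
        if inside:
            if line.startswith(" "):
                out.append(line)
                continue
            inside = False
        if line.strip() == header:
            inside = True
    return out


def asa_version(config: str):
    m = re.search(r"^ASA Version (\S+)", config, re.M)
    return m.group(1) if m else None


def failover_enabled(config: str) -> bool:
    """CVE-2014-3389 is reached via the failover interface: a bare 'failover'
    line (and no 'no failover') means that attack path exists."""
    tops = _top_level(config)
    return "failover" in tops and "no failover" not in tops


def failover_interface_ip(config: str):
    """Active-unit failover IP, i.e. the address crafted packets would target."""
    m = re.search(r"^failover interface ip \S+ (\S+) ", config, re.M)
    return m.group(1) if m else None


def webvpn_enabled_interfaces(config: str) -> list:
    """Interfaces on which the SSL VPN (and hence the Clientless portal,
    CVE-2014-3393) listens: 'enable <ifname>' lines under 'webvpn'."""
    return [l.split()[1] for l in _block(config, "webvpn")
            if l.strip().startswith("enable ")]


def call_home_enabled(config: str) -> bool:
    """Smart Call Home (CVE-2014-3394) is switched on by 'service call-home'."""
    tops = _top_level(config)
    return "service call-home" in tops and "no service call-home" not in tops


def assess(config: str) -> dict:
    """Map each CVE to True when the feature it depends on is configured."""
    return {
        "CVE-2014-3389": failover_enabled(config),
        "CVE-2014-3393": bool(webvpn_enabled_interfaces(config)),
        "CVE-2014-3394": call_home_enabled(config),
    }


if __name__ == "__main__":
    print("ASA Software:", asa_version(SAMPLE_CONFIG))
    for cve, exposed in assess(SAMPLE_CONFIG).items():
        print(f"{cve}: {'feature configured, check fixed release' if exposed else 'feature not configured'}")
    if failover_enabled(SAMPLE_CONFIG):
        print("failover interface IP:", failover_interface_ip(SAMPLE_CONFIG))
```

A "True" result means the attack surface exists, not that the device is unpatched: compare the reported ASA Software version against the fixed releases in the Cisco advisory linked above before closing the ticket. Conversely, a device that has failover, the Clientless portal and Smart Call Home all disabled is not reachable by any of the three issues even before the upgrade.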
Manufacturer URLs (Cisco Systems, Inc):
http://www.cisco.com/…/product_data_sheet0900aecd802930c5.html
http://www.cisco.com/en/US/products/ps6120/