Executive Summary
Cisco Systems, Inc. (“Cisco”) has released advisories detailing multiple vulnerabilities in Cisco Adaptive Security Appliance (“ASA”) Software that, if successfully exploited, could potentially allow a threat actor to bypass client certificate verification when creating connections to the affected device, cause an affected device to crash, or view potentially sensitive data on a device. The Allen-Bradley® Stratix® 5950 uses Cisco ASA Software as its central operating system; this enables the security device to offer capabilities that include proactive threat defense for industrial control systems.
Customers using affected versions of this product are encouraged to evaluate the mitigations provided below and apply any appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided below.
Affected Products
Allen-Bradley® Stratix® 5950 Security Appliance
(Cisco Adaptive Security Appliance v9.6.2 and earlier)
- 1783-SAD4T0SBK9
- 1783-SAD4T0SPK9
- 1783-SAD2T2SBK9
- 1783-SAD2T2SPK9
Vulnerability Details
Vulnerability #1: Flow Creation Denial of Service Vulnerability
A vulnerability in the ingress flow creation functionality of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to drive CPU utilization up to 100 percent, causing a denial of service (DoS) condition on an affected system.
The vulnerability is due to incorrect handling of an internal software lock that could prevent other system processes from getting CPU cycles, causing a high CPU condition. A threat actor could exploit this vulnerability by sending a steady stream of malicious IP packets that can cause connections to be created on the targeted device. A successful exploit could allow the threat actor to exhaust CPU resources, resulting in a DoS condition during which traffic through the device could be delayed. This vulnerability applies to either IPv4 or IPv6 ingress traffic either to or across an affected device.
CVE-2018-0228 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #2: Virtual Private Network SSL Client Certificate Bypass Vulnerability
A vulnerability in the Secure Sockets Layer (SSL) Virtual Private Network (VPN) Client Certificate Authentication feature for Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote threat actor to establish an SSL VPN connection and bypass certain SSL certificate verification steps.
The vulnerability is due to incorrect verification of the SSL Client Certificate. A threat actor could exploit this vulnerability by connecting to the ASA VPN without a proper private key and certificate pair. A successful exploit could allow the threat actor to establish an SSL VPN connection to the ASA when the connection should have been rejected.
CVE-2018-0227 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.
Vulnerability #3: Transport Layer Security Denial of Service Vulnerability
A vulnerability in the Transport Layer Security (TLS) library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote threat actor to trigger a reload of the affected device resulting in a denial of service (DoS) condition.
The vulnerability is due to insufficient validation of user-supplied input. A threat actor could exploit this vulnerability by sending a malicious TLS message to an interface enabled for Secure Sockets Layer (SSL) services on an affected device. Messages using SSL Version 3 (SSLv3) or SSL Version 2 (SSLv2) cannot be used to exploit this vulnerability. An exploit could allow the threat actor to cause a buffer underflow, triggering a crash on an affected device.
CVE-2018-0231 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #4: Application Layer Protocol Inspection Denial of Service Vulnerabilities
Multiple vulnerabilities in the Application Layer Protocol Inspection feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote threat actor to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.
The vulnerabilities are due to logical errors during traffic inspection. A threat actor could exploit these vulnerabilities by sending a high volume of malicious traffic across an affected device. An exploit could allow the threat actor to cause a deadlock condition, resulting in a reload of an affected device.
CVE-2018-0240 has been assigned to these vulnerabilities. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #5: Web Services Denial of Service or Potential Sensitive Information Disclosure
A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote threat actor to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but a threat actor could view sensitive system information without authentication by using directory traversal techniques.
The vulnerability is due to lack of proper input validation of the HTTP URL. A threat actor could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the threat actor to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic.
CVE-2018-0296 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H.
Risk Mitigation & User Action
Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and, when possible, to combine this guidance with the general security guidelines below so that multiple strategies are employed simultaneously.
Update the Stratix 5950 per the table below:
Vulnerability | Suggested Actions |
--- | --- |
#1: Flow Creation Denial of Service Vulnerability | Apply FRN v6.4.0 (Download) |
#2: Virtual Private Network SSL Client Certificate Bypass Vulnerability | Apply FRN v6.4.0 (Download) |
#3: Transport Layer Security Denial of Service Vulnerability | Apply FRN v6.4.0 (Download) |
#4: Application Layer Protocol Inspection Denial of Service Vulnerabilities | Apply FRN v6.4.0 (Download) |
#5: Web Services Denial of Service or Potential Sensitive Information Disclosure | Apply FRN v6.4.0 (Download) |
Secondary Mitigations include the following:
- #1: Flow Creation Denial of Service Vulnerability: The ASA and FTD configuration commands set connection per-client-embryonic-max (TCP) and set connection per-client-max (TCP, UDP, and Stream Control Transmission Protocol {SCTP}) can be configured to limit the number of connection requests allowed per client. Using these configuration parameters can reduce the number of connections created and greatly reduce the impact of the DoS attack.
- #5: Web Services Denial of Service or Potential Sensitive Information Disclosure: Cisco has released Snort Rule 46897.
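The per-client connection limits named for Vulnerability #1 are applied on the ASA through a Modular Policy Framework class inside the default global policy. The fragment below is an added illustration, not configuration from this advisory or from Rockwell Automation; the class-map name CONN_LIMIT_CLASS is hypothetical and the numeric limits are constructed placeholders that must be sized to the real traffic profile of the cell/area zone before use.

```cisco
! Added example: per-client connection limits for the flow-creation DoS (Vulnerability #1).
! Class-map name and limit values are placeholders, not values from the advisory.
class-map CONN_LIMIT_CLASS
 match any
!
! global_policy is the ASA default policy-map; the new class is added alongside
! the existing inspection_default class rather than replacing it.
policy-map global_policy
 class CONN_LIMIT_CLASS
  ! per-client-max caps established TCP/UDP/SCTP connections from one client.
  ! per-client-embryonic-max caps half-open TCP connections from one client.
  ! Placeholder values: raise or lower them to match legitimate device behaviour.
  set connection per-client-max 100 per-client-embryonic-max 20
!
! Already present on a default ASA configuration; shown so the policy is known to be active.
service-policy global_policy global
```

After applying the change, `show service-policy` reports the class and its connection-limit counters, which is the quickest way to confirm the limit is being enforced and to see whether legitimate clients are hitting it.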
General Security Guidelines
- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- [ICS-CERT] ICSA-18-184-01 Advisory by ICS-CERT for Rockwell Automation Allen-Bradley Stratix 5950
- [Cisco Systems Inc.] Cisco Adaptive Security Appliance Flow Creation Denial of Service Vulnerability
- [Cisco Systems Inc.] Cisco Adaptive Security Appliance VPN SSL Client Certificate Bypass Vulnerability
- [Cisco Systems Inc.] Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability
- [Cisco Systems Inc.] Cisco Adaptive Security Appliance Application Layer Protocol Inspection Denial of Service Vulnerability
- [Cisco Systems Inc.] Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability