Cisco Blog » The Platform

Monday, June 1, 2015

Cisco Notification Alert -ASA 5500 Series NG Firewall-01-Jun-2015 17:10 GMT

End-of-Sale and End-of-Life Announcements for ASA 5500-X Series Next-Generation Firewalls

Title:
End-of-Sale and End-of-Life Announcement for the Cisco ASA CX Context-Aware Security and Cisco Prime Security Manager
Description:

Cisco announces the end-of-sale and end-of-life of the Cisco ASA CX Context-Aware Security and Cisco Prime Security Manager. The last day to order the affected product(s) is August 17, 2015. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of the customers' service contract.

Date:
18-MAY-2015

Find additional information in End-of-Sale and End-of-Life Products

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
New File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
22-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
29-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.6.1 Interim
Alert Type:
Obsolete File
File Name:
asa861-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-12-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-14-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-2-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015
Find additional information in Software Downloads index.
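The obsolete-file entries in this alert (and the ones that follow for the 5510, 5520, 5505 and 5512-X) are only useful if they are checked against what is actually booted in the estate. The script below is an added example, not Cisco tooling and not part of the original notification: it parses the alert's "Alert Type / File Name / Obsolete Date" field layout, decodes the ASA image naming scheme the listing uses (asa861-5-smp-k8.bin is release 8.6.1, interim 5, SMP build), and flags any firewall whose `show version` output reports an obsoleted image. The alert excerpt, the host names `fw-dc1`/`fw-dc2` and the `show version` fragments are constructed for the demo; the `System image file is "..."` line is the real ASA `show version` format, and the image-name decoding is inferred from the file names and release versions printed in the alert above.

```python
"""Cross-check deployed ASA images against the Obsolete File entries of a
Cisco notification alert.

Added example, not Cisco tooling. ALERT_TEXT, INVENTORY and the host names
are constructed for the demo; only the field layout and the image file
names follow the notification above.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the alert's own layout: "Key:" on one line, the value
# on the next, with a blank-padded File Description paragraph in between.
ALERT_TEXT = """\
Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.6.1 Interim
Alert Type:
Obsolete File
File Name:
asa861-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
New File
File Name:
asa916-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015
"""

# One record = Alert Type, File Name, and the date line that closes it
# (Obsolete Date for withdrawn images, File Release Date for new ones).
_RECORD = re.compile(
    r"Alert Type:\n(?P<kind>[^\n]+)\nFile Name:\n(?P<file>[^\n]+)\n"
    r".*?(?:Obsolete Date|File Release Date):\n(?P<date>[^\n]+)",
    re.DOTALL,
)

# Image names in the alert encode the train: asa<maj><min><maint>-<interim>[-smp]-k8.bin
# (the k-suffix is kept generic; the alert only lists k8 builds).
_IMAGE = re.compile(r"^asa(\d)(\d)(\d)-(\d+)(-smp)?-k\d\.bin$")

# ASA `show version` reports the booted image as:
#   System image file is "disk0:/asa861-5-smp-k8.bin"
_SYS_IMAGE = re.compile(r'System image file is "(?:[^"/]+/)?([^"/]+)"')


def parse_alert(text: str) -> List[Dict[str, str]]:
    """Return one dict per file entry: kind, file, date."""
    return [
        {"kind": m["kind"].strip(), "file": m["file"].strip(), "date": m["date"].strip()}
        for m in _RECORD.finditer(text)
    ]


def image_version(file_name: str) -> Optional[Tuple[str, int, bool]]:
    """Decode 'asa861-5-smp-k8.bin' -> ('8.6.1', 5, True); None for non-ASA files."""
    m = _IMAGE.match(file_name)
    if not m:
        return None
    maj, minor, maint, interim, smp = m.groups()
    return (f"{maj}.{minor}.{maint}", int(interim), smp is not None)


def running_image(show_version: str) -> Optional[str]:
    """Extract the booted image file name from `show version` output."""
    m = _SYS_IMAGE.search(show_version)
    return m.group(1) if m else None


def find_obsolete(inventory: Dict[str, str], alert_text: str) -> Dict[str, Dict[str, str]]:
    """Map host -> alert record for every host booted from an obsoleted image."""
    obsolete = {r["file"]: r for r in parse_alert(alert_text) if r["kind"] == "Obsolete File"}
    hits: Dict[str, Dict[str, str]] = {}
    for host, output in inventory.items():
        img = running_image(output)
        if img in obsolete:
            hits[host] = obsolete[img]
    return hits


# Constructed `show version` fragments for two hypothetical firewalls.
INVENTORY = {
    "fw-dc1": 'Cisco Adaptive Security Appliance Software Version 8.6(1)5\n'
              'System image file is "disk0:/asa861-5-smp-k8.bin"\n',
    "fw-dc2": 'Cisco Adaptive Security Appliance Software Version 9.1(6)4\n'
              'System image file is "disk0:/asa916-4-smp-k8.bin"\n',
}

if __name__ == "__main__":
    for host, rec in find_obsolete(INVENTORY, ALERT_TEXT).items():
        ver, interim, smp = image_version(rec["file"])
        build = "smp" if smp else "single-core"
        print(f"{host}: {rec['file']} ({ver} interim {interim}, {build}) obsoleted {rec['date']}")
```

Feed the full alert text and a collected set of `show version` outputs to `find_obsolete`; a hit means the device is running an image Cisco has withdrawn from download, so it should be moved to the current interim of its train (9.1.6 interim 4 here) before the next maintenance window, and the image pulled from the mirror the change process draws from. Note that an obsoleted file is not by itself a statement about vulnerabilities; that information is in the release note and Cisco security advisories, not in this notification.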

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-40-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-25-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-13-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-39-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-41-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-37-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-34-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
Obsolete File
File Name:
asa847-23-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-15-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-22-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-3-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
7.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa725-10-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-12-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-2-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-8-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-7-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.0.5 Interim
Alert Type:
Obsolete File
File Name:
asa805-20-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-27-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-23-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-25-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Cisco Network Assistant
Release Version:
6.2.0
Alert Type:
New File
File Name:
cna-windows-k9-installer-6-2-0-en.exe
File Description:

Network Assistant English Installer

File Release Date:
27-MAY-2015
Alert Type:
New File
File Name:
cna-mac-k9-installer-6-2-0-en.zip
File Description:

Network Assistant English Mac Installer

File Release Date:
27-MAY-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.0.5 Interim
Alert Type:
Obsolete File
File Name:
asa805-25-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-27-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-20-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-23-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
Obsolete File
File Name:
asa847-15-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-23-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-3-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-22-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-37-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-40-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-13-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-34-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-39-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-25-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-41-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
7.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa725-10-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-2-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-8-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-12-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-7-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-34-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-39-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-13-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-41-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-25-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-37-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-40-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.0.5 Interim
Alert Type:
Obsolete File
File Name:
asa805-25-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-23-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-20-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-27-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
Obsolete File
File Name:
asa847-22-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-23-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-3-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-15-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
7.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa725-12-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-8-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-7-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-10-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-2-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.6.1 Interim
Alert Type:
Obsolete File
File Name:
asa861-14-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-12-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-2-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
29-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
New File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
22-MAY-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Cisco Network Assistant
Release Version:
6.2.0
Alert Type:
New File
File Name:
cna-windows-k9-installer-6-2-0-en.exe
File Description:

Network Assistant English Installer

File Release Date:
27-MAY-2015
Alert Type:
New File
File Name:
cna-mac-k9-installer-6-2-0-en.zip
File Description:

Network Assistant English Mac Installer

File Release Date:
27-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Cisco Network Assistant
Release Version:
6.2.0
Alert Type:
New File
File Name:
cna-windows-k9-installer-6-2-0-en.exe
File Description:

Network Assistant English Installer

File Release Date:
27-MAY-2015
Alert Type:
New File
File Name:
cna-mac-k9-installer-6-2-0-en.zip
File Description:

Network Assistant English Mac Installer

File Release Date:
27-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
7.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa725-10-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-7-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-2-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-12-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-8-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
Obsolete File
File Name:
asa847-22-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-23-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-3-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-15-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.0.5 Interim
Alert Type:
Obsolete File
File Name:
asa805-25-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-27-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-23-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-20-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-25-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-37-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-34-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-40-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-13-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-41-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-39-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
New File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
22-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.6.1 Interim
Alert Type:
Obsolete File
File Name:
asa861-2-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-14-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-12-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
29-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
Obsolete File
File Name:
asa847-15-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-22-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-23-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-20 and ASA5580-40. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-33-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-20 and ASA5580-40. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-40-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-20 and ASA5580-40. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-20 and ASA5580-40. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-39-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-20 and ASA5580-40. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-25-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-20 and ASA5580-40. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-41-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-20 and ASA5580-40. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-34-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-20 and ASA5580-40. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-37-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-20 and ASA5580-40. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
Obsolete File
File Name:
asa847-23-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-22-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-15-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
29-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
New File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
22-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.6.1 Interim
Alert Type:
Obsolete File
File Name:
asa861-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-14-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-12-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-2-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
29-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
New File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
22-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-34-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-40-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-39-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-13-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-25-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-41-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa832-37-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note: the ASA 5505, 5510, 5520, and 5540 may require a memory upgrade before loading the 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
Obsolete File
File Name:
asa847-3-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-22-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-15-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa847-23-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
7.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa725-8-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-12-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-2-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-10-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa725-7-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.0.5 Interim
Alert Type:
Obsolete File
File Name:
asa805-23-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-27-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-25-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa805-20-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.4.2
Alert Type:
New File
File Name:
asdm-742.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, and 9.4.

File Release Date:
07-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.6.1 Interim
Alert Type:
Obsolete File
File Name:
asa861-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-12-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-2-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015
Alert Type:
Obsolete File
File Name:
asa861-14-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, ASA5515-x, ASA5525-x, ASA5545-x, and ASA5555-x. Please read the Release Note prior to downloading this release.

Obsolete Date:
28-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
29-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
New File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
22-MAY-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-MAY-2015

Known Bugs - ASA 5500-X Series Next-Generation Firewalls

Bug Id:
CSCua91189
Title:
Traceback in CP Processing when enabling H323 Debug
Description:

Symptom:
ASA may generate a traceback in Thread Name: CP Processing
Conditions:
This has been seen on ASA running 8.4.3, with the following debugs running:
debug h323 gup asn
debug h323 gup event
debug h323 h225 asn
debug h323 h225 event
debug h323 h245 asn
debug h323 h245 event
debug h323 ras asn
debug h323 ras event
Workaround:
No known workaround at this time

Status:
Fixed
Severity:
2 Severe
Last Modified:
02-MAY-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
100.7(13.99), 100.7(24.2), 100.7(6.96), 100.8(0.237), 100.8(11.39), 100.8(27.20), 100.8(33.23), 100.8(34.1), 100.8(38.1), 100.8(39.1)
Bug Id:
CSCut30741
Title:
ASA redirection to Scansafe tower fails with log id "775002" in syslog
Description:

Symptom:
ASA redirection to Scansafe tower fails with log id "775002" in syslog even when the platform limit for connections was not reached.

Conditions:
Was noticed in version 9.0(2) but could affect any release.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
02-MAY-2015
Known Affected Releases:
9.0(2)
Known Fixed Releases:
100.11(0.57), 100.12(0.116), 100.13(0.52), 100.13(21.9), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.9), 100.14(26.4)
Bug Id:
CSCus78450
Title:
Certificate Validation Failure after upgrade post 9.1.5(12)
Description:

Symptom:
--Certificate Validation Failure message on user PC after upgrading the ASA to any version in 9.1.5(x) post 9.1.5(12)
--The debug crypto ca 255 shows the following message:
CRYPTO_PKI: Certificate validation: Failed, status: 530CRYPTO_PKI: PKI Verify Cetificate Check Cert Revocation unknown error 530
CRYPTO_PKI: PKI Verify Certificate error. No trust point found

Conditions:
ASA running any version above 9.1.5(12) using server-side certificate authentication with ID certificate issued by a third party CA.

Workaround:
--Remove all the configured trustpoints and re-build them by importing the chain.
--Use a self-signed certificate

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
02-MAY-2015
Known Affected Releases:
9.1(5.16)
Known Fixed Releases:
100.11(0.58), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.21)
Bug Id:
CSCus91407
Title:
Network Object NAT is not working when config-register == 0x41
Description:

Symptom:
NAT rule configured under the network object is not processed

Conditions:
config-register configured to 0x41

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
02-MAY-2015
Known Affected Releases:
8.4(7), 9.0(4), 9.1(5)
Known Fixed Releases:
100.11(0.57), 100.12(0.116), 100.13(0.51), 100.13(21.8), 100.14(0.3), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.8), 100.14(26.3)
Bug Id:
CSCum35118
Title:
ASA:Traceback in Thread Name: DATAPATH-23-2334
Description:

Symptom:
ASA (8.4.5) crashed in Thread Name: DATAPATH-23-2334

Conditions:
First observed in ASA running 8.4.5.

Deleting a threat-detection policy while it is still in use and live traffic is passing through the network. This can include reconfiguration or failover syncing.

Workaround:
Shut down the interfaces and run "clear local-host all" before making changes to the threat-detection policy.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
02-MAY-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases:
100.10(9.5), 100.11(4.1), 100.7(6.129), 100.8(38.114), 100.8(40.60), 100.8(56.20), 100.8(62.2), 100.8(64.1), 100.8(65.3), 100.8(66.3)
Bug Id:
CSCty54953
Title:
ASA Continuously rebooting due to failed identification test
Description:

Symptom:
ASA 5585 reloads because of a Failed Identification test during boot. This can cause the ASA 5585 to get stuck in a continuous boot loop.

Conditions:
This issue is seen right after the ASA 5585 boots up. It is caused by a memory corruption issue which is very difficult to reproduce and is seen extremely rarely. The root cause affects the ASA 5585 platform only; other ASA platforms are not impacted.

Workaround:
A power cycle of the ASA might resolve the issue and cause the ASA to boot up fine.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
03-MAY-2015
Known Affected Releases:
100.8(0.69), 100.8(0.85), 8.2(5.41)
Known Fixed Releases:
100.7(13.66), 100.7(20.4), 100.7(21.3), 100.7(6.71), 100.8(0.105), 100.8(11.16), 100.8(27.2), 100.8(33.2), 100.8(36.1), 100.9(0.1)
Bug Id:
CSCur75925
Title:
ASA-SM A/A fover auto MAC address change causes i/f monitoring to fail
Description:

Symptom:
Interface monitoring stops working as expected on upgrading ASA in Active/Active failover if Standby ASA is upgraded following the zero-downtime upgrade procedure. All monitored interfaces on Standby ASA will be in either 'Normal (waiting)' or 'Failed (waiting)' state.

Conditions:
ASAs configured in Active/Active failover with one ASA upgraded to 8.4(6)/9.0(2) or higher.

Workaround:
1) Make the ASA-SM Primary active for both groups, and perform 'wr erase' on the secondary ASA-SM followed by a reload.

2) Once the secondary ASA-SM comes back online, configure the failover commands, let it sync with the primary, and bring the pair back to active/active.

3) Alternatively, perform the upgrade with interface monitoring disabled: disable interface monitoring for all monitored interfaces, upgrade the active ASA, and then re-enable interface monitoring.

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
04-MAY-2015
Known Affected Releases:
8.4(6), 8.5(1), 9.1(4), 9.1(5)
Known Fixed Releases:
Bug Id:
CSCut89307
Title:
ASA crash in Checkheaps whilst updating the IPSEC SA
Description:

Symptom:
ASA crash in Checkheaps whilst updating the IPSEC SA

Conditions:
ASA running code version 8.4.3 crashes when IPsec configuration is enabled on the outside interface.

Workaround:
No workaround

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
04-MAY-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
Bug Id:
CSCui19504
Title:
ASA: HA state progression failure after reload of both units in HA
Description:

Symptom:
On secondary device the failover gets disabled with 'HA state progression failed' reason.

Conditions:
ASAs configured as a failover pair running version 9.1.2 with the IPS software module.
First reload the secondary (standby) ASA; a few seconds later, reload the primary ASA.

Workaround:
Enable failover manually on secondary unit after devices boot.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
04-MAY-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases:
100.10(0.12), 100.10(1.21), 100.10(2.1), 100.8(27.91), 100.8(38.33), 100.8(41.2), 100.8(45.2), 100.8(46.1), 100.8(49.1), 100.8(51.1)
Bug Id:
CSCtk68555
Title:
1550 and 256 byte blocks may leak to 0 causing failover and data issues
Description:

Symptom:

ASA failover will fail with one box marked as failed and the other marked as active. All syslogs will fail and all or most through the box traffic will fail.

Conditions:

ASA running 8.3.2 with logging standby configured while there are no standby IP addresses configured on the interface where the syslog server lives, or there is no IP address configured on the ACTIVE interface on which the syslog server resides (incomplete configuration).

You will see the 1550 and 256 byte blocks reach zero under the "show blocks" output of the standby ASA. This is technically a misconfiguration: in the case of a failover pair, you should have standby IPs configured if you choose to configure logging standby.

Workaround:

Configure standby IP addresses on the active ASA. This will allow the standby ASA to communicate with the syslog server.

Status:
Other
Severity:
2 Severe
Last Modified:
04-MAY-2015
Known Affected Releases:
8.3(2), 8.4(1)
Known Fixed Releases:
Bug Id:
CSCus06652
Title:
ASA5580-20 8.4.7.23: Traceback in Thread Name: ssh
Description:

Symptom:
Both Active and Standby ASA units traceback in Thread Name: ssh when adding an extended ACL.

Conditions:
This was found on an Active/Standby pair of ASA5580-20 running v8.4(7)23

Workaround:
Make sure that any class configured to match an ACL has at least one element in it.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
05-MAY-2015
Known Affected Releases:
8.4(7.23), 9.1(5.19)
Known Fixed Releases:
100.11(0.55), 100.12(0.111), 100.13(0.15), 100.13(1.35), 100.13(19.9), 100.13(20.5), 100.13(21.5), 100.13(23.4), 100.13(24.3), 100.7(6.138)
Bug Id:
CSCum60784
Title:
ASA traceback on NAT assert on file nat_conf.c
Description:

Symptom:
The ASA may traceback and reload when making changes to crypto IPSec SAs.

Conditions:
This issue was first observed with VPN tunnels, NAT and LDAP authentication enabled on the ASA. The problem seems to be related to a communication issue between these features.

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
05-MAY-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:
100.10(0.76), 100.10(2.7), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.10(9.6), 100.7(6.128), 100.7(6.129), 100.8(38.109), 100.8(38.119)
Bug Id:
CSCus63993
Title:
ASA - Traceback in thread name: CERT API
Description:

Symptom:
ASA traceback with thread name CERT API when trying to connect to ASA with AnyConnect Client.

Conditions:
NA

Workaround:
NA

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
05-MAY-2015
Known Affected Releases:
9.2(2.4), 9.2(3)
Known Fixed Releases:
100.11(0.56), 100.12(0.115), 100.13(0.44), 100.13(20.12), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.7)
Bug Id:
CSCus89013
Title:
Multiple Child SAs created
Description:

Symptom:
Multiple Child SAs created:

BXB-3-5520-ASA3(config)# show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:65, Status:UP-ACTIVE, IKE count:1, CHILD count:903

Tunnel-id Local Remote Status Role
162705863 80.1.1.1/500 70.1.1.1/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/5804 sec
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0x3c02014/0x23cc61ca
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0x755d4447/0x1f426716
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0xb196ff93/0x9fbacd9c
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0xba728d67/0x6e159e3d
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0xec951076/0x4d20bdd6
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0x80dc69fe/0x9a072e95
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0xc719b56e/0xf1e350a3
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0x4ebdbb5d/0x89d5e9c2

Conditions:
Create a crypto map with two sequence numbers and then try to connect via the 2nd sequence number, with the 1st sequence number not matching on both peers.

Workaround:
Connect via the crypto map's first sequence number.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
05-MAY-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Bug Id:
CSCuq03645
Title:
ASA-SM: Vlans assigned are not recognized by the configuration
Description:

Symptom:
VLANs assigned to the ASA are pushed down and appear in the output of "show vlan", but they cannot be configured because the ASA does not recognize the VLAN when you attempt to configure it.

Conditions:
Was first noticed in an ASA-SM running 8.5(1)11 in multi-context mode.

Workaround:
Reload the ASA.

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
05-MAY-2015
Known Affected Releases:
8.5(1.11)
Known Fixed Releases:
Bug Id:
CSCus62884
Title:
ASA 9.1.5 does not always drop connections after receiving RST+ACK flag
Description:

Symptom:
ASA does not always drop connections after receiving RST+ACK flag

Conditions:
The problem occurs when the server receives duplicate SYN packets from the client and replies to both SYNs.

Example

Server packets

client -> server SYN (seq=3922308568) ------> 1st SYN
client -> server SYN (seq=3922308568) --------> 2nd SYN
client <- server SYN+ACK (seq=3220609139 ACK=3922308569) ------> reply for 1st SYN
client <- server RST+ACK (seq=0 ACK=3922308569) ----------> reply for the 2nd SYN


Firewall packets

client -> server SYN (seq=3922308568)
client <- server SYN+ACK (seq=3220609139 ACK=3922308569) ------> reply for 1st SYN
client <- server RST+ACK (seq=0 ACK=3922308569) ----------> reply for the 2nd SYN, which the Firewall never saw

In both the working and the non-working scenario, the Firewall always sends one SYN packet.

Workaround:
TCP state bypass

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
05-MAY-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.11(0.57), 100.12(0.115), 100.13(0.46), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.7), 100.14(26.2)
Bug Id:
CSCui55190
Title:
Failover cluster traceback while modifying object groups via SSH
Description:

Symptom:
ASA in the failover cluster crashes when trying to modify or push the object-group through SSH, and also via CSM 4.4 SP1.

Conditions:
ASA crashes while modifying or pushing a new object group from CSM.

Workaround:
No known workaround as of now.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
05-MAY-2015
Known Affected Releases:
8.4(7), 9.0(2)
Known Fixed Releases:
100.10(0.20), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.45), 100.8(40.29), 100.8(45.4), 100.8(46.11), 100.8(48.1), 100.8(51.1)
Bug Id:
CSCue90343
Title:
ASA 9.0.1 & 9.1.1 - 256 Byte Blocks depletion
Description:

Symptom:
Entry seen in logs:
--------------------------
ASA-3-321007 System is low on free memory blocks of size 256 (0 CNT out of 3636 MAX)


Output from "show blocks":
---------------------------------------
SIZE MAX LOW CNT INUSE HIGH
0 2200 2198 2200 0 1
4 100 99 99 0 0
80 1000 998 1000 0 2
256 2100 0 0 0 2
1550 6274 6232 6271 1 40
2048 100 100 100 0 0
2560 164 164 164 0 0
4096 100 100 100 0 0
8192 100 100 100 0 0
9344 100 100 100 0 0
16384 100 100 100 0 0


Possible problems with:
--------------------------------
--Stateful failover,
--Syslog messages,
--TCP Module
--connecting to the ASA with SSH (telnet works fine); the issue persists until a power cycle, and a reload from the CLI might not work

Conditions:
ASA 9.0.1 and 9.1.1

EtherChannel configured with Active mode of LACP (Link Aggregation Control Protocol)

Workaround:
Not known at this moment

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
05-MAY-2015
Known Affected Releases:
9.0(1), 9.1(1)
Known Fixed Releases:
100.10(0.6), 100.8(27.83), 100.8(38.18), 100.8(40.6), 100.8(41.2), 100.8(60.13), 100.9(0.45), 100.9(10.1), 100.9(6.28), 100.9(7.23)
Bug Id:
CSCut24720
Title:
AnyConnect failing to match dap record after upgrade to 9.3.2
Description:

Symptom:
AnyConnect failing to match dap record after upgrade to 9.3.2 from 9.3.1

Conditions:
After upgrade to 9.3.2

Workaround:
Rename the affected DAP records.

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
05-MAY-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Bug Id:
CSCug52259
Title:
ROMMON: eUSB device not recognized by BIOS on boot
Description:

Symptom:
ASA or IPS goes into a 'boot loop' after resetting the device, where the ASA/IPS is unable to find a boot image with errors similar to the following:

Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

No images in /
Error 15: File not found

Conditions:
This issue has been seen on 5585, SSP-10, and 4510/4520 devices.

The problem is independent of IPS version, so any IPS version can be affected. The issue can only be corrected with a BIOS update or RMA, which TAC can provide.

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
06-MAY-2015
Known Affected Releases:
0
Known Fixed Releases:
Bug Id:
CSCud17993
Title:
ASA-Traceback in Dispatch unit due to dcerpc inspection
Description:

Symptom:
ASA Traceback in Dispatch unit due to DCERPC inspection.

Conditions:
Upgrading the firewall from 8.4.3.9 to 8.4.4.5.

Workaround:
Downgrade to version 8.4.3.9.

Status:
Fixed
Severity:
2 Severe
Last Modified:
06-MAY-2015
Known Affected Releases:
8.4(4.5), 8.4(4.9), 8.4(5)
Known Fixed Releases:
100.7(13.109), 100.7(6.105), 100.8(27.30), 100.8(38.4), 100.8(50.12), 100.9(0.20), 100.9(4.1), 100.9(9.1), 8.4(5.5), 8.4(5.99)
Bug Id:
CSCuu13967
Title:
ASA traceback while replicating configuration from active Device.
Description:

Symptom:
ASA Standby device continuously causes a Traceback in fover_parse during the initial replication of configuration.

Conditions:
ASA device running in fail-over pair

Workaround:
None

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
06-MAY-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases:
Bug Id:
CSCus57142
Title:
ASA traceback in threadname Checkheaps when it hits dhcpv6 packet
Description:

Symptom:
ASA traceback in threadname Checkheaps when it hits dhcpv6 packet

Conditions:
ASA loaded with 9.1.3 and running Codenomicon tests.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
06-MAY-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:
100.11(0.57), 100.12(0.119), 100.8(40.96), 9.2(3.101)
Bug Id:
CSCuf68858
Title:
ASA: Page fault traceback in dbgtrace when running debug in SSH session
Description:

Symptom:

When running debugs from 2 different SSH sessions, the ASA may generate a traceback and reload in the dbgtrace thread when one of the SSH sessions closes.

Conditions:

This issue occurs when 2 SSH sessions have enabled debugs and one session disconnects while the debug is still running.

Workaround:

Disable debugs with the 'undebug all' command before closing the SSH session.

Status:
Fixed
Severity:
2 Severe
Last Modified:
06-MAY-2015
Known Affected Releases:
8.4(5), 8.4(5.7)
Known Fixed Releases:
100.10(0.6), 100.7(6.117), 100.8(27.83), 100.8(40.3), 100.8(41.1), 100.8(60.7), 100.9(0.41), 100.9(6.17), 100.9(7.20), 8.4(6.1)
Bug Id:
CSCus27687
Title:
ASA crashed in "Thread Name: DATAPATH-15-2550"
Description:

Symptom:
ASA traceback in Thread Name: DATAPATH due to double block free

Conditions:

Workaround:

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
06-MAY-2015
Known Affected Releases:
9.1(5.19)
Known Fixed Releases:
Bug Id:
CSCut28210
Title:
AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue
Description:

Symptom:
Unable to authenticate with the SDI authentication server (RSA Authentication Manager).
Example: "no response from authentication server" when using [Test] in the AAA Server Group on ASDM.

Conditions:
-Using RSA Authentication Manager 8.1 or 6.1 as AAA server with ASA 9.3(2)
-The issue does NOT appear on ASA 9.2(2)8 or ASA 9.3(1)

Workaround:
-Use ASA 9.2(2)8.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
07-MAY-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.12(0.117), 100.13(0.54), 100.13(21.10), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.10), 100.14(26.4), 100.14(3.4)
Bug Id:
CSCsq92083
Title:
Traceback in Checkheaps
Description:

Symptom:
The active ASA crashes, fails over, and generates a traceback in thread Checkheaps.

Conditions:

Normal use

Workaround:

No known workaround.

Status:
Terminated
Severity:
2 Severe
Last Modified:
07-MAY-2015
Known Affected Releases:
7.2(4)
Known Fixed Releases:
Bug Id:
CSCuu04170
Title:
ASA Botnet database download failing when IPv6 is used on ASA
Description:

Symptom:
ASA Botnet Traffic Filter fails to download the database.

Conditions:
IPv6 configured on any ASA interface.

Workaround:
Disable IPv6.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
07-MAY-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
Bug Id:
CSCuu16907
Title:
ASA: Watchdog traceback in DATAPATH
Description:

Symptom:
ASA Watchdog traceback after an upgrade in failover environment.

Conditions:
ASA in a failover pair environment, upgraded to 9.1(5)21.

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
07-MAY-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases:
Bug Id:
CSCuu16772
Title:
IPv6 ICMP PTB messages not changing TCP SEQ across ASA FW
Description:

Symptom:
Customer sees the ICMP PTB message go over the FW, but the SEQ number does not get updated.

Conditions:
ICMP PTB messages are sent across the ASA, but the TCP SEQ number carried in them is not rewritten to match the randomized sequence number when the ASA has SNR enabled. SNR cannot simply be disabled, as that would be a security issue.
TCP sessions over the FW have the TCP sequence number randomized by default (SNR). This is to prevent external malicious intent by calculating the next SEQ number and sending packets over the FW. As such, the inside and outside TCP sequence numbers are altered by the ASA and re-written as packets flow in/out.

Workaround:
Disable sequence number randomization (SNR).

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
07-MAY-2015
Known Affected Releases:
8.4(7.240)
Known Fixed Releases:
Bug Id:
CSCue88423
Title:
ASA traceback in datapath thread with netflow enabled
Description:

Symptom:
ASA may reload with a traceback in a datapath thread (such as DATAPATH-1-1241) with abort type Assert failure. A line like the one below will be seen in the crashinfo output:

Panic: DATAPATH-1-1241 - Message #93 : spin_lock_fair_mode_enqueue: Lock
(snp_nf_block_t) is held for a long time, owner: DATAPATH-2-1242, requestor:
DATAPATH-1-1241

Conditions:
Netflow is configured and enabled on the ASA.

Workaround:
1. Disable Netflow, or
2. Disable flow-teardown filtering.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
07-MAY-2015
Known Affected Releases:
8.2(5.33), 8.4(4.11), 9.1(1), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.19), 100.8(40.8), 100.8(41.2), 100.8(60.20), 100.9(0.50), 100.9(10.1), 100.9(6.28)
Bug Id:
CSCus75343
Title:
ASA Traceback in Thread Name PIX Garbage Collector
Description:

Symptom:
ASA 5585 Traceback in Thread Name PIX Garbage Collector

Conditions:
unknown

Workaround:
none

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
07-MAY-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Bug Id:
CSCuo95074
Title:
ASA AnyConnect failure or crash in SSL Client compression with low mem
Description:

Symptom:
AnyConnect clients are able to connect, but get immediately disconnected. The following are seen in syslogs:

%ASA-6-725007 SSL session with remote_device interface_name : IP_address / port terminated.
%ASA-6-722023: Group group User user-name IP IP_address SVC connection terminated with compression
%ASA-6-716058: Group group User user IP ip AnyConnect session lost connection. Waiting to resume.
%ASA-5-722037: Group group User user-name IP IP_address SVC closing connection: Compression error.
%ASA-6-722027: Group group User user-name IP IP_address SVC decompression history reset
%ASA-6-716059: Group group User user IP ip AnyConnect session resumed. Connection from ip2 .
%ASA-3-722021: Group group User user-name IP IP_address Unable to start compression due to lack of memory resources

ASA can also crash with traceback pointing to "ssl_compress_record" when low memory is observed.

Conditions:
Compression is configured for AnyConnect.

Workaround:
Disable compression for AnyConnect.
Downgrade to 8.4.6.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
07-MAY-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
100.10(17.2), 100.10(2.26), 100.10(7.13), 100.11(0.17), 100.11(5.21), 100.11(6.1), 100.12(11.9), 100.12(12.1), 100.12(15.2), 100.12(8.5)
Bug Id:
CSCup28968
Title:
When ACL optimization is enabled, wrong rules get deleted
Description:

Symptom:
++ Access-rules getting deleted on adding or deleting a member in associated object-group

Conditions:
++ ACL optimization is enabled.
++ Object-group is associated with the ACL.
++ We see an error message as below when adding a member in object-group

Adding obj to object-group (OBJECT_GROUP_NAME) failed; cause access-list error

Workaround:
++ If new addresses are to be added, create separate new objects and use them to create a new access-list entry.
or
++ Remove the "object-group-search access-control" command when the above 'adding obj' error is not seen.

Further Problem Description:
When ACL optimization is enabled and we add or delete a member of an object-group used in the source or destination field of an optimized ACL, all the associated access-rules are getting deleted instead of just adding/deleting the member in the object-group.

Status:
Fixed
Severity:
2 Severe
Last Modified:
07-MAY-2015
Known Affected Releases:
9.0, 9.1, 9.2
Known Fixed Releases:
100.11(0.25), 100.11(6.3), 100.12(0.13), 100.12(1.2), 100.12(11.22), 100.12(12.1), 100.12(13.7), 100.12(15.2), 100.12(16.4), 100.12(17.8)
Bug Id:
CSCtj09979
Title:
IKEv2 traceback with 1 L2L and 1 RA tunnel
Description:

Symptom:
Active ASA may crash in Thread Name: DATAPATH-2-1403

Conditions:
This was first identified on an ASA5585 failover pair running 8.2.4 code.

Workaround:
None at this time.

Further Problem Description:
The next 8.2.5(x) interim will contain the fix for this defect.

Status:
Fixed
Severity:
2 Severe
Last Modified:
07-MAY-2015
Known Affected Releases:
8.4(0.119), 8.4(0.15)
Known Fixed Releases:
100.7(0.67), 100.7(0.71), 100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(6.12), 100.7(6.15), 100.7(6.21), 100.7(8.1), 100.7(8.12)
Bug Id:
CSCul84216
Title:
ASA - Remote access VPN sessions are not replicated to Standby unit
Description:

Symptom:
Remote access VPN sessions are not replicated to Standby unit in failover pair when IP address assignment is configured via a group-policy.

ASA-5-720012 (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit.

Conditions:
ASA running in Active/Standby Failover pair.

Workaround:
Configure your address-pools in the tunnel-groups rather than group-policies to avoid this issue.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
08-MAY-2015
Known Affected Releases:
8.6(1.2), 8.6(1.6), 9.0(1), 9.0(2.9), 9.0(3), 9.0(4), 9.1(1), 9.1(1.4), 9.1(2.3), 9.1(4)
Known Fixed Releases:
100.10(0.57), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.127), 100.8(38.87), 100.8(40.55), 100.8(46.64), 100.9(10.22), 8.4(7.8)
Bug Id:
CSCuh75443
Title:
Assertion in "ctm_daemon.c", line 764
Description:

Symptom:
Assertion in "ctm_daemon.c", line 764

Conditions:
High DTLS session establishment rates

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
08-MAY-2015
Known Affected Releases:
100.8(40.10), 100.8(46.3), 9.0(3.5), 9.1(2.4)
Known Fixed Releases:
100.10(0.26), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.47), 100.8(40.31), 100.8(45.5), 100.8(46.11), 100.8(51.1), 100.9(10.12)
Bug Id:
CSCsy93944
Title:
Traceback on ACL modify: assertion "status" at "stride_terminal_node.c"
Description:

Symptom:
In a rare corner case, the ASA might traceback if ACL rules are pushed down from a management application, or if ACL rules are changed manually.

Conditions:
The access-list configuration must be changed on the firewall.

Workaround:
None known.

Status:
Fixed
Severity:
2 Severe
Last Modified:
08-MAY-2015
Known Affected Releases:
7.2(4), 8.2(1), 8.4(0.102)
Known Fixed Releases:
100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.26), 100.7(8.18), 100.7(9.9), 8.2(4.3), 8.2(5), 8.3(2.14), 8.4(1.201)
Bug Id:
CSCun45787
Title:
Duplicated CHILD SAs in 1 IKEv2 SA, traffic dropped vpn-overlap-conflict
Description:

Symptom:
When the conditions below match, the ASA may end up creating multiple SPI sets for a single proxy-ID set, i.e. multiple IPsec SAs (Child SAs) are created for the same local and remote subnets/identities.

Note that this only occurs for the second or subsequent Child SA negotiations, not for the first Child SA created during IKE_AUTH.

When this occurs, ASA drops the traffic over this SA with "vpn-overlap-conflict" asp drop reason [show asp drop].

Conditions:
ASA acting as IKEv2 L2L endpoint with more than one IPsec SA negotiated.
IKEv2 SA goes down, and re-negotiates due to an external comm-failure.

Workaround:
Clear the SA and make sure that the race condition does not occur

Further Problem Description:
Note that this applies only when there are no duplicate crypto ACL entries (aka proxy identities); if duplicates exist, this scenario does not apply and is not supported.

Status:
Fixed
Severity:
2 Severe
Last Modified:
08-MAY-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
100.11(0.54), 100.12(0.98), 100.12(23.4), 100.12(24.3), 100.12(30.2), 100.13(0.11), 100.13(1.3), 100.13(11.19), 100.13(12.40), 100.13(16.18)
Bug Id:
CSCtu30581
Title:
ASA 5580 traceback when CSM attempts deployment
Description:

Symptom:
ASA 5580 crashes when CSM attempts deployment.

SSLVPN/CSD is not enabled on the ASA firewall; however, when CSM (Cisco Security Manager) attempts a configuration deployment to the ASA (which contains configuration for the Default Group-Policy), the ASA5580 crashes!

CSM version is 4.1 and ASA is 5580 on 8.4.2(11).
Attached is the traceback information I could collect from the console of the firewall during the crash.

Conditions:
Seen only when there is a functional interaction between CSM and the ASA 5580 firewall.

Workaround:
None.

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
08-MAY-2015
Known Affected Releases:
8.4(2.11)
Known Fixed Releases:
100.7(13.46), 100.7(14.40), 100.7(17.10), 100.7(18.4), 100.7(6.53), 100.8(0.43), 100.8(11.4), 100.8(14.2), 100.8(15.17), 100.8(19.40)
Bug Id:
CSCut64160
Title:
ver 9.0(4)26/Inside interface failed (Autostate Down) when failover
Description:

Symptom:
When failover was triggered with the "failover active" command on ASASMs running 9.0(4)26 and the customer checked the interface status, the inside interface stayed UP,
but the inside interface of the previously active ASASM was down for 25 seconds due to Failed (Autostate Down).
It seems that the autostate function is not working correctly on ASASM version 9.0(4)26.

Conditions:
ASASMs running 9.0(4)26.

Workaround:
When the customer ran the same test with the same configuration on versions 9.0(3)8 and 9.0(2)241,
the same issue was not observed.

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
08-MAY-2015
Known Affected Releases:
9.0(4.26)
Known Fixed Releases:
Bug Id:
CSCty16864
Title:
ASA doesn't start quick mode negotiation - stuck tunnel manager entries
Description:

Symptom:
This bug is specific to IKEv1.

1) ASA 5505 as hardware VPN client in NEM fails to negotiate the NEM
tunnel when the mac-address bypass option is used.
This also results in the reverse route not being created on the headend.

2) This bug has been duplicated by CSCtq92619 which is a more generic issue
with IPsec tunnels failing to come up under IKEv1 when multiple IPsec tunnels
are configured for a single peer. This bug resolves both issues based on the
root cause.

Use "debug menu ike-common 1" to find stale entries (large Entry ages).

Conditions:
Has been observed with 8.4(3)
Also, see CSCtq92619 for additional notes.
Initially found in scenario where:
5505 HW vpnclient in NEM + mac-bypass fails negotiating the NEM tunnel.

Workaround:
Use 8.2 code base if possible, or disable the vpnclient mac-address bypass.
Also, see CSCtq92619 for additional notes.

Status:
Fixed
Severity:
2 Severe
Last Modified:
08-MAY-2015
Known Affected Releases:
8.3(2), 8.4(1.10), 8.4(2), 8.4(3), 8.6(1)
Known Fixed Releases:
100.7(13.66), 100.7(20.4), 100.7(21.3), 100.7(6.71), 100.8(0.105), 100.8(11.16), 100.8(27.2), 100.8(33.2), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCue40520
Title:
ASA displays: %Error opening disk0:/ (File table overflow)
Description:

Symptom:
Either dir or show flash displays:
ASA-L1# dir
Directory of disk0:/
%Error opening disk0:/ (File table overflow)
260034560 bytes total (155422720 bytes free)


ASA-L1# sho flash:
--#-- --length-- -----date/time------ path
%Error opening disk0:/ (File table overflow)
260034560 bytes total (155422720 bytes free)


Also can't format device:

ASA-L1# fsck disk0:
umount: can't umount /mnt/disk0: Device or resource busy
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
/dev/hda1: 88 files, 25540/63485 clusters
mount: mounting /dev/hda1 on /mnt/disk0 failed: Device or resource busy
fsck of disk0: complete
WARNING: Restoring security context mode failed.


ASA-L1# format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:". Continue? [confirm]
Initializing partition - done!
mkdosfs: /dev/hda1 contains a mounted file system.
mkdosfs 2.11 (12 Mar 2005)
System tables written to disk
mount: mounting /dev/hda1 on /mnt/disk0 failed: Device or resource busy
Format of disk0 complete
WARNING: Restoring security context mode failed.


Conditions:
The customer noticed this after a CSM deployment while the ASA had a packet capture running;
the ASA cannot read the flash disk anymore after that.
We couldn't reproduce it and we are not sure whether that was the real cause of the issue.
It happened a second time: previously we did an RMA and it reoccurred with the new box; after a reload all is back to normal.

Workaround:
Reload

Status:
Other
Severity:
2 Severe
Last Modified:
08-MAY-2015
Known Affected Releases:
8.4(2.8)
Known Fixed Releases:
Bug Id:
CSCuu27193
Title:
ASA Traceback in Thread Name: Dispatch Unit
Description:

Symptom:
ASA 5505 traceback in 'Thread Name: Dispatch Unit'.

Conditions:
ASA 5505 running version 9.1.6

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
09-MAY-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases:
Bug Id:
CSCur06331
Title:
ASA Traceback with spin_lock in DATAPATH
Description:

Symptom:
Hardware : ASA5585-SSP-60
Software : 9.1(4)5
Problem Description : ASA Traceback with spin_lock in DATAPATH

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
09-MAY-2015
Known Affected Releases:
9.1(4.5)
Known Fixed Releases:
Bug Id:
CSCut76894
Title:
ASA traceback in Thread Name: Unicorn Proxy Thread
Description:

Symptom:
Active ASA in failover crashed in Unicorn Proxy Thread.

The thread name is visible in "show crashinfo":

: Saved_Crash

Thread Name: Unicorn Proxy Thread
Abort: Unknown
...

Conditions:
Crash is related to WebVPN.

Workaround:
none

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
09-MAY-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases:
Bug Id:
CSCur94243
Title:
Active ASA Traceback in DATAPATH, Page fault: Address not mapped
Description:

Symptom:
Active ASA may traceback in failover.

After the switchover, the new Active ASA may traceback as well.

Conditions:
Traceback first observed on ASA 9.1.3 in failover.

Workaround:
none

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
09-MAY-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:
Bug Id:
CSCul98420
Title:
'Route-Lookup' Behavior Assumed for Twice NAT with Identity Destination
Description:

Symptom:
Adaptive Security Appliance (ASA) or ASA Services Module implicitly performs a destination route lookup for Twice NAT entries with an identity destination translation even when the route-lookup keyword is not used.

Conditions:
Using an identity destination translation with Twice NAT such as this:

nat (inside,outside2) source dynamic 192_168_1_20 interface destination static ANY ANY service HTTP HTTP

and running a software image with the fix for CSCuf71119.

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
11-MAY-2015
Known Affected Releases:
8.4(6.4)
Known Fixed Releases:
100.10(9.5), 100.11(4.1), 100.7(6.129), 100.8(38.114), 100.8(40.60), 100.8(56.20), 100.8(62.2), 100.8(64.1), 100.8(65.3), 100.8(66.3)
Bug Id:
CSCug51375
Title:
ASA SSL: Continues to accept SSLv3 during TLSv1 only mode
Description:

Symptom:
ASA negotiates connections over SSLv3 in spite of being configured to negotiate TLSv1 only.
ASA(config)# sh run ssl
ssl server-version tlsv1-only

Conditions:
Cisco ASA running release 8.2 and later.

If the 'ssl server-version' or 'ssl client-version' value is modified after boot, the changes may not be applied properly. This could lead to the default of SSLv3 being enabled.

Workaround:
There is no workaround.

More Info:
Upgrade to one of the Known Fixed Releases:
* 8.2.5.55 or later
* 8.4.7.26 or later
* 8.5.1.23 or later
* 8.6.1.16 or later
* 8.7.1.15 or later
* 9.0.4.26 or later
* 9.1.5.21 or later
* 9.2.3 or later
* 9.3.1.1 or later

Status:
Fixed
Severity:
2 Severe
Last Modified:
11-MAY-2015
Known Affected Releases:
9.1(1.105)
Known Fixed Releases:
100.10(0.6), 100.11(0.52), 100.12(0.79), 100.12(23.2), 100.12(30.8), 100.12(6.23), 100.13(0.11), 100.13(1.2), 100.13(11.18), 100.13(12.41)
Bug Id:
CSCuc75090
Title:
Crypto IPSec SA's are created by dynamic crypto map for static peers
Description:

Symptom:
When a static VPN peer adds any traffic to the crypto ACL, an SA is built even though the IP pair is not allowed in the crypto ACL on the main side. Those SAs are eventually matched and set up by the dynamic crypto map instance.

Conditions:
This was the intended design since day one: it enabled customers to fall through to the dynamic crypto map in case the static crypto map did not provide the needed crypto services.
The SA needs to be initiated from a statically configured peer, and a dynamic crypto map instance must be configured on the receiving end.

Workaround:
N/A

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:W/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
11-MAY-2015
Known Affected Releases:
8.2(5), 8.4(4.9)
Known Fixed Releases:
100.7(13.110), 100.7(6.106), 100.8(27.30), 100.8(38.4), 100.8(50.15), 100.9(0.20), 100.9(4.1), 100.9(7.1), 100.9(9.1), 8.2(5.39)
Bug Id:
CSCuo93225
Title:
Traceback during AnyConnect IPv6 TLS TPS Test
Description:

Symptom:
ASA may crash in emweb/https due to the np_conn_shrlock_t lock being held for a long time.

Conditions:
The issue is a very rare corner case that is unlikely to be encountered. Heavy SSL VPN usage may exacerbate the issue.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
11-MAY-2015
Known Affected Releases:
100.10(7.8), 9.1(5)
Known Fixed Releases:
100.10(17.2), 100.10(2.26), 100.10(7.13), 100.11(0.17), 100.11(5.21), 100.11(6.1), 100.12(11.9), 100.12(12.1), 100.12(15.2), 100.12(8.5)
Bug Id:
CSCur07061
Title:
Traceback on standby ASA during hitless upgrade
Description:

Regression caused by a fix in CSCuq37448

Symptom:
ASA system traceback was observed in the data path.

Conditions:
Cisco ASA running release 9.1.5.16.

Workaround:
NA

More Info:
This issue was seen in one case when doing system test with ASAv during hitless upgrade. In another case the trace indicated it might be related to using the capture feature on an ASA-SM. However, the issue is not related to failover or packet capture.
In the bug fix for CSCuq37448, code was added for detecting and handling IPsec HA packets. That fix failed to handle certain corner cases and could subsequently cause a traceback. The fix removes the special handling.

Status:
Fixed
Severity:
2 Severe
Last Modified:
11-MAY-2015
Known Affected Releases:
100.12(0.56), 100.13(11.7)
Known Fixed Releases:
100.11(0.50), 100.11(0.57), 100.12(0.118), 100.12(0.70), 100.12(6.20), 100.13(0.58), 100.13(0.6), 100.13(11.10), 100.13(12.16), 100.13(15.7)
Bug Id:
CSCus49034
Title:
Tunnel default gateway no longer works in 9.3.2
Description:

Symptom:
Connectivity via tunnel default gateway no longer works.

Conditions:
ASA running 9.3.2.

Workaround:
A static route from the IP addresses assigned to clients to the tunnel default gateway device must be added.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
11-MAY-2015
Known Affected Releases:
100.14(1.1), 9.3(2)
Known Fixed Releases:
100.12(0.112), 100.13(0.26), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.3), 100.14(11.3), 100.14(2.3)
Bug Id:
CSCur94645
Title:
ASA - Additional empty fields in RADIUS Access-Request packet
Description:

Symptom:
When the ASA is configured to authenticate ASDM users against an external database using RADIUS, the Access-Request packet contains two additional fields that are empty.

When an ACS server is used, the request is dropped with the reason below:
RADIUS Request dropped : 11014 RADIUS packet contains invalid attribute(s)

Conditions:
ASA 9.1.5.12 - 9.1.5.19 Interim

RADIUS protocol used to send authentication requests to external database

Workaround:
Change the protocol from RADIUS to TACACS+

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
11-MAY-2015
Known Affected Releases:
9.1(5.12), 9.1(5.16), 9.1(5.19)
Known Fixed Releases:
100.11(0.55), 100.12(0.109), 100.13(0.14), 100.13(1.28), 100.13(16.28), 100.13(19.8), 100.13(20.4), 100.13(21.5), 100.13(23.2), 100.13(24.1)
Bug Id:
CSCup43296
Title:
Traceback in Thread Name: Unicorn Admin Handler whilst editing ACL
Description:

Symptom:
ASA crashes and reboots.

Conditions:
When you press the "Apply" button in ASDM after editing an ACL. ASDM is used to configure the ASA.

Workaround:
none at the moment

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
12-MAY-2015
Known Affected Releases:
9.1(2.3)
Known Fixed Releases:
Bug Id:
CSCtf01287
Title:
SSH to the ASA may fail - ASA may send Reset
Description:

Symptom:
SSH to the ASA may fail even after recreating the RSA key pair and removing and re-adding the ssh lines.

Conditions:
This was first observed on a single-context ASA5580 running 8.1.1 as well as on another multiple-context ASA5580 running 8.2.1(4).

Workaround:
None

Further Problem Description:
"debug ssh 255" may not show any output at all.
Captures may show the ASA sending a FIN ACK packet right after the 3-way handshake, or it may send a Reset right after the 3-way handshake.

Status:
Fixed
Severity:
2 Severe
Last Modified:
12-MAY-2015
Known Affected Releases:
8.1(1), 8.2(1.4), 8.2(2)
Known Fixed Releases:
100.5(5.43), 8.0(5.21), 8.1(2.49), 8.2(3.109), 8.2(3.6), 8.2(4), 8.3(2.7)
Bug Id:
CSCtt11835
Title:
Traceback in Thread Name: tacplus_snd
Description:

Symptom:
ASA Reloads with Traceback in Thread Name: tacplus_snd

Conditions:
ASA configured to use TACACS+

Workaround:
Do not remove the TACACS+ server from the configuration while associated TACACS+ sessions are active.

Status:
Fixed
Severity:
2 Severe
Last Modified:
12-MAY-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.43), 100.7(14.36), 100.7(17.5), 100.7(18.4), 100.7(6.51), 100.7(8.34), 100.8(0.39), 100.8(11.4), 100.8(15.17), 100.8(19.34)
Bug Id:
CSCut81582
Title:
ha: 5585-60 9.1.6 Tback in DATAPATH, rip snp_ha_trans_alloc_muxbuf_desc
Description:

Symptom:
ASA standby traceback in DATAPATH, rip snp_ha_trans_alloc_muxbuf_desc

Conditions:
ASA running 9.1.6

Workaround:
none

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
12-MAY-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases:
Bug Id:
CSCus24884
Title:
ASA: Traceback in kernel API pthread_mutex_unlock
Description:

Symptom:
ASA device crashes in Thread Name: CP Threat-Detection Processing

Conditions:
ASA device configured with Threat Detection

Workaround:
NONE

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
13-MAY-2015
Known Affected Releases:
8.2(5.51)
Known Fixed Releases:
Bug Id:
CSCtq35045
Title:
HA: Monitored interfaces fail to move out of waiting state
Description:

Symptom:
Standby ASA in failover may show interface status as waiting. You will not be able to ping the active interface IP from the standby firewall.

Conditions:
This is seen in multiple-context mode with the same interface shared across multiple contexts. The shared interface will be in a waiting state after a failover event and will never recover.

You may see spoof syslogs related to the failover IP addresses on this interface. The bug causes the standby ASA to think that it owns the active MAC addresses, so it treats packets it generates destined to the active MAC as spoofed packets.

Workaround:
Upgrade to fixed code.

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-MAY-2015
Known Affected Releases:
100.7(13.11), 8.2(4), 8.2(5), 8.3(1.100), 8.4(1.101), 8.4(1.104)
Known Fixed Releases:
100.7(13.13), 100.7(14.1), 100.7(18.1), 100.7(6.42), 100.7(8.34), 100.7(9.38), 100.8(0.14), 100.8(0.31), 100.8(0.8), 100.8(10.9)
Bug Id:
CSCuc55719
Title:
Destination NAT with non single service (range, gt, lt) not working
Description:

Symptom:
Twice NAT with service objects that specify the destination ports as a range is not working as expected.

Conditions:
Twice NAT with destination ports in service objects configured as a range of ports.

Workaround:
No workaround.

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-MAY-2015
Known Affected Releases:
9.0(0.131), 9.1(0.1), 9.1(1)
Known Fixed Releases:
100.8(27.30), 100.8(38.4), 100.8(50.12), 100.9(0.20), 100.9(4.1), 100.9(9.1), 9.0(2.1), 9.0(2.100), 9.0(3), 9.1(1.3)
Bug Id:
CSCta23184
Title:
Traceback in Datapath-1-480
Description:

Symptom:
ASA may crash in thread Datapath 1-480.
A message will also be seen at the bottom of the "show crash" output with the following assertion:

assertion "intrin->bucket == NULL && ((intrin == intrin->next && intrin == intrin->prev) || (!intrin->next && !intrin->prev))" failed: file "../datastruct/calendar_queue.h", line 375

Conditions:
ASA with traffic inspection enabled.

Workaround:
No known workaround.

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-MAY-2015
Known Affected Releases:
8.1(2)
Known Fixed Releases:
100.3(0.3), 100.4(0.10), 8.1(2.180), 8.1(2.32), 8.2(1.10), 8.2(2.99), 8.2(4), 8.3(0.0)
Bug Id:
CSCts50584
Title:
ASA may reload with traceback in Thread Name scmd reader thread
Description:

Symptom:
ASA may reload with traceback in thread name scmd reader thread.

Conditions:
ASA running 8.4.2, 8.6.1.2

Workaround:
None at this time

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-MAY-2015
Known Affected Releases:
8.4(2), 8.6(1.2)
Known Fixed Releases:
100.7(13.65), 100.7(20.4), 100.7(21.2), 100.7(6.69), 100.8(0.95), 100.8(11.14), 100.8(27.2), 100.9(0.1), 100.9(2.1), 8.4(3.11)
Bug Id:
CSCuc58260
Title:
ICMP to management-access interface through VPN fails
Description:

Symptom:
Unable to ping from one ASA to another to establish a VPN session. Unable to ping the management-access interface through the VPN tunnel.

Conditions:
ASA set up with a site-to-site tunnel. Affects versions 8.2 and 8.4 of ASA code.

Workaround:
None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-MAY-2015
Known Affected Releases:
100.8(0.240), 8.2(5.34), 8.2(5.35), 8.4(4.100)
Known Fixed Releases:
100.7(13.104), 100.7(6.104), 100.8(0.242), 100.8(11.42), 100.8(27.20), 100.8(33.27), 100.8(34.1), 100.8(38.1), 100.8(39.1), 100.9(0.6)
Bug Id:
CSCuh19234
Title:
Traceback after upgrade from pre-8.3 to 8.4(6), 9.1(2) or 9.0(3)
Description:

Symptom:
Crash happens during upgrade migration from pre-8.3 to 8.4(6), 9.1(2) or 9.0(3), causing a boot loop.

Conditions:
ASA with version pre-8.3

Workaround:
Manual migration of the config

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
13-MAY-2015
Known Affected Releases:
8.4(6), 9.0(3), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.19), 100.8(40.8), 100.8(41.2), 100.8(60.21), 100.9(0.51), 100.9(10.1), 100.9(6.28)
Bug Id:
CSCtq86859
Title:
Traceback in Thread Name: IP SLA Mon Event Processor
Description:

Symptom:
ASA reload. Traceback in Thread Name: IP SLA Mon Event Processor

Conditions:
IP SLA configured on ASA. Commonly used on ASA for the route-tracking feature.

Workaround:
Disable IP SLA feature on ASA.

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-MAY-2015
Known Affected Releases:
8.3(2.4)
Known Fixed Releases:
100.7(13.31), 100.7(14.20), 100.7(18.2), 100.7(6.44), 100.7(8.34), 100.8(0.24), 100.8(10.34), 100.8(12.31), 100.8(15.5), 100.8(19.11)
Bug Id:
CSCua44723
Title:
ASA nat-pat: 8.4.4 assert traceback related to xlate timeout
Description:

Symptom:
Active ASA 8.4.4 crashed in failover under high load (300-500 thousand connections).

Conditions:
Issue seems to be related to xlate timeout expiration.

Workaround:
none

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-MAY-2015
Known Affected Releases:
8.4(3), 8.4(3.9), 8.4(4)
Known Fixed Releases:
100.7(13.108), 100.7(6.104), 100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.5), 100.9(0.12), 100.9(4.1), 8.4(5.4)
Bug Id:
CSCsk85428
Title:
Traceback in scheduler
Description:

Symptom:
Traceback in scheduler. This traceback could happen in any thread.

Conditions:
Cisco ASA/PIX running some versions of 7.0, 7.1, and 7.2. This is a very rare timing condition. It is not induced or affected by any configuration on the box or any external stimulus. It could happen in any release after the following releases:

007.000(006.037) 007.001(002.058) 007.002(002.027)

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-MAY-2015
Known Affected Releases:
7.0, 7.1, 7.2(3), 7.2(3.8)
Known Fixed Releases:
7.0(7.8), 7.1(2.67), 7.2(3.9), 7.2(4), 8.0(2.39), 8.2(0.75)
Bug Id:
CSCtu14396
Title:
ASA has stale ASP classification entries for Anyconnect tunnels
Description:

Symptom:
AnyConnect connects to the ASA and builds a DTLS tunnel fine. Both ASA and AnyConnect show connected. On the ASA, "show vpn-sessiondb" shows bytes RX incrementing on the DTLS tunnel, but no bytes TX. Also, the ASP drop capture shows the following message:

Drop-reason: (mp-svc-no-session) SVC Module does not have a session

Conditions:
AnyConnect stops working even though it is connected to the ASA.

Workaround:
Keep disconnecting and reconnecting to the ASA until AnyConnect starts to work, or reboot the ASA.

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-MAY-2015
Known Affected Releases:
8.3(2)
Known Fixed Releases:
100.7(13.44), 100.7(13.65), 100.7(14.38), 100.7(17.8), 100.7(18.4), 100.7(18.9), 100.7(19.8), 100.7(6.52), 100.7(6.62), 100.8(0.42)
Bug Id:
CSCub05855
Title:
ASA traceback due to block corruption triggered by IPsec traffic
Description:

Symptom:
Under rare circumstances, ASA may traceback and reload.

Conditions:
The ASA has to be configured for IPsec VPN and a large amount of traffic must be flowing over the tunnel.

Workaround:
none known

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
14-MAY-2015
Known Affected Releases:
100.8(0.202), 9.1(1)
Known Fixed Releases:
100.8(27.83), 100.8(40.1), 100.8(60.6), 100.9(0.38), 100.9(4.5), 100.9(6.16), 100.9(7.20), 9.0(2.100), 9.0(2.5), 9.0(3)
Bug Id:
CSCur54979
Title:
Linux Kernel KVM Subsystem Programmable Interval Timer Emulation Denia
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-3611

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-3611 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
14-MAY-2015
Known Affected Releases:
9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCur54978
Title:
Linux Kernel KVM Subsystem VM Exits Local Denial of Service Vulnerabil
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-3646

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.7:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-3646 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
14-MAY-2015
Known Affected Releases:
9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCut86775
Title:
VPN traceback due to memory corruption
Description:

Symptom:
ASA with WebVPN portal crashes

Conditions:
Not yet fully known

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
14-MAY-2015
Known Affected Releases:
9.3(2), 9.3(2.2)
Known Fixed Releases:
Bug Id:
CSCuu07542
Title:
ASA traceback in ipsec datapath
Description:

Symptom:
ASA crash in ipsec datapath

Conditions:

Workaround:

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
14-MAY-2015
Known Affected Releases:
9.0(3)
Known Fixed Releases:
Bug Id:
CSCur54856
Title:
XMLSoft libxml2 Entity Expansion Handling Denial of Service Vulnerabil
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-0191

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0191 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
14-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCui67352
Title:
ASA 9.1.1 traceback in CTM message handler thread
Description:

Symptom:
ASA crashed in 'CTM message handler thread'

Conditions:
Unknown

Workaround:
Unknown

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
14-MAY-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
Bug Id:
CSCuu23104
Title:
ASA: Traceback Unicorn Proxy Thread on version 9.4.1
Description:

Symptom:
ASA Traceback with thread name Unicorn Proxy.

Conditions:
ASA running version 9.4.1

Workaround:
None

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
15-MAY-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCtk10911
Title:
HA replication code stuck - "Unable to sync configuration from Active"
Description:

Symptom:

Standby ASA is stuck in "Sync Config" and is showing the following messages

Detected an Active mate
Unable to sync configuration from Active

The issue remains after the standby is reloaded or after reconfiguring failover on the standby.

Conditions:

ASA pair configured for failover. Has been seen in 8.1(2) software. This is a rare occurrence.

Workaround:

Reload the active ASA to restore the HA function

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-MAY-2015
Known Affected Releases:
8.1(2.13)
Known Fixed Releases:
100.5(5.55), 100.7(0.71), 100.7(11.2), 100.7(6.16), 100.7(8.3), 8.2(4.1), 8.2(5), 8.3(2.12), 8.4(1.1), 8.4(1.99)
Bug Id:
CSCuq20232
Title:
ASA 8.2.5 CPU hog in accept/http
Description:

Symptom:
ASDM access fails because there are hung sessions.

ASDM is not able to access the asdm_handler service on the device. It is likely that the user password has expired or the maximum number of sessions has been exceeded on the device.

Conditions:
NA

Workaround:
NA

Further Problem Description:
ASDM access fails because there are hung sessions.

ASDM is not able to access the asdm_handler service on the device. It is likely that the user password has expired or the maximum number of sessions has been exceeded on the device.

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
Bug Id:
CSCug39080
Title:
HA sync configuration stuck -"Unable to sync configuration from Active"
Description:

Symptom:
HA sync configuration stuck -"Unable to sync configuration from Active"

Conditions:
Reloading the standby or reconfiguring failover on the standby does not resolve the issue.

Workaround:
reload the active unit.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-MAY-2015
Known Affected Releases:
9.0(1)
Known Fixed Releases:
100.10(0.6), 100.8(27.84), 100.8(38.22), 100.8(40.11), 100.8(41.2), 100.8(60.27), 100.9(0.54), 100.9(10.1), 100.9(6.29), 100.9(7.37)
Bug Id:
CSCut68792
Title:
ASA - Increased CPU temperature after upgrade
Description:

Symptom:
In the 'show environment' output, the processor temperature rises after the upgrade.

Conditions:

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
15-MAY-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCus32005
Title:
ASA - Traceback in thread name SSH while applying BGP show commands
Description:

Symptom:
ASA traceback in thread name SSH while running BGP show commands.

Conditions:
ASA running 9.2.2.4

Workaround:
Not known

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-MAY-2015
Known Affected Releases:
9.2(2.4)
Known Fixed Releases:
100.11(0.57), 100.12(0.118), 100.13(0.56), 100.13(21.10), 100.14(0.5), 100.14(1.4), 100.14(10.8), 100.14(11.8), 100.14(2.12), 100.14(26.4)
Bug Id:
CSCue02226
Title:
ASA 9.1.1 - WCCPv2 return packets are dropped
Description:

Symptom:

When using WCCPv2, traffic returned from the IronPort to the ASA 9.1.1 in a GRE tunnel is dropped on the ASA:

1. A SYN packet sent from the user's PC reaches the ASA inside interface.

2. The SYN packet is redirected over GRE from the ASA to the IronPort.

3. When the packet is returned from the IronPort to the ASA in GRE, the ASA drops it with "Drop-reason: (no-route) No route to host".


Conditions:
ASA 9.1.1
IronPort used for http/https traffic inspection


Workaround:
Disable Bypass on IronPort or exclude specific traffic from ACL that redirects traffic to IronPort.
or
Enable management-access on ASA on the interface with highest IP address.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-MAY-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.8(27.63), 100.8(60.1), 100.9(0.36), 100.9(4.5), 100.9(6.11), 100.9(7.19), 9.0(2.100), 9.0(2.7), 9.0(3), 9.1(1.101)
Bug Id:
CSCtg41163
Title:
ASA:high memory usage seen on ASA version 8.0.x onwards
Description:


Symptom:

ASA 5510 with 256 MB RAM shows high memory usage in version 8.0.x onwards.

Conditions:

High memory usage is seen on ASA platforms with 256 MB RAM; this is only seen
after the ASA is upgraded to 8.0.x.

Workaround:

Roll back to 7.2 or upgrade to 8.2
Status:
Fixed
Severity:
2 Severe
Last Modified:
15-MAY-2015
Known Affected Releases:
8.0
Known Fixed Releases:
100.5(5.31), 100.7(0.36), 100.7(5.7), 100.7(6.3), 8.2(2.148), 8.2(3), 8.3(2.1), 8.4(0.99), 8.4(1), 8.4(1.99)
Bug Id:
CSCug88962
Title:
Hitless upgrade fails with error "Number of interfaces...not consistent"
Description:

Symptom:
A hitless upgrade of a failover pair of ASAs from a version prior to 8.4(6), 9.0(2) and 9.1(1)3 to a version at or after 8.4(6), 9.0(2) and 9.1(1)3 might fail. When the standby boots up with the new version, failover synchronization might fail and the following error might be printed to the console:

"Number of interfaces on Active and Standby are not consistent.If the problem persists, you should disable and re-enable failover on the Standby."

Conditions:
To encounter the problem, all of the following conditions must be met:

1) The ASAs must be in a failover setup
2) A hitless upgrade must be attempted. This involves loading the new code version onto the disk of the standby ASA, then rebooting it so that it boots up running the new version, and syncs with the active ASA.
3) The active ASA running the old code must be running a version of code prior to 8.4(6), 9.0(2), or 9.1(1)3
4) The standby ASA must be rebooted and running a version of code 8.4(6) or 8.4(6)1, 9.0(2) or 9.1(2) or later

Workaround:
Since the synchronization of the ASAs fails due to this bug, a hitless upgrade might not work. The workaround is to configure both ASAs to boot up with the new version of code, and reload both ASAs (first the standby ASA, then 30 seconds later the Active ASA). Both units will boot up ok, and then since both units are running the same version of code they will synchronize correctly.

Further Problem Description:
In the above situation, i.e. after the standby was reloaded and the error message "Number of interfaces on Active and Standby are not consistent.If the problem persists, you should disable and re-enable failover on the Standby." shows up on the device console, if a failover is performed to make the standby unit take the active role, there could be issues with MAC address switchover between the ASA devices, i.e. the new active unit may not use the previous active device's MAC address, or the new standby unit may not use the previous standby's MAC address.

This would result in traffic flows failing through the ASA failover pair.

Status:
Fixed
Severity:
2 Severe
Last Modified:
16-MAY-2015
Known Affected Releases:
8.4(6.1)
Known Fixed Releases:
100.7(6.118), 100.8(27.83), 100.8(38.18), 100.8(40.6), 100.8(41.2), 100.8(60.15), 100.9(0.46), 100.9(10.1), 100.9(6.28), 100.9(7.24)
Bug Id:
CSCtf14727
Title:
ASP table entry causes FW to stop encrypting traffic
Description:

Symptom: The ASA stops encrypting traffic to the remote peer.

Conditions: The ASP classify table contains entries with the same user data that match different VPN contexts, leading to an SPI mismatch.

Workaround: Reload the ASA

Status:
Other
Severity:
2 Severe
Last Modified:
16-MAY-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
Bug Id:
CSCuh44052
Title:
Cisco ASA SIP Denial of Service Vulnerability
Description:
Symptoms:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA ASDM Privilege Escalation Vulnerability
Cisco ASA SSL VPN Privilege Escalation Vulnerability
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Cisco ASA SIP Denial of Service Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may
allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.

Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the
internal network via SSL VPN.

Successful exploitation of the Cisco ASA SIP Denial of Service Vulnerability may cause the exhaustion of available memory. This may cause system
instability and in some cases lead to a reload of the affected system, creating a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for
some of the vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

Further Problem Description:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE IDs CVE-2014-2129 and CVE-2014-2128 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
16-MAY-2015
Known Affected Releases:
8.4(5), 8.4(6.4)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.22), 100.8(40.11), 100.8(41.2), 100.8(60.27), 100.9(0.53), 100.9(10.1), 100.9(6.29)
Bug Id:
CSCut48009
Title:
Traceback in thread CP Processing
Description:

Symptom:
ASA Crashes in CP Processing Thread

Conditions:
-- Skinny inspection enabled.
-- Skinny traffic contains StopMediaTransmission messages that are carried in the same packet as a StartMediaTransmission, StartMediaTransmissionACK, or a StartMediaAnnouncement.
-- Depending on how many of the above messages are seen, the issue can take some time to happen (the more messages seen, the faster the issue can happen).

Workaround:
Disable Skinny Inspection

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
17-MAY-2015
Known Affected Releases:
9.1(5.19)
Known Fixed Releases:
100.11(0.58), 100.12(0.122), 100.13(0.67), 100.13(21.13), 100.14(0.9), 100.14(10.13), 100.14(26.10), 100.14(5.14), 100.14(6.12), 100.14(7.14)
Bug Id:
CSCut10078
Title:
Standby ASA does not apply OSPF route after config replication
Description:

Symptom:
Standby unit was not following the OSPF routes that were replicated from the Active unit and installed in its routing table. For example, when trying to ping 10.202.7.135 from the Standby unit the ASA claimed it had no route to the host:

Conditions:
OSPF configured on active/standby ASA 5555 pair running 9.1.5.21

Workaround:
A 'write standby' from the Active unit to force a bulk sync fixes the problem, though the routing table doesn't seem to change. I was able to reproduce the problem several times

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
17-MAY-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases:
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12), 100.14(2.25)
Bug Id:
CSCun43072
Title:
ASA5585-SSP60 Traceback in Thread Name SSH on Capture Command
Description:

Symptom:
Under normal operation, the ASA can crash on Thread Name SSH with tracebacks on the capture command.

Conditions:
ASA5585-SSP-60
ASA Code 8.4.6
SSH
Capture

Workaround:
None Known

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
17-MAY-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
100.11(0.50), 100.12(0.70), 100.12(6.20), 100.13(0.6), 100.13(11.11), 100.13(12.16), 100.13(15.7), 100.13(16.2), 100.13(17.2), 100.13(18.1)
Bug Id:
CSCuq99821
Title:
ASA/ASASM drops SIP invite packets with From field containing "" and \
Description:

Symptom:
ASASM running version 9.1.4.6 with SIP inspection turned on silently drops SIP INVITEs that carry a value similar to the following in the From field:

"\"210*******\"" ;tag=SD7osu201-gK0d0f565b

Conditions:
ASA/ASASM running 9.1.4.6 with SIP inspection turned on.

Workaround:
disable SIP inspection.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
17-MAY-2015
Known Affected Releases:
9.1(4.6)
Known Fixed Releases:
100.11(0.58), 100.12(0.122), 100.13(0.67), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.41), 100.14(5.13)
Bug Id:
CSCut39985
Title:
Per-session PAT RST sent to incorrect direction after closing session
Description:

Symptom:
When per-session PAT is configured, the RST,ACK is sent to the side that did not initiate the close after the TCP session is closed. It should be sent to the close initiator side (the device that sent the FIN first).

xlate per-session permit tcp any4 any4
no xlate per-session deny tcp any4 any4

Conditions:
Per-session PAT is configured like below

xlate per-session permit tcp any4 any4
no xlate per-session deny tcp any4 any4

Workaround:
Disable Per-session PAT

xlate per-session deny tcp any4 any4

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
17-MAY-2015
Known Affected Releases:
9.1
Known Fixed Releases:
100.11(0.58), 100.12(0.121), 100.13(0.65), 100.13(21.13), 100.14(0.9), 100.14(10.11), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Bug Id:
CSCup47885
Title:
ASA: Page fault traceback in DATAPATH when DNS inspection is enabled
Description:

Symptom:
An ASA may generate a traceback and reload in the DATAPATH thread while processing DNS traffic when DNS inspection is enabled.

Conditions:
The ASA must be running 9.1.5.7 or higher.
This issue triggers when a DNS reverse lookup is performed with DNS inspection enabled.

When a customer does a reverse lookup on IP addresses and receives a PTR reply with a large number of records, they will hit this issue.
This issue is not seen without reverse lookups.

Workaround:
There is no known workaround at this time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
17-MAY-2015
Known Affected Releases:
9.1(5.7), 9.2(2)
Known Fixed Releases:
100.11(0.37), 100.11(5.46), 100.11(6.8), 100.12(0.19), 100.12(1.13), 100.12(10.4), 100.12(12.4), 100.12(13.11), 100.12(15.4), 100.12(16.9)
Bug Id:
CSCtq92619
Title:
ASA IPsec doesn't start Quick Mode for some SA with IKEv1 SA up
Description:

Symptom:
ASA may fail to initiate a Phase 2 SA when interesting traffic arrives at the ASA.

Conditions:
ASA 8.4.1.10 Static Lan-to-lan connection that has been up for about 3 weeks.
Phase 1 SA is still established
Phase 2 SA for another line in the same crypto map entry is up and works fine.

Workaround:
- Reload ASA
- Remove crypto map entry and re-enter it.
- Upgrade to a version that includes a fix for CSCty16864 which is caused by
the same underlying issue to resolve the problem.

Status:
Other
Severity:
2 Severe
Last Modified:
18-MAY-2015
Known Affected Releases:
8.4(1.10), 8.4(2)
Known Fixed Releases:
Bug Id:
CSCuu05124
Title:
ASA: traceback with the message "assertion "0" failed: file "block.c"
Description:

Symptom:
ASA reloads by itself generating crashinfo with thread Dispatch unit and 'assertion "0" failed: file "block.c"'.

Conditions:
ASA5550 running 9.1.5.21 in failover with WebVPN enabled.

Workaround:
None

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
18-MAY-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases:
Bug Id:
CSCuu20067
Title:
ASA:Traceback in Thread Name: Unicorn Proxy Thread
Description:

Symptom:
ASA Traceback with Thread Name: Unicorn Proxy Thread

Conditions:
ASA device configured with VPN load balancing

Workaround:
NONE

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
18-MAY-2015
Known Affected Releases:
9.1(5.12)
Known Fixed Releases:
Bug Id:
CSCtf47041
Title:
Active ASA unit tracebacks in Thread Name: ssh
Description:

Symptom:

Active ASA unit tracebacks in Thread Name: ssh

Conditions:

NA

Workaround:

NA

Status:
Fixed
Severity:
2 Severe
Last Modified:
18-MAY-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
100.4(0.50), 100.5(5.10), 100.7(2.4), 8.2(2.10), 8.2(2.99), 8.2(4), 8.3(1.100), 8.3(1.2), 8.4(1)
Bug Id:
CSCus92650
Title:
Webvpn portal stops working with no data received/connection reset error
Description:

Symptom:
After a variable period of normal operation, the WebVPN service presents a "no data received/connection reset" error, and no new clientless SSL VPN session can be opened.

Conditions:
Free memory reaching around 33%.

Workaround:
Reloading the ASA will restore the service.

Further Problem Description:
ASA 5540 running as a webvpn/anyconnect gateway with software version 8.4.7.23.
When the free memory reaches a value around 33%, users start seeing problems with the portal and anyconnect. If you try to access the portal using the browser you get the following error:

No data received.
Connection reset.

No SSL errors at the ASA.
No logged memory error.

I have noticed with wireshark, the second time we had the issue, that we open the tcp connection and we negotiate SSL. We send the first packet carrying application data and then we get a FIN packet for the conn from the ASA.

Status:
Open
Severity:
2 Severe
Last Modified:
18-MAY-2015
Known Affected Releases:
8.4(7.23)
Known Fixed Releases:
Bug Id:
CSCuj34124
Title:
Sustained high cpu usage in Unicorn proxy thread with jar file rewrite
Description:

Symptom:
While rewriting truncated jar files Unicorn Proxy Thread may get into an infinite loop causing sustained high cpu usage.

Conditions:
A user accesses a truncated jar file, or the jar content gets truncated in transit due to a connection failure, etc.

Workaround:
Reboot the box if required. On an SMP platform, there are no usability issues that would warrant an immediate reboot of the ASA.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
18-MAY-2015
Known Affected Releases:
8.4, 8.4(3), 9.0
Known Fixed Releases:
100.10(0.23), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.124), 100.8(38.47), 100.8(40.31), 100.8(45.5), 100.8(46.11), 100.8(51.1)
Bug Id:
CSCuu21069
Title:
RRI not installing the routes as per the feature functionality on ASA
Description:

Symptom:
When "set reverse-route" is configured and the outside interface is down or there is no default route, the reverse routes are not created.

Conditions:
If the outside interface is then brought up and the default route is added, the reverse routes are still not created until "set reverse-route" is removed and reapplied.

Workaround:
remove the "set reverse-route" and reapply the command

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
18-MAY-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases:
Bug Id:
CSCul61939
Title:
Webvpn: ASA fails to rewrite javascript tag correctly
Description:

Symptom:
The web application bookmark URL "eRostering Employee Online" fails to display its contents properly due to a JavaScript rewrite failure.

Conditions:
ASA running 8.4(2) and above.

The user logs in to the ASA webvpn portal and clicks on the eRostering Employee Online bookmark.
The user logs in to the application and then clicks on the Annual Leave tab. The content is not displayed.

-It works fine with AnyConnect
-The issue persists with both ActiveX and Java (IE9/Mozilla/Chrome)

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
18-MAY-2015
Known Affected Releases:
8.4(2.0)
Known Fixed Releases:
100.10(0.57), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.127), 100.8(38.94), 100.8(40.55), 100.9(10.22), 8.4(7.8), 9.0(4.2)
Bug Id:
CSCut49111
Title:
ASA crashes because of TD tcp-intercept feature
Description:

Symptom:
Multiple crashes have been observed on an ASA with threat-detection statistics tcp-intercept enabled.

Conditions:
When threat-detection statistics tcp-intercept is enabled

Workaround:
Disabling TD for tcp intercept statistics stops crash.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
18-MAY-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases:
100.11(0.58), 100.12(0.125), 100.13(0.73), 100.13(21.13), 100.14(0.12), 100.14(10.17), 100.14(5.15), 100.14(6.27), 100.14(7.26), 100.15(0.10)
Bug Id:
CSCuu28858
Title:
ASA sends PIM join to both upstream neighbors
Description:

Symptom:
ASA sends PIM join to multiple upstream neighbors when an equal cost route exists for upstream traffic

Conditions:
ASA configured with an equal cost route upstream

Workaround:
configure a static route
or
configure dynamic routing to force one route over the other.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
18-MAY-2015
Known Affected Releases:
9.0(4)
Known Fixed Releases:
Bug Id:
CSCur98502
Title:
ASA: 'no monitor-interface service-module' command gone after reload.
Description:

Symptom:
'no monitor-interface service-module' gone from configuration.

Conditions:
ASA 9.3(1) with failover configuration. 'no monitor-interface service-module' configured and ASA reloaded.

Workaround:
Avoid reloading ASA or put the command manually after reload.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
19-MAY-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases:
100.11(0.55), 100.12(0.110), 100.13(0.15), 100.13(1.34), 100.13(16.31), 100.13(19.9), 100.13(20.5), 100.13(21.5), 100.13(23.3), 100.13(24.3)
Bug Id:
CSCut01856
Title:
ASA dropping traffic with TCP syslog configured in multicontext mode
Description:

Symptom:
ASA dropping traffic in multiple-context mode with TCP syslog server unreachable.

Conditions:
-ASA in multiple context mode
-TCP syslog server configured on one of the contexts.
-"no logging permit host-down" configured on a context.

Workaround:
Removing and re-adding the context that has the issue makes the issue go away.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
19-MAY-2015
Known Affected Releases:
9.2(2.8)
Known Fixed Releases:
100.11(0.58), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Bug Id:
CSCtn56501
Title:
ASA may generate crypto archive with IPSec Ring timeout crash type
Description:

Symptom:
Crashes seen on ASA crypto engine:

Syslog messages 402125-402127 indicating crypto chip crash and soft-reset, on multiple occasions, which leads to a situation where:

1. Packets that should be serviced by the crypto engine [SSH, IPSec] are dropped
2. Crypto Archive files are generated:
#show flash:/crypto_archive
1 590756 Oct 11 2012 19:06:28 crypto_archive/crypto_eng0_arch_1.bin
2 590756 Oct 11 2012 19:07:04 crypto_archive/crypto_eng0_arch_2.bin
3. Syslog such as:

ASA-4-402125 CRYPTO: The ASA hardware accelerator Ipsec ring timed out (Desc= 0xC83DC7D8, CtrlStat= 0xB000, ResultP= 0xC5AEE8B0, ResultVal= 11, Cmd= 0x30, CmdSize= 0, Param= 0x0, Dlen=232, DataP= 0xC5AEE7D4, CtxtP= 0xC635A570, SWReset= 7)

ASA-4-402126 CRYPTO: The ASA created Crypto Archive File < disk0:/crypto_archive/crypto_eng0_arch_1.bin > as a Soft Reset was necessary. Please forward this archived information to Cisco.

Conditions:
ASA with Crypto Services enabled [IPSec, SSH]

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
19-MAY-2015
Known Affected Releases:
8.2, 8.2(5)
Known Fixed Releases:
100.7(13.43), 100.7(14.36), 100.7(17.7), 100.7(18.4), 100.7(6.51), 100.8(0.40), 100.8(11.4), 100.8(15.17), 100.8(19.35), 100.8(2.30)
Bug Id:
CSCuu14764
Title:
[ASA] sysopt connection timewait; conn dropped for RST packet
Description:

Symptom:
Based on the Command Reference guide, "the ASA holds on to the connection for 15 seconds after receiving the last packet (either FIN/ACK or RST) of the connection" when "sysopt connection timewait" is enabled: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s8.html#wp1517744

Problem description:
- With and without the "sysopt connection timewait" command enabled the connection is dropped once the RST packet is received.
- Based on Command Reference guide the connection should be up for 15 more seconds when RST or FIN/ACK packet is received ( "sysopt connection timewait" enabled)
- Connection is changed to TIME-WAIT state for 15 seconds just after the FIN/ACK packet.

Conditions:
Working fine (per the Command Reference guide) until ASA version 8.2.5.20.
Starting from 8.2.5.21 this behaviour changed.

Workaround:
N/A

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
19-MAY-2015
Known Affected Releases:
8.2(5.21), 9.2(2.4)
Known Fixed Releases:
Bug Id:
CSCue59676
Title:
ASA shared port-channel subinterfaces and multicontext traffic failure
Description:

Symptom:
An ASA configured in multi context mode, with port-channels divided into subinterfaces, may experience an issue where traffic to certain contexts will fail if the port-channel has more than one active interface member.

Conditions:
To confirm you are hitting this bug, check the output of 'show controller' for each physical member of the port-channel. Affected ASAs will show only the first member in Promiscuous mode and the rest in Disabled.
The output of 'show controller' depends on the ASA platform.

Some of the platforms show the output below.

show controller GigabitEthernet 0/0 | i Promiscuous Mode
Unicast Promiscuous Mode: Enabled (5) <----
show controller GigabitEthernet 0/1 | i Promiscuous Mode
Unicast Promiscuous Mode: Disabled (0) <----

And some of the platforms show the output below.

show controller GigabitEthernet 0/0 | i RX Control
RX Control: 0x00007fff18536100 = 0x0440800a
show controller GigabitEthernet 0/1 | i RX Control
RX Control: 0x00007fff18536100 = 0x04408002

The first bit of 'a' (1010) being set means Promiscuous, and '2' (0010) means Not Promiscuous.

Traffic failure is observed when the number of MAC addresses allocated to each interface exceeds the size of the RX address array.
The RX address array can be seen in the "show controller" output.

Workaround:
Reduce the number of contexts or subinterfaces so that the number of MAC addresses allocated to interfaces does not exceed the size of the RX address array.
Deleting the context that experiences the problem and reconfiguring it sometimes resolves the issue for that context, but the problem may then move to another context.

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
19-MAY-2015
Known Affected Releases:
8.4(4.6), 8.4(5)
Known Fixed Releases:
100.7(13.111), 100.7(6.110), 100.8(27.63), 100.8(50.35), 100.9(0.35), 100.9(4.5), 100.9(6.10), 100.9(7.9), 100.9(8.1), 8.4(5.7)
Bug Id:
CSCue67198
Title:
Crypto accelerator resets with error code 23
Description:

Symptom: Crypto chip resets observed with IPSec traffic on multi-core platforms. These are generated due to packets that have a bad inner IP header.

%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error
(HWErrAddr= 0x7693AB40, Core= 0, HwErrCode= 23, IstatReg= 0x40008, PciErrReg=
0x0, CoreErrStat= 0xC3, CoreErrAddr= 0x8EC19940, Doorbell Size[0]= 2048,
DoorBell Outstanding[0]= 0, Doorbell Size[1]= 0, DoorBell Outstanding[1]= 0,
SWReset= 3)

Conditions: Seen on ASA5585 running 9.1.1.2

Workaround: None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
19-MAY-2015
Known Affected Releases:
8.4(0.3), 9.1(1.2)
Known Fixed Releases:
100.8(27.83), 100.8(40.2), 100.8(60.7), 100.9(0.38), 100.9(4.5), 100.9(6.16), 100.9(7.20), 9.0(2.100), 9.0(2.9), 9.0(3)
Bug Id:
CSCts18026
Title:
ASA 5520 8.2.5 : traceback at thread name snmp
Description:

Symptom:
The primary firewall had high memory utilization (over 80%) and crashed with traceback info in thread snmp; after a few days the secondary also crashed with the same info in the traceback.

Conditions:
A few months ago bug CSCti09288 was resolved, so the firewalls were upgraded from 8.2.3.5 to 8.2.5.

Workaround:
There is no workaround.

Status:
Fixed
Severity:
2 Severe
Last Modified:
19-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
100.7(13.37), 100.7(14.26), 100.7(17.5), 100.7(18.3), 100.7(6.44), 100.7(8.34), 100.8(0.30), 100.8(0.36), 100.8(0.46), 100.8(0.54)
Bug Id:
CSCus27650
Title:
TLS Proxy + Cut Through proxy not working correctly with TLS1.2
Description:

Symptom:
Cut Through Proxy and TLS Proxy may fail to function when using TLS1.2.

Conditions:

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
19-MAY-2015
Known Affected Releases:
100.13(1.32), 9.3(2)
Known Fixed Releases:
Bug Id:
CSCus92856
Title:
ASA traceback in DATAPATH Thread due to Double Block Free
Description:

Symptom:
ASA reloads and generates crashinfo in Thread DATAPATH.
The issue is specific to a cluster with multi-context and interface sharing. The issue was exposed by fragmentation happening on the shared interface.

Conditions:
Clustering is enabled on ASA

Workaround:
Avoid using loopback/shared interface

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
19-MAY-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.11(0.58), 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.24), 100.14(7.23), 100.15(0.9)
Bug Id:
CSCuo58411
Title:
ASA IKEv2 "Duplicate entry in tunnel manager" (post 9.1.5)
Description:

Symptom:
-ASA stops passing IKEv2 packets for certain identities.
-ASA prints "Duplicate entry in tunnel manager", while "debug menu ike-common 1" shows stale IKEv2 entries.
-"debug menu ike-common 1" reveals IKEv2 identities that are very old (stale)

Conditions:
-ASA is running 9.1.5 or later
-ASA is configured for IKEv2 L2L

Workaround:
Issue "debug menu ike-common 10" to remove the stale IKEv2 entries (this will delete all current IKEv2 connections)

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
19-MAY-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.11(0.21), 100.11(6.1), 100.12(12.1), 100.12(13.6), 100.12(15.2), 100.12(2.10), 100.12(8.11), 100.8(40.78), 9.1(5.13), 9.2(2.1)
Bug Id:
CSCtk10198
Title:
Dispatch unit BLOCK DOUBLE FREE traceback
Description:

Symptom:

ASA reloads by itself generating crashinfo with thread Dispatch unit and 'assertion "0" failed: file "block.c"'.

Conditions:

Possibly related to packet encryption.

Workaround:

none

Status:
Other
Severity:
2 Severe
Last Modified:
19-MAY-2015
Known Affected Releases:
8.2(3.5)
Known Fixed Releases:
Bug Id:
CSCum55917
Title:
ASA Traceback in Thread Name: fover_fail_check
Description:

Symptom:
ASA may run into a 1550 block depletion and trigger an assert traceback in thread name: fover_fail_check

Conditions:
ASA running release 9.0.3 (specific conditions are under investigation) or release 9.1.4 with DHCP relay enabled.

Workaround:
In the case where DHCP relay is configured, disabling DHCP relay may keep the issue from occurring.

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
20-MAY-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
Bug Id:
CSCts48937
Title:
Memory leak in DP udp host logging resulting in 1550 byte blocks leak
Description:

Symptom:
When the command "management-access" is configured, in conjunction with a UDP syslog server destination, the ASA might exhaust the available blocks of memory used for processing traffic; this could cause the ASA to fail to pass traffic or de-stabilize a redundant failover pair of ASAs.

If this problem is encountered, the following syslog might be logged by the ASA:
%ASA-3-3321007: System is low on free memory blocks of size ( CNT out of MAX)

And the output of 'show blocks' could show that the available blocks of one size have gone to 0, as in the output below:
ciscoASA# show blocks
SIZE MAX LOW CNT
0 400 383 400
4 100 98 99
80 403 377 403
256 1200 1165 1195
1550 6479 6384 6476
2048 1200 0 123 <---- Problem here
2560 264 263 264
4096 100 100 100
8192 100 100 100
16384 102 102 102
65536 16 16 16
ciscoASA#

Conditions:
To encounter this problem, all of the following conditions must be met:
1) The ASA must have the command 'management-access' configured, with an interface specified for that access. For example, to enable the management-access feature on the inside interface, the command would be 'management-access inside'
2) The ASA must be configured to send UDP syslogs to a syslog server located out the same interface as defined in the 'management-access' command. For example: 'logging host inside 10.1.2.3'

Workaround:
Remove the management-access command, or disable UDP syslogging.

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-MAY-2015
Known Affected Releases:
8.3(2), 8.4(1)
Known Fixed Releases:
100.7(13.31), 100.7(14.21), 100.7(18.2), 100.7(6.44), 100.7(8.34), 100.8(0.25), 100.8(10.35), 100.8(12.32), 100.8(15.5), 100.8(19.14)
Bug Id:
CSCeh46345
Title:
Dynamic L2L could pass clear text traffic when tunnel terminates
Description:

Symptom:
Traffic that should go into an IPSec tunnel could be sent in cleartext after
the tunnel goes down, and continue to be sent in clear after the tunnel is up
again.

Conditions:
This only affects traffic sent from behind a PIX/ASA configured with a dynamic
crypto map, and that has a default route configured on the encrypting (usually
outside) interface.

This also affects dynamic crypto maps that have an access-list configured.

Workaround:
Remove the default route from the encrypting interface when possible.

If facing the issue the flows can be cleared with the command clear
local-host. Traffic will be encrypted after that command is issued.

Further Problem Description:
When the tunnel goes down the traffic will go out in the clear, and will
continue being sent in the clear after the tunnel is re-established by the VPN
peer.

This was observed for UDP traffic using fixed source and destination ports and
addresses. Other types of connections are less subject to the issue, as the
PIX/ASA internal flow will not live long after the tunnel goes down. New flows
created after the tunnel comes back up will be correctly encrypted.


Status:
Fixed
Severity:
2 Severe
Last Modified:
20-MAY-2015
Known Affected Releases:
7.0(0.107), 7.0(2)
Known Fixed Releases:
7.0(5)
Bug Id:
CSCei18370
Title:
Error processing SQLNet packet
Description:

Symptom:
PIX firewall may crash if crafted SQLNet packets are inspected as part
of an allowed TCP connection


Conditions:
The crafted SQLNet packets must be part of an allowed TCP connection and
the destination for the allowed connection must be a server running
SQLNet.


Workaround:
Allow SQLNet connections only between legitimate SQLNet clients and
servers. This is accomplished by configuring explicit access-list
entries that allow clients to connect to servers on TCP port 1521.

If SQLNet connections are allowed from untrusted clients, disable the
SQLNet inspection engine by using the command "no inspect sqlnet" in
class configuration mode. Class configuration mode is accessible from
policy map configuration mode. This example shows disabling SQLNet in the
default class and policy:

pixfirewall(config)# policy-map global_policy
pixfirewall(config-pmap)# class inspection_default
pixfirewall(config-pmap-c)# no inspect sqlnet
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# exit
pixfirewall#

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-MAY-2015
Known Affected Releases:
7.0(1.2)
Known Fixed Releases:
7.0(1.4), 7.0(2), 7.0(2.0), 7.0(3.1)
Bug Id:
CSCeg49143
Title:
traceback in websns:_process_wip+35 ( url filtering with Websense )
Description:

Symptom: PIX or ASA reloads with Thread Name: Dispatch Unit.

Condition: URL filtering is enabled using a URL server and the URL server is
configured to use UDP.

Workaround: Deny ICMP port unreachable packets sourced from the IP address of
the Websense server by using the command:
icmp deny 255.255.255.255 unreachable

URL filtering could also be disabled using the command:
no filter url

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-MAY-2015
Known Affected Releases:
7.0(0.77)
Known Fixed Releases:
7.0(2.3)
Bug Id:
CSCeg20559
Title:
WebVPN:function URL entry disabled..Go button URL entry still there
Description:

Symptom:
When configuring WebVPN, disabling URL entry does not prevent the Go button from
appearing in pages opened from the homepage.

Conditions:
WebVPN with URL entry turned off

Workaround:
Enabling Web ACL prevents access.

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-MAY-2015
Known Affected Releases:
7.0(81.169)
Known Fixed Releases:
7.0(0.66), 7.0(1.0)
Bug Id:
CSCsk96804
Title:
Traceback in Thread Name: Dispatch Unit with inspect h323
Description:

Symptom:

PIX/ASA may crash while running 7.2(3) on Thread Name Dispatch Unit

Conditions:
- Software versions 7.2(3.12) and 8.0(3)
- H.323 inspection
- A lot of H.323 setup requests

Workaround:

None available.

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-MAY-2015
Known Affected Releases:
7.2(3)
Known Fixed Releases:
7.0(7.13), 7.1(2.70), 7.2(4.1), 8.0(103.13), 8.0(3.12), 8.1(1.3)
Bug Id:
CSCeh81774
Title:
un-NATed ACK packets sent on outside interface
Description:

Symptom:
The PIX Security Appliance is sending Acknowledgement (ACK) packets to an
outside host when the TCP data stream from the outside host is out of order.
The ACK that the PIX sends erroneously contains the real IP address of the
internal host instead of the NAT address.


Conditions:
PIX Security Appliance running version 7.0.1. PIX versions prior to 7.0.1 are
not affected. Having NAT enabled and one or all of the following features
could trigger the problem:

inspect ftp
inspect smtp
inspect rpc
filter java ...
filter activex ...
filter http ...
filter ftp ...
filter https ...


Workaround: Disable the features listed above or block the packets with a separate
firewall on the outside interface.

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-MAY-2015
Known Affected Releases:
7.0(1)
Known Fixed Releases:
7.0(1.2), 7.0(2), 7.0(2.0), 7.0(3.1)
Bug Id:
CSCei15053
Title:
IKE test suite causes multiple reboots in 7.0(1)
Description:

Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE
(Internet Key Exchange) messages. These vulnerabilities were identified by the
University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for
IPSec and can be repeatedly exploited to produce a denial of service.

Cisco has made free software available to address this vulnerability for
affected customers. Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set compatibility and
known issues specific to their environment.

This advisory is posted at
http://www.cisco.com/warp/customer/707/cisco-sa-20051114-ipsec.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-MAY-2015
Known Affected Releases:
7.0(1)
Known Fixed Releases:
7.0(1.4), 7.0(2), 7.0(2.0)
Bug Id:
CSCso53162
Title:
Traceback in DTLS with TLS fragment handling
Description:

Symptom:
ASA crashes in DTLS fragment handling code.

Conditions:
SVC and DTLS is used.

Workaround:
Disable DTLS

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(3.9)
Known Fixed Releases:
8.0(103.17), 8.0(3.14), 8.1(1.4)
Bug Id:
CSCsq45636
Title:
Potential Information Disclosure in Clientless SSL VPNs
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:

Erroneous SIP Processing Vulnerabilities

IPSec Client Authentication Processing Vulnerability

SSL VPN Memory Leak Vulnerability

URI Processing Error Vulnerability in SSL VPNs

Potential Information Disclosure in Clientless VPNs

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(2), 8.0(3.12)
Known Fixed Releases:
8.0(103.27), 8.0(3.16), 8.1(1.6), 8.2(0.127)
Bug Id:
CSCsm26841
Title:
Watchdog failure: TLS fragmented client hello message.allocb+185
Description:

Summary: Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines details of these vulnerabilities:

* Crafted TCP ACK Packet Vulnerability
* Crafted TLS Packet Vulnerability
* Instant Messenger Inspection Vulnerability
* Vulnerability Scan Denial of Service
* Control-plane Access Control List Vulnerability

The first four vulnerabilities may lead to a denial of service (DoS) condition and the fifth vulnerability may allow an attacker to bypass control-plane access control lists (ACL).

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(3.6), 8.1(0.157)
Known Fixed Releases:
8.0(3.9), 8.1(0.185), 8.1(1.1)
Bug Id:
CSCsm67466
Title:
Apply Control-plane ACL fail, need clear/apply it again to work properly
Description:

Summary: Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines details of these vulnerabilities:

* Crafted TCP ACK Packet Vulnerability
* Crafted TLS Packet Vulnerability
* Instant Messenger Inspection Vulnerability
* Vulnerability Scan Denial of Service
* Control-plane Access Control List Vulnerability

The first four vulnerabilities may lead to a denial of service (DoS) condition and the fifth vulnerability may allow an attacker to bypass control-plane access control lists (ACL).

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml

Applying a 'control-plane' ACL to an interface after applying an interface ACL does not work the first time; we have to clear it and then apply it again to the interface for it to work properly.

Example

ASA(config)# access-group test in interface outside
ASA(config)# access-group test in interface outside control-plane
ASA(config)# sh run | inc access-group
access-group test in interface outside control-plane

I can connect using VPN client without issues, the 'control-plane' ACL is not working, then I do this:

ASA(config)# no access-group test in interface outside control-plane
ASA(config)# access-group test in interface outside control-plane
ASA(config)#

Now the 'control-plane' ACL is working, and I can't connect with VPN client to the ASA


Conditions:

- Apply a control-plane ACL to restrict traffic to-the-box

Workaround:

Clear the control-plane ACL and then apply it again to the interface for it to work properly (second time around).


Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(3)
Known Fixed Releases:
8.0(3.9), 8.1(0.180), 8.2(0.95)
Bug Id:
CSCsl83577
Title:
ASA traceback when running Codenomicon Radius suite
Description:

Symptom:
ASA reloads.

Conditions:
ASA configured to use a RADIUS AAA server.

Workaround:
None.

Further Information:
This issue happens when an ASA processes malformed RADIUS attributes sent
by a RADIUS server.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(3), 8.1(0.138)
Known Fixed Releases:
7.0(7.11), 7.1(2.70), 7.2(3.16), 7.2(4), 8.0(3.6), 8.1(0.151), 8.2(0.87)
Bug Id:
CSCsl95286
Title:
Control-plane feature not working for https traffic to-the-box
Description:

Symptom:
Control-plane feature won't restrict https traffic to-the-box

Conditions:
If we want to restrict access to webvpn portal based on IP address, we create access-lists matching https traffic going to-the-box. By using these access-lists and control-plane feature under access-group, we should be able to restrict access.

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0
Known Fixed Releases:
8.0(3.9), 8.1(1.1), 8.2(0.98)
Bug Id:
CSCsq19457
Title:
ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 may break webvpn or ASDM
Description:

Symptom:
Webvpn or http access stops working after modifying the webvpn or http server port.

The following error may appear during boot up OR when modifying the webvpn or http port parameters. It may also occur when enabling/disabling webvpn or the http server:
ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 exists

Conditions:
The following error may appear during boot up OR when modifying the webvpn or http port parameters. It may also occur when enabling/disabling webvpn or the http server:
ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 exists

This error may occur during bootup if both webvpn and http server are enabled on the same ports.

Workaround:

If webvpn access fails after modifying the http server port or the webvpn port, then disabling/re-enabling webvpn should fix the problem.
For example:
no webvpn enable outside
webvpn enable outside

If ASDM access fails after modifying the http server port or the webvpn port, then disabling/re-enabling the http server should fix the problem.
For example:
no http server enable port xxxx
http server enable port xxxx

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(3.12), 8.0(3.26), 8.0(4), 8.1(1.107)
Known Fixed Releases:
8.0(4.7), 8.0(5), 8.1(2.2), 8.2(0.163), 8.2(0.164), 8.2(1)
Bug Id:
CSCso66472
Title:
Crypto memory leak causing Clientless SSL VPNs to hang
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:

Erroneous SIP Processing Vulnerabilities

IPSec Client Authentication Processing Vulnerability

SSL VPN Memory Leak Vulnerability

URI Processing Error Vulnerability in SSL VPNs

Potential Information Disclosure in Clientless VPNs

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(3), 8.0(3.10), 8.0(3.7)
Known Fixed Releases:
7.2(4.2), 8.0(103.16), 8.0(3.14), 8.1(1.4)
Bug Id:
CSCsm02939
Title:
Memory leak while processing SSL transactions
Description:

Symptom:
There is a memory leak when SSL connections are established.

Conditions:
When the ASA is used as an SSL server, when WebVPN is configured.

Workaround:
Only allow HTTPS connections to the Cisco ASA from trusted hosts.

Further Problem Description:
The issue is exacerbated on 8.0 because of the smaller memory pool used for SSL.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
7.2(2.20)
Known Fixed Releases:
7.2(3.21), 7.2(4), 8.0(3.10), 8.1(1.2), 8.2(0.100)
Bug Id:
CSCuu16764
Title:
ASA traceback in Dispatch Unit; Page fault: Address not mapped
Description:

Symptom:
ASA running 8.2(5)52 standby unit may traceback.

Conditions:
Standby unit.

Workaround:
No known workarounds.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
Bug Id:
CSCsq07867
Title:
Memory corruption with traceback in SIP inspection code
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:

Erroneous SIP Processing Vulnerabilities

IPSec Client Authentication Processing Vulnerability

SSL VPN Memory Leak Vulnerability

URI Processing Error Vulnerability in SSL VPNs

Potential Information Disclosure in Clientless VPNs

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
7.0(7.12)
Known Fixed Releases:
7.0(7.15), 7.1(2.70)
Bug Id:
CSCso60605
Title:
ISAKMP : ASA installs permit rule with the interface network mask
Description:

Symptom:
When isakmp is enabled on the interface, the ASA installs an incorrect permit rule with the interface mask instead of a host mask.

Conditions:
crypto isakmp enable command is enabled in the configuration.

Workaround:
Disable crypto isakmp enable command.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(3)
Known Fixed Releases:
7.2(4.9), 8.0(103.11), 8.0(3.12), 8.1(1.3)
Bug Id:
CSCso22981
Title:
Traceback in Thread Dispatch unit related to IM inspection
Description:

Summary: Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines details of these vulnerabilities:

* Crafted TCP ACK Packet Vulnerability
* Crafted TLS Packet Vulnerability
* Instant Messenger Inspection Vulnerability
* Vulnerability Scan Denial of Service
* Control-plane Access Control List Vulnerability

The first four vulnerabilities may lead to a denial of service (DoS) condition and the fifth vulnerability may allow an attacker to bypass control-plane access control lists (ACL).

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
7.2, 8.0(2), 8.1
Known Fixed Releases:
7.2(3.23), 7.2(4), 8.0(103.5), 8.0(3.10), 8.1(1.2)
Bug Id:
CSCsq03893
Title:
Segmented HTTP GET request are not parsed by Filtering and HTTP inspect
Description:

Symptom:
An ASA or PIX firewall configured to do URL filtering may not filter requests that have the HTTP GET request segmented over multiple TCP packets.

Conditions:
This occurs on ASA and PIX firewalls running code version 8.0 with URL filtering configured.

Workaround:
None at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
7.0, 8.0(3.10)
Known Fixed Releases:
7.0(7.13), 7.1(2.70), 7.2(4.3), 8.0(103.24), 8.0(3.14), 8.1(1.4)
Bug Id:
CSCth41811
Title:
Crash due to page fault
Description:

Symptom:
ASA reloads.

Conditions:

Crash was seen on ASA running 8.3.1.4

Workaround:

None known so far.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.3(1.4)
Known Fixed Releases:
Bug Id:
CSCtg74172
Title:
Can get around dynamic-filter by using caps in domain name
Description:

Symptoms:
The Cisco ASA BTF (Botnet Traffic Filter) feature should not be case sensitive. A user can get around the BTF feature by using capital letters in domain names.

Conditions:
Configuring white and black lists for BTF

Workaround:
Not known

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2.12)
Known Fixed Releases:
Bug Id:
CSCtc79922
Title:
MU sunrpc test for dump.call with truncated body cause traceback on
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
100.5(0.49)
Known Fixed Releases:
100.3(0.21), 100.4(0.24), 7.2(4.100), 8.2(1.106), 8.2(2), 8.2(2.99), 8.2(4), 8.3(0.5)
Bug Id:
CSCsu85188
Title:
ASA 7.2.4.15 traceback at Thread Name: IKE Daemon
Description:

Symptom:
ASA running 7.2.4.15 may crash at Thread Name: IKE Daemon

Conditions:

Workaround:

Further Problem Description:
Crashes can happen one or multiple times.

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
21-MAY-2015
Known Affected Releases:
7.2(4.15)
Known Fixed Releases:
7.2(4.17), 8.0(4.8), 8.0(5), 8.1(2.2), 8.2(0.166), 8.2(1)
Bug Id:
CSCth63101
Title:
ASA HTTP response splitting on /+CSCOE+/logon.html
Description:

Symptom:
ASA is vulnerable to HTTP response splitting in certain URLs. HTTP response splitting is the ability for an attacker to modify the headers of an
HTTP response due to lack of input validation on requests that are sent to the application server.

Detail on HTTP response splitting defects :

http://en.wikipedia.org/wiki/HTTP_response_splitting
http://www.owasp.org/index.php/HTTP_Response_Splitting

Conditions:
This is default behavior for the ASA.


Workaround:
There are no workarounds for this issue.

Further Problem Description:
The following Cisco Applied Mitigation Bulletin, titled "Understanding Cross-Site Scripting (XSS) Threat Vectors", provides several best practices
and information that can be used to mitigate these types of issues:

http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2011-3285 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
100.5(5.31), 100.7(0.36), 100.7(5.7), 100.7(6.3), 8.2(2.148), 8.2(3), 8.3(2.1), 8.4(0.99), 8.4(1), 8.4(1.99)
Bug Id:
CSCth29346
Title:
Traceback in Thread Name: Dispatch Unit
Description:

Symptom:

ASA Crashed due to a Traceback in Thread Name: Dispatch Unit

Conditions:

Unknown

Workaround:

This bug is possibly related to the sip inspection. Disabling 'inspect sip' from your service-policy may alleviate the issue.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(5.17)
Known Fixed Releases:
Bug Id:
CSCsw83282
Title:
Watchdog failure in fover_FSM_thread

Symptom:
The ASA crashes with thread fover_FSM_thread when configured in a failover pair running RIP.

Conditions:
This will occur when a large number of RIP dynamic routes are located in the routing table.

Workaround:
If this occurs, route summarization will need to be done so that the number of routing table entries is reduced.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(3), 8.2(0.195)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 7.2(4.26), 8.0(4.24), 8.0(5), 8.1(2.14), 8.2(0.206), 8.2(4)
Bug Id:
CSCtb07060
Title:
ASA bootloops with 24 or more VLANs in multimode
Description:

Symptom:
When booting an ASA in multi-context mode with more than 24 VLAN interfaces configured, the ASA loads up to the ciscoasa> prompt. However, it doesn't respond to any input entered, and about 2 seconds later prints "Rebooting..." and drops back to ROMMON, or stays in a boot loop until you break into ROMMON.

Conditions:
ASA configured in multi-mode with 24 or more VLANs configured.

Workaround:
Break into ROMMON and change the config register to ignore the startup configuration


rommon #1> confreg 0x41

After the device boots up copy the startup configuration to the running configuration

copy start run

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2, 8.2(0.1)
Known Fixed Releases:
8.0(4.43), 8.0(5), 8.1(2.34), 8.2(1.100), 8.2(1.102), 8.2(1.12), 8.2(4), 8.3(0.0)
Bug Id:
CSCtf81810
Title:
OpenSSL Record of death
Description:

Symptom:
The device may be affected by an OpenSSL vulnerability.

This vulnerability is tracked as CVE-2010-0740

In TLS connections, certain incorrectly formatted records can cause an OpenSSL
client or server to crash due to a read attempt at NULL.

Conditions:
Device configured with any feature that uses SSL.

Workaround:
Not available

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0, 8.3(1)
Known Fixed Releases:
100.4(0.54), 8.0(5.17), 8.1(2.44), 8.2(2.13), 8.2(2.99), 8.2(4), 8.3(1.100), 8.3(1.2), 8.4(1)
Bug Id:
CSCsw51809
Title:
sqlnet traffic causes traceback with inspection configured
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:

* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability

Workarounds are available for some of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(4.12), 8.0(4.7), 8.1(2.7), 8.2(0.177), 8.2(0.184)
Known Fixed Releases:
7.0(8.7), 7.2(4.26), 7.2(4.35), 8.0(4.22), 8.0(4.220), 8.1(2.12), 8.2(0.198), 8.2(4)
Bug Id:
CSCtf20547
Title:
Cmd authorization fails for certain commands on fallback to LOCAL db
Description:

Symptom:

Certain commands such as 'show running-config' and 'show interface' can be
executed by users with a lower privilege level when fallback has
occurred.

Conditions:

1. Fallback to LOCAL is configured
2. All ASA commands are assigned their default privilege levels in LOCAL db.
3. Users with a privilege level lower than 15 log into privileged-exec mode and
execute the 'show running-config' or 'show interface' commands, and some
config commands.

Workaround:

none.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 6.0/5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2011-0358 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0
Known Fixed Releases:
100.5(5.57), 100.7(0.71), 100.7(11.2), 100.7(13.1), 100.7(6.17), 100.7(8.3), 7.0(8.12), 7.2(5.2), 8.0(5.23), 8.1(2.49)
Bug Id:
CSCtd54252
Title:
traceback in checkheaps during backup of asa with smartcare appliance
Description:

Symptom:
ASA reloads when given a file name that is too long.

Conditions:
This happens when using Smart Care appliance to take a backup of the ASA. This
is due to the mechanism that Smart Care uses to specify the file name. The
Smart Care Appliance simply specifies the source and target protocol in the
copy command, and is then prompted for the rest:

asa# copy startup-config tftp

Address or name of remote host [10.1.1.1]? 10.2.2.2

Destination filename []?
this-is-a-very-long-filename-that-is-used-as-a-negative-example.txt

The filename is limited to 63 characters and is properly truncated, but the ASA then appends a realm parameter consisting of the interface name (+5 characters). This causes the filename to exceed the buffer and triggers a checkheaps failure, but only if the last path structure in the array is in use (the array has 8 elements).

Workaround:

Don't take a backup of the ASA with the Smart Care appliance.

Alternatively, specify the destination filename on the command line; it will be truncated but will not cause a crash:

asa# copy startup-config tftp://10.2.2.2/this-is-a-very-long-filename-that-is-used-as-a-negative-example.txt

This will also fail (because the filename above is more than 63 characters), but it will not crash, and unlike prompting for the filename it permits the full use of 63 characters.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.4(0.29), 7.2(4.45), 8.0(5.6), 8.1(2.39), 8.2(2.1), 8.2(2.99), 8.2(4), 8.3(0.13)
Bug Id:
CSCue30158
Title:
Traceback while editing objects attached to NAT
Description:

Symptom:

While modifying the ASA NAT configuration, the device may reload.

Conditions:
ASA 8.4 NAT changes.

Workaround:
N/A

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases:
100.7(6.117), 8.4(6.1), 8.4(6.99), 8.4(7)
Bug Id:
CSCtc81874
Title:
Traceback: CTM message handler - L2TP and crypto reset - stack overflow
Description:

Symptom:
A Cisco Adaptive Security Appliance (ASA) crashes at a random interval with a nested traceback in thread Checkheaps. L2TP and crypto processes will reset.
Conditions:
L2TP traffic must be seen by the ASA.
Workaround:
No known workaround at this time.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/3.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
CVE ID CVE-2012-5998 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(1), 8.2(1.11), 8.2(2)
Known Fixed Releases:
100.4(0.44), 8.0(5.12), 8.1(2.41), 8.2(2.7), 8.2(2.99), 8.2(4), 8.3(1.1), 8.3(1.100), 8.4(1)
Bug Id:
CSCtd01979
Title:
Oversize SNMP poll may cause slow memory leak
Description:


Symptom:
Certain UDP packets may cause a slow memory leak when the device is configured for SNMP.

Conditions:
Cisco ASA/PIX configured for SNMP

Workaround:
Only allow trusted hosts to communicate via SNMP to the ASA/PIX. The following example allows only 192.168.1.123 to communicate with the ASA/PIX:

snmp-server host management 192.168.1.123 poll community somerandomcommunity

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(5)
Known Fixed Releases:
7.2(4.45), 8.0(5.5)
Bug Id:
CSCua99091
Title:
ASA: Page fault traceback when copying new image to flash
Description:

Symptom:

Under rare conditions, the ASA may generate a traceback and reload when copying a new system image to flash from a TFTP/FTP server.

Conditions:

This occurs under normal operation when copying an image to flash.

Workaround:

There is no known workaround at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(2.9), 8.6(1.2), 9.1(1), 9.5(1)
Known Fixed Releases:
100.7(13.102), 100.7(6.102), 100.8(0.240), 100.8(11.40), 100.8(27.20), 100.8(33.25), 100.8(34.1), 100.8(38.1), 100.8(39.1), 100.9(0.6)
Bug Id:
CSCtb34362
Title:
Traceback in Dispatch Unit with snp_asdp_prepare_to_divert
Description:

Symptom:
An ASA firewall may reload unexpectedly citing the thread name 'Dispatch Unit' as the crashing thread.

Conditions:
This has been seen on ASA firewall code version 8.2.1.3 but may also exist on other builds. The crash indicates that there was some interaction with an installed AIP/CSC module at the time of the crash, so the presence of such a module in the ASA may be part of the trigger for this bug.

Workaround:
None at this time.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(1.3)
Known Fixed Releases:
Bug Id:
CSCsv86258
Title:
Crafted ESP packet may reload ASA
Description:

Symptom:
The box will crash due to an assert when a malformed IPsec ESP packet is received.
Under rare circumstances, if an ASA 5580 firewall receives a malformed ESP packet from a valid IPsec peer, the device might reload.

Conditions:
All of the following conditions must be met to be susceptible to this bug:
1) The VPN terminating device must be an ASA 5580
2) The 5580 must receive a malformed ESP packet

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.1(2)
Known Fixed Releases:
8.1(2.7), 8.2(0.181), 8.2(1)
Bug Id:
CSCtc77774
Title:
MU Get port with null opaque length causes traceback on sunrpc byteorder
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
100.5(0.49)
Known Fixed Releases:
Bug Id:
CSCsz87306
Title:
assertion "ip->ip_version == IP_VERSION_6" failed
Description:



Symptom:
The ASA gives the error "assertion "ip->ip_version == IP_VERSION_6" failed", resets continuously and saves a crashinfo.


Conditions:
When ASA starts learning external routes, it crashes.


Workaround:
Implement static and default routes.


Further Problem Description:
The external routes to the destinations carry IPv6-enabled traffic.

Status:
Other
Severity:
1 Catastrophic
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
Bug Id:
CSCtc85753
Title:
ASA traceback on inspect_sunrpc.c when fuzzing call request
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
100.5(0.49)
Known Fixed Releases:
100.3(0.20), 100.4(0.23), 8.0(5.2), 8.1(2.37), 8.2(1.105), 8.2(1.16), 8.2(4), 8.3(0.5)
Bug Id:
CSCtg63992
Title:
standby running out of 1550 blocks after multicast traffic
Description:

Symptom:
When an ASA-5580 is in active/standby failover mode and is configured in single, routed mode to process multicast traffic (with a very simple config), the standby unit exhausts all the memory in 1550 blocks and reboots.

This issue only affects the secondary/standby device. It does not affect the primary unit.
Traffic was never dropped on the primary unit, and it experienced no performance degradation.

Conditions:
This has occurred only once and has not been seen since. When it happened, there was no configuration change and no show/clear commands were issued. Multicast traffic flows through the box continuously and passes through the primary device properly.

The issue has been reproduced only once; later attempts to recreate it in the lab have not been successful.

Workaround:
Not available. The standby unit rebooted and appeared fine afterwards. Traffic is not affected as the primary unit held up fine.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2.99)
Known Fixed Releases:
Bug Id:
CSCtb18913
Title:
Assert ctm_ipsec_process_outbound_pkt+485 ... mp_counter.h:124
Description:

Symptoms:

Crash occurs during stress testing with IPsec sessions in network extension mode using cert authentication.

Conditions:

IPsec with certificate authentication.

Workaround:

None.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5739 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
100.5(0.21), 100.5(0.34), 100.5(0.35), 8.2(1), 8.2(2), 8.2(2.17)
Known Fixed Releases:
100.4(0.54), 100.5(5.1), 8.2(2.99), 8.2(4), 8.3(0.5), 8.3(1), 8.4(1)
Bug Id:
CSCte15240
Title:
Port openssl DTLS fragment memory leak
Description:

Symptom:
Cisco ASA may experience a memory leak when receiving a specific sequence of DTLS messages.

Conditions:
Authentication is needed before this can take place.

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(4), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1)
Known Fixed Releases:
100.4(0.32), 8.0(5.7), 8.1(2.40), 8.2(2.1), 8.2(2.99), 8.2(4), 8.3(0.19), 8.3(1)
Bug Id:
CSCte46507
Title:
ASA crash observed during isakmp testing with Codenomicon tool
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.4(0.46), 100.7(2.1), 7.2(4.100), 8.0(5.15), 8.1(2.44), 8.2(2.10), 8.2(4), 8.3(1.1), 8.4(1)
Bug Id:
CSCsv27829
Title:
ASA 5580 stops forwarding traffic while checking CRL
Description:

Symptom:

The ASA stops forwarding all traffic to and through the box (clear text and encrypted) if a CRL check has to be done when an IPsec or L2TP connection is established. The outage lasts 1-3 seconds.

Conditions:

IPSec or L2TP connection established using rsa-sig authentication

Workaround:

Disable CRL checking.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.1(2), 8.2, 8.2(0.188), 8.2(0.229)
Known Fixed Releases:
7.0(8.6), 7.1(2.81), 7.2(205.1), 8.2(1)
Bug Id:
CSCtc77567
Title:
MU portmap suite causes ASA to traceback with call credentials null
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
100.5(0.49)
Known Fixed Releases:
100.3(0.19), 100.4(0.23), 7.2(4.100), 8.0(5.2), 8.1(2.37), 8.2(1.105), 8.2(4), 8.3(0.5)
Bug Id:
CSCtd02193
Title:
Heap memory head magic verification failed on asdm access
Description:

Symptom:

Traceback on asdm access

Conditions:

multi routed mode

Workaround:

none

Further Problem Description:

Memory corruption with reason "Heap memory head magic verification failed"; the box crashes on entering the URL used to access ASDM.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5741 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2.12), 8.3(0.3)
Known Fixed Releases:
100.5(5.1), 100.5(5.30), 100.7(0.34), 8.2(2.147), 8.2(2.20), 8.3(0.7), 8.3(1), 8.4(0.99), 8.4(1), 8.4(1.99)
Bug Id:
CSCtf55259
Title:
AAA : Traceback on authenticating a https user
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
100.4(0.43), 8.0(5.12)
Known Fixed Releases:
100.7(2.1), 8.0(5.13), 8.1(2.42), 8.2(2.8), 8.2(2.99), 8.2(4), 8.3(1.1), 8.3(1.100), 8.4(1)
Bug Id:
CSCtg61810
Title:
standby unit crashes under multicast traffic
Description:

Symptom:
A Cisco ASA may experience a device reload when configured for failover. Only the standby ASA is affected.

** This was only experienced during internal testing in code that was never released to customers. It was fixed prior to first customer shipment (FCS).

Conditions:
Cisco ASA 5580-20 configured for failover.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2.99)
Known Fixed Releases:
100.5(5.15), 100.7(0.15), 100.7(6.1), 8.2(2.104), 8.2(2.15), 8.3(1.100), 8.3(1.5), 8.4(0.99), 8.4(1)
Bug Id:
CSCte21953
Title:
ASA may allow authentication of an invalid username for NT auth
Description:

Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.


Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
7.0, 7.1, 7.2, 8.0, 8.1, 8.2(1), 8.2(1.18)
Known Fixed Releases:
100.4(0.31), 7.0(8.10), 7.2(4.45), 8.0(5.7), 8.1(2.40), 8.2(2.1), 8.2(4), 8.3(0.19)
Bug Id:
CSCtg66583
Title:
RIP denial of service vulnerability
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* Routing Information Protocol (RIP) Denial of Service Vulnerability
* Unauthorized File System Access Vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml

Note: The Cisco Firewall Services Module (FWSM) is affected by one of these vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerability that affects the Cisco FWSM. That advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(1), 8.3(1)
Known Fixed Releases:
100.5(5.31), 100.7(0.35), 100.7(5.7), 100.7(6.3), 8.2(2.148), 8.2(3), 8.3(2.1), 8.4(0.99), 8.4(1), 8.4(1.99)
Bug Id:
CSCsx94423
Title:
Possible reload of http server thread
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:

* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability

Workarounds are available for some of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.3(0.2), 8.0(4.161), 8.0(4.27), 8.0(5), 8.1(2.165), 8.1(2.18), 8.2(1.5), 8.2(4)
Bug Id:
CSCte39708
Title:
Encoded error message issue in /+CSCOE+/logon.html
Description:

Symptom:
The Cisco ASA /+CSCOE+/logon.html URL contains an encoded error message that may lead to a cross site scripting (XSS) attack.

This issue was reported to Cisco by A.Kadir Altan from Accenture Prague Information Security Team. Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports.

Conditions:
Cisco ASA configured for SSL VPN.

Workaround:
None

Refer to the Cisco Applied Mitigation Bulletin: Understanding Cross-Site Scripting (XSS) Threat Vectors
at the following link, for a better understanding of XSS and mitigation information:

http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2, 8.2(2)
Known Fixed Releases:
100.4(0.35), 100.7(2.1), 8.0(5.10), 8.1(2.40), 8.2(2.5), 8.2(2.99), 8.2(4), 8.3(0.23), 8.4(1)
Bug Id:
CSCuc98398
Title:
ASA writes past end of file system then can't boot
Description:

Symptom:
After upgrading the ASA OS the device does not boot successfully, and will continually loop the unsuccessful boot sequence.

The following will be seen on the console of the ASA (The ASA and image file will vary):

-----------------------------------------------------------------------------------
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Boot configuration file contains 1 entry.


Loading disk0:/asa844-9-k8.bin... Booting...
Platform ASA5505

Loading...
IO memory blocks requested from bigphys 32bit: 9672

## APPLIANCE REBOOTS AUTOMATICALLY HERE ##
-----------------------------------------------------------------------------------

Conditions:
Cisco ASA where the disk (Compact Flash) is already close to full or is fragmented from frequent use, and a new version of the OS is saved on the disk (without removing any files) and the new file is made the boot file in the configuration.

Workaround:
Delete the bad file from flash, as well as any other images that are no longer in use, to free up more space on the flash. Then re-download the new file to flash.

- or -

1) Copy all the files off of the ASA's disk.
2) Format the disk.
3) Copy the files back onto the disk, starting with the OS image you wish the ASA to boot.

The second procedure (involving the re-format) is the preferred workaround, as it places the ASA image towards the beginning of the filesystem, making it much less likely that this problem is encountered.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
100.7(6), 8.4(2.8), 8.4(4.1), 8.4(5), 8.4(6)
Known Fixed Releases:
100.7(13.111), 100.7(6.108), 100.8(27.63), 100.8(50.25), 100.9(0.27), 100.9(4.1), 100.9(7.1), 100.9(8.1), 100.9(9.1), 8.4(5.6)
Bug Id:
CSCtg32918
Title:
ESMTP Inspection Deficiencies
Description:

Symptom:
In ESMTP inspection the AUTHELO and QUITURN commands should be sanitized in a more efficient manner.

Conditions:
Cisco ASA configured for ESMTP inspection.

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
100.7(0.18), 8.0(5.18), 8.1(2.45), 8.2(2.114), 8.2(2.17), 8.3(1.100), 8.3(1.6), 8.4(0.99), 8.4(1)
Bug Id:
CSCti26874
Title:
Control-plane feature not working for https traffic to-the-box
Description:

Symptom:

Control-plane feature won't restrict webvpn traffic (tcp port 443) to-the-box.

Conditions:

If we want to restrict access to the webvpn portal based on IP address, we create access-lists matching https traffic going to-the-box. By using these access-lists with the control-plane feature under access-group, we should be able to restrict access.

# access-group in interface control-plane

Workaround:

Apply access-list on next-hop router from webvpn enabled interface.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(3.39), 8.0(4), 8.2(2), 8.3(1)
Known Fixed Releases:
100.5(5.56), 100.7(0.71), 100.7(11.2), 100.7(13.1), 100.7(6.17), 100.7(8.3), 8.2(4.5), 8.2(5), 8.3(2.12), 8.4(1.4)
Bug Id:
CSCta20344
Title:
DH group 5 freezes IKE processing for about 80ms
Description:

Symptom:

If too many EZVPN clients/IPsec peers are trying to connect to an ASA at the 'same time', none is able to complete IKE phase I.

Conditions:

An IKE proposal with DH5 is used.

Workaround:

1] Reduce the concurrent IKE phase I limiter to a reasonable value. Use the command "debug ike 28 2 10" to set the value to 10 concurrent sessions.
2] Use DH2 instead of DH5.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.4(0.30), 8.0(5.6), 8.1(2.39), 8.2(2.1), 8.2(2.99), 8.3(0.19), 8.3(1)
Bug Id:
CSCth70492
Title:
Traceback in thread Dispatch Unit when many SSL sessions are created
Description:

Symptom:
The ASA crashes and returns a crash info file with a thread name Dispatch Unit.

Conditions:
All factors are unknown at this time. It seems to occur when a high number of Secure Sockets Layer (SSL) sessions are created to the ASA itself.

Workaround:
Limit the hosts able to connect to the Adaptive Security Device Manager (ASDM) socket on the ASA.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2.12)
Known Fixed Releases:
Bug Id:
CSCti24526
Title:
Flood of random IPv6 router advertisements causes high CPU and DoS
Description:

SYMPTOMS:

A flood of random IPv6 router advertisements easily causes 100% CPU utilization, which ultimately results in 100% loss of packets routed through the ASA and other system instabilities.

CONDITIONS:

The ASA is configured with 'ipv6 address autoconf'.

WORKAROUNDS:

Disabling IPv6 auto-configuration may be used as a workaround.

FURTHER INFORMATION:

The ASA checks the hop limit field in incoming Neighbour Discovery messages, and packets received with a hop limit not equal to 255 are discarded. This means that the flood of ND messages has to come from a host that is directly connected to the ASA.

PSIRT EVALUATION:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2010-4670 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
7.2, 8.0(4.33), 8.2(2.17)
Known Fixed Releases:
100.5(5.38), 100.7(0.50), 100.7(5.16), 100.7(8.1), 7.0(8.12), 7.2(5.2), 8.1(2.48), 8.2(3.102), 8.2(3.4), 8.2(4)
Bug Id:
CSCth58048
Title:
Assert Failure caused Traceback in Thread Name: Dispatch Unit
Description:

Symptom:

ASA experiences a crash due to an Assert Failure. The ASA will generate a crashinfo file and reload.

Conditions:

The 'show crashinfo' output will show a recent traceback in Thread Name: Dispatch Unit. It will also read "Abort: Assert failure".

Workaround:

Unknown

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2.17), 8.2(3), 8.2(3.5)
Known Fixed Releases:
100.7(13.15), 100.7(13.65), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(18.9), 100.7(19.8), 100.7(6.42), 100.7(6.62), 100.7(8.34)
Bug Id:
CSCth36592
Title:
5580-20 crash after running 10000 session ipsec L2L test.
Description:

Symptom:
A Cisco ASA 5580-20 may experience a device reload after running 10000 session ipsec L2L test.

** This was only experienced during internal testing in code that was never released to customers. It was fixed prior to first customer shipment (FCS).


Conditions:
Cisco ASA 5580-20 configured for IPSec site to site tunnel.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2.130), 8.2(2.18), 8.3(1.100)
Known Fixed Releases:
100.5(5.25), 100.7(0.26), 100.7(5.2), 8.2(2.134), 8.2(2.19), 8.3(1.101), 8.3(1.8), 8.4(0.99), 8.4(1), 8.4(1.99)
Bug Id:
CSCth02291
Title:
FTP Inspection Command Tailgating
Description:

Symptom:

A vulnerability exists in the Cisco ASA FTP inspection engine where an unauthenticated attacker could
bypass security checks by sending certain FTP commands.


Conditions:
Cisco ASA configured for FTP inspection.

Workaround:
Not available.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 4.9/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?
dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE ID CVE-2011-0930 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
100.5(5.35), 100.7(0.47), 100.7(8.1), 7.2(5.2), 8.1(2.48), 8.2(3.100), 8.2(3.240), 8.2(3.3), 8.2(4), 8.3(2.2)
Bug Id:
CSCsx59014
Title:
ASA allows VPN user although Zonelabs Integrity firewall rejects
Description:

Symptom:
When the Cisco ASA is configured to communicate with a Zone Labs Integrity Firewall server to validate VPN clients, the ASA may still permit users network access even though they lack the required policies and have been rejected by the Firewall server.



Conditions:
Unknown

Workaround:
No workaround currently available.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
7.2(4.29), 8.0(4.161), 8.0(4.27), 8.0(5), 8.1(2.165), 8.1(2.18), 8.2(1.10), 8.2(4)
Bug Id:
CSCsz06748
Title:
ASA traceback in inspect Skinny
Description:

Symptoms:
Cisco ASA may experience a reload when receiving malformed Skinny packets. The perceived malformed packet may actually be a valid SCCPv17 message.

Conditions:
The issue occurred in a client-mode EzVPN setup: the client is an IOS device and the server is an ASA. It is triggered as soon as an SCCPv17 phone tries to register with the CM. This issue is only experienced when inspect skinny is enabled.


Workaround:
1. Disable Skinny inspection, or
2. Downgrade the phone to a phone load version that supports an SCCP version earlier than SCCPv17, basically any phone load 8.3 or lower. Note this is only a temporary workaround.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(4), 8.0(4.27), 8.0(4.29)
Known Fixed Releases:
100.3(0.2), 8.0(4.161), 8.0(4.33), 8.0(5), 8.1(2.165), 8.1(2.24), 8.2(1.2), 8.2(4)
Bug Id:
CSCtg54992
Title:
SSL VPN Portal +CSCO+ input validation issue
Description:

Symptom:

When a user logs in to the SSL VPN, he/she is directed to a home page with RDC (RDP) links to the customer's terminal servers. The user can easily copy and manipulate these links by adding different machine names or commands into the URL. The ASA fails to stop the request and instead launches RDC access to a different machine. For example, the following URLs can connect a remote user from their "personal PC" at home to another workstation.

https://ASA_IP/+CSCO+0075676763663A2F2F2E637968747661662E+
+/rdp/index.html?target=rdp%3A%2F%2FWS00164129A7F4%2F%3Fgeometry%3D900x5
+50%26domain%3Dtospwsib%26csco_lang%3Den

https://ASA_IP/+CSCO+0075676763663A2F2F2E637968747661662E+
+/rdp/index.html?target=rdp%3A%2F%2F10.216.2.17%2F%3Fgeometry%3D900x550%
+26domain%3Dtospwsib%26csco_lang%3Den

This is not a vulnerability and the Cisco ASA is acting as expected.

Access from the browser to the ASA is URL-based. The portal's bookmarks and the prompt box do not provide any additional security. Therefore, using URLs with parameters different from those specified in the bookmark is not an access violation. Webtype ACLs shall be used to control access to network resources and applications.

Conditions:
Cisco ASA configured for WEBVPN / Clientless SSL VPN.

Workaround:

Configure Webtype ACLs to control access to network resources and applications.

Status:
Terminated
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
Bug Id:
CSCsv52239
Title:
ASA may traceback with certain HTTP packets
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:

* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability

Workarounds are available for some of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 7.2(4.100), 8.0(4.25), 8.0(5), 8.1(2.15), 8.2(0.212), 8.2(4)
Bug Id:
CSCtf26648
Title:
Traceback when triggering failover with high IPSec tunnel count
Description:

Symptom:
When triggering failover on an ASA pair that has a large number of active IPSec tunnels (~1000), the previously active unit may crash producing a traceback, while all active tunnels are lost on the newly active ASA.

Conditions:
Issuing the "failover active" command on the secondary of an ASA pair configured for failover running 8.0(5) with a large number of active IPSec tunnels.

Workaround:
Downgrade to 8.0(4)

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(5), 8.0(5.11), 8.2(3)
Known Fixed Releases:
100.7(0.49), 100.7(5.15), 100.7(6.6), 100.7(8.1), 100.7(9.1), 8.4(0.99), 8.4(1), 8.5(0.99), 8.5(1), 8.6(0.0)
Bug Id:
CSCtf66116
Title:
ASA: May crash in Thread Name: Dispatch Unit
Description:

Symptom:
ASA may crash in Thread name Dispatch Unit

Conditions:
This was first identified on an ASA running 8.2.2

Workaround:
None

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

CVE ID CVE-2012-5743 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
Bug Id:
CSCsr40360
Title:
iPhone 2.0 SW requires that ASA/PIX 7.x+ address mask is 255.255.255.255
Description:

Symptom:
Third Party VPN connection may cause unintended VPN interruption for other connected users.

Conditions:
The following ASA/PIX versions are impacted by this:

Cisco Adaptive Security Appliance models 5505-5550 - All releases prior to 8.0.4

Cisco Adaptive Security Appliance model 5580 - All releases prior to 8.1.1.8
(Customers must contact the Cisco TAC for access to this version)

Cisco PIX Security Appliance - All 7.x and 8.x releases prior to 8.0.4

With IPsec enabled on an ASA/PIX not running the minimum versions listed above, it is possible to cause a VPN interruption if one of the following configuration steps is not taken.

Workaround:
For customers unable to upgrade to the minimum versions listed above, a workaround option is available for administrators who intend to allow access from the iPhone/iPod Touch 2.0 VPN Clients. This issue has been resolved with the iPhone/iPod Touch 2.1 release.

-----------------------------------------------------------

Allow iPhone/iPod Touch VPN connections (ASA/PIX 7.x+):

We recommend creating a new VPN group specifically for iPhone/iPod touch users if there is a mask set for your existing address pool or if DHCP address assignment is in use. A special group will also allow you to set customized security policies, such as providing these mobile users access to specific resources.

For the new group created for the iPhone, ensure that an address pool is utilized and either no mask command is set or if a mask is set, that it is set to 255.255.255.255.

Example: asa(config-webvpn)# ip local pool iphone_users 10.0.0.1-10.0.0.254

OR

asa(config-webvpn)# ip local pool iphone_users 10.0.0.1-10.0.0.254 mask 255.255.255.255

You may also set up a permit rule to limit this access to this group to iPhones. In the group policy, enable the following rule:

client-access-rule 10 permit type iPhone* version *

For any groups that have an appropriate address pool mask assigned to them or are set up for DHCP address assignment, you should follow the instructions in the field notice to deny connections to these groups.

-----------------------------------------------------------

If corporate policy is to restrict VPN access from the iPhone and iPod Touch 2.x, please use the configuration settings below.

Deny iPhone/iPod Touch VPN connections (ASA/PIX 7.x+):

In the group policy, enable the following rule:

client-access-rule 10 deny type iPhone* version *
client-access-rule 20 permit type * version *

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0(3)
Known Fixed Releases:
7.0(8.1), 7.1(2.74), 7.2(4.9), 8.0(3.33), 8.1(1.100), 8.1(101.5), 8.2(0.140)
Bug Id:
CSCtx38105
Title:
DTLS session may flap due to malformed packets
Description:

Symptom:

Upon receiving malformed packets, the ASA may drop the DTLS session for a user connected via AnyConnect.
This does not affect the overall TLS channel, which stays up.

Conditions:

The user uses AnyConnect and DTLS to connect to the ASA.

Workaround:

None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-0336 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4
Known Fixed Releases:
100.7(13.93), 100.7(6.88), 100.8(0.201), 100.8(11.31), 100.8(27.19), 100.8(34.1), 100.8(35.3), 100.8(36.1), 100.9(0.1), 100.9(3.2)
Bug Id:
CSCtk12352
Title:
Possible to browse flash memory when CA is enabled
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:

* Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Skinny Client Control Protocol (SCCP) Inspection Denial of
Service Vulnerability
* Routing Information Protocol (RIP) Denial of Service
Vulnerability
* Unauthorized File System Access Vulnerability

These vulnerabilities are independent; a release that is affected by
one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these
vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml

Note: The Cisco Firewall Services Module (FWSM) is affected
by one of these vulnerabilities. A separate Cisco Security
Advisory has been published to disclose the vulnerability
that affects the Cisco FWSM. That advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 7.8/7.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:N/A:N/E:F/RL:U/RC:C
CVE ID has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.3(2)
Known Fixed Releases:
100.7(0.72), 100.7(11.2), 100.7(13.1), 100.7(6.19), 100.7(8.4), 8.0(5.23), 8.1(2.49), 8.2(4.1), 8.2(5), 8.3(2.13)
Bug Id:
CSCtn80920
Title:
LDAP Authorization doesn't block AccountExpired VPN RA user session
Description:

Symptom:
Active Directory/LDAP has a user whose account has expired. When LDAP authentication is used for a VPN RA session, the session is blocked/prevented from establishing with reason=Account expired.

When LDAP authorization is used, however, as would be the common case when using certificate authentication with LDAP authorization, the session is not blocked and is allowed to establish.

Conditions:
Active Directory/LDAP has a user whose account has expired. When LDAP authentication is used for a VPN Remote Access session, the session is not allowed to establish with reason=Account expired.

Workaround:
The Active Directory/LDAP admin needs to disable the account. In this case, LDAP authorization will block/prevent VPN RA session establishment.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.0
Known Fixed Releases:
100.7(13.3), 100.7(14.1), 100.7(15.3), 100.7(6.38), 100.7(8.34), 100.7(9.24), 100.8(0.3), 100.8(10.3), 100.8(12.2), 100.8(2.1)
Bug Id:
CSCub38407
Title:
Add text section to coredump
Description:

Symptoms:
Cisco FireSIGHT contains a stored XSS vulnerability.

Conditions:
none

Workaround:
Additional mitigation at: http://www.cisco.com/c/en/us/support/docs/cmb/cisco-amb-20060922-understanding-xss.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4
Known Fixed Releases:
100.10(0.76), 100.10(2.7), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.11(4.1), 100.7(6.129), 100.8(38.111), 100.8(40.59), 100.8(56.17)
Bug Id:
CSCua50160
Title:
ASA: Page fault traceback in lu_rx with failover and GTP inspection
Description:

Symptom:

Under certain conditions, the ASA may generate a traceback and reload in the 'lu_rx' thread.

Conditions:

The ASA must be configured for both failover and GTP inspection.

Workaround:

There is no known workaround at this time.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C

CVE ID CVE-2012-5728 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(5.30)
Known Fixed Releases:
100.7(13.87), 100.7(6.85), 100.8(0.182), 100.8(11.28), 100.8(27.19), 100.8(33.12), 100.8(34.1), 100.8(35.1), 100.8(36.1), 100.9(0.1)
Bug Id:
CSCtw95487
Title:
ASA mem leak w/EZVPN when Subject DN has Multiple C,O,OU,CN fields.
Description:

Symptom:

Slow memory leak on ASA

Conditions:

ASA configured as EZVPN server with certificate authentication.
Clients trying to connect with expired or invalid certificates

Workaround:

Prevent EZVPN clients from connecting with invalid or expired certs

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5733 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(3), 8.4(2.18)
Known Fixed Releases:
100.7(13.51), 100.7(14.47), 100.7(17.12), 100.7(18.4), 100.7(6.59), 100.8(0.51), 100.8(0.55), 100.8(11.5), 100.8(11.7), 100.8(14.3)
Bug Id:
CSCtl04756
Title:
IM Namelist Add Buffer Issue
Description:

Symptoms:
This bug is to enhance the Cisco ASA IM inspection by fixing an issue that incorrectly calculates the length of the source buffer in IM
inspection code.

Conditions:
Cisco ASA with IM inspection enabled.

Workaround:
None


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/5.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.3
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(6.21), 100.7(8.12), 100.7(9.3), 7.2(5.2), 8.0(5.23), 8.1(2.49), 8.2(4.3)
Bug Id:
CSCto83156
Title:
ASA Sequence of ACL changes when changing host IP of object network
Description:

Symptom:
Changing the IP of the object network causes the access-list to change the sequence of the ACE to a lower sequence number.

Conditions:
ASA 8.4.1
ASA 8.3.2

Access-list with object network and remarks in the ACL

Workaround:
Manually change the sequence of the access-list entry back to the previous one, e.g.:
Access-list line permit tcp host A host B

Or do not use remarks.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2011-1641 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.3(2), 8.4(1)
Known Fixed Releases:
100.7(13.9), 100.7(14.1), 100.7(18.1), 100.7(6.40), 100.7(8.34), 100.7(9.33), 100.8(0.14), 100.8(0.6), 100.8(10.6), 100.8(12.15)
Bug Id:
CSCts05840
Title:
ASA may reload with traceback in thread name DATAPATH-10-1856
Description:

Symptom:

ASA running 8.4.x may reload with a traceback in thread name DATAPATH-10-1856.

Conditions:

ASA running 8.4.x

Workaround:

None at this time.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
Bug Id:
CSCts68257
Title:
ASA: May crash in Thread Name: Dynamic Filter VC Housekeeper
Description:

Symptom:
ASA may crash in Thread name Dynamic Filter VC Housekeeper

Conditions:
This was first identified on an ASA running 8.4.2

Workaround:
Disable botnet filter if possible.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
Bug Id:
CSCtj72716
Title:
ASA - Traceback in Thread Name: IKE Daemon
Description:

Symptom:
ASA crashing in Thread Name: IKE daemon

Conditions:
When connecting from Cisco IPsec VPN client.

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(3.6)
Known Fixed Releases:
100.5(5.49), 100.7(0.68), 100.7(6.13), 100.7(8.1), 8.2(3.112), 8.2(3.8), 8.2(4), 8.3(2.9), 8.4(0.99), 8.4(1)
Bug Id:
CSCts14130
Title:
100% CPU Object Group Search under low traffic due to spin_lock
Description:

Symptom:
When running traffic on a multi-core ASA such as an ASA 5580 or 5585, if object-group-search is enabled, the CPU may spike to 100%, preventing traffic from passing.

Conditions:
This is seen with very large ACL configurations and object-group search enabled:

'object-group-search access-control' is present in the configuration.

Workaround:
If possible, disable the object-group-search and allow the ACL to compile.


PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C

CVE ID CVE-2012-5735 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(5), 8.3(2), 8.4(2)
Known Fixed Releases:
100.7(13.29), 100.7(14.17), 100.7(18.1), 100.7(6.44), 100.7(8.34), 100.8(0.23), 100.8(10.32), 100.8(12.30), 100.8(15.5), 100.8(19.8)
Bug Id:
CSCtw75613
Title:
ASA: Traceback in Unicorn Admin Handler when making DAP changes via ASDM
Description:

Symptom:

In rare circumstances, the ASA may generate a traceback and reload after making changes to the DAP configuration via ASDM. The traceback will be
in the Unicorn Admin Handler thread.

Conditions:

The ASA must be running an affected software version and an administrator must be making changes to the DAP configuration via ASDM at the time of
the reload.

Workaround:

There is no known workaround at this time.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/3.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5734 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.51), 100.7(14.47), 100.7(17.13), 100.7(18.5), 100.7(6.59), 100.8(0.46), 100.8(11.5), 100.8(14.2), 100.8(15.18), 100.8(19.45)
Bug Id:
CSCtw45576
Title:
TCP sequence space check ignored in some cases
Description:

Symptoms:
In some cases, the Cisco ASA allows 'spoofed' packets on an already established TCP flow even when the sequence number is far outside of the sequence space (window).
Conditions:
The packets must match an existing 5-tuple. Only the TCP sequence check can be partially bypassed by using this vulnerability.
Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2011-4648 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(1), 8.4(2), 8.4(2.18)
Known Fixed Releases:
100.7(13.50), 100.7(13.65), 100.7(14.46), 100.7(17.12), 100.7(18.4), 100.7(18.9), 100.7(19.8), 100.7(6.58), 100.7(6.62), 100.8(0.50)
Bug Id:
CSCtq58884
Title:
AC 3.0x - LDAP Secondary Auth successfully connects with blank password
Description:

Symptom:
Users successfully authenticate if the Secondary Authentication type is LDAP and the password is left blank, providing the primary credentials
are correct.
Conditions:
User connects to a profile with Double Authentication. Primary credentials are entered successfully and secondary password is left blank.
LDAP is used for Secondary Authentication
Workaround:
Do not use LDAP for Secondary Authentication

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2011-2054 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.15), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(9.40), 100.8(0.10), 100.8(0.31), 100.8(10.10), 100.8(12.8)
Bug Id:
CSCtv19854
Title:
Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition for user
Description:

Symptom:
Incorrect MPF connection counts can cause %ASA-3-201011 Connection limit exceeded messages and lead to DoS condition for users.

It was noticed that when TCP connections time out, the 'current conns' MPF counter is not decremented if those TCP connections were created while TCP Intercept was active on the ASA.
The 'current conns' counter accumulates and this eventually leads to an inevitable DoS condition for users, provided that 'set connection conn-max' or 'set connection per-client-max' is configured. For example:

policy-map outside-policy
class outside-class-test
set connection conn-max 30000 embryonic-conn-max 50 per-client-max 100 per-client-embryonic-max 10
set connection timeout embryonic 0:00:05 half-closed 0:05:00 idle 0:15:00 reset dcd 0:05:00 2

And

show conn count
9020 in use, 24050 most used

%ASA-3-201011: Connection limit exceeded 30000/30000 for input packet from 172.x.x.x/50342 to 10.1.8.91/4000 on interface outside

Conditions:
This defect was found in an 8.4 ASA interim release. Other versions are also affected.

Workaround:
None. With 'set connection conn-max' all traffic that goes into the MPF class is affected. With 'set connection per-client-max' only specific senders are affected.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-0378 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(2), 8.4(2.8)
Known Fixed Releases:
100.7(13.47), 100.7(13.65), 100.7(14.42), 100.7(17.12), 100.7(18.4), 100.7(18.9), 100.7(19.8), 100.7(6.55), 100.7(6.62), 100.8(0.46)
Bug Id:
CSCtk13473
Title:
URL Filtering incorrectly uses "host:" substring in non Host HTTP header
Description:

SYMPTOM:

URL Filtering may not correctly parse the Host header from the HTTP GET, resulting in incorrect URL classification.

CONDITIONS:

This is seen on version 8.3.3.7 and 8.0.5 and presumably earlier
versions of ASA code as well.

WORKAROUND:

None at this time.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 5.0/4.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

CVE ID CVE-2012-2481 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.3(2.7)
Known Fixed Releases:
Bug Id:
CSCty33480
Title:
Clientless vpn: Accessing Citrix bookmark reveals DAP configuration
Description:

Symptom:
Accessing a Citrix server bookmark over clientless VPN causes DAP configuration or other random error messages to appear at the bottom of the webpage. The same is observed on Internet Explorer and Firefox.

Conditions:
ASA Software version 8.4.1 & 8.4.3
Citrix Server bookmark configured with DAP

Workaround:
None as of now

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.66), 100.7(20.4), 100.7(21.3), 100.7(6.71), 100.8(0.104), 100.8(0.105), 100.8(11.16), 100.8(27.2), 100.8(33.2), 100.9(0.1)
Bug Id:
CSCtq57697
Title:
ILS inspection traceback on malformed ILS traffic
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst
6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

* MSN Instant Messenger (IM) Inspection Denial of Service
vulnerability
* TACACS+ Authentication Bypass vulnerability
* Four SunRPC Inspection Denial of Service vulnerabilities
* Internet Locator Service (ILS) Inspection Denial of Service
vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this advisory.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the
TACACS+ authentication bypass vulnerability, SunRPC Inspection denial
of service (DoS) vulnerabilities and ILS inspection DoS vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(17.5), 100.7(18.1), 100.8(20.1), 100.8(21.1), 7.0(8.13), 7.2(5.4), 8.0(5.25), 8.1(2.50), 8.2(5.6), 8.3(2.23)
Bug Id:
CSCts39634
Title:
Syslog Message 305006 Denial of Service Vulnerability
Description:


Symptom:


Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) are affected by the following vulnerabilities:

Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
Cisco ASA Threat Detection Denial of Service Vulnerability
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
Protocol-Independent Multicast Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

Note: this bug (CSCts39634) corresponds to "Cisco ASA Syslog Message 305006 Denial of Service Vulnerability" in the above Cisco Security Advisory. Original Release Notes for this bug follow, but refer to the above Cisco Security Advisory for additional information.
Conditions:
See PSIRT Security Advisory.

Workaround:
See PSIRT Security Advisory.

Further Problem Description:
See PSIRT Security Advisory.

PSIRT Evaluation:
Cisco has released free software updates that address this vulnerability.
Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html



Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(2), 8.4(2.190)
Known Fixed Releases:
100.7(13.31), 100.7(14.20), 100.7(18.2), 100.7(6.44), 100.7(8.34), 100.8(0.24), 100.8(10.34), 100.8(12.31), 100.8(15.5), 100.8(19.11)
Bug Id:
CSCtl04699
Title:
HTTP Header Bypass
Description:

Symptoms:
The ASA has a set of rules or maps that can be configured to match on particular HTTP headers and on those headers' attributes.
If a header contains a space or tab between the header name and the ':', the header is not matched and the inspection is not effective for it.

Conditions:
Cisco ASA with default configuration.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.8/5.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.3
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.22), 100.7(8.12), 100.7(9.3), 7.2(5.2), 8.0(5.23), 8.1(2.49)
Bug Id:
CSCtk55047
Title:
ASA Crashes in ctm_verify_signature operation
Description:

Symptom:
A Cisco Adaptive Security Appliance (ASA) may experience a crash when an AnyConnect connection is being established.
Conditions:
Large CRL being downloaded during connection establishment.
Workaround:
None known.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5996 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(3.9), 8.4(0.104)
Known Fixed Releases:
100.5(5.58), 100.7(0.72), 100.7(11.2), 100.7(13.1), 100.7(6.18), 100.7(8.4), 8.2(4.1), 8.2(5), 8.3(2.13), 8.4(0.113)
Bug Id:
CSCtt42405
Title:
AnyConnect fails authentication for some passwords with brackets
Description:

Symptom:
Authentication for users that have some combination of brackets ("[" or "]") in their password will fail when using AnyConnect.

Conditions:
- ASA 8.4.2 (this has been seen as well with some of the 8.4.1 interim builds)
- This seems to happen if you have a closing bracket that is not the first character of the password, for example: "c]sco"

Workaround:
- downgrade to 8.3
- or use the clientless portal to authenticate
- or don't use brackets in your password

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(1), 8.4(2)
Known Fixed Releases:
100.7(13.43), 100.7(14.36), 100.7(17.5), 100.7(18.4), 100.7(6.50), 100.8(0.39), 100.8(11.2), 100.8(15.12), 100.8(19.32), 100.8(2.30)
Bug Id:
CSCtq21535
Title:
ASA traceback when connecting with Android L2TP/IPsec client
Description:

Symptom:
ASA may crash in Thread Name IKE Daemon

Conditions:
The ASA is configured to accept L2TP/IPsec connections and an Android client tries to connect.


Workaround:
If possible, disable L2TP/IPsec.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVE ID CVE-2011-4653 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.13), 100.7(14.1), 100.7(18.1), 100.7(6.42), 100.7(9.38), 100.8(0.31), 100.8(0.8), 100.8(10.8), 100.8(12.7), 100.8(15.1)
Bug Id:
CSCua87170
Title:
Interface oversubscription on active causes standby to disable failover
Description:

Symptom:
Interface oversubscription on active causes standby to disable failover
Conditions:
A very large amount of traffic may exhaust interface blocks, which in turn may cause the firewall to drop failover messages and go to the disabled HA state.
Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-3914 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(1), 8.4(3), 8.4(4.2)
Known Fixed Releases:
100.7(13.101), 100.7(6.99), 100.8(0.239), 100.8(11.39), 100.8(27.20), 100.8(33.24), 100.8(34.1), 100.8(38.1), 100.8(39.1), 100.9(0.4)
Bug Id:
CSCts30839
Title:
ASA5510, 8.4(2) - page fault traceback accessing a bookmarked DFS share
Description:

Symptom:
A Cisco Adaptive Security Appliance (ASA) may have a page fault crash when accessing DFS shares through WebVPN.
Conditions:
The Windows network that the ASA is connected to has DFS enabled.
Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5995 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
100.8(0.22), 100.8(10.31), 100.8(12.29), 8.4(1), 8.4(2.0), 8.6(0.106)
Known Fixed Releases:
100.7(13.32), 100.7(14.23), 100.7(18.2), 100.7(6.44), 100.8(0.26), 100.8(10.38), 100.8(12.33), 100.8(15.7), 100.8(19.15), 100.8(2.15)
Bug Id:
CSCtq06046
Title:
SunRPC inspection large port overwrite
Description:

Symptoms:
The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that the service is running on. It does this by querying the port mapper process, usually rpcbind, on the well-known port 111.

SunRPC inspection may be bypassed when certain sequences of SunRPC packets are sent.

Conditions:
Device configured for SunRPC inspection. To display the information about the Sun RPC service table configuration, enter the show running-config sunrpc-server command. The following is sample output from the show running-config sunrpc-server command:

hostname(config)# show running-config sunrpc-server
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol UDP port 111
timeout 0:30:00
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100005 protocol UDP port 111
timeout 0:30:00

To display the pinholes open for Sun RPC services, enter the show sunrpc-server active command. The following is sample output from the show sunrpc-server active command:

hostname# show sunrpc-server active

LOCAL FOREIGN SERVICE TIMEOUT
-----------------------------------------------
1 209.165.200.5/0 192.168.100.2/2049 100003 0:30:00
2 209.165.200.5/0 192.168.100.2/2049 100003 0:30:00
3 209.165.200.5/0 192.168.100.2/647 100005 0:30:00
4 209.165.200.5/0 192.168.100.2/650 100005 0:30:00

Workaround:
No workarounds are available other than disabling SunRPC inspection if not needed.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

CVE ID CVE-2011-2572 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.25), 100.7(14.13), 100.7(18.1), 100.7(6.44), 100.7(9.58), 100.8(0.19), 100.8(0.32), 100.8(10.25), 100.8(12.26), 100.8(15.5)
Bug Id:
CSCut86523
Title:
ASA: Silently Drops packets with SFR Module installed.
Description:

Symptom:
Traffic through ASA with SFR module Redirection enabled is dropped

Conditions:
Destination MAC address of the Packet begins with the following.
00:23
00:20
00:0d

Workaround:
Change the destination MAC address of the packet to begin with something other than 00:23, 00:20 or 00:0d.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
9.3(2.2)
Known Fixed Releases:
100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20), 100.15(0.9)
Bug Id:
CSCup35713
Title:
ASA tmatch_summary_alloc block leak in binsize 1024
Description:

Symptom:
The Adaptive Security Appliance (ASA) suffers from a memory leak. After about two weeks of operation all memory will be depleted and the ASA will stop passing traffic.

Conditions:
ASA running 9.1.5 or above.

Workaround:
None at this time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.11(0.41), 100.12(0.29), 100.12(10.17), 100.12(15.7), 100.12(21.1), 100.12(6.1), 100.12(9.9), 100.7(6.134), 100.8(40.82), 8.4(7.23)
Bug Id:
CSCtt76391
Title:
SNMPv3 Information Disclosure Vulnerability
Description:

Symptoms:
When configuring SNMPv3 using the "snmp-server" command, the passwords used for authentication and encryption are found in clear text in the log files when the "snmp-server" command uses the plain text version of the passwords.

Conditions:
SNMPv3 enabled with the plain text version of the passwords.

Workaround:
N/A

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4
Known Fixed Releases:
100.7(13.42), 100.7(14.36), 100.7(17.5), 100.7(18.4), 100.7(6.49), 100.7(8.34), 100.8(0.36), 100.8(11.2), 100.8(15.11), 100.8(19.30)
Bug Id:
CSCty01099
Title:
ASA 8.2.5 traceback after running verify /md5 command
Description:

Symptom: In a rare corner case, if an image is uploaded into the ASA's disk0:/ file system and the image is then renamed, the ASA might traceback and reload when the 'verify /md5 flash:' command is run.

Conditions: The exact cause of this problem is unknown.

Workaround: None known.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
Bug Id:
CSCth18720
Title:
Thread Name: lu_rx Page fault: Address not mapped
Description:

Symptom:
Crash with Thread Name: lu_rx
Page fault: Address not mapped

Conditions:
ASA 8.2.2(15)

Workaround:
none

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2.15), 8.3(1.6)
Known Fixed Releases:
100.7(0.25), 8.2(2.132), 8.2(2.19), 8.2(2.190), 8.2(2.205), 8.3(1.101), 8.3(1.8), 8.4(0.99), 8.4(1)
Bug Id:
CSCty22380
Title:
USG-IPv6 / ReadyLogo P2 Conformance Bug NA changes Running Config
Description:

Symptom:
An unauthenticated attacker may be able to overwrite static IPv6 neighbor entries on an affected device by sending a series of IPv6 packets.

Conditions:
Cisco ASA configured for IPv6.

Workaround:
Not available.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C

CVE ID CVE-2012-2509 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(2.10)
Known Fixed Releases:
100.7(6.130), 100.8(38.124), 100.8(40.63), 100.8(56.31), 100.8(63.2), 100.8(64.5), 100.8(65.4), 100.8(66.5), 8.4(7.12), 9.0(4.8)
Bug Id:
CSCtr24705
Title:
Traceback seen while running packet-tracer due to Page fault
Description:

Symptom:
Adaptive Security Appliance (ASA) crashes in Thread name Telnet/ci.

Conditions:
1) Adding the 'match access-list' command to a class-map that is already configured with 'match default-inspection-traffic'.
2) The class-map mentioned in 1) is used in a policy-map that is enabled via 'service-policy'.

Workaround:
- Before doing step 1) above, remove the 'service-policy'.
- Do step 1) above.
- Add back the 'service-policy'

PSIRT Evaluation:

The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
100.7(13.12), 8.4(2), 8.5(1)
Known Fixed Releases:
100.7(13.82), 100.7(21.8), 100.7(6.82), 100.8(0.160), 100.8(11.25), 100.8(27.19), 100.8(33.9), 100.8(34.1), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCub58996
Title:
Cisco ASA Clientless SSLVPN CIFS Vulnerability
Description:

Symptoms:
Cisco ASA reload. The show crashinfo command shows that the crash happened in Thread Name: Unicorn Proxy Thread

Conditions:
The crash is due to a race condition while accessing resources via CIFS.
Cisco ASA needs to be configured for Clientless SSL VPN and allow CIFS traffic.

Workaround:
CIFS traffic can be filtered by using webvpn filter command

Further Problem Description:
A vulnerability in the implementation of the rewriter module of the Clientless SSL VPN could allow an authenticated, remote attacker to cause a reload of the affected system.
The vulnerability is due to a race condition while accessing resources via the Common Internet File System (CIFS) protocol. An attacker could exploit this vulnerability by creating multiple Clientless SSL VPN sessions and trying to trigger the race condition.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-1199 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1199

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4, 8.4(4)
Known Fixed Releases:
100.7(13.111), 100.7(6.108), 100.8(27.63), 100.8(50.27), 100.9(0.30), 100.9(4.1), 100.9(6.2), 100.9(7.1), 100.9(8.1), 100.9(9.1)
Bug Id:
CSCut70248
Title:
ASA SIP inspection breaks Telepresence content share
Description:

Symptom:
Telepresence conferences are unable to share content when going through the ASA.

Conditions:
Telepresence endpoints are behind an ASA firewall configured with SIP inspection. When an endpoint tries to share content, users will only see a black screen. Audio and video work without any issue.

Workaround:
This issue is only seen when the SBC is configured with two IP addresses, one for signaling and another for media. The only known workaround is to use the same IP address for both signaling and media.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(3.9)
Known Fixed Releases:
Bug Id:
CSCtt29762
Title:
ASA reloads with traceback in Thread Name : Dispatch Unit
Description:

Symptom:

ASA reloads with traceback in Thread Name : Dispatch Unit

Conditions:

This was first identified on an ASA running 8.2.5

Workaround:

None

Further Problem Description:

Disable sip inspection if possible.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
Bug Id:
CSCty17074
Title:
ASA memory leak in chunk:channel
Description:

Symptom:

ASA may run out of free memory and traffic will fail to pass.

Conditions:

ASA running 8.x. You will see the chunk:channel memory structure increment over time.

You can monitor this increase by looking at the output of:

show resource usage detail | grep channel

Workaround:

Actively monitor the ASA in question and proactively reload it when free memory drops below 10%.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(3)
Known Fixed Releases:
Bug Id:
CSCub14196
Title:
FIFO queue oversubscription drops packets to free RX Rings
Description:

Symptom:
When the ASA sees a certain traffic profile that oversubscribes a single RX ring, this puts back pressure on the FIFO queue. When the FIFO queue is full, traffic destined to RX rings that still have capacity can be dropped. This creates a scenario in which exhaustion of a single RX ring causes device-wide traffic failure.

Conditions:
For the 5585 series of ASA, oversubscription on the Internal-Data0/0 or Internal-Data0/1 interfaces can cause this situation.

Workaround:
The workaround is to rate limit the oversubscription traffic before it arrives on the ASA.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(4.1)
Known Fixed Releases:
100.7(13.96), 100.7(6.92), 100.8(0.228), 100.8(0.240), 100.8(11.35), 100.8(11.40), 100.8(27.19), 100.8(27.20), 100.8(33.19), 100.8(33.24)
Bug Id:
CSCtx86924
Title:
ASA: Traceback in purgatory in release of DSH (datastructure handle)
Description:

Symptom:
Under rare circumstances, the ASA may generate a traceback in the DATAPATH thread and reload.
Conditions:
This has been seen on an ASA 5580 running 8.2(5). Other versions may also be affected.
Workaround:
There is no known workaround at this time.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.4/3.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVE ID CVE-2012-5993 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(5), 8.2(5.11)
Known Fixed Releases:
100.7(13.77), 100.7(6.79), 100.8(0.139), 100.8(11.22), 100.8(27.7), 100.8(33.6), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.30)
Bug Id:
CSCub53850
Title:
ASA-SM Traceback as conn points to an invalid sibling conn
Description:

Symptom:
The ASA may crash and reload in thread:
Thread Name: DATAPATH-5-2266
Page fault: Invalid permission

The logs on the switch will show that the ASA-SM had an application crash:
*Aug 7 2012 14:03:56.146 ARIZONA: %CAT6000_SVC_APP_HW-SW1_SPSTBY-6-APP_RESTART_REASON: Switch 1, module 9 : Application has crashed
*Aug 7 2012 14:03:56.146 ARIZONA: SW1_SPSTBY: The service application in slot 9 is shutting down. Please wait ...
*Aug 7 2012 14:16:46.104 ARIZONA: SW1_SPSTBY: Service application shutdown completed for module 9
*Aug 7 2012 14:16:56.416 ARIZONA: %C6KPWR-SW1_SPSTBY-4-DISABLED: power to module in slot 9 set off (Reset)

Conditions:
This issue occurs when the traffic is passing through the ASA.

Workaround:
None currently.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.5(1.9)
Known Fixed Releases:
Bug Id:
CSCtz63143
Title:
ASA sip inspect - duplicate pre-allocate secondary pinholes created
Description:

Symptom:
The ASA is creating many duplicate pre-allocated secondary pinholes. The show local output is being filled with duplicate pinhole entries:

UDP outside 192.168.10.2:5070 inside 192.168.11.5:0, idle 0:00:00, bytes 0, flags ti
UDP outside 192.168.10.2:5070 inside 192.168.11.5:0, idle 0:00:00, bytes 0, flags ti
UDP outside 192.168.10.2:5070 inside 192.168.11.5:0, idle 0:00:00, bytes 0, flags ti

In some cases this may cause the CPU utilization to suddenly increase.

Conditions:
- ASA running with sip inspection.
- Sip traffic that does not establish the secondary connection.

Workaround:
none at this time.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-2472 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
100.7(13.79), 100.7(21.7), 100.7(6.80), 100.8(0.146), 100.8(11.23), 100.8(27.19), 100.8(33.7), 100.8(34.1), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCtz04453
Title:
ASA: Nested traceback in CP Midpath Processing thread
Description:

Symptom:

The ASA may generate a traceback and reload in the CP Midpath Processing thread.

Conditions:

This was first seen on 8.2.3.9. Other software versions may also be affected. This issue only affects multi-core ASAs (5580 and 5585).

Workaround:

There is no known workaround at this time.

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(3.9)
Known Fixed Releases:
Bug Id:
CSCtx36026
Title:
VPN session failure due to auth handle depletion
Description:

Symptoms:
In an IPsec remote access environment, the ASA headend device may fail to properly clean up auth handles during IKE negotiation when it receives a mode config request while it is expecting an xauth reply. This can subsequently cause new VPN sessions to fail to establish because the session limit is exceeded.

Conditions:
This problem occurs when the VPN peer device incorrectly sends mode config request instead of xauth reply.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2.9)
Known Fixed Releases:
100.7(13.52), 100.7(14.47), 100.7(17.13), 100.7(18.5), 100.7(6.59), 100.8(0.53), 100.8(11.6), 100.8(14.4), 100.8(15.22), 100.8(19.64)
Bug Id:
CSCtq52661
Title:
Cisco ASA Local Path Inclusion Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:M/C:C/I:C/A:C/E:P/RL:OF/RC:C
CVE ID CVE-2014-3391 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(5), 8.4(1), 8.7(1)
Known Fixed Releases:
100.7(13.15), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(9.43), 100.8(0.11), 100.8(0.14), 100.8(0.31), 100.8(10.11)
Bug Id:
CSCus62863
Title:
Kenton 5516: Interface dropping ARPs after flapping under traffic load
Description:

Symptom:
5506 drops packets under load.

Conditions:
5506 running 9.4.1 may experience interface flaps under load, resulting in packet loss.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
100.13(0.16), 9.4(0.53), 9.4(1)
Known Fixed Releases:
100.12(0.125), 100.13(0.74), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.36), 100.14(7.30), 100.15(0.11), 100.15(1.5)
Bug Id:
CSCut16988
Title:
ASA Traceback in Thread Name: EIGRP-IPv4
Description:

Symptom:
ASA 9.2 tracebacks in Thread Name: EIGRP-IPv4.

Conditions:
ASA running 9.2.3 with eigrp using encrypted keys.

Workaround:
Do not use encrypted keys.

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
9.2(1), 9.2(2)
Known Fixed Releases:
Bug Id:
CSCtj01814
Title:
page fault traceback in IKE Daemon
Description:

Symptom:
Crash in the IKE Daemon. Page fault: Address not mapped.

Conditions:
IKE with PKI (certificate) authentication and AAA authorization.
Only with specific client hardware/software.

Workaround:
Disable PKI, do not use AAA authorization, or use different client hardware/software.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
100.5(5.43), 100.7(0.60), 100.7(5.24), 100.7(6.9), 100.7(8.1), 8.2(3.109), 8.2(3.6), 8.2(4), 8.3(2.7), 8.4(0.99)
Bug Id:
CSCtq06065
Title:
SunRPC inspection arithmetic overflow in portmap code
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst
6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

* MSN Instant Messenger (IM) Inspection Denial of Service
vulnerability
* TACACS+ Authentication Bypass vulnerability
* Four SunRPC Inspection Denial of Service vulnerabilities
* Internet Locator Service (ILS) Inspection Denial of Service
vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this advisory.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the
TACACS+ authentication bypass vulnerability, SunRPC Inspection denial
of service (DoS) vulnerabilities and ILS inspection DoS vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.25), 100.7(14.13), 100.7(18.1), 100.7(9.58), 100.8(0.19), 100.8(10.25), 100.8(12.26), 100.8(15.5), 100.8(19.1), 100.8(2.9)
Bug Id:
CSCto84937
Title:
Potential Dynamic NAT TCP Handshake Race Condition
Description:

Symptom:
ASA configured to use dynamic NAT appears to allow an inbound TCP handshake to complete under certain circumstances:

1) ACL that permits TCP traffic from outside to inside.

2) This packet sequence:

Host A inside firewall, Host B outside firewall

* Host A sends a SYN packet from port X to Host B.
* Host B replies with a RST/ACK to Host A.
* Host B sends a SYN to Host A on port X.
* Host A replies with a SYN/ACK to Host B.

Conditions:
Cisco ASA configured with NAT.

Workaround:
This is NOT a bug.

NAT on ASA is used to do address/port translation. It does
*not* do access-control. Access-list on the ASA is used to do L2-L4
access-control. TCP normalizer is used to do protocol enforcement.
I want to mention this to ensure we don't muddle NAT,
access-control, and protocol enforcement.

Two, the observed behavior in CSCto84937 is known as ''endpoint
independent''. To see a justification, see RFC4787. It is
pretty heavy reading, so let me see if I can make it simpler.

Using the ''interface:address/port'' notation, assume the *first*
inside session creates this PAT binding.

source ''inside:I/i'' translates into source ''outside:G/g''

This binding will live on the ASA for at least 30 seconds. A host
on the outside can connect to outside:G/g and have such connection be
translated to ''inside:I/i'' *only* if such connection is
permitted by access-list. This is nearly identical to the case of
no NAT; except that the first packet must be from the inside.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
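The packet sequence in CSCto84937 is easier to reason about when the state machine is written out. The following is an added example, not Cisco's code and not the ASA's implementation: a toy stateful PAT firewall that replays the four packets and records what happens to each. The addresses, ports, the ACL and the 30-second binding lifetime are constructed for illustration. The point it makes is the one the record makes: the lingering translation outside:G/g by itself admits nothing, and whether Host B's SYN reaches inside:I/i is decided entirely by the access-list.

```python
"""Added example, not Cisco's code: a toy stateful PAT firewall that replays
the four-packet sequence from CSCto84937. It shows that the inbound SYN to the
lingering translation outside:G/g reaches inside:I/i only when the access-list
permits it; the binding on its own admits nothing. Addresses, ports, the ACL
and the 30-second binding lifetime are constructed for illustration."""
from dataclasses import dataclass

BINDING_LIFETIME = 30.0   # assumed idle lifetime of a PAT binding, in seconds


@dataclass(frozen=True)
class Packet:
    src: tuple    # (ip, port)
    dst: tuple    # (ip, port)
    flags: str    # "SYN", "SYN/ACK" or "RST/ACK"
    t: float      # arrival time, seconds


class ToyPatFirewall:
    def __init__(self, global_ip, acl_permits_inbound):
        self.global_ip = global_ip
        self.acl_permits_inbound = acl_permits_inbound  # callable(Packet) -> bool
        self.next_port = 1024
        self.bindings = {}   # outside (G, g) -> (inside (I, i), expiry time)
        self.conns = set()   # (inside (I, i), peer (ip, port)) of open connections

    def outbound(self, pkt):
        """Inside -> outside: allocate or refresh the PAT binding and open a connection."""
        for outside, (inside, _) in self.bindings.items():
            if inside == pkt.src:
                break
        else:
            outside = (self.global_ip, self.next_port)
            self.next_port += 1
        self.bindings[outside] = (pkt.src, pkt.t + BINDING_LIFETIME)
        self.conns.add((pkt.src, pkt.dst))
        return outside

    def inbound(self, pkt):
        """Outside -> inside: return traffic of an open connection is forwarded;
        anything else is a new connection and only the access-list decides."""
        entry = self.bindings.get(pkt.dst)
        if entry is None or entry[1] < pkt.t:
            return "drop:no-binding"          # translation gone: nowhere to send it
        inside, _ = entry
        if (inside, pkt.src) in self.conns:
            if pkt.flags == "RST/ACK":
                self.conns.discard((inside, pkt.src))   # peer refused: tear down
            return "forward:existing-conn"
        if not self.acl_permits_inbound(pkt):
            return "drop:acl"                 # NAT binding exists, ACL says no
        self.conns.add((inside, pkt.src))
        return f"forward:new-conn-to-{inside[0]}:{inside[1]}"


def replay(acl_permits_inbound_tcp):
    """Replay the CSCto84937 sequence; returns the firewall's decision per packet."""
    fw = ToyPatFirewall("203.0.113.1", lambda p: acl_permits_inbound_tcp)
    host_a = ("10.0.0.5", 40000)     # Host A inside, source port X
    host_b = ("198.51.100.7", 80)    # Host B outside
    decisions = []
    g = fw.outbound(Packet(host_a, host_b, "SYN", 0.0))               # A -> B SYN
    decisions.append(f"translated-to-{g[0]}:{g[1]}")
    decisions.append(fw.inbound(Packet(host_b, g, "RST/ACK", 0.1)))   # B -> A RST/ACK
    decisions.append(fw.inbound(Packet(host_b, g, "SYN", 0.5)))       # B -> A SYN to port X
    decisions.append(fw.inbound(Packet(host_b, g, "SYN", 45.0)))      # same, after binding expiry
    return decisions


if __name__ == "__main__":
    print("ACL permits inbound TCP:", replay(True))
    print("ACL denies inbound TCP: ", replay(False))
```

With a permissive ACL the third packet is forwarded to inside:I/i as a new connection; with a deny rule it is dropped at the ACL even though the binding is still present; once the binding has expired there is nothing to translate to and the packet is dropped regardless of the ACL.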
Bug Id:
CSCto23713
Title:
ASA uses a case-sensitive string compare with IBM LDAP server
Description:

Symptom:
When the ASA reads the LDAP Server RootDSE record, the following attributes are requested:

defaultNamingContext
vendorName
supportedLDAPPolicies
supportedLDAPVersion
supportedSASLMechanisms

The IBM LDAP server responds with the following attributes:

supportedsaslmechanisms
supportedldapversion
vendorname

When the ASA processes the response message, it does not match any of the requested attributes
since it uses a case-sensitive string compare while searching the reply attributes. This
results in the ASA not assigning any SASL mechanisms for the connection since it thinks that
the server doesn't support SASL.


Conditions:
Authentication between the ASA and an IBM LDAP server.

Workaround:
There is no workaround

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(4)
Known Fixed Releases:
100.7(13.1), 100.7(14.1), 100.7(15.1), 100.7(6.34), 100.7(8.28), 100.7(9.20), 100.8(0.2), 100.8(10.1), 100.8(12.1), 100.8(2.1)
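LDAP attribute descriptions are case-insensitive (RFC 4512, section 2.5), so a client that compares them byte-for-byte, as CSCto23713 describes, silently concludes that a server returning lower-case names supports no SASL mechanism at all. The following is an added example, not Cisco's code: it parses a constructed RootDSE response mirroring the lower-case attribute names in the record, and extracts the SASL mechanisms with the case-sensitive compare and then with a case-insensitive one. The response text and the parser are constructed for illustration.

```python
"""Added example, not Cisco's code: parses a constructed RootDSE search result
and extracts the SASL mechanisms two ways, first with the case-sensitive
compare that CSCto23713 describes, then with the LDAP rule (RFC 4512, section
2.5) that attribute descriptions are case-insensitive. The response text is
constructed to mirror the lower-case attribute names the bug reports."""

# Attributes the ASA requests from the RootDSE (taken from the bug record).
REQUESTED = ["defaultNamingContext", "vendorName", "supportedLDAPPolicies",
             "supportedLDAPVersion", "supportedSASLMechanisms"]

# Constructed RootDSE response in LDIF-style "name: value" lines. Attribute
# names are lower-case, as the IBM server returned them in the bug record.
IBM_ROOTDSE = """\
vendorname: International Business Machines (IBM)
supportedldapversion: 2
supportedldapversion: 3
supportedsaslmechanisms: DIGEST-MD5
supportedsaslmechanisms: EXTERNAL
supportedsaslmechanisms: GSSAPI
"""


def parse_ldif(text):
    """Return {attribute-description: [values]} from simple LDIF-style lines
    (base64 '::' and URL ':<' value forms are out of scope here)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def match_case_sensitive(requested, reply):
    """The behaviour CSCto23713 describes: exact string compare, so a
    lower-cased reply matches nothing that was requested in mixed case."""
    return {name: reply[name] for name in requested if name in reply}


def _fold(attr_desc):
    # Attribute descriptions are case-insensitive; they may also carry options
    # ("userCertificate;binary"). The RootDSE attributes here carry none, so
    # comparing on the lower-cased type part is sufficient for this lookup.
    return attr_desc.split(";", 1)[0].lower()


def match_rfc4512(requested, reply):
    """Case-insensitive match on the attribute type, keyed by the requested name."""
    folded = {_fold(k): v for k, v in reply.items()}
    return {name: folded[_fold(name)] for name in requested if _fold(name) in folded}


def sasl_mechanisms(matcher, text):
    """Mechanisms the client would offer after running `matcher` over the reply;
    an empty list is the 'server does not support SASL' conclusion from the bug."""
    return matcher(REQUESTED, parse_ldif(text)).get("supportedSASLMechanisms", [])


if __name__ == "__main__":
    print("case-sensitive:", sasl_mechanisms(match_case_sensitive, IBM_ROOTDSE))
    print("RFC 4512      :", sasl_mechanisms(match_rfc4512, IBM_ROOTDSE))
```

The check a practitioner wants on top of the fix is that an empty mechanism list after a RootDSE read is surfaced as a negotiation failure rather than quietly accepted as "the server does not support SASL".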
Bug Id:
CSCua92556
Title:
ASA sip inspect - Pre-allocate SIP NOTIFY TCP secondary channel
Description:

Symptom:
The ASA creates multiple duplicate secondary pinholes:

TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:00:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:02:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:04:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:06:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:08:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:10:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:12:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:14:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:16:19, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:18:19, bytes 0, flags Ti


Conditions:

SIP inspection is enabled on the ASA.


Workaround:

None

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.2(4.4)
Known Fixed Releases:
100.7(13.95), 100.7(6.91), 100.8(0.223), 100.8(11.34), 100.8(27.19), 100.8(33.18), 100.8(34.1), 100.8(36.3), 100.9(0.1), 100.9(3.3)
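The connection-table output in CSCua92556 is exactly what an operator would grep for when checking whether a running box shows the symptom. The following is an added example, not Cisco's code: it parses `show conn`-style lines and reports 5-tuples that appear more than once with the same flags, which is what the duplicate SIP pinholes look like. The sample lines are constructed to mirror the record (flags Ti, which in the ASA connection-flag legend mark a SIP, incomplete entry); the minimum group size is an assumption.

```python
"""Added example, not Cisco's code: parses `show conn`-style lines and flags
5-tuples that appear more than once with identical flags, the duplicate SIP
pinholes that CSCua92556 describes. The sample lines are constructed to mirror
the bug record (flags Ti: SIP, incomplete); the grouping threshold is an
assumption. IPv4 addresses only, as in the record."""
import re
from collections import defaultdict

CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if1>\S+)\s+(?P<ip1>[0-9.]+):(?P<port1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[0-9.]+):(?P<port2>\d+),\s+"
    r"idle\s+(?P<idle>\d+:\d\d:\d\d),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S*)$"
)

# Constructed sample: four duplicate pinholes as in the record, plus a normal
# SIP signalling connection and an RTP flow that must not be reported.
SAMPLE = """\
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:00:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:02:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:04:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:06:20, bytes 0, flags Ti
TCP outside 10.234.87.4:5060 inside 10.19.10.7:5060, idle 0:00:01, bytes 48213, flags UIOB
UDP outside 10.234.87.9:16384 inside 10.19.10.7:16384, idle 0:00:00, bytes 90210, flags -
"""


def idle_seconds(hms):
    """'h:mm:ss' -> seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn(line):
    """One `show conn` line -> dict, or None if the line is not a connection entry."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("port1", "port2", "bytes"):
        d[k] = int(d[k])
    d["idle_s"] = idle_seconds(d["idle"])
    return d


def duplicate_pinholes(text, min_count=2):
    """Group incomplete ('i' flag) entries by 5-tuple + flags; return the groups
    that occur at least `min_count` times with their count and oldest idle time."""
    groups = defaultdict(list)
    for line in text.splitlines():
        c = parse_conn(line)
        if c is None or "i" not in c["flags"]:   # only incomplete (pinhole) entries
            continue
        key = (c["proto"], c["ip1"], c["port1"], c["ip2"], c["port2"], c["flags"])
        groups[key].append(c["idle_s"])
    return {k: {"count": len(v), "oldest_idle_s": max(v)}
            for k, v in groups.items() if len(v) >= min_count}


if __name__ == "__main__":
    for key, info in duplicate_pinholes(SAMPLE).items():
        print(key, info)
```

Run against a saved `show conn` capture, a group whose count keeps growing while the pinholes never complete is the signature described in the record; a single incomplete entry per 5-tuple is normal while a secondary channel is being set up.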
Bug Id:
CSCtz88975
Title:
IPv6 ACLs can be bypassed with crafted packets
Description:

Symptoms:
IPv6 packets can be crafted to bypass layer 4 IPv6 ACLs. The packets must contain one or more unknown extension headers.

Conditions:
Default configuration.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(4.247)
Known Fixed Releases:
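CSCtz88975 describes a classic fail-open pattern: a layer-4 ACL has to walk the IPv6 extension-header chain to find the transport header, and if the walk stops at a header type it does not know, the packet is evaluated as if it had no layer-4 fields, so a deny rule on a TCP port never matches and a trailing permit admits the packet. The following is an added example, not Cisco's code and not a description of the ASA's parser: it builds IPv6 packets with a constructed extension-header chain, walks the chain, and evaluates a toy ACL both in the fail-open form and in a strict form that rejects packets whose upper layer cannot be located. Addresses, ports, the ACL, and the unknown header type 253 (an RFC 4727 experimental value) are constructed.

```python
"""Added example, not Cisco's code: builds IPv6 packets with a constructed
extension-header chain and runs them through a toy layer-4 ACL. It shows the
failure mode CSCtz88975 describes: if the header walk stops at an unknown
extension header and the ACL then treats the packet as 'not TCP', a
permit-any rule admits traffic the deny rule should have caught. A strict
variant rejects packets whose upper layer cannot be located. Addresses, ports,
the ACL and the unknown header type 253 (RFC 4727 experimental) are constructed."""
import struct

IPV6_HDR_LEN = 40
HOPOPT, ROUTING, FRAGMENT, DSTOPTS, NONXT = 0, 43, 44, 60, 59
TCP, UDP, ICMPV6 = 6, 17, 58
# Extension headers this walker can step over; they carry the RFC 2460
# Hdr Ext Len field (8-octet units, not counting the first 8 octets).
# Fragment is a fixed 8 octets and is handled separately.
WALKABLE = {HOPOPT, ROUTING, DSTOPTS}

SRC = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1 (constructed)
DST = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2 (constructed)


def tcp_header(sport, dport, flags=0x02):
    """20-byte TCP header: data offset 5, SYN by default, checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_packet(ext_types, l4_proto, l4_bytes):
    """IPv6 base header + minimal 8-octet extension headers in `ext_types` order."""
    chain = ext_types + [l4_proto]
    body = b""
    for i in range(len(ext_types)):
        # next-header, Hdr Ext Len = 0, then a PadN option covering 4 octets
        body += struct.pack("!BB", chain[i + 1], 0) + b"\x01\x04\x00\x00\x00\x00"
    payload = body + l4_bytes
    base = struct.pack("!IHBB", 0x60000000, len(payload), chain[0], 64) + SRC + DST
    return base + payload


def find_l4(pkt):
    """Walk the chain; return (proto, offset) or None when an unknown header,
    a truncated header or an over-long chain stops the walk before layer 4."""
    nh, off = pkt[6], IPV6_HDR_LEN
    for _ in range(16):                     # bound the walk; real chains are short
        if nh in (TCP, UDP, ICMPV6):
            return nh, off
        if nh == NONXT or off + 8 > len(pkt):
            return None
        if nh in WALKABLE:
            nh, off = pkt[off], off + 8 * (pkt[off + 1] + 1)
        elif nh == FRAGMENT:
            nh, off = pkt[off], off + 8
        else:
            return None                     # unknown extension header
    return None


# Constructed ACL, evaluated top down: deny telnet, permit everything else.
ACL = [("deny", TCP, 23), ("permit", None, None)]


def evaluate(pkt, strict):
    """Apply ACL. strict=False reproduces the fail-open bypass: an unparseable
    chain leaves proto/port unknown, the deny rule cannot match, permit-any does."""
    l4 = find_l4(pkt)
    if l4 is None:
        if strict:
            return "deny:unparseable-chain"   # fail closed
        proto, dport = None, None
    else:
        proto, off = l4
        dport = struct.unpack_from("!H", pkt, off + 2)[0] if proto in (TCP, UDP) else None
    for action, rproto, rport in ACL:
        if (rproto is None or rproto == proto) and (rport is None or rport == dport):
            return action
    return "deny"                             # implicit deny


def demo():
    """Three telnet SYNs: bare, behind known headers, behind an unknown header.
    Returns (fail-open decision, strict decision) for each."""
    telnet = tcp_header(40000, 23)
    plain = build_packet([], TCP, telnet)
    known = build_packet([HOPOPT, DSTOPTS], TCP, telnet)
    unknown = build_packet([HOPOPT, 253], TCP, telnet)
    return {
        "plain": (evaluate(plain, False), evaluate(plain, True)),
        "known-ext": (evaluate(known, False), evaluate(known, True)),
        "unknown-ext": (evaluate(unknown, False), evaluate(unknown, True)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} fail-open={result[0]:8s} strict={result[1]}")
```

Only the third case differs between the two modes: the walker handles Hop-by-Hop and Destination Options correctly, so the deny rule still matches there, but the unknown header type makes the fail-open evaluator permit the same telnet SYN it denied a moment earlier. The fix pattern is to make "could not locate layer 4" an explicit deny (or a separate, deliberately configured permit) rather than a silent fall-through.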
Bug Id:
CSCto92380
Title:
SunRPC inspection DUMP reply crash
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst
6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

* MSN Instant Messenger (IM) Inspection Denial of Service
vulnerability
* TACACS+ Authentication Bypass vulnerability
* Four SunRPC Inspection Denial of Service vulnerabilities
* Internet Locator Service (ILS) Inspection Denial of Service
vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this advisory.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the
TACACS+ authentication bypass vulnerability, SunRPC Inspection denial
of service (DoS) vulnerabilities and ILS inspection DoS vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-MAY-2015
Known Affected Releases:
8.4(0.1)
Known Fixed Releases:
100.7(13.25), 100.7(14.13), 100.7(18.1), 100.7(6.44), 100.7(8.34), 100.7(9.58), 100.8(0.19), 100.8(10.25), 100.8(12.26), 100.8(15.5)
Bug Id:
CSCuf31666
Title:
Linux Kernel epoll Subsystem eventpoll.c Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-1082

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-1082 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31814
Title:
Linux Kernel pipe.c Local Privilege Escalation Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2009-3547

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2009-3547 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31842
Title:
Linux Kernel taskstats.c Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-2484

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-2484 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31675
Title:
Linux Kernel Kernel-Based Virtual Machine Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2009-2287

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2009-2287 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31740
Title:
Linux Kernel LDM Partition Tables Handling Buffer Overflow Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-1017

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-1017 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31788
Title:
Linux Kernel napi_reuse_skb() Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-1576

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-1576 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuu46551
Title:
ASA CA with Name Constraints of type URI and DNS can't be imported
Description:

Symptom:
When performing SCEP enrollment against a CA whose certificate contains a Name Constraints X.509 extension with a URI or DNS constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:
CA certificate contains a Name Constraints X.509 extension with a URI or DNS constraint.

Workaround:
Unknown

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCug34469
Title:
ASA OSPF LSA Injection Vulnerability
Description:

Summary
Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA)
database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table,
blackhole traffic, and intercept traffic.

The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a
targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.

To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability
can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.

OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130801-lsaospf.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
5.8/5.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:P/E:H/RL:U/RC:C
CVE ID CVE-2013-0149 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
22-MAY-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(13.115), 100.7(6.118), 100.8(38.18), 100.8(40.6), 100.8(41.2), 100.8(46.17), 100.8(60.15), 100.9(0.46), 100.9(10.1)
Bug Id:
CSCuf31835
Title:
Linux Kernel KVM Local Denial of Service Vulnerability
Description:

Symptom:
This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-0309

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-0309 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
100.11(0.51), 100.8(40.87), 9.2(3.101)
Bug Id:
CSCuf31571
Title:
Linux Kernel Memory Management Quota Handling Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2012-2133

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2012-2133 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
1 Catastrophic
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31846
Title:
Linux Kernel PERF_COUNT_SW_CPU_CLOCK Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-2918

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-2918 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1
Known Fixed Releases:
Bug Id:
CSCuf31853
Title:
Linux Kernel setup_routing_entry() KVM Function Local Buffer Overflow
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2012-2137

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2012-2137 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
1 Catastrophic
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31727
Title:
Linux Kernel inet_diag_bc_audit() Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-2213

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-2213 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31652
Title:
Linux Kernel-Based Virtual Machine Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2009-4031

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2009-4031 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31444
Title:
Linux Kernel compat_put_timeval() Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2012-4467

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2012-4467 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31547
Title:
Linux Kernel Clone() Function clone_io Local Denial of Service Vulnera
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2012-0879

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2012-0879 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31621
Title:
Linux Kernel KVM Programmable Interrupt Timer Denial of Service Vulner
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2011-4622

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:UR

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-4622 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31742
Title:
Linux Kernel ldm_get_vblks Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2011-1012

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-1012 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31859
Title:
Linux Kernel SELinux mmap_min_addr Local Privilege Escalation Vulnerab
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2009-2695

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2009-2695 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCui04520
Title:
Cisco ASA WebVPN Information Disclosure Vulnerability
Description:

Symptoms:
A vulnerability in the WebVPN Portal of the Cisco Adaptive Security Appliance (ASA) could allow an authenticated, remote attacker to view sensitive information from the affected system.

The vulnerability is due to improper input validation in the WebVPN portal. An attacker could exploit this vulnerability by providing a specially crafted JavaScript file to an authenticated WebVPN user.

Conditions:
ASA configured with WebVPN support.

Workaround:
Upgrade the ASA appliance to the latest software version.

Further Problem Description:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2014-2151 has been assigned to document this issue.
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2151
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
9.1(2), 9.1(4)
Known Fixed Releases:
100.10(0.40), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.126), 100.8(38.68), 100.8(40.44), 100.8(46.35), 100.8(51.7)
Bug Id:
CSCui40499
Title:
ICMP inspection closes TCP conns with "Flow closed by inspection"
Description:

Symptom:
This DDTS is a Duplicate of CSCuh13899

The ASA might tear down TCP connections with this syslog:

Jul 31 2013 10:45:27: %ASA-6-302014: Teardown TCP connection 163 for outside:10.1.100.4/62750(LOCAL\cisco) to dmz:14.36.103.220/5901 duration 0:00:05 bytes 1382784 Flow closed by inspection (cisco)

Conditions:

Workaround:

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(5.7), 9.0(2.3), 9.1(1.5)
Known Fixed Releases:
Bug Id:
CSCuf31536
Title:
Linux Kernel inotify_init() Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2010-4250

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-4250 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31760
Title:
Linux Kernel Block Layer IOCTL Request Processing Denial of Service Vu
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2010-4162

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-4162 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCui27773
Title:
Intermittently users not allowed to login due to hostscan data limit
Description:

Symptom:
Intermittently, users are not allowed to log in due to the Host Scan data limit. The following error may be displayed on the ASA:

ASA-3-716601 Rejected 35KB Hostscan data from <IP>.
System-wide limit on the amount of Hostscan data stored on ASA reached the limit of 100000KB

Conditions:
The ASA must be configured to perform Host Scan.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
100.10(0.9), 100.10(1.10), 100.7(6.122), 100.8(27.89), 100.8(38.29), 100.8(40.19), 100.8(41.2), 100.8(60.36), 100.9(10.4), 100.9(6.33)
Bug Id:
CSCuf31660
Title:
Linux Kernel binfmt_elf.c regset Handling Local Denial of Service Vuln
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2012-1097

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2012-1097 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31618
Title:
Linux Kernel Multicast IPv4 Traffic on HiperSockets Device Denial of S
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2010-4251

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-4251 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
1 Catastrophic
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31585
Title:
Linux Kernel Remote Operations Service Element Protocol Implementation
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2010-3310

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-3310 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31712
Title:
Linux Kernel irqchip_in_kernel() Function Local Denial of Service Vuln
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2012-1601

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2012-1601 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31607
Title:
Linux Kernel Invalid fs and gs Registry KVM Denial of Service Vulnerab
Description:

Symptom:
This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2010-3698

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-3698 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
100.11(0.47), 100.12(0.51), 100.12(22.1), 100.13(0.3), 100.13(12.5), 100.13(13.1), 100.13(14.3), 100.13(15.2), 100.13(16.1), 100.13(17.1)
Bug Id:
CSCuf31577
Title:
GNU glibc LD_AUDIT Local Privilege Escalation Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2010-3856

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-3856 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31475
Title:
Linux Kernel KVM Device Assignment Page Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2012-2121

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2012-2121 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCui50798
Title:
Linux Kernel tcp_read_sock() Function Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2013-2128

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-2128 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31824
Title:
Linux Kernel Transparent Huge Pages Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2011-0999

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-0999 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31798
Title:
Linux Kernel wait_for_unix_gc() Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2010-4249

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-4249 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCus49662
Title:
ASA5580-20 8.2.4 - Traceback in DATAPATH
Description:

Symptom:
HW: ASA5580-20
SW: 8.2.4.(2)

Conditions:

Workaround:

Further Problem Description:
ASA traceback in DATAPATH

Status:
Terminated
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.2(4)
Known Fixed Releases:
Bug Id:
CSCuf31804
Title:
Linux Kernel Transparent Interprocess Communication Protocol Local Den
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2010-1187

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-1187 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
1 Catastrophic
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31665
Title:
Linux Kernel execve() Memory Allocation Local Denial of Service Vulner
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-4243

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-4243 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31441
Title:
Linux Kernel PER_CLEAR_ON_SETID Local Privilege Escalation Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2009-1895

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2009-1895 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31870
Title:
Linux Kernel execve() Local Privilege Escalation Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2009-2848

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2009-2848 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCut49034
Title:
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
Description:

Symptom:
CPU on standby ASA spikes to 100%

Conditions:
A host connecting through clientless VPN with the RDP plugin opens an RDP session to a host connected through AnyConnect VPN.
Stateful failover is configured on an active/standby failover pair.

Workaround:
None

Further Problem Description:
High CPU on the standby ASA unit due to a specific connection on the ASA from a host connecting through clientless VPN when stateful failover is enabled.
A host connecting through clientless VPN opens an RDP session to a host connected through AnyConnect VPN.

When this particular connection goes through the ASA, we find that the active ASA builds a single connection, while the standby ASA builds numerous connections with the same source and destination ports.
Connection on the primary/active:
act/pri/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:00, bytes 4131029, flags UO
Connections on the secondary (close to 2500):
stby/sec/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:05, bytes 4131029, flags UO
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:06, bytes 4131029, flags UO

We see a lot of connection teardown on the standby for this connection.
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554151 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:02 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554254 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:01 bytes 252687 TCP Reset-O

We also see a lot of reset packets in the ASP drops on the standby ASA.
1: 19:00:25.358578 0000.0000.0000 0000.0000.0000 0x0800 Length: 54
66.241.60.197.62481 > 10.145.44.253.3389: R [tcp sum ok] 0:0(0) ack 0 win 0 (ttl 255, id 52738)
Drop-reason: (mp-svc-no-channel) SVC Module does not have a channel for reinjection
The interesting thing is that the source MAC and the destination MAC are both 0 in this ASP drop.

We see overruns on the failover interface of the standby unit.
stby/sec/alan3usv01# show int gig0/3
Interface GigabitEthernet0/3 "failover1", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: LAN/STATE Failover Interface
MAC address 5475.d091.518f, MTU 1500
IP address 10.99.101.114, subnet mask 255.255.255.248
432217782 packets input, 556229026142 bytes, 0 no buffer
Received 556 broadcasts, 0 runts, 0 giants
204523310 input errors, 0 CRC, 0 frame, 204523310 overrun, 0 ignored, 0 abort
We also see a lot of packets being transferred from the active to the standby ASA.

In the failover rx debugs we find only the following messages:
lu_rx: HA TRANS: receive message for client vpnfo, length 48
lu_rx: HA TRANS: receive message for client vpnfo, length 72
lu_rx: HA TRANS: receive message for client vpnfo, length 72

When we decode the CPU profile output from the standby ASA, the CPU profiler indicates that the high CPU on the standby is due to LU updates.

Status:
Open
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
9.1(2), 9.1(5.21)
Known Fixed Releases:
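An added example (not from the bug record or from Cisco): a small Python check that parses saved `show conn` output from both failover units plus %ASA-6-302014 teardown syslog lines, and flags 5-tuples for which the standby holds more connection entries than the active unit, which is the symptom described in CSCut49034. The regexes follow the line formats quoted in the record; all sample data below is constructed and uses RFC 5737 documentation addresses and an assumed hostname.

```python
"""Detect the CSCut49034-style symptom (one conn on the active unit, many identical
conns on the standby) from saved `show conn` output and %ASA-6-302014 syslog lines.
Added example; the regexes are written to the line formats quoted in the bug record
and every sample below is constructed (RFC 5737 addresses, hostname fw01 assumed)."""
import re
from collections import Counter

# `show conn` line, e.g.
# TCP outside 192.0.2.10:3389 NP Identity Ifc 198.51.100.7:62481, idle 0:00:05, bytes 4131029, flags UO
# The egress "interface" may contain spaces ("NP Identity Ifc"), hence the lazy group.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+"
    r"(?P<out_if>.+?)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+),\s+idle\s+(?P<idle>\S+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)\s*$"
)

# %ASA-6-302014 teardown line; the optional "(DOMAIN\user)" after the source port is skipped.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?:\([^)]*\))? to "
    r"(?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) duration (?P<duration>\S+) "
    r"bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

# Constructed sample captures: the active unit holds one copy of the RDP conn,
# the standby holds three copies of the same 5-tuple (the bug's signature).
ACTIVE_CONN = """act/pri/fw01# sh conn all add 198.51.100.7 | i 3389
TCP outside 192.0.2.10:3389 NP Identity Ifc 198.51.100.7:62481, idle 0:00:00, bytes 4131029, flags UO
TCP inside 192.0.2.20:443 outside 198.51.100.9:50001, idle 0:00:01, bytes 1200, flags UIO
"""
STANDBY_CONN = """stby/sec/fw01# sh conn all add 198.51.100.7 | i 3389
TCP outside 192.0.2.10:3389 NP Identity Ifc 198.51.100.7:62481, idle 0:00:05, bytes 4131029, flags UO
TCP outside 192.0.2.10:3389 NP Identity Ifc 198.51.100.7:62481, idle 0:00:06, bytes 4131029, flags UO
TCP outside 192.0.2.10:3389 NP Identity Ifc 198.51.100.7:62481, idle 0:00:07, bytes 4131029, flags UO
TCP inside 192.0.2.20:443 outside 198.51.100.9:50001, idle 0:00:01, bytes 1200, flags UIO
"""
STANDBY_SYSLOG = r"""Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554151 for outside:192.0.2.10/3389(LOCAL\jdoe) to identity:198.51.100.7/10994 duration 0:05:02 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554254 for outside:192.0.2.10/3389(LOCAL\jdoe) to identity:198.51.100.7/10994 duration 0:05:01 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:35: %ASA-6-302014: Teardown TCP connection 27554300 for inside:192.0.2.20/443 to outside:198.51.100.9/50001 duration 0:00:10 bytes 1200 TCP FINs
"""


def parse_conns(text):
    """Return one dict per parsed `show conn` line; the prompt and other non-matching lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            conns.append(d)
    return conns


def five_tuple(c):
    """Key a conn by protocol and both endpoints (ports kept as strings)."""
    return (c["proto"], c["in_ip"], c["in_port"], c["out_ip"], c["out_port"])


def duplicate_conns(conns, min_copies=2):
    """5-tuples that appear min_copies or more times; a healthy unit has one conn per tuple."""
    counts = Counter(five_tuple(c) for c in conns)
    return {k: n for k, n in counts.items() if n >= min_copies}


def compare_units(active_text, standby_text):
    """Map each 5-tuple the standby holds more copies of than the active to (active_count, standby_count)."""
    active = Counter(five_tuple(c) for c in parse_conns(active_text))
    standby = Counter(five_tuple(c) for c in parse_conns(standby_text))
    return {k: (active.get(k, 0), n) for k, n in standby.items() if n > active.get(k, 0)}


def teardowns_by_endpoint(syslog_text):
    """Count %ASA-6-302014 teardowns per (src ip/port, dst ip/port, teardown reason)."""
    counts = Counter()
    for line in syslog_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            key = (f'{m["src_ip"]}/{m["src_port"]}',
                   f'{m["dst_ip"]}/{m["dst_port"]}',
                   m["reason"] or "")
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, (n_active, n_standby) in compare_units(ACTIVE_CONN, STANDBY_CONN).items():
        print(f"standby holds {n_standby} conns vs {n_active} on active for {key}")
    for key, n in teardowns_by_endpoint(STANDBY_SYSLOG).most_common():
        print(f"{n} teardowns {key}")
```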
Bug Id:
CSCuf31705
Title:
Linux Kernel set_ftrace_filter Local Denial of Service Vulnerability
Description:

Symptom:
This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-3079

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-3079 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
100.11(0.43), 100.12(0.37), 100.12(10.35), 100.12(15.10), 100.12(21.3), 100.12(6.4), 100.8(40.82), 9.2(2.100), 9.3(1.99), 9.3(2)
Bug Id:
CSCuf31701
Title:
Linux Kernel create_pit_timer() Function Denial of Service Vulnerabili
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-4622

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:UR

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-4622 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31786
Title:
Linux Kernel page_count Parameter Processing Local Buffer Overflow Vul
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-1746

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:UC

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-1746 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31673
Title:
Linux Kernel inotify_init() Double Free Error Denial of Service Vulner
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-1479

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-1479 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31805
Title:
Linux Kernel VLAN Tag Remote Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-4263

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-4263 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
1 Catastrophic
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuh47484
Title:
Kernel KVM kvm_set_memory_region() Function Local Escalation of Privil
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2013-1943

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-1943 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCts50723
Title:
ASA: Builds conn for packets not destined to ASA's MAC in port-channel
Description:

Symptom:

When the ASA is configured with a port-channel interface, the firewall may process and build conns for packets received on that port-channel that are not destined to its own interface MAC address. In certain scenarios, this can cause flooded packet storms in the network.

Conditions:

The ASA must be configured with all of the following conditions:

1) At least 1 port-channel interface
2) The 'same-security-traffic permit intra-interface' command

Workaround:

If the ASA does not need to hairpin traffic, disable 'same-security-traffic permit intra-interface'.

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.95), 100.7(13.96), 100.7(6.90), 100.7(6.92), 100.8(0.228), 100.8(11.35), 100.8(11.49), 100.8(27.19), 100.8(27.25), 100.8(33.19)
Bug Id:
CSCuf31658
Title:
Linux Kernel nfs_readdata_release() and nfs_writedata_release() Functi
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-4325

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-4325 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
1 Catastrophic
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31791
Title:
Linux Kernel next_pidmap() Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-1593

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-1593 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31632
Title:
Linux Kernel SET_PERSONALITY Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-0307

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-0307 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31654
Title:
Linux Kernel GUID Partition Tables Handling Arbitrary Code Execution V
Description:

Symptom:
This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-1776

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-1776 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
100.12(10.47), 100.8(40.84), 9.0(4.25), 9.1(5.100), 9.1(5.20), 9.2(2.100), 99.1(2.27), 99.1(3.9)
Bug Id:
CSCuf31838
Title:
Linux Kernel mremap() Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-2496

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-2496 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31726
Title:
Linux Kernel agp_generic_remove_memory() Local Privilege Escalation Vu
Description:

Symptom:
This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-2022

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-2022 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
100.11(0.50), 100.12(0.70), 100.12(6.20), 100.13(0.6), 100.13(11.11), 100.13(12.16), 100.13(15.7), 100.13(16.2), 100.13(17.2), 100.13(18.1)
Bug Id:
CSCuf31741
Title:
Linux Kernel sys_move_pages Local Denial of Service and Information Di
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-0415

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.2:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:P/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-0415 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
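Each PSIRT Evaluation on this page gives a CVSS version 2 vector and the base and temporal scores derived from it. The calculator below is an added example, not part of the Cisco notification: it reproduces those scores from the vector string using the CVSS v2.0 equations and metric weights, so a reader can check a record (the AV:L/AC:L/Au:S/C:P/I:N/A:C/E:U/RL:OF/RC:C vector above gives 5.2) or rescore it after the temporal metrics change. The function names are my own.

```python
"""CVSS v2.0 base and temporal score calculator (added example).

Input is a vector string of the form used in the PSIRT Evaluation text,
e.g. 'AV:L/AC:L/Au:S/C:P/I:N/A:C/E:U/RL:OF/RC:C'. Equations and weights
are those of the CVSS v2.0 specification.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}            # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}             # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}            # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}           # Confidentiality/Integrity/Availability impact
_E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}     # Exploitability
_RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}   # Remediation Level
_RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}              # Report Confidence


def _round1(x):
    """CVSS v2 round_to_1_decimal: half-up, not Python's banker's rounding."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Split 'AV:L/AC:L/...' into a dict and require the six base metrics."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if not value:
            raise ValueError("malformed metric: %r" % part)
        metrics[name] = value
    for required in ("AV", "AC", "Au", "C", "I", "A"):
        if required not in metrics:
            raise ValueError("missing base metric %s" % required)
    return metrics


def base_score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def temporal_score(vector):
    """Temporal = base * E * RL * RC; absent temporal metrics default to 'ND'."""
    m = parse_vector(vector)
    e = _E[m.get("E", "ND")]
    rl = _RL[m.get("RL", "ND")]
    rc = _RC[m.get("RC", "ND")]
    return _round1(base_score(vector) * e * rl * rc)


def scores(vector):
    """Return (base, temporal), the pair the PSIRT text prints as e.g. 6.1/5.8."""
    return base_score(vector), temporal_score(vector)


if __name__ == "__main__":
    for v in ("AV:L/AC:L/Au:S/C:P/I:N/A:C/E:U/RL:OF/RC:C",
              "AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C"):
        print("%s -> %.1f/%.1f" % ((v,) + scores(v)))
```

Run against the vectors on this page, the calculator reproduces every stated pair except CSCuq41510, whose RL:OF component yields a temporal score of 5.4 rather than the 6.2 printed in that record; a mismatch like that is the reason to recompute rather than copy the number.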
Bug Id:
CSCuf31803
Title:
Linux Kernel nfs_wait_on_request() Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-1087

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-1087 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31448
Title:
Linux Kernel futex_lock_pi() Denial of Service Vuln CVE-2010-0623
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-0623

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-0623 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1
Known Fixed Releases:
Bug Id:
CSCuf31541
Title:
Linux Kernel setup_arg_pages() Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-3858

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-3858 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuh88058
Title:
Linux Kernel splice(2) Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2009-1961

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2009-1961 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1
Known Fixed Releases:
Bug Id:
CSCuh88056
Title:
Linux Kernel fuse_direct_io() Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2009-4021

Cisco has analyzed these vulnerabilities and concluded that the product
is not impacted.

Conditions:

Not applicable

Workaround:

Not applicable

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has evaluated this issue and it does not meet the criteria
for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change
in the severity of this issue, please contact psirt@cisco.com for
another evaluation.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1
Known Fixed Releases:
Bug Id:
CSCuf31564
Title:
Linux Kernel mmap and mremap Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-0291

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-0291 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31447
Title:
Linux Kernel wake_futex_pi() Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-0622

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-0622 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCuf31612
Title:
Linux Kernel mprotect_fixup() Memory Corruption Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-4169

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.7:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-4169 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
1 Catastrophic
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCun45520
Title:
Cisco ASA DHCPv6 Denial of Service Vulnerability
Description:

Symptom:
ASA crash in Thread Name: DHCPv6 Relay when processing a DHCPv6 packet

Conditions:
DHCPv6 relay must be enabled. To verify whether the feature is enabled, run show run ipv6 dhcprelay and check that the following
appears under at least one interface:

ipv6 dhcprelay enable

DHCPv4 relay is not affected by this issue.

Workaround:
There is no workaround other than disabling the DHCPv6 relay feature.

Further Problem Description:
A vulnerability in the DHCP code of Cisco ASA Software could allow an
unauthenticated, adjacent attacker to cause the reload of an affected
system.

The vulnerability is due to insufficient validation of crafted or
malformed DHCP version 6 (v6) packets. An attacker could exploit this
vulnerability by sending a crafted DHCPv6 packet to the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2014-2182 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2182

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
22-MAY-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
100.10(0.95), 100.10(12.8), 100.10(17.1), 100.10(2.18), 100.10(6.0.40), 100.10(7.8), 100.11(0.7), 100.11(3.1), 100.11(4.3), 100.11(5.2)
Bug Id:
CSCuh41688
Title:
5585X-SSP60 8.4(5)6 Secondary unit crash
Description:

Symptom:
An ASA 5585X-SSP60 running as a transparent firewall in an A/A failover environment crashed.

Conditions:
Normal operation

Workaround:
None

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(5.6)
Known Fixed Releases:
Bug Id:
CSCun78551
Title:
Cisco ASA Information Disclosure Vulnerability
Description:

Symptom:
An unprivileged user could access information on the ASA file system, including the running configuration if it is stored on flash or disk.

Conditions:
This happens in both single and multiple context mode; in multiple context mode, however, only users from the admin context can exploit the issue.

The attacker needs valid credentials, but any privilege level associated with those credentials is sufficient, for example privilege 0 or 1.

Workaround:
none

Further Problem Description:
A vulnerability in the authorization code of Cisco ASA Software could allow
an authenticated, remote attacker to access information stored on the
file system of the affected system.

The vulnerability is due to improper implementation of authorization
controls when an unprivileged user tries to access a file stored on the file
system. This vulnerability can be exploited only after authentication and
only if the HTTP server is enabled. An attacker could exploit this
vulnerability by sending a crafted URL to the affected system. If the
Cisco ASA is configured in multiple context mode, only users of the admin
context will be able to exploit this vulnerability. An exploit could
allow the attacker to access files stored on the device file system,
which may include the running configuration.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:C/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2014-2181 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2181

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.10(0.87), 100.10(2.13), 100.10(6.16), 100.10(7.3), 100.11(5.1), 100.7(6.132), 100.8(40.67), 100.8(56.44), 100.8(64.12), 100.8(65.9)
Bug Id:
CSCum00360
Title:
ASA - DHCP Discover Sent out during boot process
Description:

Symptom:
On the ASA 5500-X platform, the second highest port sends a DHCP Discover during the IPMI pre-boot process. If a DHCP server responds, the ASA
obtains the offered IP address, but the address is not visible in the running configuration. Users able to connect to this IP address can potentially
shut down the device or cause it to reload. An attacker needs to be layer-2 adjacent to the device in order to hijack the DHCP request.

Conditions:
Cisco ASA 5500-X during the pre-boot process from IPMI.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/3.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID TBD has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.6(1.5)
Known Fixed Releases:
100.10(0.96), 100.10(12.8), 100.10(17.1), 100.10(2.19), 100.10(7.12), 100.11(0.7), 100.11(3.4), 100.11(5.4), 100.11(6.1), 100.8(40.69)
Bug Id:
CSCun26772
Title:
Invalid user names are logged in syslogs
Description:

Symptom:
The ASA logs the invalid user name when a user attempts to authenticate with an incorrect user ID.

Conditions:
AAA and logging enabled

Workaround:

Further Problem Description:

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or
involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please
contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
9.2(0.2)
Known Fixed Releases:
100.10(9.6), 100.11(2.1), 100.8(38.125), 100.8(40.63), 100.8(56.31), 100.8(65.4), 9.0(4.25), 9.1(5.15), 9.2(0.99), 9.2(1)
Bug Id:
CSCuj28861
Title:
Cisco ASA Malformed DNS Reply Denial of Service Vulnerability
Description:

Symptoms:
ASA crash in thread name: dns_process

Conditions:
This may happen when the network object configuration includes both an IPv4 and an IPv6 FQDN for the same name, both are in use, and the ASA issues a DNS request
for those objects.

Workaround:
Do not map the same FQDN to both IPv4 and IPv6.

Further Problem Description:

A vulnerability in the DNS code of Cisco ASA Software could allow an
unauthenticated, remote attacker to cause the reload of an affected
system.

The vulnerability is due to improper handling of DNS error cases when
the Cisco ASA Software receives a DNS reply packet under a particular
configuration of the system. An attacker could exploit this
vulnerability by either controlling a DNS server or ensuring that the
reply to a DNS request coming from an affected system is malformed. An
exploit could allow the attacker to cause the reload of the affected
system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-6696 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6696

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(7), 9.0(2)
Known Fixed Releases:
100.10(0.33), 100.10(1.21), 100.10(2.2), 100.10(9.1), 100.7(6.138), 100.8(38.59), 100.8(40.38), 100.8(45.8), 100.8(46.28), 100.8(52.2)
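Three of the records above turn on configuration state that can be checked directly from a show running-config dump: CSCun45520 requires ipv6 dhcprelay enable on an interface, CSCun78551 requires http server enable plus any authenticated user, and the CSCuj28861 workaround is to avoid mapping one FQDN to both IPv4 and IPv6 network objects. The script below is an added example, not Cisco code: it parses a running-config and reports each of those conditions. The sample configuration is constructed for the example, and treating an fqdn line with no v4 or v6 keyword as covering both address families is my reading of the ASA object syntax, not something these records state.

```python
"""Audit an ASA running-config for the conditions named in the bug records
(added example). Input is the text of 'show running-config'.
"""
import re

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:1::1/64
 ipv6 dhcprelay enable
!
object network svc-v4
 fqdn v4 app.example.com
object network svc-v6
 fqdn v6 app.example.com
object network mail
 fqdn v4 mail.example.com
username readonly password ***** encrypted privilege 1
username admin password ***** encrypted privilege 15
http server enable
http 192.0.2.0 255.255.255.0 inside
ipv6 dhcprelay server 2001:db8:ffff::5 outside
"""


def _blocks(config):
    """Yield (top-level command, [sub-commands]).

    ASA indents mode sub-commands by one space and separates interface
    stanzas with a line containing '!'.
    """
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def dhcpv6_relay_interfaces(config):
    """Interfaces carrying 'ipv6 dhcprelay enable' (the CSCun45520 condition)."""
    return [header.split(None, 1)[1]
            for header, body in _blocks(config)
            if header.startswith("interface ") and "ipv6 dhcprelay enable" in body]


def http_server_low_priv_users(config):
    """If 'http server enable' is present, return (user, privilege) for local
    users below privilege 15: the population that could exploit CSCun78551
    after authenticating. Empty list if the HTTP server is off."""
    headers = [h for h, _ in _blocks(config)]
    if "http server enable" not in headers:
        return []
    users = []
    for h in headers:
        m = re.match(r"username (\S+) .*\bprivilege (\d+)$", h)
        if m and int(m.group(2)) < 15:
            users.append((m.group(1), int(m.group(2))))
    return users


def dual_stack_fqdns(config):
    """FQDNs resolved for both IPv4 and IPv6 across network objects, which the
    CSCuj28861 workaround says to avoid. An 'fqdn NAME' line with no v4/v6
    keyword is counted as both families (assumption about the ASA default)."""
    families = {}
    for header, body in _blocks(config):
        if not header.startswith("object network "):
            continue
        for cmd in body:
            parts = cmd.split()
            if parts[0] != "fqdn":
                continue
            if parts[1] in ("v4", "v6"):
                fams, name = {parts[1]}, parts[2]
            else:
                fams, name = {"v4", "v6"}, parts[1]
            families.setdefault(name.lower(), set()).update(fams)
    return sorted(n for n, f in families.items() if f == {"v4", "v6"})


def audit(config):
    return {
        "dhcpv6_relay_interfaces": dhcpv6_relay_interfaces(config),
        "http_low_priv_users": http_server_low_priv_users(config),
        "dual_stack_fqdns": dual_stack_fqdns(config),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print("%-25s %s" % (check, result or "ok"))
```

Feed it the output of show running-config from each context; in multiple context mode the admin context is the one that matters for the CSCun78551 check.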
Bug Id:
CSCuq34226
Title:
OpenSSL Zero-Length Fragments DTLS Memory Leak Denial of Service Vuln
Description:

Symptom:
The Cisco Adaptive Security Appliance (ASA) Software version 8.2 and later includes a version of OpenSSL that could be affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

* DTLS memory leak from zero-length fragments (CVE-2014-3507)

This bug has been opened to investigate and address the potential impact on this product.

Conditions:
Cisco ASA running release 8.2.1 or later with a default configuration.

Workaround:
None.

Further Problem Description:
This bug is one of 9 disclosed by the OpenSSL organization as part of their August advisory (see https://www.openssl.org/news/secadv_20140806.txt for details).

1. Double Free when processing DTLS packets (CVE-2014-3505)
2. DTLS memory exhaustion (CVE-2014-3506)
3. DTLS memory leak from zero-length fragments (CVE-2014-3507)
4. Information leak in pretty printing functions (CVE-2014-3508)
5. Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
6. OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
7. OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
8. SRP buffer overrun (CVE-2014-3512)
9. Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)

Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html

Only numbers 1 and 3 were found to be vulnerabilities in the ASA and were resolved with bugs:

CSCuq34213 Double Free when processing DTLS packets
CSCuq34226 OpenSSL Zero-Length Fragments DTLS Memory Leak Denial of Service Vuln

Bugs were created for the remaining issues but were closed because the ASA was found not to be vulnerable.

Cisco Adaptive Security Appliance (ASA) Software v9.0.4 and later is NOT impacted by this bug.

Due to End of Life, this bug will not be fixed in the 8.0 and 8.1 code trains. Cisco recommends that customers upgrade to a fixed release.

Cisco Adaptive Security Appliance (ASA) Software v7.x is NOT impacted by these vulnerabilities.

PSIRT Evaluation:
The Cisco PSIRT has assessed these vulnerabilities using the Base and Temporal CVSS scores from the National Vulnerability Database (NVD).

Details about the third-party software vulnerabilities listed above, as well as their CVSS score can be found at the following URL:
http://web.nvd.nist.gov/view/vuln/search

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
100.12(10), 8.2(5.50), 8.3(2.41), 8.4(7.22), 8.6(1.14), 8.7(1.12), 9.1(5.11), 9.2(2.4), 9.3(1)
Known Fixed Releases:
100.11(0.42), 100.12(10.32), 100.12(21.2), 100.12(9.13), 100.7(6.134), 100.8(40.83), 15.2(2.6.25)EA, 8.3(2.43), 9.0(4.22), 9.1(5.13)
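CVE-2014-3507, the issue this record tracks, is a memory leak in OpenSSL's DTLS handshake reassembly triggered by fragments of zero length. The parser and reassembler below are an added example, not OpenSSL's or Cisco's code: they show the checks a DTLS handshake fragment reader needs, namely the 12-byte header layout from RFC 6347, rejection of zero-length and out-of-range fragments before any buffer is touched, and a cap on buffered bytes per message. Type and function names are my own; OpenSSL's actual fix is in the advisory linked above.

```python
"""Parse and validate DTLS handshake fragments (added example).

DTLS (RFC 6347, section 4.2.2) prefixes every handshake fragment with
12 bytes: msg_type(1) length(3) message_seq(2) fragment_offset(3)
fragment_length(3). A reassembler must check that offset+fragment_length
fits inside the advertised message and must not keep state for
zero-length fragments of a non-empty message, the CVE-2014-3507 class
of bug.
"""
import struct
from collections import namedtuple

Fragment = namedtuple(
    "Fragment", "msg_type length message_seq fragment_offset fragment_length body")

HEADER_LEN = 12


def _u24(b):
    return (b[0] << 16) | (b[1] << 8) | b[2]


def _p24(n):
    return bytes([(n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])


def parse_fragment(data):
    """Parse one handshake fragment; raise ValueError on anything inconsistent."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    msg_type = data[0]
    length = _u24(data[1:4])
    (message_seq,) = struct.unpack("!H", data[4:6])
    offset = _u24(data[6:9])
    frag_len = _u24(data[9:12])
    body = data[HEADER_LEN:HEADER_LEN + frag_len]
    if frag_len == 0 and length != 0:
        # Carries no data but would otherwise cost a reassembly buffer.
        raise ValueError("zero-length fragment of non-empty message")
    if offset + frag_len > length:
        raise ValueError("fragment exceeds message length")
    if len(body) != frag_len:
        raise ValueError("fragment truncated on the wire")
    return Fragment(msg_type, length, message_seq, offset, frag_len, body)


def is_valid_fragment(data):
    try:
        parse_fragment(data)
        return True
    except ValueError:
        return False


def build_fragment(msg_type, length, message_seq, offset, body):
    """Encode header plus body; used here to construct test input."""
    return (bytes([msg_type]) + _p24(length) + struct.pack("!H", message_seq)
            + _p24(offset) + _p24(len(body)) + body)


class Reassembler:
    """Reassemble handshake messages from fragments in any order, with a
    hard cap on the bytes a peer can make us buffer for one message."""

    def __init__(self, max_message=16 * 1024):
        self.max_message = max_message
        self.messages = {}  # message_seq -> (length, bytearray, covered offsets)

    def add(self, data):
        """Return the complete message once every byte is covered, else None."""
        frag = parse_fragment(data)
        if frag.length > self.max_message:
            raise ValueError("message too large")
        entry = self.messages.get(frag.message_seq)
        if entry is None:
            entry = (frag.length, bytearray(frag.length), set())
            self.messages[frag.message_seq] = entry
        length, buf, covered = entry
        if length != frag.length:
            raise ValueError("message length changed between fragments")
        end = frag.fragment_offset + frag.fragment_length
        buf[frag.fragment_offset:end] = frag.body
        covered.update(range(frag.fragment_offset, end))
        if len(covered) == length:
            del self.messages[frag.message_seq]
            return bytes(buf)
        return None
```

Zero-length messages (length 0) are legitimate, for example ServerHelloDone, so the zero-length check is on fragments of a non-empty message only; a reader that rejected every empty fragment would break valid handshakes.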
Bug Id:
CSCuo26918
Title:
ASA traceback in Thread Name: IKE Receiver due to 'Address not mapped'
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3383 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Other
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Bug Id:
CSCuq41510
Title:
Cisco ASA VNMC Input Validation Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/6.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:M/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3390 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
22-MAY-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
100.11(0.44), 100.12(0.38), 100.12(10.37), 100.12(15.10), 100.12(21.3), 100.12(6.4), 9.2(2.7), 9.3(1.1), 9.3(1.99), 9.3(2)
Bug Id:
CSCuu16887
Title:
ASA 9344 block depletion after a stress test
Description:

Symptom:
An ASA5585 had 9344 block depletion after a stress test.

Jumbo-frame reservation was enabled.

asa# show blocks
SIZE MAX LOW CNT
0 1450 1444 1448
4 900 899 899
80 5000 4935 4960
256 6400 6387 6394
1550 21274 21157 21228
2048 4100 4100 4100
2560 7320 7320 7320
4096 100 100 100
8192 100 100 100
9344 10000 0 0 <--
16384 210 210 210
65536 16 16 16

While the 9344-byte blocks were depleted, traffic was affected: there were packet drops and packet delays.
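The `show blocks` output above is the evidence a practitioner would want to monitor for. The following script, an added example and not part of the Cisco bug record, parses that output, skips the prompt and header lines, and flags any pool whose free count (CNT) has fallen to or below a configurable percentage of its allocation (MAX), or whose low-water mark (LOW) shows it was exhausted at some point since the counters were last cleared. The sample input is the output quoted in the record (including the reporter's trailing "<--" marker); the threshold, dataclass and function names are assumptions of this example.

```python
"""Parse Cisco ASA `show blocks` output and flag exhausted block pools.

Added example for this page, not code from Cisco. The sample output below is
copied from the bug record; the 5% threshold and the names used here are
this example's own choices.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the `show blocks` output quoted in the bug record.
# The trailing "<--" on the 9344 row is the reporter's own annotation.
SAMPLE_SHOW_BLOCKS = """\
asa# show blocks
SIZE MAX LOW CNT
0 1450 1444 1448
4 900 899 899
80 5000 4935 4960
256 6400 6387 6394
1550 21274 21157 21228
2048 4100 4100 4100
2560 7320 7320 7320
4096 100 100 100
8192 100 100 100
9344 10000 0 0 <--
16384 210 210 210
65536 16 16 16
"""


@dataclass
class BlockPool:
    size: int  # block size in bytes (the SIZE column)
    max: int   # blocks allocated to this pool (MAX)
    low: int   # lowest free count seen since boot / last clear (LOW)
    cnt: int   # blocks currently free (CNT)


def parse_show_blocks(text: str) -> List[BlockPool]:
    """Return one BlockPool per data row.

    A data row is any line whose first four whitespace-separated fields are all
    integers; the CLI prompt, the column header and stray markers such as "<--"
    are ignored, so the parser tolerates pasted terminal sessions.
    """
    pools: List[BlockPool] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not all(f.isdigit() for f in fields[:4]):
            continue
        size, mx, low, cnt = (int(f) for f in fields[:4])
        pools.append(BlockPool(size, mx, low, cnt))
    return pools


def depleted_pools(pools: List[BlockPool],
                   free_pct_threshold: float = 5.0) -> List[Tuple[int, str, float]]:
    """Return (size, finding, free_percent) for pools that need attention.

    "depleted" means the pool is currently at or below the free threshold;
    "exhausted-earlier" means CNT has recovered but LOW shows the pool hit zero
    at some point, which is worth correlating with past drops or delays.
    """
    findings: List[Tuple[int, str, float]] = []
    for p in pools:
        if p.max == 0:
            continue  # nothing allocated, nothing to deplete
        free_pct = 100.0 * p.cnt / p.max
        if free_pct <= free_pct_threshold:
            findings.append((p.size, "depleted", free_pct))
        elif p.low == 0:
            findings.append((p.size, "exhausted-earlier", free_pct))
    return findings


if __name__ == "__main__":
    for size, finding, pct in depleted_pools(parse_show_blocks(SAMPLE_SHOW_BLOCKS)):
        print(f"block size {size}: {finding} ({pct:.1f}% free)")
```

Run against the record's output, the only finding is the 9344-byte pool at 0% free; on a healthy unit the list is empty. Polling this after a stress test, or on a schedule, gives an early signal before the packet drops described in the symptom become visible to users.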

Conditions:

Workaround:
Reload the ASA

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
8.4(7.26)
Known Fixed Releases:
Bug Id:
CSCul70099
Title:
ASA SSL VPN Privilege Escalation Vulnerability
Description:



Symptoms:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA ASDM Privilege Escalation Vulnerability
Cisco ASA SSL VPN Privilege Escalation Vulnerability
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Cisco ASA SIP Denial of Service Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.

Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the internal network via SSL VPN.

Successful exploitation of the Cisco ASA SIP Denial of Service Vulnerability may cause the exhaustion of available memory. This may cause system instability and in some cases lead to a reload of the affected system, creating a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for some of the vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory
Further Problem Description:
See published Cisco Security Advisory
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.5/7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-2127 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
22-MAY-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.10(0.63), 100.10(2.4), 100.10(9.1), 100.7(6.127), 100.8(38.95), 100.8(40.56), 100.9(10.23), 8.2(5.48), 8.3(2.40), 8.4(7.8)
Bug Id:
CSCun69561
Title:
ASA Crafted Radius DoS Vulnerability
Description:

Symptom:
ASA crash in thread name radius_rcv_auth

Conditions:
ASA receives a RADIUS packet with a crafted attribute value during a RADIUS exchange. Knowledge of the shared secret is needed in order to exploit the vulnerability.

Workaround:
none

Further Problem Description:
A vulnerability in the implementation of the RADIUS code of Cisco ASA Software could allow an authenticated, remote attacker to cause the reload of the affected system.

The vulnerability is due to insufficient validation of RADIUS packets, including crafted attributes. An attacker could exploit this vulnerability by sending crafted RADIUS packets to the affected system. The attacker needs to know the RADIUS shared secret and inject the crafted packet while a RADIUS exchange is in progress.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3264 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3264

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
9.0(1), 9.1(1), 9.2(0.3)
Known Fixed Releases:
100.10(0.87), 100.10(2.13), 100.10(6.16), 100.10(7.3), 100.11(2.1), 100.11(5.1), 100.8(38.133), 100.8(40.68), 100.8(56.47), 100.8(64.14)
Bug Id:
CSCuq29136
Title:
Cisco ASA SSL VPN Info Disclosure and DoS Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, including but not limited to cross-site scripting (XSS), theft of credentials, or redirection of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.3/6.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3392 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
9.1(5.3)
Known Fixed Releases:
100.11(0.42), 100.12(0.31), 100.12(10.21), 100.12(15.8), 100.12(21.1), 100.12(6.2), 100.12(9.9), 100.7(6.134), 100.8(40.82), 8.2(5.51)
Bug Id:
CSCuq14540
Title:
ASA traceback in "fover_tx" while running port scan.
Description:

Symptom:
ASA traceback in "fover_tx" with assertion "assertion '0' failed: file 'block.c', line 3067"

Conditions:
ASA traceback in "fover_tx" while performing a port scan against the ASA using NMAP.

Workaround:
none.

Further Problem Description:
ASA traceback in "fover_tx" with assertion "assertion '0' failed: file 'block.c', line 3067" while performing a port scan against the ASA using NMAP.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
22-MAY-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Bug Id:
CSCut29845
Title:
Linux Kernel Netlink Message Security Bypass Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-0181

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 1.2:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0181 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCut29837
Title:
cURL and libcurl Certificate Field Wildcard Value Processing Spoofing
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-0139

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:TF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0139 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
8.7(1), 9.2(1), 9.3(2.200), 9.4(1), 99.1
Known Fixed Releases:
Bug Id:
CSCus95290
Title:
Cisco ASA VPN XML Parser Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA Failover Command Injection Vulnerability
Cisco ASA DNS Memory Exhaustion Vulnerability
Cisco ASA VPN XML Parser Denial of Service Vulnerability

Successful exploitation of the Cisco ASA Failover Command Injection Vulnerability would allow an attacker to submit failover commands to the failover units, which may result in an attacker taking full control of the systems.

Successful exploitation of the Cisco ASA DNS Memory Exhaustion Vulnerability may result in system instability and dropped traffic.

Successful exploitation of the Cisco ASA VPN XML Parser Denial of Service Vulnerability may result in a crash of the WebVPN process, which may lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system.


Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for the Cisco ASA Failover Command Injection Vulnerability and Cisco ASA DNS Memory Exhaustion Vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa

Note: The resolution of the vulnerability in the Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability, cisco-sa-20150408-cxfp, released on the 8th of April may require an upgrade of the Cisco ASA Software release. Cisco ASA customers should review cisco-sa-20150408-cxfp before deciding which Cisco ASA Software release to upgrade to.

The Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVE ID CVE-2015-0677 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
9.0(4.20)
Known Fixed Releases:
100.11(0.56), 100.12(0.113), 100.13(0.35), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4)
Bug Id:
CSCuu48197
Title:
ASA: Stuck uauth entry rejects AnyConnect user connections
Description:

Symptom:
Intermittently, user VPN sessions fail to establish because of a stuck uauth entry associated with the pool address that is about to be assigned to the new user.

Syslog:
%ASA-5-722010: Group User IP SVC Message: 16/ERROR: Detected internal error in SSL connection..
%ASA-4-113019: Group = , Username = , IP = , Session disconnected. Session Type: SSL, Duration: 00:00m:12s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

- While debugging, we see the following:

debug webvpn anyconnect:
webvpn_cstp_accept_address: 192.168.1.10/255.255.255.0
''snip''
vpn_put_uauth failed!
webvpn_cstp_send_error: 503 Service Unavailable

sh ip local pool :
shows that the address 192.168.1.10 is available.

debug pix uauth:
vpn_putuauth: ERR: uxlate collision for ip 192.168.1.10 user USER-B on interface OUTSIDE

show uauth:
remote access VPN user 'USER-A' at 192.168.1.10, authenticated <<< Stuck entry for "another user"

show vpn-sessiondb anyconnect filter name USER-A :
no entries

Here, notice that the address being assigned to USER-B is 192.168.1.10, and that this address is available in the local pool, i.e. it was assigned to another user [USER-A] in the past. That user does not show up in the vpn-sessiondb, indicating that he has already logged off.

Conditions:
ASA running on OS version [Ex: 9.2(1)] that has the fix for:
CSCuh08432 Anyconnect sessions do not connect due to uauth failure

This ASA is acting as AnyConnect SSLVPN Server.

Workaround:
None.
Either reload the ASA or failover to the standby ASA.

Or Start using a new IP address pool for the Connection entry

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
Bug Id:
CSCut29848
Title:
Linux Kernel syscall Tracing Functionality Local Denial of Service Vul
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-7825

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-7825 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCut29840
Title:
Glibc wordexp Function Command Substitution Arbitrary Command Executio
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-7817

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 3.2:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-7817 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 99.1
Known Fixed Releases:
Bug Id:
CSCut29843
Title:
cURL and libcurl Connection Reuse Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-0138

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0138 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
8.7(1), 9.2(1), 9.3(2.200), 9.4(1), 99.1
Known Fixed Releases:
Bug Id:
CSCtw75734
Title:
tmatch compile thread assertion in "stride_terminal_node.c"
Description:

Symptom:
In a rare corner case, the ASA might traceback when there are ACL related functions being processed.

This is similar to CSCsy93944 but the traceback condition is due to a different root cause.

Conditions:
The traceback condition is related to the access-list structures stored on the ASA.

Workaround:
None known.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
100.8(46.4), 8.2(5), 8.4(5.2), 8.6(1.6)
Known Fixed Releases:
100.10(0.36), 100.10(1.21), 100.10(2.2), 100.10(3.1), 100.10(9.1), 100.7(6.125), 100.8(38.63), 100.8(40.40), 100.8(45.8), 100.8(46.28)
Bug Id:
CSCut29842
Title:
Linux Kernel Memory Fault Privilege Escalation Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-9322

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-9322 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCut29844
Title:
cURL and libcurl NTLM Authentication Reuse Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-0015

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0015 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCsc91983
Title:
DOC: set connection-type originate-only breaks vpn tunnel
Description:



Symptom:

Using the set connection-type originate-only config command on a LAN-to-LAN tunnel causes the tunnel negotiation to fail.

Conditions:

Setting a tunnel (crypto map) to "originate-only"

Workaround:

Use "bidirectional" or "answer-only"

Further Problem Description:

Using this config causes incorrect proxy IDs to be negotiated.

Status:
Fixed
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
7.0(4.4)
Known Fixed Releases:
Bug Id:
CSCug66457
Title:
ASA : "ERROR:Unable to create router process" & routing conf is lost
Description:

Symptom:
The standby ASA reports the error messages shown below and loses its dynamic routing configuration.

Conditions:
ASA running 9.x or higher

Workaround:
Issue is only seen during startup/reload of ASA. Issuing "write mem" or "write standby" resolves the issue.

Further Problem Description:
ASA(config)#

Beginning configuration replication from mate.
ERROR: Unable to create router process, cleanup in progress

ASA(config)# sh run | inc router
ASA(config)#

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
9.0(2), 9.1(1.8)
Known Fixed Releases:
100.10(0.6), 100.8(38.18), 100.8(40.7), 100.8(41.2), 100.8(60.16), 100.9(0.48), 100.9(10.1), 100.9(6.24), 100.9(7.26), 9.0(2.101)
Bug Id:
CSCus91445
Title:
BGPv6: Error when changing AS Number with ASDM
Description:

Symptom:
When changing the AS Number for BGP routing, a syntax error occurs on the 'router bgp' command. This is the ASDM error:

[OK] no router bgp 109
[ERROR] router bgp 6501

router bgp 6501
^
ERROR: % Invalid input detected at '^' marker.

router bgp 6501

After this, all of the existing BGP configuration is lost and the user will need to reenter it manually.

Conditions:
There is IPv6 configuration for BGP.

Workaround:

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
23-MAY-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Bug Id:
CSCut44082
Title:
EIGRP configuration not being correctly replicated between failover ASAs
Description:

Symptom:
We have found that the 'no passive-interface (interface-name)' and the 'distribute-list (distr-list-name) out interface (interface-name)' commands are not being correctly replicated between a pair of ASA firewalls configured in failover.

Conditions:
This issue occurs only when the active FW is replicating the configuration to the standby unit in the following two scenarios:

1.- When issuing the 'write standby' in the active FW.

OR

2.- When after rebooting the standby unit, the active unit automatically replicates the configuration to the standby unit.

(ASA-1/pri/act# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate)

NOTE: In the recreation lab only the distribution list disappears, but in the production environment one of the 'no passive-interface' commands disappears too.

Workaround:
While running ASA codes 9.2(2)4, 9.2(3) and 9.3(2):

1.- Avoid using the 'write standby' command in the active ASA and just use the 'write memory' or the 'copy running-config startup-config'.

2.- If for whatever reason the standby unit is being rebooted, then you will need to manually add the EIGRP missing configuration lines in the active unit in order to allow the standby unit to receive the whole needed EIGRP configuration.

I already confirmed this EIGRP replication issue is not happening when running codes 8.6(1), 9.1(1) and 9.1(5), so downgrading to these ASA codes is another workaround.

Further Problem Description:
Here the detail EIGRP configuration for our testing:

ASA-1/pri/act(config)# router eigrp 7
ASA-1/pri/act(config-router)# no auto-summary
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# network 10.1.4.0 255.255.254.0
ASA-1/pri/act(config-router)# network 10.1.50.16 255.255.255.248
ASA-1/pri/act(config-router)# network 10.1.94.0 255.255.254.0
ASA-1/pri/act(config-router)# network 10.1.97.0 255.255.255.128
ASA-1/pri/act(config-router)# network 10.6.254.128 255.255.255.128
ASA-1/pri/act(config-router)# network 198.209.254.0 255.255.255.0
ASA-1/pri/act(config-router)# network 198.209.255.0 255.255.255.0
ASA-1/pri/act(config-router)# passive-interface default
ASA-1/pri/act(config-router)# no passive-interface outside
ASA-1/pri/act(config-router)# no passive-interface inside
ASA-1/pri/act(config-router)# no passive-interface dmvpndmz
ASA-1/pri/act(config-router)# no passive-interface stldcdmz

ASA-1/pri/act# sh run router
router eigrp 7
distribute-list NO-PUB-ROUTES-OUT out interface inside
distribute-list NO-PUB-ROUTES-OUT out interface dmvpndmz
distribute-list NO-PUB-ROUTES-OUT out interface stldcdmz
network 10.1.4.0 255.255.254.0
network 10.1.94.0 255.255.254.0
network 10.1.97.0 255.255.255.128
network 198.209.254.0 255.255.255.0
network 198.209.255.0 255.255.255.0
network 10.1.50.16 255.255.255.248
network 10.6.254.128 255.255.255.128
passive-interface default
no passive-interface inside
no passive-interface dmvpndmz
no passive-interface stldcdmz
no passive-interface outside

ASA-1/pri/act# sh run all router
router eigrp 7
no auto-summary
distance eigrp 90 170
distribute-list NO-PUB-ROUTES-OUT out interface inside
distribute-list NO-PUB-ROUTES-OUT out interface dmvpndmz
distribute-list NO-PUB-ROUTES-OUT out interface stl

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-MAY-2015
Known Affected Releases:
9.2(2.4), 9.2(3), 9.3(2)
Known Fixed Releases:
100.11(0.58), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Bug Id:
CSCur30351
Title:
CSC-SSM : Evaluation of SSLv3 POODLE vulnerability
Description:

Symptom:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-3566

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
For the CSC web console, we suggest disabling SSLv3 and enabling TLS in the browser or on the CSC web server (Tomcat).

To disable SSLv3, you need to change server.xml (in /opt/trend/isvw/common/Tomcat/conf/):

(1) remove the attribute
sslProtocol="TLS",

(2) add the attribute
sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
For example, it then looks like:
SSLEnabled="true" maxThreads="150" secure="true"
keystoreFile="/opt/trend/isvw/config/.keystore"
keystorePass="changeit" keystoreType="JKS"
clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"

Then restart the UI service. (/opt/trend/isvw/script/ISui restart)

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-3566 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
24-MAY-2015
Known Affected Releases:
6.6, 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 9.3(2), 99.1
Known Fixed Releases:
Bug Id:
CSCuf85524
Title:
Traceback when NULL pointer was passed to the l2p function
Description:

Symptom:
A crash occurs and the console at the time of the crash should say:

" Panic: DATAPATH-0-2764 - _mempool_dma_l2p: Invalid laddr 0x21a0 passed in. DMA pool 0 starts 0x___________ ends 0x_________ DMA pool 1 starts 0x__________ ends 0x__________ "
Conditions:
Establishing AnyConnect DTLS connections. Crash occurs after ~1000.
Workaround:
There are no workarounds.
More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
100.9(0.34), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(6.117), 100.8(27.83), 100.8(38.13), 100.8(40.3), 100.8(41.1), 100.8(60.7), 100.9(0.41), 100.9(6.17), 100.9(7.20)
Bug Id:
CSCtq06062
Title:
SunRPC inspection arithmetic overflow in parse_transport_address
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst
6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

* MSN Instant Messenger (IM) Inspection Denial of Service
vulnerability
* TACACS+ Authentication Bypass vulnerability
* Four SunRPC Inspection Denial of Service vulnerabilities
* Internet Locator Service (ILS) Inspection Denial of Service
vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this advisory.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the
TACACS+ authentication bypass vulnerability, SunRPC Inspection denial
of service (DoS) vulnerabilities and ILS inspection DoS vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Status:
Other
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.25), 100.7(14.13), 100.7(18.1), 100.7(6.44), 100.7(8.34), 100.7(9.58), 100.8(0.19), 100.8(10.25), 100.8(12.26), 100.8(15.5)
Bug Id:
CSCuq76847
Title:
ASA:Page fault traceback ACL FQDN Object-group
Description:

Symptom:
An ASA generated a traceback while updating an FQDN object group.

Conditions:
An ASA must reference FQDN ACLs

Workaround:
no known workaround at this time

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
100.12(10.30), 9.1(2.3), 9.2(1), 9.2(2.4)
Known Fixed Releases:
100.11(0.47), 100.12(0.51), 100.12(22.1), 100.12(6.7), 100.13(0.3), 100.13(12.5), 100.13(13.1), 100.13(14.3), 100.13(15.2), 100.13(16.1)
Bug Id:
CSCsh91747
Title:
SSL VPN stress cause SSL lib error. Function: DO_SSL3_WRITE
Description:

Symptom:
1) SSL VPN stress causes SSL lib error. Function: DO_SSL3_WRITE
2) SSL lib error. Function: SSL3_SETUP_BUFFERS Reason: malloc failure, and the ASA will not
respond to any SSL VPN or ASDM connection
Conditions:
- Continuously running many WebVPN or ASDM connections for a couple of days.
Workaround:
1)Reload the ASA
2)Re-enable the WebVPN.

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
7.2(1), 7.2(3.8), 8.0(0.208), 8.0(0.220), 8.0(2), 8.0(3)
Known Fixed Releases:
7.2(4.1), 8.0(103.9), 8.0(3.11), 8.1(1.2)
Bug Id:
CSCut92194
Title:
ASA crash in Thread Name: CP Processing
Description:

Symptom:
ASA running version 9.3.2 is crashing intermittently on Thread Name: CP Processing.

Conditions:
ASA is configured for Websense url filtering.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.19), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.10), 100.15(2.35)
Bug Id:
CSCus51748
Title:
ASA: SIP inspect failure to translate SDP contents
Description:

Symptom:
Unidirectional audio when a DECT phone is directly connected to the DECT Slave base unit.
ASA is not translating IP addresses in SDP part of SIP packet even with SIP inspection enabled.

Conditions:
Owner/Creator is different from Connection Information in SDP part of packet.

Workaround:
Connect phone to master base unit.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
9.1(4.5)
Known Fixed Releases:
Bug Id:
CSCut95793
Title:
ASA: Anyconnect IPv6 Traceroute does not work as expected
Description:

Symptom:
Traceroute does not work as expected while connected with the AnyConnect VPN client to an ASA running software version 9.0(4)30. Traceroute completes but does not show intermediate hops; instead an asterisk "*" is shown for each intermediate hop.

Conditions:
Anyconnect 3.1.05170
ASA 9.0.4(30), 9.1(4)

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
9.0(4.30)
Known Fixed Releases:
Bug Id:
CSCtc90935
Title:
WebVPN Configuration: ASA 5505 crash during config restoration from ASDM
Description:

Symptom:
5505 may traceback when using restore configuration through ASDM
Conditions:
When ASDM was sending the restore commands to restore the configuration, the
CPU usage went to 99% and after some time it crashed.
Workaround:
Workaround using ASDM -

The workaround for a downgrade to 8.2.1 is either through the ASDM CLI tool, following the instructions below, or:
A) Go to Configuration > Device Management > System Image/Configuration > Boot
Image/Configuration and select only the 8.2.1 boot image.
B) After this, reload using the Tools > System Reload panel. Wait for the ASA to come up
and then go to Tools > Restore Configurations and select the 8.2 backed-up files.

The workaround through CLI -

1) Downgrade image to 8.2.1
2) Restore the config
clear config all
copy flash:8_2_1_startup_cfg.sav running-config

What works -

8.2 image with 8.2 config restore works.
8.3 image with 8.3 config restore works.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
8.2(1), 8.3(0.1)
Known Fixed Releases:
100.3(0.22), 100.4(0.24), 8.2(1.107), 8.2(2), 8.2(2.99), 8.2(4), 8.3(0.6), 8.3(1)
Bug Id:
CSCtq69173
Title:
configuration causes ASA upgrade to go into traceback/boot loop
Description:

Symptom:
System crashes in the malloc package when the 'http' configuration is applied.

Conditions:
ASA 5585-40 or 5585-60 with a IPS-SSP

Workaround:
Do not use the 'http' configuration

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
8.2(5.14), 8.4(1.105)
Known Fixed Releases:
100.7(13.16), 100.7(14.2), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(9.44), 100.8(0.11), 100.8(0.14), 100.8(10.11), 100.8(12.11)
Bug Id:
CSCtx98456
Title:
Time-based license takes over permanent license
Description:

Symptoms:
When you activate a time-based license, then features from both permanent and time-based licenses combine to form the running license. It is
possible for a user to increase the validity period of a time-based license by reapplying the same license on the Cisco ASA.

Conditions:
Cisco ASA with time based licenses.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
8.4
Known Fixed Releases:
Bug Id:
CSCtx65353
Title:
ASA: 8.4 Page fault traceback while displaying "sh run threat-detection"
Description:

Symptom:

ASA may traceback in Thread Name ssh when the 'sh run threat-detection' command is
run.

Conditions:

This was observed in 8.4(2) release. The trigger is not known yet.

Workaround:

None
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.57), 100.7(18.10), 100.7(19.8), 100.8(0.61), 100.8(11.10), 100.8(14.8), 100.8(24.31), 100.8(30.6), 100.8(32.3), 100.9(0.1)
Bug Id:
CSCub53088
Title:
Arsenal:twice NAT with service type ftp not working.
Description:

Symptom:
With many-to-few static PAT, the first FTP data transfer is successful and the second one fails, but after 30 seconds it works again.

Conditions:
When the first data transfer ('ls' or any other data command) is done, it will try to augment the static policy. When a new data request comes, the PAT xlate cannot match because the ports will be different, so it will again try to augment the parent policy, which yields the same address. Because it is a NAT pool, we cannot give back the address while it is in use, so the pool allocation will fail.

Workaround:
configure 1:1 static nat instead of many to few.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
100.8(0.208), 9.0(1), 9.2(1)
Known Fixed Releases:
100.11(0.47), 100.12(0.48), 100.12(6.7), 100.13(0.3), 100.13(11.2), 100.13(12.3), 100.13(13.1), 100.13(14.2), 100.13(15.1), 100.13(16.1)
Bug Id:
CSCuh08432
Title:
Anyconnect sessions do not connect due to uauth failure
Description:

Symptom:
Anyconnect sessions are randomly rejected, both from standalone client and from portal
Conditions:
This is seen randomly after upgrading to 9.0.2. debug webvpn reports: vpn_put_uauth failed!
Workaround:
Issue is not seen on 8.4
More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
9.0(2)
Known Fixed Releases:
100.10(0.6), 100.8(27.84), 100.8(38.23), 100.8(40.14), 100.8(41.2), 100.8(60.29), 100.9(0.53), 100.9(10.1), 100.9(6.29), 100.9(7.36)
Bug Id:
CSCtx68075
Title:
ASA WebVPN breaking when Windows Patch KB2585542 is applied
Description:

Symptom:
After applying Windows security update KB2585542, WebVPN functionality on the ASA can be broken in different ways: not being able to log in at all to
the portal, not being able to authenticate to OWA, ...

Conditions:
Accessing the portal through WEBVPN with a windows PC having KB2585542 installed.

Workaround:
Disable that update for now, follow http://support.microsoft.com/kb/2643584 for directions on that.
At the time of this writing Firefox does not exhibit the same behaviour, but this is expected to change in the future

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
8.2(5.20), 8.4, 8.4(3)
Known Fixed Releases:
100.7(13.59), 100.7(18.10), 100.7(19.8), 100.8(0.65), 100.8(11.10), 100.8(14.9), 100.8(24.35), 100.8(30.6), 100.8(32.5), 100.9(0.1)
Bug Id:
CSCtz46866
Title:
Traceback in Dispatch Unit thread: Address not mapped
Description:

Symptom:
ASA unexpectedly reloads with a traceback in the Dispatch Unit thread
due to Page fault: Address not mapped.

Conditions:
none

Workaround:
none

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
8.4
Known Fixed Releases:
Bug Id:
CSCtn40707
Title:
assert traceback for ifc cfg removal with same-security intra-interface
Description:

Symptom:

Tracebacks seen on standby ASA in thread name: fover_parse when write standby was issued

Conditions:

Active/Standby failover.

This crash will be hit if there are any flows with egress and ingress interface based on same interface (i.e. same-security intra-interface
configured) and clear config interface was issued on that ifc either directly or through config replication...
Write standby was issued on active firewall when standby crashed.

Workaround:

none at this time
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
100.8(0.60), 100.8(2.22), 8.2(5.5), 8.3(1.6), 8.4(2)
Known Fixed Releases:
100.7(13.59), 100.7(18.11), 100.7(19.9), 100.7(20.2), 100.7(6.64), 100.8(0.68), 100.8(11.11), 100.8(14.10), 100.8(24.36), 100.8(32.5)
Bug Id:
CSCtu39738
Title:
ASA 5585 reloads with traceback in Thread Name: NIC status poll
Description:

Symptom:

ASA 5585 may go into a boot loop with traceback in Thread Name: NIC status poll

Before the box enters the traceback you will see several messages on the console that look like
this:

INFO: MIGRATION - Saving the startup configuration to file

INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_4_0_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.2(4) "
.....Failed to change interface status: cannot get channel
*** Output from config line 442, "interface GigabitEtherne..."
Failed to change interface status: cannot get channel
*** Output from config line 443, " shutdown"
Failed to change interface status: cannot get channel
*** Output from config line 448, "interface GigabitEtherne..."
Failed to change interface status: cannot get channel
*** Output from config line 449, " shutdown"
.Failed to change interface status: cannot get channel
*** Output from config line 454, "interface GigabitEtherne..."
Failed to change interface status: cannot get channel
*** Output from config line 455, " shutdown"
Failed to change interface status: cannot get channel

Conditions:

ASA 5585 only. Running 8.4.2 with an IPS SSP installed in slot 1

Workaround:

Remove the IPS SSP from the chassis and the boot loop should end. The trigger for this behavior is related to using the switch on the PSU to power cycle the box. If you have an IPS blade in the chassis and you power cycle the 5585 via the switch on the PSU you may see this behavior.

Call TAC to get your IPS SSP replaced.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
25-MAY-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
Bug Id:
CSCui53710
Title:
ACL Migration to 8.3+ Software Unnecessarily Expands Object Groups
Description:

Symptom:
When upgrading an Adaptive Security Appliance (ASA) from 8.2 and earlier software to 8.3 and later software, Access Control List (ACL) entries which reference object groups may be fully expanded even when the object group in question is not directly referenced in NAT policies. As the result, ACL sizes may increase significantly and the convenience of using object-groups for rule set management is lost.

Conditions:
A member of the object group is referenced within NAT and/or ACL policies.

Workaround:
Rebuild the ACLs to use object groups after the migration.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
8.3(2), 8.4(1), 8.4(1.50), 8.4(6), 9.0(3), 9.1(2)
Known Fixed Releases:
100.10(0.51), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.79), 100.8(40.51), 100.8(46.53), 100.8(51.13), 100.8(56.1), 100.8(56.10)
Bug Id:
CSCuq02741
Title:
ASA traceback on clearing FQDN entry used in ACL and object-group-search
Description:

Symptom:
The ASA might traceback and reload if an FQDN (DNS) object is cleared from the ASA's DNS cache and the command 'object-group-search access-control' is removed from the configuration.

Conditions:
The ASA must be configured with the following features to be susceptible to this problem:
1) An ACL that uses a network object that contains a fqdn entry
2) The command 'object-group-search access-control' must be enabled in the configuration

Workaround:
Disable object-group-search

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
25-MAY-2015
Known Affected Releases:
9.1, 9.2
Known Fixed Releases:
Bug Id:
CSCts13848
Title:
ASA may traceback in dns_process
Description:

Symptom:
Cisco ASA may crash in dns_process

Conditions:
The crash is due to improper handling of DNS queries generated by the
ASA.
The condition for the crash to happen is to have a DNS server configured on
the ASA, e.g.:
dns server-group DefaultDNS
domain xxx

and the ASA triggering a DNS resolution request to the server.

Workaround:
Removing the DNS server command can workaround this issue
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2011-4651 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.8, 8.4(2.10), 8.4(2.7), 8.4(2.8)
Known Fixed Releases:
100.7(13.37), 100.7(14.26), 100.7(17.5), 100.7(18.3), 100.7(6.44), 100.8(0.30), 100.8(0.31), 100.8(0.36), 100.8(0.46), 100.8(0.54)
Bug Id:
CSCso58622
Title:
IPv6: IP services are reachable from the "far side of the box"
Description:

Symptom:

Users can connect to, and interact with the FW via an interface that they are not logically connected to.

Conditions:

PIX or ASA device running 7.x or higher code. Using IPv6 routing and IPv6 enabled services (SSH, Telnet, HTTP, ICMP).

Workaround:

Restrict access to services by IPv6 subnet (i.e. no '::/0'-type config).

Further Problem Description:

Cisco FW products are designed to be 'through the box' type appliances. IPv6 should behave the same way IPv4 does. You should only be
interacting with the box via the interface that you are logically connected to.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE ID CVE-2009-4913 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(3)
Known Fixed Releases:
8.0(103.17), 8.0(103.18), 8.0(3.14), 8.1(1.4)
Bug Id:
CSCty18976
Title:
ASA sends user passwords in AV as part of config command authorization.
Description:

Symptom:
User passwords appear in ACS logs.

Conditions:
A Cisco ASA, when configured with AAA TACACS Config Command Authorization, will transmit the user password as entered in any Config CLI
command that requires both the username and password in the command authorization AVs as part of the command authorization request.

Example of CLI commands:
username password

The is sent as part of the data for config command authorization.

Workaround:
Disable configuration command authorization.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal
resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(0)
Known Fixed Releases:
100.7(13.101), 100.7(13.102), 100.7(6.100), 100.7(6.101), 100.7(6.102), 100.8(0.240), 100.8(11.39), 100.8(11.40), 100.8(27.20), 100.8(33.24)
Bug Id:
CSCsu11575
Title:
Cisco ASA may reload after receiving certain IPv6 packets
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines details of these vulnerabilities:

* Windows NT Domain Authentication Bypass Vulnerability
* IPv6 Denial of Service Vulnerability
* Crypto Accelerator Memory Leak Vulnerability

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.1(101.8)
Known Fixed Releases:
7.2(4.11), 8.0(4.5), 8.0(5), 8.1(1.100), 8.2(0.151)
Bug Id:
CSCts33180
Title:
Security Issue in Apache
Description:

Summary
A denial of service vulnerability has been found in the way multiple overlapping ranges are handled by the Apache HTTPD server. Multiple Cisco products could be affected by this vulnerability.

Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=24024

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110830-apache.shtml.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:U/RC:C

CVE ID CVE-2011-3192 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
108.2(144.4)
Known Fixed Releases:
Bug Id:
CSCsz21934
Title:
ASA AAA should treat RA username as case-insensitive
Description:

Symptom:
Session management in ASA does case-sensitive string comparisons. If the AAA server treats
usernames as case-insensitive (eg. RADIUS/ACS), then users can log on multiple times with the
same username and different capitalization, regardless of the vpn-simultaneous-logins setting.

Conditions:
ASA using external AAA server that treats username as case-insensitive.

Workaround:

Use an AAA server that differentiates between same usernames with different capitalizations.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 4.0/3.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C

CVE ID CVE-2011-2554 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.8(0.52), 100.8(0.55), 100.8(11.6), 100.8(11.7), 100.8(14.4), 100.8(15.21), 100.8(15.22), 100.8(19.63), 100.8(24.23), 100.8(24.26)
Bug Id:
CSCsq19369
Title:
URI Processing Error in Clientless SSL VPN connections
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:

Erroneous SIP Processing Vulnerabilities

IPSec Client Authentication Processing Vulnerability

SSL VPN Memory Leak Vulnerability

URI Processing Error Vulnerability in SSL VPNs

Potential Information Disclosure in Clientless VPNs

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(3.13), 8.3
Known Fixed Releases:
8.0(103.24), 8.0(3.15), 8.1(1.5)
Bug Id:
CSCtg33872
Title:
EIGRP Secure Coding Issue
Description:

Symptoms
The Cisco ASA EIGRP code needs to be improved to follow Secure C best practices.

Conditions
Not Applicable.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or
involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue,
please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0, 8.3(1)
Known Fixed Releases:
100.5(5.53), 100.7(0.71), 100.7(11.2), 100.7(6.14), 100.7(8.3), 8.4(0.117), 8.4(1), 8.4(1.99), 8.4(2), 8.5(0.99)
Bug Id:
CSCts44777
Title:
ASA: Traceback in ci/console when changing to multiple context mode
Description:

Symptom:

After running the 'mode multiple' command, the ASA may generate a traceback and reload in the ci/console thread.

Conditions:

A user must execute the 'mode multiple' command.

Workaround:

There is no known workaround.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5.12)
Known Fixed Releases:
Bug Id:
CSCtw35765
Title:
Threat Detection Denial Of Service Vulnerability
Description:

Symptom:

Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) are affected by the following
vulnerabilities:

Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
Cisco ASA Threat Detection Denial of Service Vulnerability
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
Protocol-Independent Multicast Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

Note: The Cisco Catalyst 6500 Series Firewall Services Module (FWSM) may be affected by some of the vulnerabilities above.
A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-fwsm

Conditions:
See PSIRT Security Advisory.

Workaround
See PSIRT Security Advisory.

Further Problem Description:
See PSIRT Security Advisory.

PSIRT Evaluation:
Cisco has released free software updates that address this vulnerability.
Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html



Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(4.4)
Known Fixed Releases:
100.7(13.44), 100.7(13.55), 100.7(13.65), 100.7(14.38), 100.7(17.8), 100.7(18.4), 100.7(18.9), 100.7(19.8), 100.7(6.52), 100.7(6.62)
Bug Id:
CSCta56639
Title:
ASA5580: Traceback in Thread Name: DATAPATH-2-604 due to SIP
Description:

Symptom:
Cisco ASA 5580 may experience a crash in rare circumstances with software version 8.1.2(23). This is experienced after receiving a series of SIP messages.

Note: The crash is no longer experienced after the customer moved to 8.1.2(29).

Conditions:
Cisco ASA 5580 running software version 8.1.2(23) and configured for SIP inspection.

Workaround:
The crash is no longer experienced on software release 8.1.2(29) or later.

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.1(2.23)
Known Fixed Releases:
Bug Id:
CSCsy22484
Title:
Cisco ASA may traceback after processing certain TCP packets
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:

* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability

Workarounds are available for some of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4), 8.2
Known Fixed Releases:
7.0(8.6), 7.1(2.81), 7.2(4.30), 8.0(4.28), 8.1(2.162), 8.1(2.19), 8.2(0.228), 8.2(4)
Bug Id:
CSCtn62697
Title:
ACL bypassed when NAT/PAT is configured on external interface
Description:

Symptoms:
Customer reports that ACLs are bypassed when NAT/PAT is configured on the external interface. The TAC filed this bug to track this issue. After
further troubleshooting with the development team, it was found that this was a misconfiguration.

Conditions:
Cisco ASA with default configuration.
Not a bug - false positive.

Workaround:
Not applicable.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(3)
Known Fixed Releases:
Bug Id:
CSCuq77655
Title:
Cisco ASA DNS Memory Exhaustion Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA Failover Command Injection Vulnerability
Cisco ASA DNS Memory Exhaustion Vulnerability
Cisco ASA VPN XML Parser Denial of Service Vulnerability

Successful exploitation of the Cisco ASA Failover Command Injection Vulnerability would allow an attacker to submit failover commands to the failover units, which may result in an attacker taking full control of the systems.

Successful exploitation of the Cisco ASA DNS Memory Exhaustion Vulnerability may result in system instability and dropped traffic.

Successful exploitation of the Cisco ASA VPN XML Parser Denial of Service Vulnerability may result in a crash of the WebVPN process, which may lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system.


Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for the Cisco ASA Failover Command Injection Vulnerability and Cisco ASA DNS Memory Exhaustion Vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa

Note: The resolution of the vulnerability in the Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability, cisco-sa-20150408-cxfp, released on the 8th of April may require an upgrade of the Cisco ASA Software release. Cisco ASA customers should review cisco-sa-20150408-cxfp before deciding which Cisco ASA Software release to upgrade to.

The Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2015-0676 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases:
100.11(0.48), 100.12(0.52), 100.12(22.1), 100.12(6.8), 100.13(0.3), 100.13(12.6), 100.13(13.1), 100.13(14.3), 100.13(15.2), 100.13(16.1)
Bug Id:
CSCuc88741
Title:
Cisco ASA 1000V Firewall H.323 Inspection DoS Vulnerability
Description:


A vulnerability in Cisco Adaptive Security Appliance (ASA) Software for the Cisco ASA 1000V Cloud Firewall may cause the Cisco ASA 1000V to
reload after processing a malformed H.323 message. Cisco ASA 1000V Cloud Firewall is affected when H.323 inspection is enabled.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130116-asa1000v

Note: Only Cisco ASA Software for the Cisco ASA 1000V Cloud Firewall is affected by the vulnerability described in this advisory. Cisco ASA 5500
Series Adaptive Security Appliances, Cisco Catalyst 6500 Series ASA Services Module or Cisco Catalyst 6500 Series Firewall Services Module
(FWSM) are not affected by this vulnerability.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.0(0.128), 9.0(0.137)
Known Fixed Releases:
100.7(13.106), 100.7(6.104), 100.8(0.244), 100.8(11.48), 100.8(27.20), 100.8(33.29), 100.8(34.1), 100.8(38.1), 100.8(39.2), 100.9(0.6)
Bug Id:
CSCua76991
Title:
9K block exhaustion after 1 M PPS for any CP based inspect packet
Description:

Symptoms:
9K block exhaustion after sending 1M PPS SIP messages to port 5060
Conditions:
1 M PPS SIP UDP traffic.
Workaround:
None

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.5(1.220)
Known Fixed Releases:
8.5(1.221)
Bug Id:
CSCso69942
Title:
Traceback in Remote Access Authentication Code
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:

Erroneous SIP Processing Vulnerabilities

IPSec Client Authentication Processing Vulnerability

SSL VPN Memory Leak Vulnerability

URI Processing Error Vulnerability in SSL VPNs

Potential Information Disclosure in Clientless VPNs

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
7.2(2.19)
Known Fixed Releases:
7.2(4.2), 8.0(103.23), 8.0(3.14), 8.1(1.4)
Bug Id:
CSCsu76101
Title:
Traceback in thread name Dispatch Unit
Description:

Symptom:

Traceback on ASA when using the AnyConnect client together with inspections
such as VoIP, HTTP, SunRPC and SQL*Net.

Workaround:

1) Disable all inspections that use the TCP proxy and flow over SVC/AnyConnect.
These include the following inspections:
VOIP (h323, skinny, sip)
RTSP
SQLNET
HTTP
SUNRPC

2) Alternatively, disable DTLS and enable SVC compression:
svc dtls none
comp svc

Further Problem Description:

Problem looks to be an interaction among CP TCP proxy, SVC (anyconnect)
and tcpmod. In the data pipeline, CP TCP proxy is performed before SVC
and SVC is performed before tcpmod.

The problem occurs when CP TCP proxy modifies data that have been
forwarded to and queued in tcpmod. The unanticipated modification
corrupts state information (specifically TCP sliding window) maintained
by tcpmod.

tcpmod eventually crashes when the corrupted state information is
used.

Enabling compression causes SVC to perform a packet copy received from
CP TCP proxy before forwarding to tcpmod. Since a copy of the packet
is forwarded, the "unanticipated modification" is done to the released
packet and not to the packet queued in tcpmod.
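The interaction described above, as an added toy model that is not Cisco's code and not part of this bug record: three stages in the order the bug text gives (CP TCP proxy, then SVC, then tcpmod), with tcpmod recording its window state when a segment is queued and the proxy editing the very same segment afterwards. The packet layout, the sequence bookkeeping and the kind of rewrite the proxy performs are assumptions made for the illustration; only the stage order and the copy that compression introduces come from the bug text.

```python
"""Added example, not Cisco's code: toy model of the interaction described
in the bug (CP TCP proxy -> SVC -> tcpmod). Packet layout, the sequence
bookkeeping and the proxy's late in-place rewrite are assumptions made for
the illustration; only the stage order and the copy-on-compression
behaviour come from the bug text.
"""
import copy


class WindowCorruption(Exception):
    """Raised where the real tcpmod would crash on inconsistent state."""


class Packet:
    def __init__(self, seq, payload):
        self.seq = seq
        self.payload = payload


class TcpMod:
    """Last stage: records the sliding window when a packet is queued and
    trusts that record when it later consumes the queue."""

    def __init__(self, isn):
        self.next_seq = isn
        self.queue = []          # (packet, end-of-segment seq as queued)

    def enqueue(self, pkt):
        if pkt.seq != self.next_seq:
            raise WindowCorruption("out of order: seq %d, expected %d"
                                   % (pkt.seq, self.next_seq))
        end = pkt.seq + len(pkt.payload)   # bookkeeping from the packet as it is NOW
        self.queue.append((pkt, end))
        self.next_seq = end

    def drain(self):
        """Consume the queue. A queued packet that no longer matches the window
        state recorded at enqueue time means the state is corrupt: that is
        the crash the bug describes."""
        out = b""
        for pkt, end in self.queue:
            if pkt.seq + len(pkt.payload) != end:
                raise WindowCorruption("payload changed after queueing: window end %d, now %d"
                                       % (end, pkt.seq + len(pkt.payload)))
            out += pkt.payload
        return out


class Svc:
    """Middle stage (AnyConnect/SVC). With compression on it forwards a COPY,
    which is why the 'enable svc compression' workaround masks the bug."""

    def __init__(self, tcpmod, compression):
        self.tcpmod = tcpmod
        self.compression = compression

    def forward(self, pkt):
        self.tcpmod.enqueue(copy.deepcopy(pkt) if self.compression else pkt)


class CpTcpProxy:
    """First stage. Forwards each packet but keeps a reference and may
    rewrite the payload later (assumed inspection-style edit)."""

    def __init__(self, svc):
        self.svc = svc
        self.held = []

    def forward(self, pkt):
        self.svc.forward(pkt)
        self.held.append(pkt)

    def late_rewrite(self, old, new):
        for pkt in self.held:            # edits the shared object in place
            pkt.payload = pkt.payload.replace(old, new)


def run_pipeline(compression):
    """Two segments go through, then the proxy edits them after the fact.
    Returns what tcpmod delivers, or raises WindowCorruption."""
    tcpmod = TcpMod(isn=1000)
    proxy = CpTcpProxy(Svc(tcpmod, compression))
    first = b"GET /a HTTP/1.1\r\n"
    proxy.forward(Packet(1000, first))
    proxy.forward(Packet(1000 + len(first), b"Host: x\r\n"))
    proxy.late_rewrite(b"/a", b"/rewritten")   # changes the payload length
    return tcpmod.drain()


def pipeline_is_corrupted(compression):
    """True when tcpmod's recorded window no longer matches its queue."""
    try:
        run_pipeline(compression)
    except WindowCorruption:
        return True
    return False


if __name__ == "__main__":
    for comp in (False, True):
        print("compression=%s corrupted=%s" % (comp, pipeline_is_corrupted(comp)))
```

The general point is ownership of a buffer that crosses a stage boundary: once the proxy has handed the segment on, either it must stop touching it or the consumer must copy whatever it keys its state on. The compression workaround happens to supply that copy; it does not make the proxy's late edit safe.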

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
7.2(4.3), 8.0(3.19), 8.0(4), 8.0(4.3), 8.0(4.8)
Known Fixed Releases:
7.2(205.1), 7.2(4.25), 8.0(4.22), 8.0(5), 8.1(2.12), 8.2(0.201), 8.2(1)
Bug Id:
CSCsr28008
Title:
PAT src port allocation policy negates effect of host port alloc. policy
Description:

Port Address Translation (PAT) is a form of Network Address Translation
(NAT) that allows multiple hosts in a private network to access a public
network using a single, public IP address. This is accomplished by
rewriting layer 4 information, specifically TCP and UDP source port
numbers and checksums, as packets from the private network traverse a
network device that is performing PAT. PAT is configured by network
administrators and performed by network devices such as firewalls and
routers in situations where public IP addresses are limited.

After the initial multi-vendor DNS advisory was published on July
8th, 2008 it was discovered that in some cases the fixes to DNS
implementations to use random source ports when sending DNS queries
could be negated when such queries traverse PAT devices. The reason
for this is that in these cases the network device performing PAT
uses a predictable source port allocation policy, such as incremental
allocation, when performing the layer 4 rewrite operation that is
necessary for PAT. Under this scenario, the fixes made by DNS vendors
can be greatly diminished because, while DNS queries seen on the
inside network have random source port numbers, the same queries have
potentially predictable source port numbers when they leave the private
network, depending on the type of traffic that transits through the
device.

Several Cisco products are affected by this issue, and if DNS servers
are deployed behind one of these affected products operating in PAT mode
then the DNS infrastructure may still be at risk even if source port
randomization updates have been applied to the DNS servers.

This bug is for the Cisco ASA software and for Cisco PIX software 7.0.x
and later, which use an incremental source port allocation policy when
performing the source port rewrite operation that is needed for PAT.

Note that traditional NAT, i.e. allocating one public IP address for
each private IP address, is not affected by this problem because, unlike
PAT, NAT only rewrites layer 3 information and does not modify layer 4
header information of packets traversing the NAT device.

For more information about the DNS vulnerability mentioned above please
refer to the multi-vendor advisory at:

http://www.kb.cert.org/vuls/id/800113

or at the Cisco-specific advisory at:

http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
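The port-allocation problem described above, as an added illustration that is not Cisco's code or part of this bug record: a resolver behind a PAT device picks random source ports, the simulated PAT device re-allocates them either incrementally (the behaviour this bug describes) or randomly, and a check classifies the ports as an attacker would see them from the outside. The port range, the sample size, the seed and the 20% threshold are assumptions; the check itself is what you would run over DNS query source ports captured on the outside interface of the PAT device.

```python
"""Added example, not Cisco's code: DNS source-port randomization behind PAT.

The inside resolver is assumed to be patched (random ephemeral ports). The
PAT device is modelled only as 'incremental' or 'random' allocation, as the
bug text describes; the port range, sample size and threshold are assumptions.
"""
import math
import random
from collections import Counter

EPHEMERAL = (1024, 65535)  # assumed resolver/PAT port range


def resolver_query_ports(n, rng):
    """Inside view: a patched resolver picks a fresh random port per query."""
    return [rng.randint(*EPHEMERAL) for _ in range(n)]


def pat_incremental(inside_ports, start=EPHEMERAL[0]):
    """Outside view behind a PAT that hands out source ports sequentially.
    The resolver's randomness never reaches the wire; only the count matters."""
    return [start + i for i in range(len(inside_ports))]


def pat_random(inside_ports, rng):
    """Outside view behind a PAT that picks a random free port per flow."""
    free = list(range(EPHEMERAL[0], EPHEMERAL[1] + 1))
    rng.shuffle(free)
    return free[:len(inside_ports)]


def sequential_fraction(ports):
    """Share of successive observations whose port is exactly previous + 1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def port_entropy_bits(ports):
    """Shannon entropy of the observed ports. It does NOT expose the problem:
    200 distinct sequential ports score exactly like 200 distinct random
    ones, so checking that ports are not reused is not enough."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def ports_look_predictable(ports, max_sequential=0.2):
    """Check to run on source ports of DNS queries captured on the OUTSIDE
    interface of the PAT device. If most successive queries step by +1 an
    attacker can guess the next query's port, which is what the 2008 DNS
    fixes were meant to prevent."""
    return sequential_fraction(ports) > max_sequential


def simulate(n=200, seed=2008):
    """Run the three views over one batch of queries; returns the verdicts."""
    rng = random.Random(seed)
    inside = resolver_query_ports(n, rng)
    return {
        "inside": ports_look_predictable(inside),
        "incremental_pat": ports_look_predictable(pat_incremental(inside)),
        "random_pat": ports_look_predictable(pat_random(inside, rng)),
    }


if __name__ == "__main__":
    rng = random.Random(2008)
    inside = resolver_query_ports(200, rng)
    for name, outside in (("incremental PAT", pat_incremental(inside)),
                          ("random PAT", pat_random(inside, rng))):
        print("%-16s sequential=%.2f entropy=%.2f bits predictable=%s" % (
            name, sequential_fraction(outside), port_entropy_bits(outside),
            ports_look_predictable(outside)))
```

The step-pattern check, not the entropy, is what separates the two cases: both PAT policies hand out distinct ports, but only one of them lets an attacker predict the next one. Capture the outside view, not the resolver's own view, because the resolver will report random ports either way.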

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
7.0(8), 7.1(2), 7.2(4), 8.0(3)
Known Fixed Releases:
7.0(8.1), 7.1(2.74), 7.2(4.9), 8.0(3.32), 8.1(1.8), 8.1(101.4), 8.2(0.140)
Bug Id:
CSCui77398
Title:
Cisco ASA Crafted ICMP Packet Denial of Service Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability
Crafted ICMP Packet Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability, and Clientless SSL
VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management
(ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Successful exploitation of the Crafted ICMP Packet Denial of Service Vulnerability may result in valid connections passing through or directed to
the affected system to be torn down or cause a reload of the system, leading to a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
8.5/7.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:OF/RC:C
CVE ID has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(7), 9.0(3), 9.0(3.2), 9.1(2.101), 9.1(2.7), 9.1(3.249)
Known Fixed Releases:
100.10(0.14), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(13.118), 100.7(6.122), 100.8(38.33), 100.8(40.22), 100.8(41.2), 100.8(45.2)
Bug Id:
CSCum00556
Title:
Cisco ASA HPM Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3385 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4, 9.1(4)
Known Fixed Releases:
100.10(0.76), 100.10(2.7), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.11(4.1), 100.7(6.129), 100.8(38.111), 100.8(40.59), 100.8(56.17)
Bug Id:
CSCtl67487
Title:
Unbounded strcpy in dnss_gprocess_domain_name()
Description:

Symptoms:
This is a modification on the product to adopt new secure code best practices to enhance the security posture and resiliency of the product.

Conditions:
Device configured with default configuration.

Workaround:
Not applicable or available.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(2.6)
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.24), 100.7(8.14), 100.7(9.4), 8.3(2.26), 8.4(1.99), 8.4(2)
Bug Id:
CSCtk74668
Title:
ASA 8.2.2 traceback; Assert failure in Thread Name: IP Thread
Description:

Symptom:

The ASA will generate a crashinfo file and reload.

Conditions:

The 'show crashinfo' output will show a recent traceback in Thread Name: IP Thread. It will also read "Abort: Assert failure".

Workaround:

None

PSIRT Evaluation:

The Cisco PSIRT has evaluated this issue and determined it does not meet
the criteria for PSIRT ownership or involvement due to the fact that the
bug cannot be reproduced.

If you believe that there is new information that would cause a change
in the severity of this issue, please contact psirt@cisco.com for
another evaluation.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
Bug Id:
CSCtl67486
Title:
ASA MSN inspection causes Watchdog
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

* MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
* TACACS+ Authentication Bypass vulnerability
* Four SunRPC Inspection Denial of Service vulnerabilities
* Internet Locator Service (ILS) Inspection Denial of Service vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the TACACS+ authentication bypass vulnerability, the SunRPC Inspection denial of service (DoS) vulnerabilities and the ILS inspection DoS vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(2.6)
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.24), 100.7(8.16), 100.7(9.5), 7.2(5.3), 8.0(5.25), 8.1(2.50)
Bug Id:
CSCtg06316
Title:
Insufficient performance during the packet flood
Description:

Symptom:

ASA platform connection per second rates can be exceeded causing the ASA to
exhibit high CPU (99%). The Cisco ASA does not experience a device reload
but may not be able to satisfy new connection requests.

Conditions:
Cisco ASA subjected to packet floods which exceed its connection per second
rates using malformed packets (at PPS rates several times less than the
datasheet max).

Workaround:
There are no available workarounds other than dropping the offending packets
by applying an ACL on the Cisco ASA or on a transient device.
Administrators are advised to consider these protection methods to be general
security best practices for infrastructure devices and the traffic that
transits the network.

Cisco IOS Software can provide effective means of exploit prevention using
Infrastructure access control lists (iACLs).

This protection mechanism filters and drops packets that are attempting to
exploit this vulnerability.

Cisco IOS NetFlow records can provide visibility into network-based
exploitation attempts.

Cisco IOS Software, Cisco ASA and Cisco PIX security appliances, and FWSM
firewalls can provide visibility through syslog messages and counter values
displayed in the output from show commands.
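The visibility and ACL workaround described above, as an added example that is not Cisco's code or part of this bug record: it reads ASA syslog, finds the sources whose per-second rate of connection builds or out-of-state TCP denies stands out, and produces the deny entries to place ahead of the permits in the inbound ACL. Message IDs 302013 (connection built) and 106015 (TCP segment denied, no matching connection) are real ASA messages; the addresses, interface and access-list names, the threshold and the sample log lines are constructed for the illustration.

```python
"""Added example, not Cisco's code: pick out the sources behind a connection
flood from ASA syslog and produce the ACL lines that would drop them.

Message IDs 302013 (connection built) and 106015 (TCP segment denied, no
matching connection) are real ASA messages; the addresses, interface and
access-list names and the threshold are assumptions, and the log lines are
constructed here in the shape they take with 'logging timestamp' enabled.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$")

# Where the source address sits in the body of each message we count.
SRC_RE = {
    "302013": re.compile(r" for \w+:(?P<src>[\d.]+)/\d+ "),
    "106015": re.compile(r" from (?P<src>[\d.]+)/\d+ to "),
}


def parse_line(line):
    """Return (timestamp, msgid, source IP) or None for lines we do not count."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_re = SRC_RE.get(m["msgid"])
    if src_re is None:
        return None
    s = src_re.search(m["body"])
    if s is None:
        return None
    return datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["msgid"], s["src"]


def peak_rate_per_source(lines):
    """Highest number of counted events per source in any one second."""
    per_second = defaultdict(lambda: defaultdict(int))   # src -> second -> count
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, _, src = parsed
            per_second[src][ts] += 1
    return {src: max(counts.values()) for src, counts in per_second.items()}


def flood_sources(lines, threshold):
    """Sources whose peak per-second rate reaches the threshold."""
    return sorted(src for src, rate in peak_rate_per_source(lines).items()
                  if rate >= threshold)


def deny_acl(acl_name, sources):
    """ASA ACL entries for the offenders; they must precede the permit entries
    of the access-group applied inbound on the outside interface."""
    return ["access-list %s extended deny ip host %s any" % (acl_name, src)
            for src in sources]


def build_sample_log():
    """Constructed log: one normal client, one host sending 60 out-of-state
    TCP segments within a single second, and one line we do not count."""
    lines = []
    for i in range(3):
        lines.append(
            f"Jun 01 2015 17:10:0{5 + i}: %ASA-6-302013: Built inbound TCP connection {4711 + i} "
            f"for outside:198.51.100.7/5100{i} (198.51.100.7/5100{i}) "
            f"to inside:192.0.2.10/443 (192.0.2.10/443)")
    for i in range(60):
        lines.append(
            f"Jun 01 2015 17:10:06: %ASA-6-106015: Deny TCP (no connection) "
            f"from 203.0.113.5/{40000 + i} to 192.0.2.10/80 flags ACK on interface outside")
    lines.append('Jun 01 2015 17:10:06: %ASA-4-106023: Deny udp src outside:203.0.113.9/1234 '
                 'dst inside:192.0.2.10/53 by access-group "outside_in" [0x0, 0x0]')
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print(peak_rate_per_source(log))
    for entry in deny_acl("outside_in", flood_sources(log, threshold=50)):
        print(entry)
```

Feed it the collector's file or the output of show logging; the threshold has to come from the platform's own connection-per-second figure, and a per-source deny only helps when the flood comes from a few addresses that are not spoofed. For spoofed floods the infrastructure ACL on the upstream router, as the bug text suggests, is the better place to drop the traffic.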


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C

CVE ID CVE-2010-4673 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found
at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4), 8.2(2)
Known Fixed Releases:
Bug Id:
CSCua22709
Title:
SSL VPN Web Portal Denial of Service Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
* IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
* SQL*Net Inspection Engine Denial of Service Vulnerability
* Digital Certificate Authentication Bypass Vulnerability
* Remote Access VPN Authentication Bypass Vulnerability
* Digital Certificate HTTP Authentication Bypass Vulnerability
* HTTP Deep Packet Inspection Denial of Service Vulnerability
* DNS Inspection Denial of Service Vulnerability
* AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
* Clientless SSL VPN Denial of Service Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVE ID CVE-2013-5515 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(5.27)
Known Fixed Releases:
100.7(13.111), 100.7(6.108), 100.8(27.63), 100.8(50.30), 100.9(0.33), 100.9(4.2), 100.9(6.6), 100.9(7.9), 100.9(8.1), 8.2(5.43)
Bug Id:
CSCum46027
Title:
Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, including but not limited to cross-site scripting (XSS), credential theft, or redirection of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3382 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
100.10(9.6), 100.7(6.130), 100.8(38.126), 100.8(40.64), 100.8(56.32), 100.8(63.2), 100.8(64.6), 100.8(65.4), 100.8(66.7), 7.2(5.13)
Bug Id:
CSCtt32565
Title:
Specific closing sequence may cause ESMTP inspect to hog CPU for 1+ sec
Description:


Symptom:
Under certain traffic situations, ESMTP inspection on the PIX/ASA platform may cause high CPU without much traffic load.

Conditions:
This has been seen on ASA Firewalls that have ESMTP inspection enabled.

Workaround:
Disable ESMTP inspection by removing the 'inspect esmtp' line from your policy-maps.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2011-4006 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5.14), 8.4(2.11)
Known Fixed Releases:
100.7(13.42), 100.7(14.36), 100.7(17.5), 100.7(18.4), 100.7(6.50), 100.7(8.34), 100.8(0.38), 100.8(11.2), 100.8(15.12), 100.8(19.31)
Bug Id:
CSCtu16462
Title:
Nessus security scanner scan causes webvpn error recovery
Description:

Symptom:
The ASA WebVPN component crashes when you run a Nessus security scanner scan against it.

Conditions:
ASA is running webvpn and the scanner is Nessus security scanner.

Workaround:
None.

Further Problem Description:
Note: Only the WebVPN process is backtracing. The ASA remains stable and continues forwarding traffic. All WebVPN components (portal, AnyConnect) are affected by this issue.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:U/RC:C
CVE ID CVE-2011-4655 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(4)
Known Fixed Releases:
Bug Id:
CSCsx37414
Title:
DA: Acct-disable-override:User can login with bad secondary credentials
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:

* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability

Workarounds are available for some of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 8.2(0.211), 8.2(1), 8.2(4)
Bug Id:
CSCte20030
Title:
5580 traceback at inspect_sip on running more than 600 calls
Description:

Symptoms:
Cisco ASA 5580 may experience a device reload due to SIP inspection

** This was only experienced during internal testing, in code that was never released to customers. It was fixed prior to first customer shipment (FCS).


Conditions:
Cisco ASA configured with SIP inspection.

Workaround:
Disable SIP inspection if not needed.


PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(0.14)
Known Fixed Releases:
100.5(5.2), 100.7(13.105), 100.7(6.104), 100.8(0.243), 100.8(11.43), 100.8(27.20), 100.8(33.28), 100.8(34.1), 100.8(38.3), 100.8(39.1)
Bug Id:
CSCtx33347
Title:
Standby ASA traceback while trying to replicate xlates
Description:

Symptom:
The standby ASA may generate a traceback and reload while it is trying to replicate the translation (xlate) entries.

Conditions:
Observed on ASA 5580 and 5585 platforms in failover environment


Workaround:
There is no known workaround at this time.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html



Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(2), 8.4(3)
Known Fixed Releases:
100.7(13.57), 100.7(13.87), 100.7(18.10), 100.7(19.8), 100.7(6.63), 100.7(6.85), 100.8(0.181), 100.8(0.63), 100.8(11.10), 100.8(11.28)
Bug Id:
CSCsy80694
Title:
ASA's DOM wrapper issue- Clientless XSS
Description:

Summary:

There is a vulnerability in the Cisco ASA due to insufficient restrictions on access to the JavaScript-based Document Object Model (DOM) that the SSL VPN feature of Cisco ASA uses when clients browse web pages using the VPN web portal. If an unauthenticated, remote attacker can convince a user to visit a malicious page while the user is logged in to the secure portal, the attacker could use this vulnerability to execute arbitrary script or HTML code in the security context of the affected site.

Workarounds:
No workaround exists in the Cisco ASA. However, additional mitigation information for XSS attacks can be found in the following Applied Mitigation Bulletin (AMB): http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
8.0(4.161), 8.0(4.215), 8.0(4.33), 8.0(5), 8.1(2.165), 8.1(2.24), 8.2(1.2), 8.2(4)
Bug Id:
CSCtf69525
Title:
ASA Crashes with crafted TLS packet
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
Bug Id:
CSCup36829
Title:
Cisco ASA SSL VPN Portal Customization Integrity Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, including but not limited to cross-site scripting (XSS), credential theft, or redirection of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.3/6.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:C/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2014-3393 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.1(2.7), 9.1(5.231)
Known Fixed Releases:
100.11(0.28), 100.11(5.40), 100.11(6.4), 100.12(0.14), 100.12(1.5), 100.12(12.2), 100.12(13.8), 100.12(15.2), 100.12(16.6), 100.12(17.10)
Bug Id:
CSCul36176
Title:
Cisco ASA VPN Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, including but not limited to cross-site scripting (XSS), credential theft, or redirection of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3383 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.10(0.42), 100.8(38.72), 100.8(40.45), 9.1(4.3), 9.1(5)
Known Fixed Releases:
100.10(0.46), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.74), 100.8(40.48), 100.8(46.47), 100.8(51.10), 100.9(10.18), 9.1(5.1)
Bug Id:
CSCum96401
Title:
Cisco ASA IKEv2 Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, including but not limited to cross-site scripting (XSS), credential theft, or redirection of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3384 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(4.3)
Known Fixed Releases:
100.10(9.6), 100.7(6.129), 100.8(38.117), 100.8(40.61), 100.8(56.21), 100.8(62.2), 100.8(64.3), 100.8(65.3), 100.8(66.4), 100.8(67.1)
Bug Id:
CSCsm68097
Title:
SSH resource exhausted preventing further sessions
Description:

Symptom:
In rare cases, SSH management sessions can become locked, preventing further SSH connections from being established to the ASA.

Conditions:
ASA 8.0(2), 8.0(3)
SSH enabled

Workaround:
A reload will clear the hung SSH sessions. Other management access methods (Telnet, console) continue to function.

Other Notes:
Following best practices, it is always advisable to accept SSH only from trusted hosts.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(2), 8.0(3)
Known Fixed Releases:
7.0(7.12), 7.1(2.70), 7.2(3.21), 7.2(4), 8.0(3.10), 8.1(1.2), 8.2(0.100)
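Each record ends with Known Affected Releases and Known Fixed Releases lists written in ASA's major.minor(maintenance.interim) notation. The following added example (not Cisco's code, and not part of the original alert) parses that notation and triages a running release against one record; the release strings it carries are those of the CSCsm68097 record above. It assumes that within one maintenance train every release at or after the first listed fixed release carries the fix, and that entries with a major number of 100 or more are Cisco internal builds that customers do not run. A train with no listed fix is reported as unknown rather than guessed.

```python
"""Decide whether a running ASA release carries a bug record's fix.

Added example, not Cisco's code. It parses the release notation used in the
'Known Affected Releases' / 'Known Fixed Releases' fields above and compares
within one maintenance train. Assumptions: a release at or after the first
listed fix in its major.minor train contains the fix; entries with major >= 100
are Cisco internal builds and are ignored; a train with no listed fix is unknown.
"""
from __future__ import annotations
import re

# Copied from the CSCsm68097 record above.
CSCsm68097_AFFECTED = "8.0(2), 8.0(3)"
CSCsm68097_FIXED = "7.0(7.12), 7.1(2.70), 7.2(3.21), 7.2(4), 8.0(3.10), 8.1(1.2), 8.2(0.100)"

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)(?:\.(\d+))?\))?$")


def parse_release(text: str) -> tuple[int, int, int, int]:
    """'8.4(2.11)' -> (8, 4, 2, 11); '8.2(4)' -> (8, 2, 4, 0); '8.2' -> (8, 2, 0, 0)."""
    match = _RELEASE_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised ASA release string {text!r}")
    major, minor, maint, interim = match.groups()
    return int(major), int(minor), int(maint or 0), int(interim or 0)


def split_release_list(field: str) -> list[tuple[int, int, int, int]]:
    """Parse a comma-separated 'Known ... Releases:' field into sortable tuples."""
    return [parse_release(item) for item in field.split(",") if item.strip()]


def is_affected(running: str, affected_field: str) -> bool:
    """Exact match: Cisco lists the releases the bug was observed on, not a range."""
    return parse_release(running) in split_release_list(affected_field)


def is_fixed(running: str, fixed_field: str) -> bool | None:
    """True/False within a train that has a listed fix; None when the train is not listed."""
    run = parse_release(running)
    train_fixes = [fix for fix in split_release_list(fixed_field)
                   if fix[0] < 100 and fix[:2] == run[:2]]   # same train, customer builds only
    if not train_fixes:
        return None
    return run >= min(train_fixes)


def triage(running: str, affected_field: str, fixed_field: str) -> str:
    """One-word verdict for a running release against one bug record."""
    if is_affected(running, affected_field):
        return "listed-affected"
    fixed = is_fixed(running, fixed_field)
    if fixed is None:
        return "unknown"
    return "fixed" if fixed else "below-fix"


if __name__ == "__main__":
    for release in ("8.0(3)", "8.0(3.10)", "8.0(4)", "7.2(3)", "8.3(1)"):
        print(f"{release:>9}: {triage(release, CSCsm68097_AFFECTED, CSCsm68097_FIXED)}")
```

The "unknown" verdict is deliberate: a record that lists fixes only for 8.0 and 8.2 says nothing about an 8.3 train, and the interim-only 100.x entries that dominate many of the lists above never reach customers, so treating either as evidence of a fix would be a false negative in an audit.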
Bug Id:
CSCts89962
Title:
SSH memory leak in ssh2_authenticate()
Description:

Symptoms:
Malformed SSH version 2 packets may cause a memory leak on a Cisco ASA configured for SSH.

Conditions:

This issue is observed on a Cisco ASA configured for SSH version 2 after it has received malformed SSHv2 packets. Successful exploitation may cause system degradation or a partial denial of service condition on an affected device.

Workaround:
The only workaround is to disable SSH version 2. Additionally, administrators can restrict SSH access to trusted hosts only by using the 'ssh' command. To add SSH access to the ASA, use the ssh command in global configuration mode; to disable SSH access, use the no form of this command. This command supports IPv4 and IPv6 addresses. The 'ssh ip_address' command specifies hosts or networks that are authorized to initiate an SSH connection to the ASA. You can have multiple 'ssh' commands in the configuration. The 'no' form of the command removes a specific SSH command from the configuration. Use the 'clear configure ssh' command to remove all SSH commands.

More information about SSH configuration can be found at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1561244
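The workarounds in this section keep coming back to two configuration points: remove 'inspect esmtp' (or 'inspect sip') from the policy-maps that enable it, and accept SSH only from trusted hosts via the 'ssh' command. The following added example (not Cisco's code, and not part of the original alert) audits a 'show running-config' excerpt for both. It lists every 'ssh' and 'http' (ASDM) source entry and flags the any-source ones, maps each policy-map to the inspections it enables, and emits the configuration-mode commands that would remove a given inspection from every class that has it. ASA_CONFIG is a constructed excerpt, not taken from any real device; the hostname, interface and policy-map names in it are assumptions, while the command syntax is that of the ASA 'ssh', 'http', 'policy-map', 'class' and 'inspect' commands.

```python
"""Audit an ASA running-config for open management access and enabled inspections.

Added example, not Cisco's code. ASA_CONFIG is a constructed 'show running-config'
excerpt (hostname, interface and policy-map names are assumptions), written in the
syntax of the ASA 'ssh', 'http', 'policy-map', 'class' and 'inspect' commands.
"""
from __future__ import annotations
import ipaddress

ASA_CONFIG = """\
hostname asa-edge
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh ::/0 outside
ssh timeout 5
ssh version 2
http server enable
http 0.0.0.0 0.0.0.0 outside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
  inspect sip
  inspect sqlnet
  inspect sunrpc
policy-map dmz_policy
 class dmz_mail
  inspect esmtp
service-policy global_policy global
"""


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def management_access(config: str) -> list[dict]:
    """Every 'ssh'/'http' source entry, with any_source=True for a /0 source."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("ssh", "http"):
            continue
        args, interface = tokens[1:-1], tokens[-1]
        try:
            if len(args) == 1:        # IPv6 form: ssh ::/0 outside
                network = ipaddress.ip_network(args[0], strict=False)
            elif len(args) == 2:      # IPv4 form: ssh 10.1.1.0 255.255.255.0 inside
                network = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            else:
                continue
        except ValueError:
            continue                  # 'ssh version 2', 'ssh timeout 5', 'http server enable'
        entries.append({"service": tokens[0], "source": str(network),
                        "interface": interface, "any_source": network.prefixlen == 0})
    return entries


def inspections(config: str) -> dict[str, set[str]]:
    """Map each Layer 3/4 policy-map to the protocols its classes inspect."""
    enabled: dict[str, set[str]] = {}
    current = None
    for line in config.splitlines():
        tokens = line.split()
        if _indent(line) == 0:
            # 'policy-map type inspect ...' defines an inspection map, not a policy; skip it
            is_policy = len(tokens) >= 2 and tokens[0] == "policy-map" and tokens[1] != "type"
            current = tokens[1] if is_policy else None
        elif current and len(tokens) >= 2 and tokens[0] == "inspect":
            enabled.setdefault(current, set()).add(tokens[1])
    return enabled


def disable_inspection_commands(config: str, protocol: str) -> list[str]:
    """Configuration-mode commands that remove 'inspect <protocol>' from every class
    that enables it: the workaround given above for the ESMTP and SIP inspection bugs."""
    commands: list[str] = []
    policy = cls = None
    for line in config.splitlines():
        tokens = line.split()
        indent = _indent(line)
        if indent == 0:
            is_policy = len(tokens) >= 2 and tokens[0] == "policy-map" and tokens[1] != "type"
            policy, cls = (tokens[1] if is_policy else None), None
        elif indent == 1 and policy and len(tokens) >= 2 and tokens[0] == "class":
            cls = tokens[1]
        elif policy and cls and tokens[:2] == ["inspect", protocol]:
            commands += [f"policy-map {policy}", f" class {cls}", f"  no inspect {protocol}"]
    return commands


def audit(config: str) -> dict:
    """Findings a reviewer wants first: any-source management entries and inspections."""
    return {
        "open_management": [e for e in management_access(config) if e["any_source"]],
        "inspections": inspections(config),
    }


if __name__ == "__main__":
    report = audit(ASA_CONFIG)
    for entry in report["open_management"]:
        print(f"OPEN: {entry['service']} from {entry['source']} on {entry['interface']}")
    for policy, protocols in report["inspections"].items():
        print(f"{policy}: {', '.join(sorted(protocols))}")
    print("\n".join(disable_inspection_commands(ASA_CONFIG, "esmtp")))
```

Parsing the source with the ipaddress module rather than string-matching "0.0.0.0" catches the IPv6 '::/0' entry too, and the same /0 test applies to 'http' lines, which govern ASDM access and are open to the same trusted-hosts argument the SSH records make.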


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:U/RC:C

CVE ID CVE-2011-3314 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.41), 100.7(14.35), 100.7(17.5), 100.7(18.4), 100.7(6.49), 100.8(0.36), 100.8(11.2), 100.8(15.11), 100.8(19.29), 100.8(2.26)
Bug Id:
CSCtj04707
Title:
Possible packet buffer exhaustion when operating in transparent mode
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* Routing Information Protocol (RIP) Denial of Service Vulnerability
* Unauthorized File System Access Vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110223-asa

Note: The Cisco Firewall Services Module (FWSM) is affected by one of these vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerability that affects the Cisco FWSM. That advisory is available at
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110223-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2011-0393 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(2.152), 8.2(3.240)
Known Fixed Releases:
100.5(5.43), 100.7(0.60), 100.7(5.23), 100.7(6.9), 100.7(8.1), 7.0(8.12), 7.2(5.2), 8.1(2.49), 8.2(3.109), 8.2(3.6)
Bug Id:
CSCun11074
Title:
Cisco ASA SunRPC Inspection Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, including but not limited to cross-site scripting (XSS), credential theft, or redirection of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3387 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5), 8.4(1)
Known Fixed Releases:
100.10(9.6), 100.7(6.134), 100.8(38.121), 100.8(40.62), 100.8(56.27), 100.8(62.2), 100.8(64.3), 100.8(65.3), 100.8(66.4), 7.2(5.14)
Bug Id:
CSCsm84110
Title:
ASA may traceback with malformed TCP packets
Description:

Summary: Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines details of these vulnerabilities:

* Crafted TCP ACK Packet Vulnerability
* Crafted TLS Packet Vulnerability
* Instant Messenger Inspection Vulnerability
* Vulnerability Scan Denial of Service
* Control-plane Access Control List Vulnerability

The first four vulnerabilities may lead to a denial of service (DoS) condition and the fifth vulnerability may allow an attacker to bypass control-plane access control lists (ACL).

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
7.1, 8.1(0.184)
Known Fixed Releases:
7.1(2.70), 7.2(3.22), 8.0(103.4), 8.0(3.10), 8.1(0.185), 8.1(1.1), 8.1(1.2)
Bug Id:
CSCtg69457
Title:
SCCP inspection DoS vulnerability
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* Routing Information Protocol (RIP) Denial of Service Vulnerability
* Unauthorized File System Access Vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml

Note: The Cisco Firewall Services Module (FWSM) is affected by one of these vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerability that affects the Cisco FWSM. That advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
100.7(0.20), 8.2(2.13), 8.2(2.9)
Known Fixed Releases:
100.7(0.28), 7.0(8.11), 8.0(5.19), 8.2(2.136), 8.2(2.19), 8.3(1.101), 8.3(1.8), 8.4(0.99), 8.4(1), 8.4(1.99)
Bug Id:
CSCua16597
Title:
Webvpn: RDP ActiveX plugin causes high cpu with IE
Description:

Symptom:
RDP from the webvpn portal causes IE to consume 90-100% cpu utilization on the client computer.

Conditions:
This is observed after a software upgrade on the ASA to 8.4(3)9, which uses a newer version of cscopf.ocx (3.1.0.3)

Workaround:
Switch to using the Java-based RDP plugin with IE instead of the ActiveX plugin, or use a Java-based browser (Firefox or Chrome).

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5.29), 8.4(3.9)
Known Fixed Releases:
100.7(13.85), 100.7(23.1), 100.7(6.84), 100.8(0.173), 100.8(11.27), 100.8(27.19), 100.8(33.10), 100.8(34.1), 100.8(35.1), 100.8(36.1)
Bug Id:
CSCtl04737
Title:
Buffer Issue in MSN IM Inspection Code
Description:

Symptoms:
The ASA MSN IM Inspection code contains a potential code deficiency. This was found during internal code inspection.

Conditions:
Cisco ASA with MSN IM Inspection enabled.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/5.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(6.21), 100.7(8.12), 100.7(9.3), 7.2(5.2), 8.0(5.23), 8.1(2.49), 8.2(4.3)
Bug Id:
CSCsv21224
Title:
ASA process invalid OSPF MD5 sequence numbers
Description:

Symptom:
Cisco ASA may process invalid OSPF MD5 sequence numbers.

This issue was found and reported to Cisco by Francois Ropert.
Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and
welcomes the opportunity to review and assist in product reports. We would like to thank Mr. Ropert for
working with us towards the goal of keeping Cisco networks and the Internet, as a whole, secure.

Conditions:
Cisco ASA running version 8.0.4 and earlier.

Workarounds:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
7.2(4.22), 8.0(4.18), 8.0(4.220), 8.0(5), 8.1(2.8), 8.2(0.189), 8.2(1)
Bug Id:
CSCtf37506
Title:
TLS test tls10-hs-multiple with mutated packet causes ASA to traceback
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.4(0.43), 8.2(2)
Known Fixed Releases:
100.5(5.15), 100.7(0.15), 100.7(6.1), 8.2(2.104), 8.2(2.17), 8.3(1.100), 8.3(1.6), 8.4(0.99), 8.4(1)
Bug Id:
CSCsq97154
Title:
ASA WebVPN HTTP Instability
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:

Erroneous SIP Processing Vulnerabilities

IPSec Client Authentication Processing Vulnerability

SSL VPN Memory Leak Vulnerability

URI Processing Error Vulnerability in SSL VPNs

Potential Information Disclosure in Clientless VPNs

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3
Known Fixed Releases:
Bug Id:
CSCto92403
Title:
SunRPC inspection improper direction check
Description:

Symptoms:
The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. It does this by querying the port mapper process, usually rpcbind, on the well-known port 111.

SunRPC inspection may be bypassed when certain sequences of SunRPC packets are sent.

Conditions:
Device configured for SunRPC inspection. To display the information about the Sun RPC service table configuration, enter the show running-config sunrpc-server command. The following is sample output from the show running-config sunrpc-server command:

hostname(config)# show running-config sunrpc-server
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol UDP port 111 timeout 0:30:00
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100005 protocol UDP port 111 timeout 0:30:00

To display the pinholes open for Sun RPC services, enter the show sunrpc-server active command. The following is sample output from the show sunrpc-server active command:

hostname# show sunrpc-server active

LOCAL FOREIGN SERVICE TIMEOUT
-----------------------------------------------
1 209.165.200.5/0 192.168.100.2/2049 100003 0:30:00
2 209.165.200.5/0 192.168.100.2/2049 100003 0:30:00
3 209.165.200.5/0 192.168.100.2/647 100005 0:30:00
4 209.165.200.5/0 192.168.100.2/650 100005 0:30:00

Workaround:
No workarounds are available other than disabling SunRPC inspection if not needed.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

CVE ID CVE-2011-2571 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.26), 100.7(14.14), 100.7(18.1), 100.7(6.44), 100.8(0.20), 100.8(0.32), 100.8(10.27), 100.8(12.26), 100.8(15.5), 100.8(19.3)
Bug Id:
CSCtb64913
Title:
WEBVPN: page fault in thread name dispath unit, eip udpmod_user_put
Description:

Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.


Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4.29), 8.0(4.32)
Known Fixed Releases:
8.0(4.100), 8.0(4.44), 8.1(2.35), 8.2(1.10), 8.2(1.100), 8.2(1.102), 8.2(4), 8.3(0.0)
Bug Id:
CSCty06793
Title:
ASA traceback when "show crashinfo" command issued
Description:

Symptom: Under rare circumstances, issuing the "sh crashinfo" command on an ASA to view the crash file may lead to the ASA crashing again.

Conditions: The condition for the crash is unknown

Workaround: None known
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
Bug Id:
CSCtz79578
Title:
Port-Channel Flaps at low traffic rate with single flow traffic
Description:

Symptom:
Port-Channel flaps continuously.

Conditions:
Observed on ASA 5585-SSP-60 under performance testing for single flow traffic.

Workaround:
Change the channel-group mode to ON.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-2485 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
100.7(13.108), 100.7(6.104), 100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.6), 100.9(0.12), 100.9(4.1), 8.4(5.240)
Bug Id:
CSCtc81560
Title:
IKE receiver thread is stuck sleeping in udp_read
Description:

Symptom:

After Phase 1 rekey, IKE Main Mode process gets stuck in MM_WAIT_MSG2.
In fact we receive MSG2 however it does not reach the IKE thread internally.

Conditions:

Issue is being triggered during Phase 1 rekey, further conditions need to be identified.

Workaround:

Reload ASA appliance

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
Bug Id:
CSCtr95843
Title:
TACACS+ Authentication Bypass Vulnerability
Description:

Symptoms:
This bug addresses an enhancement on the TACACS implementation of the Cisco ASA to avoid a potential bypass of TACACS authentication.

Conditions:
No confirmation of exploitability or attack for this issue.


Workaround:
Not applicable.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.31), 100.7(14.22), 100.7(18.2), 100.7(6.44), 100.8(0.25), 100.8(10.36), 100.8(12.32), 100.8(15.6), 100.8(19.14), 100.8(2.14)
Bug Id:
CSCtu30620
Title:
Missing input validation for specific code functions
Description:

Symptom:
This is a proactive software enhancement to implement secure best practice procedures into the code.

Conditions:
Cisco ASA with default configuration.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.13(0.17), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.1), 100.15(0.1), 9.4(0.109), 9.4(1), 99.1(2.81), 99.1(3.65)
Bug Id:
CSCth60587
Title:
Incorrectly bounded for loops in DHCP packet parsing code
Description:

Symptoms:
This is a proactive software enhancement to implement secure best practice procedures into the code.

Conditions:
Cisco ASA with default configuration.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3
Known Fixed Releases:
100.5(5.35), 100.7(0.47), 100.7(8.1), 7.0(8.12), 7.2(5.2), 8.1(2.48), 8.2(3.100), 8.2(3.240), 8.2(3.3), 8.2(4)
Bug Id:
CSCua70967
Title:
Traceback in Thread Name: Crypto CA
Description:

Symptom:
The ASA could reload with a traceback in Thread Name: Crypto CA
Conditions:
This issue has been seen on ASA 8.2(5), other versions may also be affected
Workaround:
No known workaround at this time
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
Bug Id:
CSCuo68327
Title:
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, including but not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/6.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVE ID CVE-2014-3388 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(5.2), 9.1(5.6)
Known Fixed Releases:
100.10(17.2), 100.10(2.25), 100.10(7.13), 100.11(0.10), 100.11(5.17), 100.11(6.1), 100.12(18.1), 100.8(40.75), 9.0(4.12), 9.1(5.7)
Bug Id:
CSCto92398
Title:
SunRPC inspection credential length traceback
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

* MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
* TACACS+ Authentication Bypass vulnerability
* Four SunRPC Inspection Denial of Service vulnerabilities
* Internet Locator Service (ILS) Inspection Denial of Service vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this advisory.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the TACACS+ authentication bypass vulnerability, SunRPC Inspection denial of service (DoS) vulnerabilities and ILS inspection DoS vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.25), 100.7(13.47), 100.7(13.65), 100.7(14.13), 100.7(14.42), 100.7(17.12), 100.7(18.1), 100.7(18.4), 100.7(18.9), 100.7(19.8)
Bug Id:
CSCtz04566
Title:
SSL VPN Authentication Denial of Service Vulnerability
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(4.99), 8.2(5), 8.3(1.100)
Known Fixed Releases:
8.2(5.30), 8.3(2.34)
Bug Id:
CSCte46460
Title:
Post migration ACL allows traffic that was denied prior
Description:

Symptoms:
Post migration ACL allows traffic that was denied prior to the migration of the configuration.

** This was only experienced during internal testing in code that was never released to customers. It was fixed prior to first customer shipment (FCS).


Conditions:
Cisco ASA with no special configuration.

Workaround:
None


PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(0.18)
Known Fixed Releases:
100.5(5.2), 100.5(5.3), 8.3(0.21), 8.3(0.22), 8.3(0.24), 8.3(1), 8.3(1.100)
Bug Id:
CSCsx52748
Title:
ASA may crash under high IPSEC load
Description:

Symptom:

5580-40 crash when running 5000 tunnel IPSec RAS throughput test

** This was only experienced during internal testing in code that was never released to customers. It was fixed prior to first customer shipment (FCS).

Conditions:

Cisco ASA configured for IPsec and using an internal test tool establishing ~ 5000 tunnels.

Workaround:

none

Further Problem Description:

none

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(0.209)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 8.2(0.212), 8.2(1), 8.2(2.99), 8.2(4)
Bug Id:
CSCta06013
Title:
Fuzzing testbed, traceback in the javascript parser
Description:

Symptom:

ASA running 8.0.5 may reload in Unicorn Proxy Thread.

Conditions:

ASA running 8.0.5 code.

Workaround:

none.

Further Problem Description:

Issue seems to be related to javascript parser.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5738 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4.213)
Known Fixed Releases:
100.7(13.59), 100.7(13.61), 100.7(18.10), 100.7(18.13), 100.7(19.9), 100.7(20.1), 100.7(6.65), 100.8(0.65), 100.8(11.10), 100.8(14.9)
Bug Id:
CSCty62368
Title:
Traceback with Netflow configuration
Description:

Symptom:
Active unit tracebacks in "Thread Name: Dispatch Unit".
Conditions:
Customer using VPN, Netflow on Failover units.
Workaround:
NA.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.3(0), 8.2(4), 8.3(2.13), 8.4(2), 8.4(3), 9.1(2)
Known Fixed Releases:
100.7(13.79), 100.7(6.80), 100.8(0.146), 100.8(11.23), 100.8(27.19), 100.8(33.7), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.30)
Bug Id:
CSCum91360
Title:
Aborted AnyConnect Authentications can cause resource leak
Description:

Symptoms:
Customers reported that when a Cisco ASA is terminating AnyConnect VPN with IKEv2, over a period of time (~7 to 10 days) new IKEv2 connections will fail until reload of the ASA.

Conditions:
Cisco ASA configured to terminate Anyconnect VPN with IKEv2

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(6.5)
Known Fixed Releases:
100.10(0.76), 100.10(2.8), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.11(2.1), 100.11(4.1), 100.7(6.129), 100.8(38.114), 100.8(40.59)
Bug Id:
CSCuh27912
Title:
ASA does not obfuscate aaa-server key when timeout is configured.
Description:

Symptom:
The ASA does not obfuscate the aaa-server key when 'timeout' is configured before the 'key' command in the aaa-server host block.

Conditions:
'timeout' configured under the aaa-server host command, ahead of 'key'.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

More Info:
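The practical risk of this bug is that a shared RADIUS or TACACS+ secret ends up in clear text in configuration backups and in any ticket that pastes 'show running-config'. As an added example (this is not Cisco's code or text from the bug record), the following Python scans an ASA running-config for aaa-server host blocks whose key is stored in clear text and records whether a 'timeout' line preceded the 'key' line, which is the ordering the bug describes. It assumes that an obfuscated key is rendered as a run of asterisks in 'show running-config'; the configuration text is constructed for the example.

```python
import re

# Constructed ASA running-config excerpt for this example (not taken from the page).
# RADIUS-LEAK reproduces the bug condition: 'timeout' is configured before 'key'.
SAMPLE_CONFIG = """\
aaa-server RADIUS-OK protocol radius
aaa-server RADIUS-OK (inside) host 10.0.0.5
 key *****
 timeout 5
aaa-server RADIUS-LEAK protocol radius
aaa-server RADIUS-LEAK (inside) host 10.0.0.6
 timeout 5
 key S3cretRadiusKey
 authentication-port 1812
aaa-server TACACS-MGMT protocol tacacs+
aaa-server TACACS-MGMT (management) host 10.0.2.9
 key *****
"""

# "aaa-server <group> (<interface>) host <address>" opens an indented host block.
HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+\((\S+)\)\s+host\s+(\S+)")


def find_exposed_aaa_keys(config_text):
    """Return one finding per aaa-server host block whose 'key' is stored in clear text.

    A finding records the server group, interface and host, whether a 'timeout'
    command preceded the 'key' command (the ordering this bug describes), and the
    key length. The key itself is deliberately not copied into the finding.
    """
    findings = []
    block = None
    for raw in config_text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            block = {"group": m.group(1), "iface": m.group(2), "host": m.group(3),
                     "timeout_before_key": False}
            continue
        if block is None:
            continue
        if not raw.startswith(" "):
            block = None  # a non-indented line ends the host block
            continue
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "timeout":
            block["timeout_before_key"] = True
        elif tokens[0] == "key" and len(tokens) > 1:
            # Assumption: an obfuscated key is rendered as a run of asterisks in
            # 'show running-config'; any other value is the real shared secret.
            if set(tokens[1]) != {"*"}:
                findings.append(dict(block, key_length=len(tokens[1])))
    return findings


def affected_groups(config_text):
    """Server groups that match the exact trigger: clear-text key after a 'timeout' line."""
    return sorted({f["group"] for f in find_exposed_aaa_keys(config_text)
                   if f["timeout_before_key"]})


if __name__ == "__main__":
    for f in find_exposed_aaa_keys(SAMPLE_CONFIG):
        print(f"{f['group']} ({f['iface']}) host {f['host']}: key stored in clear text "
              f"({f['key_length']} chars), timeout before key: {f['timeout_before_key']}")
```

Run it against a saved 'show running-config' rather than the live device; once a clear-text key has been found in a backup, the secret should be treated as exposed and rotated on the AAA server, not only re-entered on the ASA.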

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.20), 100.8(40.9), 100.8(41.2), 100.8(60.23), 100.9(0.51), 100.9(10.1), 100.9(6.28)
Bug Id:
CSCtz70573
Title:
SMP ASA traceback on periodic_handler when inspecting ICMP or DNS traffic
Description:

Symptom:
ASA may reload with traceback in Thread Name: DATAPATH-20-2333.

Conditions:

ASA running 8.x on multi-core platforms.

Workaround:
Disable ICMP and DNS inspection.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.7(6.103), 8.4(1), 8.4(3), 8.4(4), 8.4(5), 8.5(1.9), 9.1(1)
Known Fixed Releases:
100.10(0.32), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(13.110), 100.7(6.106), 100.7(6.125), 100.8(27.31), 100.8(38.4), 100.8(38.59)
Bug Id:
CSCsl41826
Title:
Packets for VPN-l2l peer get dropped, stuck in deny=true in sh ASP table
Description:


Symptom:

ASA drops traffic which should get encrypted for a valid L2L VPN peer.

Conditions:

Cisco ASA running release 8.0.2. Static L2L tunnels configured on the ASA.
A valid show crypto ipsec sa output is present: QuickMode
has completed and you see the active SPI values. Furthermore, the remote site
is able to send traffic [#pkts decrypt counter is increasing]. However the
#pkts encrypt counter is not increasing.

Instead, in "sh asp table classify crypto" the entry for this tunnel (domain=ipsec-user)
shows deny=true, whereas the other entries show deny=false, and the hits=XX counter
on that deny=true entry keeps increasing.

The problem does not happen on the same tunnel every time; it moves randomly
from one tunnel to another.

Workaround:

Rebooting the ASA fixes the issue for a short time, then it comes back. Re-applying the
crypto map, or moving it to a higher priority, also resolves it only temporarily.

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(2)
Known Fixed Releases:
Bug Id:
CSCul11741
Title:
Removing ports from service object-group does not remove from the ACL
Description:

Symptom:
If an ACL line contains both an "object-group network" in the destination AND an
"object-group service", then removing ports from the service object-group does not
actually remove those ports from the ACL. Traffic from a new host that initiates a connection to a
server in the destination group is still allowed by the ASA.

Conditions:
This happens when "object-group-search access-control" is enabled globally on the ASA.

Workaround:
Remove the access-list and re-add it.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.0(2)
Known Fixed Releases:
100.10(0.40), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.68), 100.8(40.45), 100.8(46.37), 100.8(51.7), 100.9(10.16)
Bug Id:
CSCtf54976
Title:
Traceback in thread dispatch unit
Description:

Symptom:
Traceback in thread: Dispatch unit causes ASA reload loop.

Conditions:
Skinny inspection enabled

Workaround:
Disable skinny inspection.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5742 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(1.11)
Known Fixed Releases:
Bug Id:
CSCub63148
Title:
With inline IPS and heavy load ASA could drop ICMP or DNS replies
Description:

Symptom:
Intermittently, DNS reply packets, or ICMP echo reply packets, might be dropped by the ASA.

Conditions:
To encounter this bug, an ASA IPS module must be in-line with the traffic flow. The IPS module must be under heavy processing
load.

Additionally, for DNS traffic to be affected, the dns-guard feature must be enabled (it is enabled by default).

For ICMP echo-replies to be affected, the 'inspect icmp' feature must be enabled (it is disabled by default).

Workaround:
- Reduce the processing load on the IPS, by reducing the amount of traffic sent to it
- Exempt the affected traffic from IPS inspection
- Change the IPS processing from 'in-line' to 'promiscuous'

In the case of ICMP echo replies being dropped, disable 'inspect icmp'

In the case of DNS replies being dropped, disable dns-guard. This should be done with caution, since with dns-guard disabled, each DNS connection
will remain in the ASA's connection table until the UDP timeout applies to the connection. This could result in a significant amount of
additional UDP connections in the ASA's connection table:

------------------------------------
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no dns-guard          <----- HERE
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class IPS
  ips inline fail-open
!
service-policy global_policy global
------------------------------------
More Info:
When this problem is encountered, the ASA drops the packet and increments the following ASP drop counter:

(flow-expired) Expired flow

This can be seen in the output of 'show asp drop' on the ASA:

ASA# show asp drop
...
  Expired flow (flow-expired)                        323
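The 'show asp drop' counters are cumulative since the last 'clear asp drop', and flow-expired also increments for flows that legitimately aged out, so a single reading proves little; what points at this bug is flow-expired climbing between two readings taken while the in-line IPS module is under load. As an added example (not Cisco's code or text from the bug record), the Python below parses two constructed snapshots of the command output, computes the per-reason growth, and flags flow-expired when its growth crosses a threshold. The snapshot text and the threshold of 100 are constructed for the example.

```python
import re

# Constructed 'show asp drop' snapshots for this example (not taken from the page).
# Counters are cumulative since the last 'clear asp drop'; only growth between
# snapshots is meaningful.
SNAPSHOT_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                      4213
  Expired flow (flow-expired)                                          12
  Inspection failure (inspect-fail)                                     3

Last clearing: Never
"""

SNAPSHOT_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                      4301
  Expired flow (flow-expired)                                         323
  Inspection failure (inspect-fail)                                     3

Last clearing: Never
"""

# Each counter line has the shape "<description> (<reason-name>) <count>".
DROP_LINE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Map each ASP drop reason name (e.g. 'flow-expired') to its cumulative count."""
    counters = {}
    for line in text.splitlines():
        m = DROP_LINE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def drop_deltas(before, after):
    """Per-reason growth between two parsed snapshots.

    If a counter is lower in the later snapshot it was cleared in between, so its
    new absolute value is taken as the growth instead of a negative number.
    """
    deltas = {}
    for name, count in after.items():
        previous = before.get(name, 0)
        deltas[name] = count - previous if count >= previous else count
    return deltas


def flow_expired_growth(before_text, after_text, threshold=100):
    """Return (growth, flagged) for the flow-expired counter between two outputs.

    flagged is True when flow-expired rose by at least threshold, the pattern this
    bug leaves behind while an in-line IPS module under load delays DNS or ICMP
    replies past the flow's lifetime.
    """
    deltas = drop_deltas(parse_asp_drop(before_text), parse_asp_drop(after_text))
    growth = deltas.get("flow-expired", 0)
    return growth, growth >= threshold


if __name__ == "__main__":
    growth, flagged = flow_expired_growth(SNAPSHOT_T0, SNAPSHOT_T1)
    print(f"flow-expired grew by {growth}; suspicious: {flagged}")
```

Pair the two readings with 'show cpu usage' from the IPS module (or its own load indicators) taken at the same times; growth in flow-expired without IPS load points at something other than this bug, such as genuinely slow DNS servers.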
Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:P/E:ND/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(3.8)
Known Fixed Releases:
100.7(13.111), 100.7(6.108), 100.8(27.63), 100.8(50.27), 100.9(0.30), 100.9(4.1), 100.9(6.2), 100.9(7.1), 100.9(8.1), 100.9(9.1)
Bug Id:
CSCur30988
Title:
ASASM traceback with Thread name DATAPATH.
Description:

Symptom:
ASASM traceback with Thread name DATAPATH.

Conditions:
ASASM/ASA running on software version 9.1.5(16)

Workaround:
none

Further Problem Description:
none

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(5.16)
Known Fixed Releases:
Bug Id:
CSCug81326
Title:
ASA - crash in fover_health_monitoring_thread
Description:

Symptom:

ASA may crash in fover_health_monitoring_thread


Conditions:

Crash could not be reproduced and may be due to HW failure


Workaround:

Unknown.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5.33), 8.2(5.41)
Known Fixed Releases:
Bug Id:
CSCtr79885
Title:
ASA with VoIP memory leak 1% per day on binsize 56
Description:

Symptom:
Free memory decreases 1% per day

Conditions:
ASA 8.2 handling VoIP
Memory is consumed in bin size 56.

Workaround:
Proactively reboot the ASA when used memory reaches 80-85%.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C

CVE ID CVE-2012-5033 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
100.7(13.73), 100.7(6.78), 100.8(0.126), 100.8(11.20), 100.8(27.7), 100.8(33.3), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.30)
Bug Id:
CSCth60621
Title:
Incorrect bounding check in snp HTTP inspect code
Description:

Symptoms:
This is a proactive software enhancement to implement secure best practice procedures into the code.

Conditions:
Cisco ASA with default configuration.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.7(0.1), 8.3
Known Fixed Releases:
100.5(5.42), 100.5(5.43), 100.7(0.59), 100.7(5.23), 100.7(6.8), 100.7(8.1), 7.0(8.12), 7.2(5.2), 8.1(2.49), 8.2(3.106)
Bug Id:
CSCta02170
Title:
ASA5550 or ASA with 4GE-SSM may crash due to block corruption
Description:

Symptom:

ASA reloads due to block corruption.

Conditions:

ASA5550 or ASA with 4GE I/O module running 8.2.1 code and using interfaces in slot 0 and slot 1.

Workaround:

Do not use interfaces in slot 1 since this triggers the problem.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5726 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.3(0.10), 100.3(0.13), 100.4(0.18), 8.2(1.100), 8.2(1.102), 8.2(1.12), 8.2(4), 8.3(0.0)
Bug Id:
CSCua35337
Title:
Local command auth not working for certain commands on priv 1
Description:

Symptom:

Command authorization for 'show conn', 'show arp' and 'sh log' does not work if these commands are placed on privilege level 1.

Conditions:

Certain commands configured under privilege level 1

Workaround:

Configure these commands for privilege level 2 or higher and have users log in to privileged EXEC mode at level 2 or higher.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0, 8.2(5.30)
Known Fixed Releases:
100.7(13.100), 100.7(24.3), 100.7(6.98), 100.8(0.237), 100.8(11.39), 100.8(27.20), 100.8(33.22), 100.8(34.1), 100.8(38.1), 100.8(39.1)
Bug Id:
CSCsu11412
Title:
Watchdog traceback in CTM under high data load/small packets
Description:

Symptom:
A traceback due to a watchdog failure may occur under high data load.

Conditions:
Sending a high data load of small packets (66 bytes) over 500 connections bidirectionally via a
10 Gigabit Ethernet port results in a hardware watchdog failure.

Workaround:
None known at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.1(1.8), 8.1(101.9)
Known Fixed Releases:
8.1(2.19)
Bug Id:
CSCud16590
Title:
ASA may traceback in thread emweb/https
Description:

Summary

Cisco ASA Software is affected by the following vulnerabilities:

IKE Version 1 Denial of Service Vulnerability
Crafted URL Denial of Service Vulnerability
Denial of Service During Validation of Crafted Certificates
DNS Inspection Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by some of
the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco
FWSM. This advisory is available at

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-fwsm

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C

CVE ID CVE-2013-1150 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases:
100.7(13.108), 100.7(6.104), 100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.3), 100.9(0.6), 7.2(5.9), 8.0(5.29)
Bug Id:
CSCsk60581
Title:
Device reload possible when SIP inspection is enabled
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:

Erroneous SIP Processing Vulnerabilities

IPSec Client Authentication Processing Vulnerability

SSL VPN Memory Leak Vulnerability

URI Processing Error Vulnerability in SSL VPNs

Potential Information Disclosure in Clientless VPNs

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
7.2, 8.0
Known Fixed Releases:
7.2(3.14), 7.2(3.18), 8.0(3.3), 8.0(3.8), 8.1(0.137), 8.2(0.80), 8.2(0.94)
Bug Id:
CSCtf40074
Title:
Watchdog when running a set of Codenomicon TLS test cases
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.4(0.43)
Known Fixed Releases:
Bug Id:
CSCsz37164
Title:
"vpn-simultaneous-logins 0" does not prevent user access in all cases
Description:

Symptom:

The documentation for the vpn-simultaneous-logins command
(http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1572279)
states:

"Enter 0 to disable login and prevent user access"

However, under some circumstances "vpn-simultaneous-logins 0" does
not prevent user access. For example, if there are two tunnel groups
associated with different group policies and one of the tunnel groups
has been disabled by way of "vpn-simultaneous-logins 0" in the tunnel
group's associated group policy, if user A logs in using tunnel group A,
the same user A will be able to log in using tunnel group B even if this
group has "vpn-simultaneous-logins 0".

Conditions:

A tunnel group has been disabled by way of the "vpn-simultaneous-logins
0" command and the same user that is currently logged in using a
non-disabled tunnel group attempts to log into the tunnel group that is
disabled.

Workaround:

None known at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.3(0.2), 8.0(4.161), 8.0(4.33), 8.0(5), 8.1(2.165), 8.1(2.24), 8.2(1.5), 8.2(4)
Bug Id:
CSCtb37219
Title:
Traceback in Dispatch Unit AIP-SSM Inline and nailed option on static
Description:

Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.


Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
7.0, 7.1, 7.2, 8.0(4.32)
Known Fixed Releases:
8.0(4.100), 8.0(4.44), 8.1(2.35), 8.2(1.10), 8.2(1.100), 8.2(1.102), 8.2(4), 8.3(0.0)
Bug Id:
CSCud37992
Title:
HTTP Deep Packet Inspection Denial of Service Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN
Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5512 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Symptom:

Conditions:

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(4.1)
Known Fixed Releases:
100.10(0.6), 100.7(13.111), 100.7(13.116), 100.7(6.105), 100.7(6.121), 100.8(27.30), 100.8(27.85), 100.8(34.1), 100.8(38.28), 100.8(38.4)
Bug Id:
CSCsx75440
Title:
ACL - Implicit deny ip any any ACE may not work as expected
Description:

Symptom:

The implicit deny ip any any may not work as expected. Traffic that is not permitted by the ACL may still be permitted, even though the access-list is applied on the higher-security interface.

Conditions:

This was first observed in an ASA running 8.0.4(3)

Workaround:

1. Remove the access-group line applied on the interface and re-apply it.

example:
no access-group acl-inside in interface inside
access-group acl-inside in interface inside

or

2. Add an explicit deny ip any any line at the bottom of the ACL applied on that interface.


Further Problem Description:

Collecting the following output before contacting TAC may be helpful:

"sh asp table classify domain permit hits"
and
"sh asp table classify interface domain permit hits"

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4.3)
Known Fixed Releases:
Bug Id:
CSCtd32106
Title:
mutated SIP Invite-Bye message causes ASA to watch dog and traceback
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(1), 8.3(0.12), 8.3(0.2)
Known Fixed Releases:
100.4(0.30), 8.0(5.17), 8.1(2.45), 8.2(2.13), 8.2(2.99), 8.2(4), 8.3(0.19), 8.3(1)
Bug Id:
CSCth34278
Title:
Clientless WebVPN Memory Leak Causes Blank Page after Authentication
Description:

Symptom:


ASA memory usage increases slowly over weeks leading up to the problem;
at the time of the problem, typical memory usage is 50 MB more than after a reload.

Conditions:

Webvpn must be enabled and in use. The memory leak does not affect AnyConnect
VPN sessions.

Workaround:

None. Reloading the ASA may clear up the memory allocation.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-2474 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at
the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(2.12), 8.2(3), 8.3
Known Fixed Releases:
100.7(13.17), 100.7(14.4), 100.7(16.1), 100.7(17.5), 100.7(18.1), 100.7(6.43), 100.7(9.48), 100.8(0.14), 100.8(15.5), 100.8(19.1)
Bug Id:
CSCul49796
Title:
ASA Transparent A/A - Replicated MAC addresses not deleted after timeout
Description:

Symptom:
Mac-addresses remain in standby context's mac-address table after being deleted on the active. This can potentially lead to exhaustion of the bridging
table on one of the firewalls.

Conditions:
ASA in multiple-context transparent mode with active/active failover

Workaround:
Clear the mac-address table manually on the standby context

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
2.9/2.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(1), 8.4(1.106), 8.4(7), 9.1(2), 9.1(3.2)
Known Fixed Releases:
100.10(0.50), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.126), 100.8(38.77), 100.8(40.50), 100.8(46.53), 100.8(51.13), 100.8(56.1)
Bug Id:
CSCth60606
Title:
Incorrect bounding check in GTP parsing handler
Description:

Symptoms:
This is a proactive software enhancement to implement secure best practice procedures into the code.

Conditions:
Cisco ASA with default configuration.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3
Known Fixed Releases:
100.5(5.34), 100.7(0.43), 7.2(5.2), 8.0(5.20), 8.1(2.48), 8.2(3.1), 8.2(3.100), 8.2(4), 8.3(2.2), 8.4(0.99)
Bug Id:
CSCub37882
Title:
Standby ASA allows L2 broadcast packets with asr-group command
Description:

Symptom:
Standby ASA allows a directed L3 broadcast packet to loop until TTL expires with asr-group command
Conditions:
This was first identified on an ASA running 8.4.4(1) in multiple-context active/active failover, where an asr-group with the same group ID is enabled on
both the inside and the outside interface of a context.
Workaround:
The following workarounds are possible (in order of preference):
1. Do not apply both inside and outside interfaces to the same asr-group.
2. Configure interface ACL to drop directed broadcast traffic
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:W/RC:C
CVE ID CVE-2012-3916 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(1), 8.2(5), 8.4(0.2), 8.4(4), 8.4(4.1)
Known Fixed Releases:
100.7(13.96), 100.7(6.92), 100.8(0.226), 100.8(11.35), 100.8(27.19), 100.8(33.18), 100.8(34.1), 100.8(36.4), 100.9(0.1), 8.2(5.32)
Bug Id:
CSCuf52468
Title:
ASA Digital Certificate Authentication Bypass Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN
Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 10/8.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5509 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
9.0(1), 9.1(1)
Known Fixed Releases:
100.8(27.83), 100.8(40.2), 100.8(60.7), 100.9(0.38), 100.9(4.5), 100.9(6.16), 100.9(7.20), 9.0(2.100), 9.0(2.5), 9.0(3)
Bug Id:
CSCsw31799
Title:
ASA traceback in thread Checkheaps due to tacplus_snd stack overflow
Description:

Symptom:
The ASA may reload when communicating with a TACACS+ server, due to a stack overflow in tacplus_snd.

Conditions:
The ASA must be configured to communicate with an external AAA server for authentication via TACACS+.

Workaround:
none
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4), 8.0(4.16), 8.0(4.17), 8.0(4.8), 8.4
Known Fixed Releases:
7.0(8.5), 7.1(2.81), 7.2(4.22), 8.0(4.18), 8.0(5), 8.1(2.8), 8.2(0.190)
Bug Id:
CSCtb83547
Title:
Error message on console: :_open_telnet: open(pager) SSH ssh_exec:
Description:

Symptom:

ASA seems to crash after executing the "show asdm session" command.

An error message is seen on the console at regular intervals

:_open_telnet: open(pager) SSH ssh_exec: open(pager)

Conditions:

ASA 8.2.1 code
Running ASDM

Workaround:

Unknown

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/3.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5740 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
Bug Id:
CSCti08890
Title:
Mutated OSPF packets cause ASA to traceback
Description:

Symptom:
Cisco ASA may experience a crash with a crafted OSPF packet.

Conditions:
Cisco ASA configured for OSPF. This issue can only be triggered by a Layer 2 adjacent device.

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(0.2)
Known Fixed Releases:
100.7(0.60), 100.7(5.24), 100.7(6.9), 100.7(8.1), 8.4(0.99), 8.4(1), 8.5(0.99), 8.5(1)
Bug Id:
CSCtz40094
Title:
ASA 8.2.5.27 secondary traceback after the upgrade - Thread Name: snmp
Description:

Symptom:
The Cisco Adaptive Security Appliance 5580 may experience a crash in thread name 'snmp'

Conditions:
ASA5580 running images 8.2.5.27 or 8.4.3.12 and configured with SNMP

Workaround:
None

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-4625 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.8(0.120), 8.2(5.27), 8.4(3.12)
Known Fixed Releases:
100.7(13.76), 100.7(6.79), 100.8(0.136), 100.8(11.21), 100.8(27.7), 100.8(33.5), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.30)
Bug Id:
CSCtu39200
Title:
ASA traceback in emweb/https while bringing up many webvpn sessions
Description:

Symptom:
A Cisco Adaptive Security Appliance (ASA) may crash in emweb/https while bringing up many webvpn clients.
Conditions:
Many client sessions were being initiated at the same time.
Workaround:
None at this time.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/4.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVE ID CVE-2012-5994 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(1), 8.3(1), 8.4(2.5), 8.4(2.9)
Known Fixed Releases:
100.7(13.44), 100.7(14.38), 100.7(17.8), 100.7(18.4), 100.7(6.52), 100.8(0.42), 100.8(0.54), 100.8(0.55), 100.8(11.4), 100.8(11.6)
Bug Id:
CSCsq74674
Title:
ASA may reload after receiving certain EIGRP packets
Description:

Symptom:
ASA may reload after receiving certain EIGRP packets.

Conditions:
Cisco ASA configured for EIGRP routing.

Note: EIGRP support was initially introduced in Cisco ASA Version 8.0(2).

Workarounds:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(2), 8.0(3), 8.1(1.1), 8.1(1.6)
Known Fixed Releases:
8.0(103.34), 8.0(3.20), 8.1(1.100), 8.1(101.1), 8.2(0.130)
Bug Id:
CSCsy80705
Title:
ASA WebVPN HTTP server issue-XSS
Description:

Summary:

There is a vulnerability in the Cisco ASA due to insufficient restrictions on Rot13-encoded URL parameters utilized by the SSL VPN feature of the Cisco ASA when clients browse web pages by means of the VPN web portal. An attacker who could convince a user to visit a malicious page while logged into the secure portal could take advantage of the vulnerability to execute arbitrary script or HTML code within the security context of the affected site.

Public Intellishield Alert:

http://tools.cisco.com/security/center/viewAlert.x?alertId=18442

Workarounds:
No workarounds exist in the Cisco ASA. However, additional mitigation information for XSS attacks can be found in the following Applied Mitigation Bulletin (AMB): http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
8.0(4.161), 8.0(4.215), 8.0(4.33), 8.0(5), 8.1(2.165), 8.1(2.24), 8.2(1.2), 8.2(4)
Bug Id:
CSCuc42812
Title:
Cisco ASA 1000V Firewall H.323 Inspection DoS Vulnerability
Description:


A vulnerability in Cisco Adaptive Security Appliance (ASA) Software for the Cisco ASA 1000V Cloud Firewall may cause the Cisco ASA 1000V to
reload after processing a malformed H.323 message. Cisco ASA 1000V Cloud Firewall is affected when H.323 inspection is enabled.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130116-asa1000v

Note: Only Cisco ASA Software for the Cisco ASA 1000V Cloud Firewall is affected by the vulnerability described in this advisory. Cisco ASA 5500
Series Adaptive Security Appliances, Cisco Catalyst 6500 Series ASA Services Module or Cisco Catalyst 6500 Series Firewall Services Module
(FWSM) are not affected by this vulnerability.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.7(1), 9.0(0.126)
Known Fixed Releases:
100.7(13.103), 100.7(6.104), 100.8(0.240), 100.8(11.40), 100.8(27.20), 100.8(33.25), 100.8(34.1), 100.8(37.17), 100.8(38.1), 100.8(39.1)
Bug Id:
CSCto40365
Title:
Crafted TACACS+ reply considered as successful auth by ASA
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

* MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
* TACACS+ Authentication Bypass vulnerability
* Four SunRPC Inspection Denial of Service vulnerabilities
* Internet Locator Service (ILS) Inspection Denial of Service vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this advisory.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the TACACS+ authentication bypass vulnerability, SunRPC Inspection denial of service (DoS) vulnerabilities and ILS inspection DoS vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.3), 100.7(14.1), 100.7(15.3), 100.7(6.38), 100.7(8.34), 100.7(9.25), 100.8(0.3), 100.8(10.3), 100.8(12.2), 100.8(2.1)
Bug Id:
CSCuh44815
Title:
ASA Digital Certificate HTTP Authentication Bypass Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN
Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 10/8.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5511 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(4), 9.0(2.101), 9.1(1.2), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(13.115), 100.7(6.120), 100.8(27.85), 100.8(38.24), 100.8(40.13), 100.8(41.2), 100.8(60.31), 100.9(0.54), 100.9(10.2)
Bug Id:
CSCty33946
Title:
ASA5580 traceback after upgrade to 8.4.3.2
Description:

Symptom:
The Cisco Adaptive Security Appliance 5580 may experience a crash in thread name 'datapath'

Conditions:
ASA5580 running image 8.4.3.2 and configured for WebVPN

Workaround:
None

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-4624 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(2), 8.4(3), 8.4(3.12), 8.4(3.2), 8.4(3.8)
Known Fixed Releases:
100.7(13.84), 100.7(21.9), 100.7(6.83), 100.8(0.169), 100.8(11.26), 100.8(27.19), 100.8(33.10), 100.8(34.1), 100.8(35.1), 100.9(0.1)
Bug Id:
CSCsq68451
Title:
ASA5580 reloads during connection stress test
Description:

Symptom: ASA5580 reloads during connection stress test.

Condition: ASA5580-40 running 8.1.1 with the "logging buffered informational" and "logging flash-bufferwrap" commands enabled.

Workaround: Do not enable "logging flash-bufferwrap"

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.1(1)
Known Fixed Releases:
8.1(1.100), 8.1(101.8), 8.2(0.148)
Bug Id:
CSCsl37063
Title:
DTLS Traceback in TLS fragment handling
Description:

Symptom:
ASA crashes in DTLS fragment handling code.

Conditions:
1. SVC and DTLS are used.
2. Lossy and/or high-latency network causing out-of-order packets.

Workaround:
Disable DTLS

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(3)
Known Fixed Releases:
8.0(3.2), 8.1(0.126), 8.2(0.78)
Bug Id:
CSCtr93804
Title:
DCERPC inspection for RCI message type broken
Description:

Symptoms:
DCERPC message type RCI may not pass through the Cisco ASA firewall.
Conditions:
ASA firewall doing DCERPC inspection.
Workaround:
None at this time.
Further Problem Description:
This defect is a regression in some versions of 8.4.2 ASA software.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(2.4)
Known Fixed Releases:
100.7(13.27), 100.7(14.14), 100.7(18.1), 100.7(6.44), 100.8(0.21), 100.8(10.29), 100.8(15.5), 100.8(19.4), 100.8(2.10), 100.8(20.1)
Bug Id:
CSCti06454
Title:
ASA Session ID Passed in URL as GET Request (webvpn_state)
Description:

Symptom:
Security tool reports that the session ID, "webvpn_state", is stored in the HTML of the application and
passed in the URL as variable "v=" during GET requests (as seen in the request below). A session ID is
designed for the web server and application to identify a user for a single authenticated session.

This is a false positive and not a vulnerability in Cisco ASA.

Workaround:
Not applicable

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
Bug Id:
CSCtn48877
Title:
Traceback in fover_FSM_thread with IPv6 failover on SSM-4GE-INC
Description:

Symptom:

ASA crashes with a watchdog failure or an assert failure in fover_FSM_thread.

Conditions:

IPv6 failover enabled, and IPv6 configurations applied on interfaces of SSM-4GE-INC.
The crash is observed when performing the following operations:

- adding or modifying "ipv6 address" configurations under the interface
- executing "failover active" on the Standby unit
- unplugging a LAN cable from the Active unit to trigger failover

Workaround:

Move the IPv6 configurations to onboard interfaces; avoid using the SSM-4GE-INC with IPv6 failover.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(2), 8.2(4), 8.2(4.5), 8.2(5.6)
Known Fixed Releases:
100.7(13.19), 100.7(13.65), 100.7(14.5), 100.7(17.5), 100.7(18.1), 100.7(18.9), 100.7(19.8), 100.7(6.43), 100.7(6.62), 100.7(9.50)
Bug Id:
CSCei65963
Title:
Add SNMPv3 support to ASA
Description:

Symptoms:
ASA does not support SNMPv3.

Conditions:
All current ASA releases.

Workaround:
Use SNMPv1 or SNMPv2c through an IPSec tunnel. While not 100% equivalent to SNMPv3, this workaround would at least provide data integrity and data confidentiality when using SNMPv1 or SNMPv2c with an ASA.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
7.0(1)
Known Fixed Releases:
8.2(0.187)
Bug Id:
CSCsr09163
Title:
webvpn - +webvpn+/index.html http response splitting problem
Description:

Symptom:

The ASA is vulnerable to HTTP response splitting.

Detail on HTTP response splitting defects :

http://en.wikipedia.org/wiki/HTTP_response_splitting
http://www.owasp.org/index.php/HTTP_Response_Splitting

An attacker can insert arbitrary HTTP headers into the responses from the ASA by specifying specially formatted input to the tgroup input form field.

Cisco has published a vendor response at the following URL:

http://tools.cisco.com/security/center/viewAlert.x?alertId=20737

This vulnerability was discovered by Daniel King of SecureWorks, Inc. Cisco greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports.

Conditions:

This is default behavior for the ASA.

Workaround:

There are no workarounds for this issue.

The following Cisco Applied Mitigation Bulletin, titled Understanding Cross-Site Scripting (XSS) Threat Vectors, provides several best practices and information that can be used to mitigate these types of issues:

http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0
Known Fixed Releases:
8.0(3.30), 8.1(1.100), 8.1(101.4), 8.2(0.140)
Bug Id:
CSCtn29288
Title:
TCP Split Handshake Investigation
Description:

Summary:
This bug is to investigate and track the TCP Split Handshake attack discovered and reported by NSS Labs.

Cisco PSIRT is aware of the report and has been working with NSS for several months, and in that time has been unable to reproduce and confirm any new security vulnerabilities in Cisco products. PSIRT will disclose any security vulnerabilities discovered in compliance with Cisco's security vulnerability policy:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

As a matter of policy, Cisco takes security vulnerabilities very seriously and we continue to take active measures to safeguard the security and
reliability of our equipment. Cisco has been working with NSS Labs on the TCP split handshake spoof since early this year. In this time we have
been unable to confirm any new security vulnerabilities in Cisco products, and have demonstrated the Cisco ASA protects against this attack. The
Cisco PSIRT continues to work with NSS Labs, and will follow our well-established disclosure process should any new information come to light.

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(2)
Known Fixed Releases:
Bug Id:
CSCts85969
Title:
ASA reloads with nested traceback in thread name CP Midpath Processing
Description:

Symptom:

ASA may reload with a nested traceback in thread name CP Midpath Processing.

Conditions:

ASA running 8.x code with webvpn enabled.

Workaround:

Disable Webvpn

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(3)
Known Fixed Releases:
Bug Id:
CSCub85692
Title:
ASA traceback in IKE Daemon while handling IKEv1 message
Description:

Summary

Cisco ASA Software is affected by the following vulnerabilities:

IKE Version 1 Denial of Service Vulnerability
Crafted URL Denial of Service Vulnerability
Denial of Service During Validation of Crafted Certificates
DNS Inspection Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by some of
the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco
FWSM. This advisory is available at

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-fwsm

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2013-1149 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5), 8.2(5.31)
Known Fixed Releases:
100.7(13.101), 100.7(6.99), 100.8(0.239), 100.8(11.39), 100.8(27.20), 100.8(33.23), 100.8(34.1), 100.8(37.14), 100.8(38.1), 100.8(39.1)
Bug Id:
CSCub61578
Title:
ASA: Assert traceback in PIX Garbage Collector with GTP inspection
Description:

Symptom:

Under rare circumstances, the ASA may generate a traceback in the PIX Garbage Collector thread and reload. The traceback will contain the
following message:

assertion "0" failed: file "malloc.c", line 5804

Conditions:

The ASA must be configured for GTP inspection and be actively passing GTP traffic.

Workaround:

Disable GTP inspection.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-3945 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5.31), 8.4(4.4)
Known Fixed Releases:
100.7(13.109), 100.7(6.105), 100.8(27.26), 100.8(34.1), 100.8(38.4), 100.8(50.8), 100.9(0.15), 100.9(4.1), 8.2(5.36), 8.4(5.4)
Bug Id:
CSCuj44998
Title:
ASA drops inbound traffic from AnyConnect Clients
Description:

Symptom:
Inbound traffic from the AC client to the ASA's protected networks is dropped while the outbound traffic to the AC client works fine.

Conditions:
ASA has a site-to-site VPN configured with any one of the following conditions:

>> The remote network (in the encryption domain) overlaps with the anyconnect pool assigned to the AC clients.
>> The crypto ACL has a deny rule for the anyconnect pool assigned to the AC clients
>> Any crypto ACL has an explicit 'deny ip any any' as an access-list entry.

Workaround:
For the first two conditions, configure a local pool for AnyConnect Clients not overlapping with the remote network defined in the crypto ACL.
For the third condition, remove the explicit "deny ip any any" access-list entry from the crypto ACL.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(5.5), 9.0(2.1), 9.0(3.4), 9.1(2.103), 9.1(3), 9.1(3.250)
Known Fixed Releases:
100.10(0.26), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.124), 100.8(38.55), 100.8(40.32), 100.8(45.7), 100.8(46.28), 100.8(52.2)
Bug Id:
CSCtz79983
Title:
Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition
Description:

Symptom:
ASA generates the syslog message below:

ASA-3-201011: Connection limit exceeded 4714/7500 for input packet from x.x.x.x/49777 to xxxx/443 on interface outside

A policy-map is configured to limit the maximum number of connections:

policy-map outside-policy
class outside-class
set connection conn-max 7500 embryonic-conn-max 500


service-policy outside-policy interface outside


3300 in use, 10248 most used

Conditions:

Policy-map configured to limit the maximum number of connections:

set connection conn-max 7500 embryonic-conn-max 500


Workaround:

None
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(3.1)
Known Fixed Releases:
100.7(13.83), 100.7(13.94), 100.7(21.8), 100.7(6.82), 100.7(6.90), 100.8(0.163), 100.8(0.210), 100.8(11.25), 100.8(11.33), 100.8(27.19)
Bug Id:
CSCtz97298
Title:
ASA may traceback in thread netfs_thread_init
Description:

Symptom:

ASA may crash in thread name netfs_thread_init

Conditions:

This can happen only via webvpn while a user executes SMB operations.

Workaround:

none
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2012-3061 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5.26)
Known Fixed Releases:
Bug Id:
CSCts33187
Title:
Security Issue in Apache
Description:

Summary
A denial of service vulnerability has been found in the way multiple overlapping ranges are handled by the Apache HTTPD server. Multiple Cisco products could be affected by this vulnerability.

Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=24024

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110830-apache.shtml.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:U/RC:C

CVE ID CVE-2011-3192 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.1(2.7)
Known Fixed Releases:
Bug Id:
CSCtf29867
Title:
Memory leak happens due to huge number of LDAP authentication failure
Description:

Symptom:

Memory consumption in fragment sizes 80 and 88 grows on an ASA5510.

Conditions:

This problem is found in ASA5510 with VPN Load-Balanced configuration
and LDAP authentication under 8.0(5).

In the problematic environment, a large number of LDAP authentication failures
for RA users are found in the syslog.

Workaround:

None confirmed at this time.
(Preventing the authentication failures should serve as the workaround.)

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 5.4/4.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2010-4682 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(5)
Known Fixed Releases:
100.4(0.50), 100.7(2.4), 8.0(5.15), 8.1(2.44), 8.2(2.10), 8.2(2.99), 8.2(4), 8.3(1.2), 8.4(1)
Bug Id:
CSCtw84068
Title:
DHCP Memory Allocation Denial of Service Vulnerability
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the
following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the
affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the
execution of arbitrary commands.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities
listed above.
A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(4.5)
Known Fixed Releases:
100.7(13.54), 100.7(13.63), 100.7(14.49), 100.7(18.15), 100.7(18.6), 100.7(20.4), 100.7(6.61), 100.7(6.69), 100.8(0.57), 100.8(0.92)
Bug Id:
CSCut15570
Title:
AnyConnect SSL VPN certificate authentication fails on ASA
Description:

Symptom:
AnyConnect SSL VPN certificate authentication fails on ASA

Conditions:
-- certificate authentication
-- in the output of 'debug crypto ca' the following error is observed:

CERT-C: I pkixpath.c(1170) : Error #72

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.11(0.57), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.22)
Bug Id:
CSCtx42746
Title:
cut through proxy authentication vulnerability
Description:

Symptom:

When a user tries to connect to an HTTP resource behind the firewall, the firewall intercepts the
connection and prompts the user to enter credentials on an HTTP page. The URL of this page
contains a session ID.

Conditions:

Requires HTTP cut-through proxy authentication using the HTTP listener:

aaa authentication match
aaa authentication listener http port http redirect

Seen on all versions.

Workaround:

Do not use the HTTP listener authentication method.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2012-0335 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
7.2(5), 8.2(5), 8.4(2)
Known Fixed Releases:
100.7(13.57), 100.7(18.9), 100.7(19.8), 100.7(6.62), 100.8(0.61), 100.8(11.9), 100.8(14.7), 100.8(24.31), 100.8(30.5), 100.8(32.3)
Bug Id:
CSCtk08411
Title:
ESMTP Inspection Issues
Description:

Symptoms:
Cisco ASA ESMTP inspection enhancements. During additional internal testing using ASA version 8.2(2)114,
which contains the fix for DDTS CSCtg32918, subsequent issues were discovered in the SMTP processing engine.

Conditions:
Cisco ASA configured for ESMTP inspection.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(2)
Known Fixed Releases:
100.5(5.58), 100.7(0.72), 100.7(11.2), 100.7(13.1), 100.7(6.18), 100.7(8.4), 7.2(5.2), 8.4(0.117), 8.4(1), 8.4(1.99)
Bug Id:
CSCub66345
Title:
Traceback at "GTP_PDP_MAGIC" when issuing "show pdp-context" command
Description:


Symptom:

Executing the "show service-policy inspect gtp pdp-context" command may cause the ASA to crash.

Conditions:

GTP inspection is enabled.

Workaround:

None.

PSIRT Evaluation:

The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(4.4)
Known Fixed Releases:
100.7(13.109), 100.7(6.105), 100.8(27.26), 100.8(27.30), 100.8(34.1), 100.8(38.4), 100.8(50.12), 100.8(50.8), 100.9(0.15), 100.9(0.19)
Bug Id:
CSCua52914
Title:
1550 byte block depletion due to webvpn snp_fp_svc_ob_tunnel_flow
Description:

Symptom:
An ASA firewall may run out of 1550 byte blocks and as a result, cease to pass traffic.
Management to/from the box may also be affected. The depletion can be seen in the output of
'show blocks' with a focus on the 1550 byte blocks.

Conditions:
This has been seen on ASA code version 8.6.1 and may exist on other versions as well. Initial
debugging seems to implicate some webvpn functionality as the root cause, so having webvpn
traffic appears to be a requirement.

Workaround:
At this point, the only option is to reload the ASA to restore the lost memory blocks.

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.6(1)
Known Fixed Releases:
Bug Id:
CSCuj54806
Title:
ICMP inspection closes TCP conns with "Flow closed by inspection"
Description:

Symptom:
This DDTS is a duplicate of CSCui77398.

Conditions:

Workaround:

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(7), 9.0(3.2)
Known Fixed Releases:
Bug Id:
CSCth02276
Title:
FTP Inspection - Passing Non-RFC FTP command with ABOR Masking
Description:

Symptom:

A vulnerability exists in the Cisco ASA FTP inspection engine where an unauthenticated attacker could
bypass security checks by sending non-RFC-compliant FTP commands.


Conditions:
Cisco ASA configured for FTP inspection.

Workaround:
Not available.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE ID CVE-2011-0929 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.23), 100.7(8.14), 100.7(9.4), 7.2(5.3), 8.0(5.24), 8.1(2.49)
Bug Id:
CSCth60631
Title:
Filename buffer not properly terminated
Description:

Symptoms:
This is a proactive software enhancement to implement secure best practice procedures into the code.

Conditions:
Cisco ASA with default configuration.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3
Known Fixed Releases:
100.5(5.31), 100.7(0.36), 100.7(5.7), 100.7(6.3), 8.4(0.99), 8.4(1), 8.4(1.99), 8.4(2)
Bug Id:
CSCti35517
Title:
5555: Traceback in system test with DFP and FO
Description:

Symptoms:

Stress testing with AnyConnect and clientless sessions and with Failover and DFP enabled may cause a device reload.

Conditions:

AnyConnect and failover are configured.

Workaround:

None.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5737 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.5(0.18), 8.0(5.5), 8.2(1), 8.2(3), 8.3
Known Fixed Releases:
100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.12), 100.7(6.17), 100.7(6.26), 100.7(8.18), 100.7(9.9), 8.4(1.99), 8.4(2)
Bug Id:
CSCti05769
Title:
Migration of max_conn/em_limit to MPF is completely wrong in 8.3
Description:

Symptoms:
Migration to the Modular Policy Framework (MPF) may yield an incorrect configuration. This may result in loss of TCP Intercept protection against SYN
floods coming from the outside, as the MPF limits are configured in the incorrect direction. Protection against server overloading may also be lost
because the migrated configuration incorrectly limits the number of outbound established connections from the server to the outside.

Conditions:

Workaround:
The configuration created by the migration process must be removed, and the limits must be set manually via MPF in the proper direction.

Further Problem Description:

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
Bug Id:
CSCth60553
Title:
CLI History Access
Description:

Symptoms:
CTRL-R allows you to look at the CLI history. If you press CTRL-R and then type a substring of a command in the history, the
entire command containing that substring is displayed. After the 'disable' command, the history is not flushed, so an unprivileged user can get at the history from the
last privileged user.

Conditions:
Cisco ASA with default configuration.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:C

CVE ID CVE-2011-1639 has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
100.7(13.31), 100.7(14.21), 100.7(18.2), 100.7(6.44), 100.8(0.24), 100.8(10.34), 100.8(12.31), 100.8(15.5), 100.8(19.13), 100.8(2.14)
Bug Id:
CSCum88762
Title:
VPN Filter missing from standby session
Description:

Symptoms:
When dynamic VPN filters are shared with L2TP/IPsec sessions, the dynamic VPN filter may not be present on the standby unit.
This is because we do not support failover for IPsec/L2TP. As a result, after the dynamic ACL is replicated, the L2TP handling removes
the ACL from the standby.

Conditions:
ASA configured to terminate L2TP/IPsec sessions

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.1/1.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:S/C:P/I:N/A:N/E:F/RL:W/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2
Known Fixed Releases:
100.10(0.76), 100.10(2.8), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.11(2.1), 100.11(4.1), 100.7(6.129), 100.8(38.111), 100.8(40.59)
Bug Id:
CSCuc80080
Title:
DNS Inspection Denial of Service Vulnerability
Description:

Symptom:
Cisco ASA Software is affected by the following vulnerabilities:

IKE Version 1 Denial of Service Vulnerability
Crafted URL Denial of Service Vulnerability
Denial of Service During Validation of Crafted Certificates
DNS Inspection Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities may result in a reload of an affected device, leading to a denial of service (DoS) condition.


Conditions:
See PSIRT Security Advisory.

Workaround:
See PSIRT Security Advisory.

Further Problem Description:
See PSIRT Security Advisory.

PSIRT Evaluation:

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by some of
the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco
FWSM. This advisory is available at

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-fwsm

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.0(1), 9.1(0.2)
Known Fixed Releases:
100.8(0.245), 100.8(11.45), 100.8(27.20), 100.8(34.1), 100.8(38.3), 100.8(39.2), 100.9(0.6), 9.0(1.100), 9.0(1.2), 9.0(2)
Bug Id:
CSCtf86990
Title:
Assertion in dhcpd_copy_pool_parameters with long dhcpd domain name
Description:

Symptom:
The ASA will assert when it tries to assign a dhcp address to a dhcp client.

Condition:
This occurs only when an extremely long domain name is configured as part of the dhcpd server pool.

Workaround:
Use a domain-name less than 255 characters long.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0, 8.4(0.5)
Known Fixed Releases:
100.7(0.49), 100.7(6.6), 100.7(8.1), 8.1(2.48), 8.2(3.101), 8.2(3.240), 8.2(3.4), 8.2(4), 8.3(2.3), 8.4(0.99)
Bug Id:
CSCtg43848
Title:
ASA traceback with SIP traffic
Description:

Symptom:
A Cisco Adaptive Security Appliance (ASA) may crash with SIP traffic.
Conditions:
Many SIP calls are passing through the ASA.
Workaround:
None known.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.4/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:U/RC:C
CVE ID CVE-2012-5997 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(2.100), 8.2(2.11)
Known Fixed Releases:
100.7(13.105), 100.7(6.104), 100.8(0.243), 100.8(11.43), 100.8(27.20), 100.8(33.28), 100.8(34.1), 100.8(38.3), 100.8(39.1), 100.9(0.6)
Bug Id:
CSCsy91157
Title:
Watchdog when inspecting malformed SIP traffic
Description:

Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.


Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4.29)
Known Fixed Releases:
8.0(4.161), 8.0(4.38), 8.0(5), 8.1(2.165), 8.1(2.29), 8.2(1.10), 8.2(4), 8.3(0.0)
Bug Id:
CSCtw50291
Title:
TCP intercept initiated for traffic that is denied by access-list
Description:

Symptom:
A port scanner run against hosts behind the ASA may report some ports as open
although they are blocked by the firewall access-list.
This is due to a defect in the TCP intercept component of the ASA, which
erroneously starts sending SYN cookies to the scanner source for ports
closed by the access-list.

Note that no packet from the scanner actually bypasses the access
list and reaches the target.

Conditions:
none

Workaround:
none
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2011-4494 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
Bug Id:
CSCtc59462
Title:
Traceback in thread name: ssh
Description:

Symptom:
A Cisco ASA may crash with a traceback in the SSH process.

Conditions:
ASA with 2 SSH sessions that are active to the ASA console. One of the SSH
sessions reaches the idle timeout, while some config changes are made on the
other session.

Workaround:
None


Further Problem Description:
The impact to the failover pairs is minimal and the pair will switch over to be
available for traffic.

The backport of this fix to the 8.2 train was deemed too risky for that train. However, we have not had any reports of this crash from customers running 8.2 at the moment of publication. Customers running version 8.2 are nonetheless recommended to migrate to 8.4 to fix this issue.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 6.3/4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVE ID CVE-2012-5717 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at
the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4.100), 8.2(2), 8.3(2.25)
Known Fixed Releases:
100.7(0.49), 100.7(5.15), 100.7(6.6), 100.7(8.1), 100.7(9.1), 8.4(0.99), 8.4(1), 8.5(0.99), 8.5(1), 8.6(0.0)
Bug Id:
CSCuh08651
Title:
UDP ports 500/4500 not reserved from PAT on multicontext ASA for IKEv1
Description:

Symptom:
UDP ports 500 and 4500 are not being reserved when IKEv1 is enabled.

Conditions:
This happens only when the ASA is running in multi-context mode.

Workaround:
1) Issue "clear xlate gport 500" and "clear xlate gport 4500".
2) Adjust the PAT configuration to use an IP address that differs from the VPN interface IP.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.0(2), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.8(27.84), 100.8(38.20), 100.8(40.9), 100.8(41.2), 100.8(60.23), 100.9(0.52), 100.9(10.1), 100.9(6.28), 100.9(7.31)
Bug Id:
CSCte91042
Title:
SMTP Inspect Security Issue
Description:

Symptom:
Cisco ASA has a potential issue with its SMTP inspection engine, where an unauthenticated attacker may
bypass certain policies of the SMTP inspection.

Conditions:
Cisco ASA with default configuration.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 4.3/3.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2
Known Fixed Releases:
100.4(0.47), 100.5(5.8), 100.7(2.1), 7.2(4.100), 7.2(5), 8.2(2.99), 8.2(4), 8.3(1.100), 8.4(1)
Bug Id:
CSCuc95774
Title:
access-group commands removed on upgrade to 9.0(1)
Description:

Symptom:

"access-group" commands are missing from the configuration after upgrading to 9.0(1).

Conditions:

First seen on ASAs set up for Active/Standby failover running 8.4(4)9 prior to
the upgrade. ASAs in standalone mode (without failover) upgrade as expected. IPv4 and IPv6
access-groups are applied to one or more interfaces in the same direction.

Workaround:

Apply the access-group to the interfaces after the upgrade to 9.0(1).

PSIRT Evaluation:

The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.0(1), 9.0(2), 9.1(1.170)
Known Fixed Releases:
100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.3), 100.9(0.6), 9.0(2.100), 9.0(2.5), 9.0(3), 9.1(1.3)
Bug Id:
CSCuc84537
Title:
TACACS+ Authentication Bypass Vulnerability
Description:

Symptoms:
This bug addresses an enhancement on the TACACS implementation of the Cisco ASA to avoid a potential bypass of TACACS authentication.

Conditions:
No confirmation of exploitability or attack for this issue.

Workaround:
Not applicable.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.107), 100.7(6.104), 100.8(11.46), 100.8(27.23), 100.8(34.1), 100.8(38.3), 100.8(38.4), 100.8(50.1), 100.9(0.6), 7.2(5.9)
Bug Id:
CSCti24271
Title:
Unable to ssh to the ASA (8.2.2)
Description:

Symptom:
Unable to connect via SSH to a Cisco ASA running software version 8.2.2 on any interface.
"show resource usage resource ssh" shows peak limit reached with no active sessions.
"Denied" counter increments for each attempted ssh connection.


Conditions:
Cisco ASA running 8.2.2 and configured for SSH access.

Workaround:
The only available workaround is to reload the affected ASA.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
Bug Id:
CSCtf56761
Title:
IM Messaging Logging
Description:

Symptom:
The Yahoo instant messaging inspection code has a deficiency that may lead to a denial of service
condition when generating certain syslog messages.

Conditions:
Cisco ASA configured for Yahoo instant messaging inspection.


Workaround:
Disable Yahoo IM inspection.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2
Known Fixed Releases:
100.4(0.54), 100.7(2.6), 8.0(5.17), 8.1(2.45), 8.2(2.13), 8.2(2.99), 8.2(4), 8.3(1.3), 8.4(1)
Bug Id:
CSCsr74439
Title:
PIX/ASA: Certain malformed NAT-T packets may cause IKE process to hang
Description:

Symptom:

A Cisco PIX or Cisco ASA IKE process may stop processing IKE packets when certain malformed NAT-T packets are received.

Note: No IKE debugs are seen after the malformed packet is sent.

Conditions:
Cisco PIX/ASA configured to terminate IPSec remote access or site-to-site tunnels.

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
7.2(4), 8.0(3.20)
Known Fixed Releases:
7.0(8.1), 7.1(2.75), 7.2(4.9), 8.0(4.5), 8.1(1.100), 8.1(101.6), 8.2(0.145)
Bug Id:
CSCtr21346
Title:
DCERPC Inspection Denial Of Service Vulnerability
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the
following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected
device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution
of arbitrary commands.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities
listed above.
A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.24), 100.7(14.12), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(9.56), 100.8(0.19), 100.8(10.24), 100.8(12.26), 100.8(15.5)
Bug Id:
CSCtg69742
Title:
standby unit crashes under heavy multicast traffic and continuous script
Description:

Symptom:
Standby unit may experience a device reload during internal testing.

** This issue is only present in code that was never released to customers. It was fixed before FCS.

Conditions:
Cisco ASA configured for failover. Only the standby unit is affected.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(5.19), 8.2(2.99)
Known Fixed Releases:
100.5(5.16), 100.7(0.17), 100.7(6.1), 8.2(2.107), 8.2(2.15), 8.3(1.100), 8.3(1.5), 8.4(0.99), 8.4(1)
Bug Id:
CSCts58501
Title:
SSH Incorrect length check in ssh_application_processing()
Description:

Symptoms:
Certain SSH version 2 packets may cause a memory leak on a Cisco ASA configured for SSH. Authentication is needed in order to exploit this
vulnerability.

Conditions:

This issue is observed on a Cisco ASA configured for SSH version 2 after it has received malformed SSHv2 packets. Successful exploitation may
cause system degradation or a denial of service condition on an affected device.

Workaround:
The only workaround is to disable SSH version 2. Additionally, administrators can restrict SSH access to trusted hosts only by using the ''ssh''
command. To add SSH access to the ASA, use the ssh command in global configuration mode. To disable SSH access to the ASA, use the no form of
this command. This command supports IPv4 and IPv6 addresses. The ''ssh ip_address'' command specifies hosts or networks that are authorized to
initiate an SSH connection to the ASA. You can have multiple ''ssh'' commands in the configuration. The ''no'' form of the command removes a
specific SSH command from the configuration. Use the ''clear configure ssh'' command to remove all SSH commands.

More information about SSH configuration can be found at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1561244

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2011-3311 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.41), 100.7(14.35), 100.7(17.5), 100.7(18.4), 100.7(6.49), 100.8(0.36), 100.8(11.2), 100.8(15.11), 100.8(19.29), 100.8(2.26)
Bug Id:
CSCsq78418
Title:
WebVPN portal susceptible to Cross Site Scripting (XSS) attacks
Description:

Symptom:

The ASA WebVPN portal is susceptible to Cross-Site Scripting (XSS).

Conditions:

ASA running 8.x with WebVPN.

Workaround:

None at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0, 8.0(3)
Known Fixed Releases:
8.0(103.34), 8.0(3.20), 8.0(3.21), 8.1(1.100), 8.1(101.1), 8.2(0.130)
Bug Id:
CSCtt36737
Title:
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Description:

Summary
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability, and Clientless SSL
VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-3415 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(2.1), 8.6(1)
Known Fixed Releases:
100.7(13.43), 100.7(13.65), 100.7(14.37), 100.7(17.7), 100.7(18.4), 100.7(18.9), 100.7(19.8), 100.7(6.52), 100.7(6.62), 8.4(2.102)
Bug Id:
CSCsz79757
Title:
Traceback - Thread Name: Dispatch Unit with skinny inspect enabled
Description:

Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.


Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4), 8.2(1)
Known Fixed Releases:
8.0(4.161), 8.0(4.38), 8.0(5), 8.1(2.165), 8.1(2.29), 8.2(1.2), 8.2(4), 8.3(0.0)
Bug Id:
CSCtg45851
Title:
Traceback: CP Processing
Description:

Symptom:

ASA Crashes with thread name CP Processing.

Conditions:

Cisco ASA configured for SIP inspection. This issue is caused by legitimate traffic.

Workaround:

Disable SIP inspection.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.4(0.50), 100.7(0.10), 8.0(5.17), 8.2(2.12), 8.3(1.4)
Known Fixed Releases:
100.7(0.15), 8.0(5.18), 8.1(2.45), 8.2(2.104), 8.2(2.15), 8.3(1.100), 8.3(1.5), 8.4(0.99), 8.4(1)
Bug Id:
CSCua12688
Title:
debug ctl-provider causes traceback
Description:

Symptom:

ASA crashes immediately after typing ''no debug ctl-provider''

Conditions:

ASA running 8.2.5 with the command ''debug ctl-provider'' enabled

Workaround:

''undebug all'' will not trigger the crash

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.4/3.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5729 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
100.7(13.87), 100.7(6.84), 100.8(0.176), 100.8(11.27), 100.8(27.19), 100.8(33.11), 100.8(34.1), 100.8(35.1), 100.8(36.1), 100.9(0.1)
Bug Id:
CSCtz14749
Title:
Traceback in Thread Name: CP Midpath Processing
Description:

Symptom:
The Cisco Adaptive Security Appliance 5580 may experience a crash in thread name 'datapath'

Conditions:
ASA5580 running image 8.4.3.2 and configured for WebVPN

Workaround:
None

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-4624 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
100.7(13.81), 100.7(21.7), 100.7(6.81), 100.8(0.153), 100.8(11.24), 100.8(27.19), 100.8(33.8), 100.8(34.1), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCto32012
Title:
Routing: page fault traceback in Thread Name: EIGRP-IPv4: PDM
Description:

Symptom:

Traceback in routing: page fault crash in Thread Name: EIGRP-IPv4: PDM, eip meth_ch_ioctl

Conditions:

Standby firewall and config sync during reload

Workaround:

When performing a hitless upgrade, before rebooting the standby unit, perform the following on the standby unit (secondary):
1. Remove the EIGRP process (by "no router eigrp" command).
2. Do a write mem on the secondary (standby)
3. Reload the standby
4. Upon loading the new image in the standby unit, the config sync from the active will take place (without traceback); since the config is synced, EIGRP will get enabled on the standby unit as well after the sync.
5. Make the secondary unit (with the new image) the active
6. Remove the EIGRP process from the primary (the new standby)
7. Do a write mem
8. Reload the standby
9. Upon loading the new image in the standby unit (primary), the config sync from the active (secondary) will take place.
10. Make the primary active again.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(4), 8.4(2)
Known Fixed Releases:
100.7(13.77), 100.7(6.79), 100.8(0.139), 100.8(11.22), 100.8(27.7), 100.8(33.6), 100.8(34.1), 100.8(36.1), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCua83032
Title:
Some parts of the WebVPN login susceptible to HTTP Response Splitting
Description:

Symptom:
ASA is vulnerable to HTTP response splitting in certain URLs. HTTP response splitting is the ability for an attacker to modify the headers of an
HTTP response due to lack of input validation on requests that are sent to the application server.

Details on HTTP response splitting defects:

http://en.wikipedia.org/wiki/HTTP_response_splitting
http://www.owasp.org/index.php/HTTP_Response_Splitting

Conditions:
This is default behavior for the ASA if Clientless webvpn is enabled.


Workaround:
There are no workarounds for this issue.

Further Problem Description:
The following Cisco Applied Mitigation Bulletin, titled Understanding Cross-Site Scripting (XSS) Threat Vectors, provides several best practices
and information that can be used to mitigate these types of issues:

http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C
CVE ID CVE-2011-3285 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5), 9.0(0.4)
Known Fixed Releases:
100.7(6.88), 100.8(0.203), 100.8(11.31), 100.8(27.19), 100.8(34.1), 100.8(35.3), 100.8(36.1), 100.9(0.1), 100.9(3.2), 8.2(5.32)
Bug Id:
CSCtf56704
Title:
MSN Instant Messaging Inspection Issue
Description:

Symptom:
The MSN instant messaging inspection code has a deficiency that may lead to a denial of service condition.

Conditions:
Cisco ASA configured for MSN instant messaging inspection.

Note: The attack surface for this issue is very low.

Workaround:
Disable MSN IM inspection.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2
Known Fixed Releases:
100.7(0.1), 8.0(5.17), 8.1(2.45), 8.2(2.13), 8.2(2.99), 8.2(4), 8.3(1.100), 8.3(1.3), 8.4(0.99), 8.4(1)
Bug Id:
CSCtr43773
Title:
SCEP proxy misconfig allows cert auth bypass
Description:


Symptoms:
A misconfiguration of SCEP proxy on a tunnel-group can allow for authentication bypass.

Conditions:
ASA is running version > 8.4. This is seen when using WebVPN with Anyconnect <3 or with clientless.

Workaround:
Configure
''authentication aaa certificate''
under the webvpn-attributes of the tunnel-group.

Further Problem Description:
The misconfiguration consists of configuring ONLY certificate authentication without also adding the aaa method, as mandated in the config guide.

Proper configuration should include the following under the webvpn-attributes of the tunnel-group:
authentication aaa certificate

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2011-2550 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.21), 100.7(14.9), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(9.53), 100.8(0.17), 100.8(10.19), 100.8(12.22), 100.8(15.5)
Bug Id:
CSCsu12382
Title:
Some TLS packets may cause incorrect DMA mappings, leading to traceback
Description:

Symptom:

An ASA on rare occasions will crash after processing crafted TLS packets.

Conditions:

This affects all versions of 8.1 code without the fix integrated.

Workaround:

None.

Further Problem Description:

None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.1(101.8)
Known Fixed Releases:
8.1(1.100), 8.1(1.9), 8.2(0.151)
Bug Id:
CSCtl86372
Title:
IKE fails to initialize when minimal data is sent to pub int.
Description:

Symptoms:
Sending a low data rate of traffic to the public interface may cause the IKE daemon to stop responding. This may prevent new IKEv1 and IKEv2 tunnels from being established.

Conditions:
None.

Workaround:
None.

Further Problem Description:

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AAV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C

CVE ID CVE-2011-0363 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2, 8.4(0.129)
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.24), 100.7(8.16), 100.7(9.6), 8.2(4.3), 8.2(5), 8.4(1.2)
Bug Id:
CSCsv02768
Title:
TCP connections getting stuck in FINWAIT1 state
Description:

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control
Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain
in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a
system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot
may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a
TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash.
This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds
that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(3.12), 8.0(4)
Known Fixed Releases:
7.1(2.79), 7.2(4.18), 8.0(4.220), 8.0(4.9), 8.0(5), 8.1(2.3), 8.2(0.169)
Bug Id:
CSCum56399
Title:
Cisco ASA GTP Inspection Engine Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3386 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases:
100.10(9.6), 100.7(6.129), 100.8(38.119), 100.8(40.61), 100.8(56.23), 100.8(62.2), 100.8(64.3), 100.8(65.3), 100.8(66.4), 100.8(67.1)
Bug Id:
CSCua12667
Title:
fail-close option fails to drop TCP conns when CX service is stopped
Description:



Symptoms:
When an ASA CXSC fails or is stopped, TCP traffic may continue to pass through the ASA under certain circumstances, even though fail-close is
configured.

Conditions:
This has been experienced with TCP traffic (e.g., HTTP, FTP, SSH). All other traffic is denied successfully.

Workaround:
The only workaround is for an administrator to configure an ACL on the ASA and drop the packet or take any other action to recover the ASA CXSC.


PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(4)
Known Fixed Releases:
100.7(13.82), 100.7(21.8), 100.7(6.82), 100.8(0.159), 100.8(11.25), 100.8(27.19), 100.8(33.9), 100.8(34.1), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCtt17328
Title:
Nested Checkheaps traceback w/ domain-lookup & dynamic-filter blacklist
Description:

Symptom:

In some cases, the ASA may generate a nested traceback in the Checkheaps thread and reload.
This may occur when the ASA receives certain DNS responses to queries generated by the firewall.

Conditions:

The ASA must be configured as a DNS client and have a dynamic-filter static blacklist defined. For example:

dns domain-lookup inside
DNS server-group DefaultDNS
name-server
!
dynamic-filter blacklist
name

Workaround:

Disable DNS lookups on the ASA:

no dns domain-lookup inside

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(2), 8.4(2.10)
Known Fixed Releases:
100.7(13.37), 100.7(14.26), 100.7(17.5), 100.7(18.3), 100.7(6.44), 100.8(0.30), 100.8(0.32), 100.8(0.36), 100.8(0.46), 100.8(0.54)
Bug Id:
CSCui76124
Title:
Unable to telnet to ASA due to telnet limit reached
Description:

Symptom:
Unable to telnet to the ASA due to the limit of 5 simultaneous sessions reached.

This situation can be verified with the output of 'show resource usage', which will show output like the following:

Resource  Current  Peak  Limit  Denied  Context
Telnet    5        5     5      0       System

Conditions:
Telnet is used to manage the ASA

Workaround:
Reload or failover the ASA to mitigate the problem.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.0(3), 9.1(1)
Known Fixed Releases:
100.10(0.14), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.33), 100.8(40.22), 100.8(41.2), 100.8(45.2), 100.8(46.1), 100.8(49.1)
Bug Id:
CSCtr00165
Title:
Port Forwarder ActiveX control contains a Buffer Overflow vulnerability
Description:

Summary
The Cisco Clientless VPN solution as deployed by Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) uses an ActiveX control on client
systems to perform port forwarding operations. Microsoft Windows-based systems that are running Internet Explorer or another browser that supports
Microsoft ActiveX technology may be affected if the system has ever connected to a device that is running the Cisco Clientless VPN solution. A remote,
unauthenticated attacker who could convince a user to connect to a malicious web page could exploit this issue to execute arbitrary code on the
affected machine with the privileges of the web browser.

Cisco has released free software updates that address this vulnerability. A companion Applied Mitigation bulletin that details potential workarounds is
available.

The advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient

The companion AMB document is available at the following link:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120314-asaclient

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
9.3/8.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C

CVE ID CVE-2012-0358 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(2.13)
Known Fixed Releases:
100.7(13.40), 100.7(13.61), 100.7(14.31), 100.7(17.5), 100.7(18.13), 100.7(18.4), 100.7(19.2), 100.7(6.48), 100.7(6.65), 100.8(0.35)
Bug Id:
CSCsx23611
Title:
VPN: TCP traffic allowed on any port with management-access enabled.
Description:

Symptom:

The firewall "inside" interface is responding to connection attempts on any port
(1-65536) when the initial SYN is going over a VPN tunnel.

Conditions:

When a firewall has a VPN set up in its configuration, and connection requests are being
sent to an interface IP that is not terminating the VPN, the firewall responds to the
connection request even though the application port does not exist. The three-way handshake is
immediately followed by a reset packet, which kills the connection.

The easiest way to verify you are running into this condition is to send traffic across the
VPN tunnel with the following command (where y.y.y.y is the inside interface of the firewall):

telnet <ip> <random port>

Here's an example:

telnet y.y.y.y 12345

If you're successful, you'll see the following in IOS:
Trying 192.168.100.1, 12345 ... Open

302013 Built inbound TCP connection 49230 for outside:x.x.x.x/4885 (x.x.x.x/4885) to NP Identity Ifc:y.y.y.y/12345 (y.y.y.y/12345)
302014 Teardown TCP connection 49230 for outside:x.x.x.x/4885 to NP Identity Ifc:y.y.y.y/12345 duration 0:00:00 bytes 0 TCP Reset-I

Workaround:

No known workaround.

Conditions:

A VPN tunnel must terminate on the ASA and the "management-access" command must be
enabled.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(2.7), 8.0(4.20)
Known Fixed Releases:
100.3(0.2), 8.0(4.161), 8.0(4.27), 8.0(5), 8.1(2.165), 8.1(2.17), 8.2(1.10), 8.2(4)
Bug Id:
CSCtf56740
Title:
Yahoo IM Inspection code deficiency
Description:

Symptom:
The Yahoo instant messaging inspection code has a deficiency that may lead to a denial of service condition.

Conditions:
Cisco ASA configured for Yahoo instant messaging inspection.

Note: The attack surface for this issue is very low.

Workaround:
Disable Yahoo IM inspection.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2
Known Fixed Releases:
100.4(0.54), 8.0(5.17), 8.1(2.45), 8.2(2.13), 8.2(2.99), 8.2(4), 8.3(1.100), 8.3(1.3), 8.4(1)
Bug Id:
CSCtq10441
Title:
UDP inspection engines denial of service vulnerability
Description:



Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) are affected by the following
vulnerabilities:

Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
Cisco ASA Threat Detection Denial of Service Vulnerability
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
Protocol-Independent Multicast Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate some of the vulnerabilities.
This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

Note: The Cisco Catalyst 6500 Series Firewall Services Module (FWSM) may be affected by some of the vulnerabilities above.
A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-fwsm

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.1(2), 8.2(3), 8.2(4)
Known Fixed Releases:
100.7(13.15), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(8.34), 100.7(9.42), 100.8(0.10), 100.8(0.31), 100.8(10.10)
Bug Id:
CSCtx98905
Title:
ASA traceback with Thread Name: dhcp_daemon
Description:

Symptom:

ASA is crashing multiple times a day. The same crash was seen on both the primary and secondary ASA. The crash is on thread dhcp_daemon.

Conditions:

ASA is doing dhcp relay with setroute option.

Workaround:

1) Disable setroute
2) Configure the route option on the DHCP server (the ASA will overwrite it via setroute)
3) Disable DHCP relay and use the internal DHCP server

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5732 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5), 8.5(1.7)
Known Fixed Releases:
100.7(13.79), 100.7(21.7), 100.7(6.80), 100.8(0.148), 100.8(11.23), 100.8(27.19), 100.8(33.7), 100.8(34.1), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCue31622
Title:
Secondary Flows Lookup Denial of Service Vulnerability
Description:

Symptoms:
The ASA may crash or show high CPU

Conditions:
This is due to an inefficient lookup within the connection table when the ASA is dealing with secondary flows. This usually happens for flows
that have been inspected and need to open a secondary connection.
The crash or high CPU is usually experienced on the standby device in a high-availability setup; however, under rare circumstances it could be
experienced on the active device.

Workaround:
None
Further Problem Description:

A vulnerability in the code that executes lookup of secondary flows within the connections table of the Cisco ASA could allow an unauthenticated,
remote attacker to cause high CPU and potentially lead to the reload of the affected system.

The vulnerability is due to a race condition when a non-optimal lookup of the hash of a secondary flow within the connection table is performed
on the affected system. An attacker could exploit this vulnerability by creating several connections that result in multiple secondary flows
passing through and being inspected by the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5415 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-5415

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(3), 8.4(4.5), 8.4(5)
Known Fixed Releases:
100.7(13.111), 100.7(6.113), 100.8(27.63), 100.8(50.39), 100.9(0.35), 100.9(4.5), 100.9(6.11), 100.9(7.19), 100.9(8.1), 8.4(5.99)
Bug Id:
CSCtz03292
Title:
ASA may reload with traceback related to SSH, PING, DHCP, or IPSEC
Description:

Symptom:

ASA may reload with a traceback in one of the following thread names:

Thread Name: DATAPATH-x-xxxx (Datapath can have different numbers here)
Thread Name: DHCP Client
Thread Name: SSH

Conditions:

Affects all ASA platforms.

Workaround:
None
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/5.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2012-6390 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.7(20.4), 100.8(0.101), 100.8(0.103), 100.8(0.106), 8.0(5.27), 8.4(3.5), 8.4(3.9)
Known Fixed Releases:
100.7(13.71), 100.7(20.5), 100.7(21.4), 100.7(6.73), 100.8(0.110), 100.8(11.17), 100.8(27.2), 100.8(33.2), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCur41860
Title:
HTTP and FTP Copy operations exposes sensitive information in syslogs
Description:

Symptoms:
When copying files from the ASA using HTTP or FTP, a syslog with code 769004 will be generated that contains sensitive information.

Conditions:
This is seen when using HTTP or FTP as a destination for file copy activities on the ASA.

Workaround:
Disable the specific syslogs that log the password as follows:

no logging message 769004

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

CVE ID CVE-2014-3410 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3410

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(7), 9.1(5), 9.2(2)
Known Fixed Releases:
100.11(0.54), 100.12(0.94), 100.12(23.4), 100.12(24.2), 100.13(0.10), 100.13(11.18), 100.13(12.37), 100.13(15.21), 100.13(16.16), 100.13(18.6)
Bug Id:
CSCud29045
Title:
ASASM forwards subnet directed bcast back onto that subnet
Description:

Symptom:
An ASASM may forward a subnet directed broadcast back out the interface on which it received
it.
When the ASASM is in multi-context mode, the broadcast packet may be sent back to the ASASM
and loop indefinitely unless some mitigation (such as TTL decrement) is applied.
A likely associated symptom is high CPU utilization on the MSFC, specifically in the IP Input
process.

Conditions:
ASASM in multi-context mode, with
same-security permit intra-interface
configured on the context

Workaround:
Filter the subnet directed broadcast using an access-list
Remove same-security permit intra-interface
Implement TTL decrementing in the context
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.5(1.15)
Known Fixed Releases:
100.8(27.30), 100.8(34.2), 100.8(38.4), 100.8(50.14), 100.9(0.20), 100.9(4.1), 100.9(9.1), 8.5(1.16), 9.0(1.106), 9.0(1.3)
Bug Id:
CSCuh25271
Title:
Upgrade fails w/ msg "No Cfg structure found in downloaded image file."
Description:

Symptom:
Upgrade fails with error message "No Cfg structure found in downloaded image file."

Conditions:
Upgrade from version without fix for CSCua99091 (e.g. 9.1.1) to image with fix for CSCud21312 (e.g. 9.1.2.2).

Workaround:
If the customer is running an image without the fix for CSCua99091 (e.g. 8.4.4, 9.1.1) then the customer needs to do an intermediate upgrade to a version that includes the fix for CSCua99091 (e.g. 8.4.6, 9.1.2) and then upgrade to the desired image (e.g. 9.1.2.2)

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(0), 8.4(0.1), 8.5(1), 8.6(0), 9.0(1), 9.1(1), 9.1(1.1), 9.1(2.1)
Known Fixed Releases:
Bug Id:
CSCua96172
Title:
Traceback: Thread Name: Unicorn Proxy Thread
Description:

Symptom:
Memory leak results in crash with traceback in thread name "Unicorn Proxy Thread".

Conditions:
Seen on ASA 5580 running 8.2(5.20).

Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5.20)
Known Fixed Releases:
Bug Id:
CSCug83080
Title:
Cross-site scripting vulnerability
Description:

Symptom:
It's possible to embed a script as an HTTP parameter. The script will be
present in a response and executed by the user's web browser.

Conditions:
SSL VPN is enabled.

Workaround:
None.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C

CVE ID CVE-2013-3414 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.7(6.119), 100.8(27.84), 100.8(38.21), 100.8(40.10), 100.8(41.2), 100.8(60.26), 100.9(0.53), 100.9(10.1), 100.9(6.28), 100.9(7.33)
Bug Id:
CSCua58408
Title:
ASA accepts route to network address which can lead to a traceback
Description:

Symptom:
ASA accepts a route pointing to a network address, which can lead to a crash.
Conditions:
ASA running 8.2 or 8.4.
An incorrect route is added: the interface is configured in the 192.168.100.128/25 network and the route points to 192.168.100.128 as the next hop.
Workaround:
Correct the route.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(4), 8.4(4)
Known Fixed Releases:
Bug Id:
CSCuc71272
Title:
SIP sessions cause CPU hogs and high CPU on standby ASA
Description:

SYMPTOM:

CPU on standby ASA spikes to 100%

CONDITIONS:

Large number of SIP sessions through ASA to multiple destination IP addresses

WORKAROUND:

Use an inspection policy to limit the number of conns for SIP traffic

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.0/4.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-5415

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
Bug Id:
CSCum41087
Title:
Cisco ASA BIOS Protection
Description:

Symptoms:
Cisco FireSIGHT contains a stored XSS vulnerability

Conditions:
none

Workaround:
Additional mitigation at: http://www.cisco.com/c/en/us/support/docs/cmb/cisco-amb-20060922-understanding-xss.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.1(2.7)
Known Fixed Releases:
Bug Id:
CSCue63881
Title:
ASA SSHv2 Denial of Service Vulnerability
Description:

Symptoms:
ASA cannot be accessed via SSH.

Conditions:
This may happen in either routed or transparent mode, on both multiple-context and single-mode ASAs. It can be triggered by IPv4 and IPv6 packets. Only
traffic directed to the ASA can trigger this vulnerability.

Workaround:
The HTTPS management interface or the console can be used as a temporary workaround.


Further Problem Description:
A vulnerability in the implementation of the Secure Shell (SSH) function could allow an unauthenticated, remote attacker to deny SSH management
access to legitimate users.

The vulnerability is due to improper implementation of the logic to terminate SSH sessions. An attacker could exploit this vulnerability by
starting an SSH session to the affected system. This vulnerability affects both SSHv1 and SSHv2. An exploit could allow the attacker to deny
SSH management access to legitimate users. The attacker will be able to deny access for 60 seconds, after which the affected system will
release the resource and users will be able to use the SSH service again. However, repeated exploitation may lead to a denial of service condition.

This bug fixes the issue for SSHv2 connections only. SSHv1 will be fixed in a separate bug: CSCuf51892.
The SSHv1 issue can be worked around by forcing the ASA to accept only SSHv2 connections with the configuration-mode command:

ssh version 2

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2013-1193 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1193

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(4.1)
Known Fixed Releases:
100.7(13.111), 100.7(6.111), 100.8(27.63), 100.8(50.39), 100.9(0.35), 100.9(4.5), 100.9(6.10), 100.9(7.9), 100.9(8.1), 8.2(5.45)
Bug Id:
CSCtx43501
Title:
CPU hog due to snmp polling of ASA memory pool information
Description:

Symptom:
The ASA provides access to three different memory pools via SNMP.
1) The "System memory" pool (which is a superset of 2 and 3 below)
2) The MEMPOOL_DMA pool
3) The MEMPOOL_GLOBAL_SHARED pool

If the MEMPOOL_GLOBAL_SHARED pool information is queried via SNMP, a CPU hog might occur. The ASA's CPU may be held by the SNMP process for too long before yielding the CPU to other processes. If the data rate is high enough through the ASA, packets might be dropped.

If an ASA is experiencing this problem, it could generate syslogs that look like this:
%ASA-4-711004: Task ran for 374 msec, Process = snmp, PC = 12229dc, Call stack = 0x00000000012229dc 0x000000000122175c 0x000000000121e45a 0x0000000001221247 0x00000000011fba3a 0x00000000011fa1ca 0x00000000004245a5

Also, the output of 'show process cpu-hog' will show entries for SNMP:

Process: snmp, PROC_PC_TOTAL: 9443, MAXHOG: 13, LASTHOG: 12
LASTHOG At: 12:47:00 CST Jan 23 2012
PC: 8c45b98 (suspend)

Process: snmp, NUMHOG: 9443, MAXHOG: 13, LASTHOG: 12
LASTHOG At: 12:47:00 CST Jan 23 2012
PC: 8c45b98 (suspend)
Call stack: 8b6aac3 8b4ae5d 8b49bbc 8063b33

Conditions:
To encounter this problem, memory information for the "Global Shared" pool must be queried via SNMP.

Workaround:
Avoid polling the memory information for the Global Shared pool:

Exclude:
.1.3.6.1.4.1.9.9.48.1.1.1.X.7 - "MEMPOOL_GLOBAL_SHARED"

where X is the integer corresponding to a particular statistic about the pool.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-4664 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.1(2.23), 8.2(3.6), 8.4(2.8), 8.4(3.8), 8.4(4), 9.1(2)
Known Fixed Releases:
Bug Id:
CSCub11353
Title:
ASA: Standby unit may traceback in Thread Name: qos_metric_daemon
Description:

Symptom:
ASA may crash in Thread Name: qos_metric_daemon.

Conditions:
This was first identified on an ASA failover pair running 8.2.4(8). The standby unit crashes.

Workaround:
Disable

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(4.8)
Known Fixed Releases:
Bug Id:
CSCtf42516
Title:
ASA 5580 8.2(2) traceback with traffic across 10 Gig interfaces
Description:

Symptom:
Both firewalls in the failover pair experienced a crash. Crash output of both units is similar.

Conditions:
ASA 5580-20 running software version 8.2(2). Crash occurred when traffic is passed through the newly installed 10 GigabitEthernet interfaces.

Workaround:
Do not pass traffic across the 10GigabitEthernet interfaces.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
100.4(0.50), 100.5(5.10), 100.7(2.2), 8.2(2.10), 8.2(2.99), 8.2(4), 8.3(1.100), 8.3(1.2), 8.4(1)
Bug Id:
CSCtc47782
Title:
Malformed IKE traffic causes rekey to fail
Description:

Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.


Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0, 8.0(4)
Known Fixed Releases:
100.3(0.19), 7.2(4.45), 8.0(5.1), 8.1(2.37), 8.2(1.105), 8.2(1.15), 8.2(4), 8.3(0.5)
Bug Id:
CSCtn74649
Title:
BTF DNS-Snooping TTL maxes out at 24 hours, less than actual TTL
Description:

Symptom:

The ASA Botnet filtering system relies on a DNS-to-IP binding stored in the DHCP Snooping table.
The table should contain entries that exist as long as the TTL listed in the DNS response they were
generated from. Currently the TTL maximum for the DNS-Snooping database is limited to 24
hours, while DNS TTLs could be as high as 2^31 seconds.

Conditions:
This is present in all current builds that support botnet filtering.

Workaround:
None at this time.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score.
The Base and Temporal CVSS scores as of the time of evaluation are 5.0/4.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(4), 8.3
Known Fixed Releases:
100.7(13.2), 100.7(14.1), 100.7(15.2), 100.7(6.36), 100.7(8.34), 100.7(9.23), 100.8(0.2), 100.8(10.2), 100.8(12.2), 100.8(2.1)
Bug Id:
CSCtx69059
Title:
Traceback in Unicorn Proxy Thread under heavy WebVPN load
Description:

Symptom:
ASA reloads under heavy WebVPN load without crash after reporting Signal 11 caught in Unicorn Proxy Thread to logging.
Conditions:
ASA was under heavy WebVPN load. High connect/disconnect rate.
Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/4.7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
CVE ID CVE-2012-5980 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(3.1)
Known Fixed Releases:
100.7(13.57), 100.7(18.10), 100.7(19.8), 100.8(0.61), 100.8(11.10), 100.8(14.8), 100.8(24.31), 100.8(30.6), 100.8(32.3), 100.9(0.1)
Bug Id:
CSCue73708
Title:
Group enumeration still possible on ASA
Description:

SYMPTOMS:

Cisco ASA Software is affected by a group name enumeration
vulnerability because of a difference in the way it responds to
correct and incorrect group names sent in the initial exchange packet when
Aggressive Mode is used for IKE version 1 phase 1.

CONDITIONS:

Aggressive Mode is used for IKE version 1 phase 1. Main Mode does not
have this problem.

WORKAROUNDS:

Use Main Mode, but this implies an inability to use group pre-shared keys;
certificate authentication is required instead.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

CVE ID CVE-2013-1194 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1194

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
7.2, 9.0(1), 9.1(0.1)
Known Fixed Releases:
100.7(13.111), 100.7(6.113), 100.8(27.63), 100.8(50.40), 100.9(0.36), 100.9(4.5), 100.9(6.11), 100.9(7.9), 8.2(5.43), 8.4(5.99)
Bug Id:
CSCui45606
Title:
ASA traceback upon resetting conn due to filter and inspect overlap
Description:

Symptom:
A vulnerability in the inspection and filter features of the Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the affected system to reload.

Conditions:
Unsupported configuration with overlapping filter and inspect rules, with the ASA configured to send resets for the dropped traffic.

The vulnerability is due to an internal traffic loop condition that can be triggered when a received packet is matched both for filtering and inspection because of a configuration with overlapping traffic-matching criteria; such a configuration is not supported. An attacker could exploit this vulnerability by sending a packet that would be matched by the incorrect configuration: when resetting the connection, the ASA gets into a loop and the stack overflows. An exploit could allow the attacker to trigger a crash of the affected system, resulting in a denial of service condition.

Workaround:
Remove the misconfiguration or use ''no service reset{outbound|inbound|outside}'' as
needed to prevent the RST from being generated.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5567 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5567

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
100.10(0.14), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.122), 100.8(38.34), 100.8(40.22), 100.8(41.2), 100.8(45.2), 100.8(46.3)
Bug Id:
CSCuh13899
Title:
ASA protocol inspection connection table fill up DOS Vulnerability
Description:

Symptom:
Some connections may not be removed even after reaching the idle timeout.

Conditions:
Non-inspected flows and flows inspected in CP are affected.
Flows that are inspected in DP, such as icmp, icmp-error, simple-dns (udp), simple-http, ip-thru, waas, srtp, ip-options, and ipv6, are not affected.

Workaround:
1. Clear the connection using the command ''clear conn''
2. disable specific protocol inspection where possible and open higher port ranges in the ACL.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2013-3463 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3463

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(2), 8.4(5.7), 8.4(6), 9.0(2.3), 9.1(1.5), 9.1(2.1)
Known Fixed Releases:
100.10(0.6), 100.7(13.118), 100.7(6.121), 100.8(27.85), 100.8(38.28), 100.8(40.16), 100.8(41.2), 100.8(60.34), 100.9(10.4), 100.9(6.32)
Bug Id:
CSCud20104
Title:
ASA Traceback, appears related to reporting threat-detection metrics
Description:

Symptom:
-- ASA traceback/crash, appears related to reporting threat-detection metrics to the ASDM

Conditions:
-- ASA5580-40 failover pair in active-standby mode
-- 8.4.3.3

Workaround:
-- unknown
-- could try disabling ''asdm history enable'' or ''threat-detection stat tcp-intercept''

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(3.3)
Known Fixed Releases:
Bug Id:
CSCui51199
Title:
Cisco ASA Clientless SSL VPN Rewriter Denial of Service
Description:

Symptom:
ASA reload with traceback in Unicorn Proxy

Conditions:
- WebVPN is enabled on more than one interface
- same-security-traffic permit intra-interface and management-access commands are configured

This affects the 9.0 and 9.1 trains.

Workaround:
There is a workaround using a webvpn filter to block the clientless users from accessing https on the inside interface:

Here's an example that QA tested:

Using this ACL:
access-list deny_pub_priv webtype deny url https://93.124.22.2 (where 93.124.22.2 is the asa private ip address)

And this in the group policy:

group-policy WebVPN1 attributes
webvpn
filter value deny_pub_priv

Now when you browse to that address you get a message that states "access to this resource has been denied" and NO crash!

Then we can see the ACL is working by looking at the hit count, as seen here (show access-list):
access-list deny_pub_priv line 1 webtype deny url https://93.124.22.2 (hitcnt=3)

Further Problem Description:
A vulnerability in the Clientless SSL VPN feature of Cisco ASA Software could allow an authenticated, remote attacker to cause the reload of an affected system.

The vulnerability is due to a stack overflow while browsing internal resources via the Clientless SSL VPN portal when the same-security-traffic permit intra-interface and management-access commands are configured. An attacker could exploit this vulnerability by accessing a crafted URL through the SSL VPN portal. An exploit could allow the attacker to reload the affected system and create a denial of service condition.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5551 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5551

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
9.0(2), 9.0(3), 9.1(2), 9.1(3)
Known Fixed Releases:
100.10(0.24), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.47), 100.8(40.32), 100.8(45.6), 100.8(46.11), 100.8(51.1), 100.9(10.12)
Bug Id:
CSCuc74589
Title:
RADIUS implementation should conform to RFC
Description:

Symptoms:
This bug addresses an enhancement to the RADIUS implementation to better conform to RFC 2865.

Conditions:
Device configured with default configuration.

Workaround:
Not applicable or available.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:U/RC:C
CVE ID CVE-2012-5724 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4
Known Fixed Releases:
100.7(13.106), 100.7(6.104), 100.8(0.244), 100.8(11.48), 100.8(27.20), 100.8(33.29), 100.8(34.1), 100.8(38.1), 100.8(39.2), 100.9(0.6)
Bug Id:
CSCun10916
Title:
Cisco ASA SCH Digital Certificate Validation Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.0/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2014-3394 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.10(9.6), 100.11(2.1), 100.11(4.1), 100.7(6.130), 100.8(38.126), 100.8(40.63), 100.8(56.31), 100.8(63.2), 100.8(64.5), 100.8(65.4)
Bug Id:
CSCuc83323
Title:
XSS in SSLVPN
Description:

Symptoms:
The ASA does not properly perform input validation on some WebVPN pages. This may allow an unauthenticated attacker to perform cross-site scripting attacks using these pages.
Conditions:
None.
Workaround:
None.
Further Problem Description:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C
CVE-2011-5752 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.6(1)
Known Fixed Releases:
100.7(13.106), 100.7(6.104), 100.8(0.244), 100.8(11.48), 100.8(27.20), 100.8(33.29), 100.8(34.1), 100.8(38.1), 100.8(39.2), 100.9(0.6)
Bug Id:
CSCsr32004
Title:
ASA may crash after processing certain malformed EIGRP packets
Description:

Symptom:
ASA may reload after receiving certain EIGRP packets.

Conditions:
Cisco ASA configured for EIGRP routing.

Note: EIGRP support was initially introduced in Cisco ASA Version 8.0(2).

Workarounds:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0, 8.0(2), 8.0(3), 8.0(3.19), 8.0(3.31), 8.1
Known Fixed Releases:
8.0(4.5), 8.0(5), 8.1(1.100), 8.1(101.8), 8.2(0.149)
Bug Id:
CSCuj33496
Title:
Cisco ASA ASDM Privilege Escalation Vulnerability
Description:



Symptoms:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA ASDM Privilege Escalation Vulnerability
Cisco ASA SSL VPN Privilege Escalation Vulnerability
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Cisco ASA SIP Denial of Service Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.

Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the internal network via SSL VPN.

Successful exploitation of the Cisco ASA SIP Denial of Service Vulnerability may cause the exhaustion of available memory. This may cause system instability and in some cases lead to a reload of the affected system, creating a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available that mitigate some of the vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory
Further Problem Description:
See published Cisco Security Advisory
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.5/7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-2126 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(6), 8.4(6.1), 8.4(6.2), 8.4(6.3), 8.4(6.4), 8.4(6.5), 8.4(6.6), 8.4(7), 9.1(3)
Known Fixed Releases:
100.10(0.22), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(13.117), 100.7(6.124), 100.8(38.47), 100.8(40.31), 100.8(45.5), 100.8(46.11)
Bug Id:
CSCsx32675
Title:
Crafted H323 packet may cause ASA to reload
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:

* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability

Workarounds are available for some of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(0.203)
Known Fixed Releases:
7.0(8.6), 7.1(2.81), 7.2(4.26), 8.0(4.24), 8.1(2.14), 8.2(0.208), 8.2(0.209), 8.2(4)
Bug Id:
CSCuh19462
Title:
ASA 9.1.2 - Memory corruptions in ctm hardware crypto code.
Description:

Symptoms:
ASA may crash during certificate processing under heavy traffic load
Conditions:
ASA running version 9.1.2 on an SMP platform
Workaround:
None known
Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
CVE ID CVE-2013-3458 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3458

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases:
100.8(27.84), 100.8(38.23), 100.8(40.13), 100.8(41.2), 100.8(60.30), 9.0(2.105), 9.0(3), 9.1(2.5), 9.1(2.99), 9.1(3)
Bug Id:
CSCum98738
Title:
ASA 9.1.3 Threat Detection adds and removes shun ignoring timeout
Description:

Symptom:
Threat Detection adds and immediately removes shun ignoring timeout

Conditions:
Threat Detection scanning-threat shun is enabled

Workaround:
No known workaround

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:
Bug Id:
CSCtr47517
Title:
Protocol-Independent Multicast Denial of Service Vulnerability
Description:

Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) are affected by the following vulnerabilities:

Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
Cisco ASA Threat Detection Denial of Service Vulnerability
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
Protocol-Independent Multicast Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate some of the vulnerabilities.
This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

Note: this bug (CSCtr47517) corresponds to

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
100.7(13.24), 100.7(14.13), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(8.34), 100.7(9.57), 100.8(0.19), 100.8(0.31), 100.8(10.25)
Bug Id:
CSCtf20269
Title:
1550 block exhaustion due to EIGRP multicast storm
Description:

Symptom:
Following a storm of EIGRP traffic on the network, 1550 blocks on the ASA may become exhausted and never recover.

Conditions:
EIGRP must be enabled on the interface where the storm took place.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2010-4672 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(1.11), 8.2(2)
Known Fixed Releases:
Bug Id:
CSCsz90342
Title:
Malformed SIP packets may cause memory leak
Description:

Symptom:
Malformed TCP packets destined to a host behind the ASA over port 5060 may cause a memory leak on the affected device. The device recovers after these packets are blocked or the attack is stopped.

Conditions:
Cisco ASA configured with TCP proxy for SIP.

Workaround:
None

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.3(0.28), 100.4(0.27), 8.2(1.110), 8.2(2), 8.2(2.99), 8.2(4), 8.3(0.12), 8.3(1)
Bug Id:
CSCtd32627
Title:
mutated SSLv3 (record client alert type) causes ASA to traceback
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.3(0.2)
Known Fixed Releases:
100.7(2.1), 7.2(4.100), 8.0(5.15), 8.1(2.44), 8.2(2.10), 8.2(2.99), 8.2(4), 8.3(0.12), 8.4(1)
Bug Id:
CSCtr04553
Title:
Traceback while cleaning up portlist w/ clear conf all or write standby
Description:

Symptom:

Scenario 1:
ASA traceback with ''clear config all''
Scenario 2:
Standby ASA occasionally crashes when ''write standby'' is issued on the active unit.

Conditions:

Scenario 1:
- memory delayed-free-poisoner is enabled
- call-home is configured to send messages to email addresses
Scenario 2:
- Active/Standby Failover
- Smart Call Home is not configured.
- DFP is not enabled on the standby unit.

Workaround:
No workaround

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 1.5/1.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.8(2.22), 8.2(5.5), 8.4(3), 8.4(4.8), 8.6(1.2)
Known Fixed Releases:
100.7(13.111), 100.7(6.108), 100.8(27.63), 100.8(50.24), 100.9(0.24), 100.9(4.1), 100.9(7.1), 100.9(8.1), 100.9(9.1), 8.2(5.39)
Bug Id:
CSCsx72410
Title:
Traceback in thread name Dispatch Unit
Description:

Symptom:
Cisco ASA may crash in thread name Dispatch Unit in very rare occasions when using AnyConnect.

Workaround:
Upgrade to version with fix.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4), 8.0(4.22)
Known Fixed Releases:
8.0(4.161), 8.0(4.29), 8.1(2.165), 8.1(2.20), 8.2(0.237), 8.2(0.253), 8.2(0.254), 8.2(4)
Bug Id:
CSCub98434
Title:
ASA - SQL*Net Inspection Engine Denial of Service Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5508 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Symptom:

Conditions:

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5.26)
Known Fixed Releases:
100.7(13.111), 100.7(6.114), 100.8(27.63), 100.8(60.3), 100.9(0.37), 100.9(4.5), 100.9(6.12), 100.9(7.9), 7.2(5.11), 8.2(5.43)
Bug Id:
CSCsu86109
Title:
Invalid SPI on VPN connection causes 0-byte block leak
Description:

Symptom:
ESP packets with invalid SPIs may cause IPSec connections to fail.

Conditions:
Cisco ASA configured for site-to-site or remote access IPSec VPNs.

Workarounds:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.1(1.8)
Known Fixed Releases:
8.1(1.109), 8.2(0.163), 8.2(1)
Bug Id:
CSCug84623
Title:
ASA DMA memory leak due to SSL negotiations
Description:

Symptoms:
A vulnerability in the handling of SSL handshakes by the Cisco Adaptive Security Appliance could allow an unauthenticated, remote attacker to cause gradual memory depletion on the ASA.

The vulnerability is due to the improper handling of incomplete SSL handshakes. An attacker could exploit this vulnerability by sending a high volume of maliciously crafted SSL handshake messages. An exploit could allow the attacker to gradually deplete the memory of the ASA, degrading its performance.
Conditions:
Running an affected software version. Any feature allowing an SSL connection to the device could be leveraged for the attack.
Workaround:
Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:OF/RC:C
CVE ID CVE-2013-6697 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(5), 8.4(6), 9.0, 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(6.118), 100.8(27.83), 100.8(38.16), 100.8(40.6), 100.8(41.2), 100.8(60.11), 100.9(0.45), 100.9(10.1), 100.9(6.22)
Bug Id:
CSCup54184
Title:
Cisco ASA SharePoint RAMFS Integrity and Lua Injection Vulnerability
Description:

Symptoms:
A vulnerability in the SSL VPN code of Cisco ASA Software could allow an authenticated, remote attacker to overwrite arbitrary files present on the RAMFS file system or inject Lua scripts.

The vulnerability is due to insufficient validation in the code that handles session information of the SSL VPN when a SharePoint handler is created. A SharePoint handler is created when a valid SharePoint connection is initiated. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected system. The SSL VPN feature needs to be configured for the system to be vulnerable.

An exploit could allow the attacker to overwrite arbitrary files on the RAMFS cache or inject Lua scripts. As a result, an attacker could cause a denial of service to the Clientless SSL VPN portal or potentially cause the reload of the system.

This vulnerability was reported to Cisco by Alec STUART-MUIRK.

Conditions:
SSL VPN should be configured on the system. Additionally, a SharePoint handler needs to be present in order to exploit this issue.

Workaround:
none


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2014-3399 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3399

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(1.28), 8.6(0), 8.7(1), 9.0(3), 9.2(1), 9.3(1)
Known Fixed Releases:
100.11(0.34), 100.11(5.44), 100.11(6.5), 100.12(0.17), 100.12(1.11), 100.12(10.1), 100.12(12.4), 100.12(13.10), 100.12(15.4), 100.12(16.9)
Bug Id:
CSCtr63728
Title:
SIP Inspection Media Update Denial of Service Vulnerability
Description:

Symptom:
Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.


Conditions:
See PSIRT Security Advisory.


Workaround:
See PSIRT Security Advisory.

Further Problem Description:
See PSIRT Security Advisory.

PSIRT Evaluation:

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities listed above.
A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5), 8.4(2)
Known Fixed Releases:
100.7(13.33), 100.7(14.23), 100.7(18.2), 100.7(6.44), 100.7(8.34), 100.8(0.28), 100.8(10.40), 100.8(15.7), 100.8(19.16), 100.8(2.16)
Bug Id:
CSCsi80155
Title:
SSL memory leak found during batch test of malformed HTTP messages
Description:


Summary:
A suspected memory leak was found when running a high rate of HTTPS packets against Cisco ASA software version 7.2(2.20). The issue does not appear to occur in 8.x images.

The show memory command can be used to collect memory utilization statistics, as in the following example:
ASA# show memory
Free memory: 165005000 bytes (61%)
Used memory: 103430456 bytes (39%)
------------- ----------------
Total memory: 268435456 bytes (100%)

The show memory detail command can be used to obtain detailed memory information.


Workaround:
Only allow HTTPS connections to the Cisco ASA from trusted hosts.

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
7.2(2.20)
Known Fixed Releases:
Bug Id:
CSCua27134
Title:
Traceback in Thread Name: Dispatch Unit
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) and Cisco Catalyst 6500 Series ASA Services Module (Cisco ASASM) contain a
vulnerability that may allow an unauthenticated, remote attacker to cause the reload of the affected device.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-asaipv6

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-3058 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(3), 8.4(3.9), 8.4(4)
Known Fixed Releases:
100.7(13.84), 100.7(21.9), 100.7(23.1), 100.7(6.83), 100.8(0.170), 100.8(11.26), 100.8(27.19), 100.8(33.10), 100.8(34.1), 100.8(35.1)
Bug Id:
CSCsm77958
Title:
ASA may crash while processing PPPoE and SSL VPN transactions
Description:

Symptom:
When a clientless SSL VPN client attempts to connect to the ASA,
the ASA crashes with thread name: IP Thread, followed by the output below:

assertion "t->stack[0] == STKINIT" failed: file "thread.c", line 709

Condition:
- A clientless WebVPN user attempts to establish an SSL VPN session.

Workaround:
None at this point

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(2), 8.0(3)
Known Fixed Releases:
7.0(7.12), 7.1(2.70), 7.2(3.21), 7.2(4), 8.0(3.10), 8.1(1.2), 8.2(0.100)
Bug Id:
CSCub75522
Title:
ASA TFW sends broadcast arp traffic to all interfaces in the context
Description:

Symptom:
An Adaptive Security Appliance (ASA) allows certain traffic to traverse all the interfaces in a context.
Conditions:
Multiple context ASA
ASA in Transparent Mode
First found in ASA code 8.4.3(11) but may affect previous versions.
Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/2.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(3.11)
Known Fixed Releases:
100.7(13.99), 100.7(24.2), 100.7(6.96), 100.8(0.237), 100.8(11.39), 100.8(27.20), 100.8(33.23), 100.8(34.1), 100.8(38.1), 100.8(39.1)
Bug Id:
CSCsr65901
Title:
ASA reloads under heavy SIP traffic
Description:

Symptom:

ASA reloads

Conditions:

Fairly heavy SIP load placed on ASA. In this case, 2000 SUBSCRIBEs at roughly
20 SIP messages a second.

Workaround:

none.

Further Problem Description:

none

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(0.34)
Known Fixed Releases:
8.0(3.39), 8.1(1.100), 8.1(101.6), 8.2(0.143)
Bug Id:
CSCsq91277
Title:
ACL Misbehavior in Cisco ASA
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:

* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability

Workarounds are available for some of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(0.4), 8.0(103.25), 8.0(3.19), 8.0(4), 8.0(4.3)
Known Fixed Releases:
7.0(8.1), 7.1(2.74), 7.2(4.9), 8.0(4.5), 8.0(5)
Bug Id:
CSCsx23387
Title:
Recoverable crash condition within aware http server
Description:

Symptom:
Crafted HTTP packets may drive CPU utilization to 100%.

Conditions:
WebVPN must be enabled.

Workaround:
None.

Further Problem Description:
None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 7.2(4.100), 8.0(4.25), 8.0(5), 8.1(2.15), 8.2(0.212), 8.2(4)
Bug Id:
CSCsu90653
Title:
ASA: Disabling Isakmp User Auth Causes Webvpn Authentication to Fail
Description:

Symptom:

If a tunnel-group with LDAP authentication and authorization is configured for WebVPN and IPsec, and the
ipsec-attributes have

isakmp ikev1-user-authentication none

configured, the LDAP process receives a type 0 request. This bypasses authentication and allows anyone with
a valid username to access WebVPN even if the password is incorrect.

Conditions:

A tunnel-group with LDAP authentication and authorization is configured for WebVPN and IPsec, and the
ipsec-attributes have

isakmp ikev1-user-authentication none

Workaround:

none

Further Problem Description:


Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
7.2(4.17), 8.0(4.8), 8.0(5), 8.1(2.2), 8.2(0.165), 8.2(1)
Bug Id:
CSCsz77717
Title:
TCP sessions remain in CLOSEWAIT indefinitely
Description:

Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.


Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0(4), 8.0(4.32)
Known Fixed Releases:
8.0(4.161), 8.0(4.38), 8.0(5), 8.1(2.165), 8.1(2.29), 8.2(1.5), 8.2(4), 8.3(0.0)
Bug Id:
CSCuc11186
Title:
ARP: Proxy IP traffic is hijacked.
Description:

Symptoms:
In certain conditions, ASA doesn't check the source of the ARP request or GARP packets for addresses it performs NAT translation for.
Proxy-arp cache may thus get polluted and cause traffic hijacking for addresses ASA does NAT for.
Conditions:
Configured NAT on the ASA for which it performs proxy-arp.
Workaround:
None
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.8/4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:P/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-5010 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(4)
Known Fixed Releases:
Bug Id:
CSCub27414
Title:
ASA transparent mode drops traffic under high amount of icmp traffic
Description:

Symptoms:
Cisco ASA running in transparent mode contains a vulnerability that could allow an unauthenticated remote attacker to cause a partial Denial of
Service (DoS).
Under a heavy flow of ICMPv4 or ICMPv6 packets towards unknown L2 destinations, CPU utilization of an ASA in transparent mode may go high and
cause other production traffic to drop.
Conditions:
Certain ICMPv4 and ICMPv6 traffic may cause a partial Denial of Service on the Cisco ASA. A large number of Syslog messages ID 313005 will be
produced during this time.
Workaround:
None
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-5423 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(4.1)
Known Fixed Releases:
Bug Id:
CSCup34515
Title:
ASA WebVPN login button not present in portal
Description:

Symptom:
On ASA 8.2.5.49 there is no login button in the web portal.

Conditions:
ASA 8.2.5.49

Workaround:
downgrade to 8.2.5.48

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
8.2(5.50)
Bug Id:
CSCug91577
Title:
ASA 9.1.1.7 crash Thread Name: Unicorn Proxy Thread
Description:

Symptom:
A vulnerability in the WebVPN functionality of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, remote attacker to cause an
affected device to crash.

The vulnerability is due to a fault in the Proxy Bypass Content Rewriter implementation. An attacker could exploit this vulnerability by
performing an HTTP request that triggers content rewriting. Depending on the configuration, a successful exploit could allow the attacker to
cause the appliance to crash or trigger an error recovery event.

When the ASA crashes it will be on Thread Name: Unicorn Proxy Thread

Conditions:
Using webvpn with content rewrite configuration

Workaround:
If WebVPN error recovery is enabled, the ASA does not crash but logs a WebVPN recovery event instead. Workaround configuration:

webvpn
no error-recovery disable

Further Problem Description:
This vulnerability does not affect 8.x software versions.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVE ID CVE-2013-5557 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(1.7)
Known Fixed Releases:
100.10(0.6), 100.8(27.84), 100.8(38.18), 100.8(40.8), 100.8(41.2), 100.8(60.18), 100.9(0.48), 100.9(10.1), 100.9(6.28), 100.9(7.26)
Bug Id:
CSCuf07393
Title:
ASA assert traceback during xlate replication in a failover setup
Description:

Symptom:
An ASA firewall running in STANDBY as part of an Active/Standby or Active/Active high availability
configuration may crash citing an assert in thread name DATAPATH-x-xxxx.

Conditions:
The crash is seen in rare circumstances on a standby firewall or a firewall in an Active/Active high
availability configuration where some contexts are STANDBY on that firewall.

Workaround:
None at this time. In order to reduce the impact of crashes in an Active/Active failover configuration,
you might want to move both ACTIVE failover groups to one ASA.

More Info:

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for
another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(1), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.8(27.83), 100.8(38.16), 100.8(40.6), 100.8(41.2), 100.8(60.12), 100.9(0.45), 100.9(10.1), 100.9(6.27), 100.9(7.23)
Bug Id:
CSCud00451
Title:
L2 learning/ARP DOS attack possible
Description:

Symptoms:
Cisco ASA running in transparent mode contains a vulnerability that could allow an unauthenticated remote attacker to cause a partial Denial of
Service (DoS).
Under a heavy flow of ICMPv4 or ICMPv6 packets towards unknown L2 destinations, CPU utilization of an ASA in transparent mode may go high and
cause other production traffic to drop.
Conditions:
Certain ICMPv4 and ICMPv6 traffic may cause a partial Denial of Service on the Cisco ASA. A large number of Syslog messages ID 313005 will be
produced during this time.
Workaround:
None
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-5423 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(4.1), 9.0(0.1)
Known Fixed Releases:
100.8(0.245), 100.8(11.45), 100.8(27.20), 100.8(34.1), 100.8(38.3), 100.8(39.3), 100.9(0.6), 9.0(2.100), 9.0(3), 9.2(0.99)
Bug Id:
CSCua95979
Title:
ASA 8.2.5 Traceback: Thread Name: UserFromCert Thread
Description:

Symptom:

ASA 5520 running 8.2.5 crashed suddenly.

Conditions:

Workaround:

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
1 Catastrophic
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
Bug Id:
CSCuc65775
Title:
ASA CIFS UNC Input Validation Issue
Description:

Symptoms:
The Cisco Adaptive Security Appliance (ASA) is susceptible to an input validation issue which can result in a crash of the ASA.

Conditions:
ASA running an affected release of software.

Workaround:
None.

Further Problem Description:
The potential for the issue to occur is present when a user authenticated through WebVPN attempts to access a shared directory using the browse
network interface.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2012-6395 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4
Known Fixed Releases:
100.7(13.111), 100.7(6.109), 100.8(27.63), 100.8(50.32), 100.9(0.33), 100.9(4.2), 100.9(6.4), 100.9(7.9), 100.9(8.1), 8.2(5.43)
Bug Id:
CSCua91108
Title:
ASA unexpected system reboot with Thread Name: UserFromCert Thread
Description:

Symptom:

A vulnerability in VPN authentication code that handles parsing of the username from the certificate on the Cisco ASA firewall could allow an
unauthenticated, remote attacker to cause a reload of the affected device.

The vulnerability is due to a parallel processing of a large number of IKE requests for which username-from-cert is configured. An attacker could
exploit this vulnerability by sending a huge number of IKE requests when the affected device is configured with username-from-cert command. An
exploit could allow the attacker to cause a reload of the affected device, leading to a denial of service condition.

Conditions:
Certificate authentication with username-from-cert enabled.

Workaround:
There is no known workaround at this point.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
5.4/4.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVE ID CVE-2013-5544 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5544

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
100.7(13.97), 100.7(6.94), 100.8(0.232), 100.8(11.35), 100.8(27.19), 100.8(33.20), 100.8(34.1), 100.8(37.7), 100.8(39.1), 100.9(0.1)
Bug Id:
CSCuu25753
Title:
ASA SM traceback in DATAPATH, Page fault: Address not mapped
Description:

Symptom:
ASA SM 9.1(5) may traceback in DATAPATH, Page fault: Address not mapped.

Conditions:
ASA SM running 9.1(5)12, other versions may be affected as well.
The traceback is most likely caused by specific fragmented traffic.

Workaround:
no known workarounds

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(5.12)
Known Fixed Releases:
Bug Id:
CSCuj66766
Title:
TFTP Request for Unprovisioned Phone/Config Creates Race in sec_db
Description:

Symptom:
Due to a design limitation of the phone proxy feature of the Cisco Adaptive Security Appliance (ASA), it is possible for a race condition to
occur for entries in the phone proxy connection database. This could allow a malicious user to pass traffic from an untrusted phone through the ASA.

Conditions:
ASA configured for the phone proxy feature.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:C
CVE ID CVE-2014-0739 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0739

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:
Bug Id:
CSCtc96018
Title:
ASA watchdog when inspecting malformed SIP traffic
Description:

Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.


Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.0, 8.1, 8.2, 8.3(0.2)
Known Fixed Releases:
100.3(0.24), 7.2(4.45), 8.0(5.2), 8.1(2.37), 8.2(1.107), 8.2(1.16), 8.2(4), 8.3(0.8)
Bug Id:
CSCuj83344
Title:
ASA cifs share enumeration DOS vulnerability
Description:

Symptom:
A vulnerability in WebVPN CIFS access function of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, remote attacker to trigger a reload of the affected device.

Conditions:
ASA running version 9.0(3) with CIFS enabled to enumerate root share locations.

Workaround:
Specify the share directory in the bookmark to reduce the enumeration of multiple shares, i.e. cifs://

/share

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
CVE ID CVE-2013-6691 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6691

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.0(3)
Known Fixed Releases:
100.10(0.54), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.127), 100.8(38.83), 100.8(40.53), 100.8(46.59), 100.8(51.15), 100.8(56.1)
Bug Id:
CSCut42790
Title:
ASA 9.3(2)+ high CPU utilization due to _fini function
Description:

Symptom:
High CPU utilization on ASA.
Sometimes utilization keeps growing over time up to 100%.

Conditions:
ASA running software 9.3(2) or later with failover enabled.

Workaround:
The following workaround has been observed to bring CPU utilization down.

ASA(config)# no threat-detection basic-threat
ASA(config)# no threat-detection statistics

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Bug Id:
CSCur40249
Title:
L2L Test w/ DFP, SFR and debug SFR results in ASA becoming unresponsive
Description:

Symptom: An ASA firewall may exhibit elevated CPU utilization under very low traffic rates.

'show process cpu-usage non-zero' shows most of the CPU usage is in the datapath as shown here:
uut19-5512# show processes cpu-usage non-zero
PC Thread 5Sec 1Min 5Min Process
0x00000000019649eb 0x00007fffee11d560 0.0% 0.2% 0.3% ssh
- - 95.4% 34.9% 38.5% DATAPATH-0-1451

Also, 'cpu hog granular-detection 1000 1' and 'show process cpu-hog' contain output similar to this:

Process: DATAPATH-0-1451, PROC_PC_TOTAL: 52, MAXHOG: 9284, LASTHOG: 2584
LASTHOG At: 23:41:21 UTC Apr 6 2015
PC: 0x0000000000000000 (suspend)

Process: DATAPATH-0-1451, NUMHOG: 51, MAXHOG: 9284, LASTHOG: 2584
LASTHOG At: 23:41:21 UTC Apr 6 2015
PC: 0x0000000000000000 (suspend)
Call stack: 0x00000000004381fa 0x000000000071cc3d 0x000000000171170d
0x000000000171aaac 0x000000371c808201

Interrupt based hog entry #1
Hog #1, traceback #1, at: 23:40:28 UTC Apr 6 2015, hog 9 ms
PC: 0x000000371c47a9b4
Call stack:
Hog #1, traceback #2, at: 23:40:28 UTC Apr 6 2015, hog 19 ms
PC: 0x000000371c47a9b0
Call stack:

Note there is no Call stack in the "Interrupt based hog entry", and the PC is in the 0x0000003700000000 range.


Conditions: Threat detection is enabled, or memory delayed-free-poisoner is enabled.

This issue affects 9.3.2.x code versions only. 9.3.3 contains the fix for this issue.

Workaround: Disable threat detection (it is enabled by default). This can be done by issuing the following commands in global configuration:
no threat-detection basic-threat
no threat-detection statistics

Also make sure the delayed-free-poisoner is not enabled (it is not enabled by default and should be enabled only under TAC supervision):
no memory delayed-free-poisoner enable

More Info:


Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
100.10(6.10), 100.12(0.77)
Known Fixed Releases:
100.12(0.104), 100.13(0.12), 100.13(1.19), 100.13(16.25), 100.13(19.7), 100.13(20.3), 100.13(21.3), 100.13(23.1), 9.3(2.99), 9.3(3)
Bug Id:
CSCum77083
Title:
traceback in Thread Name: IKEv2 Daemon
Description:

Symptom:
ASA reloads with Thread Name: IKEv2 Daemon

Conditions:
ASA running 9.1 or later code and configured to terminate IKEv2 connections.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
100.8(38.104)
Known Fixed Releases:
100.10(9.5), 100.11(4.1), 100.8(38.114), 100.8(40.60), 100.8(56.20), 100.8(62.2), 100.8(64.1), 100.8(65.3), 100.8(66.3), 100.8(67.1)
Bug Id:
CSCur05643
Title:
Cisco Adaptive Security Appliance (ASA) CVE-2014-6271 and CVE-2014-7169
Description:

Symptom:
The Cisco Adaptive Security Appliance (ASA) Software includes a version of bash that is affected by the vulnerabilities
identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-6271
CVE-2014-7169

This bug has been opened to address the potential impact on this product.

Conditions:
Devices with default configuration.

Workaround:
Not Available.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 7.5/7.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.1(2.7)
Known Fixed Releases:
Bug Id:
CSCuo19916
Title:
ASA - Cut Through Proxy sends empty redirect w/ Virtual HTTP and Telnet
Description:

Symptom:
When using cut-through-proxy, virtual http, and virtual telnet on an ASA, clients may receive 302
Moved responses for the redirect that contain no location. With some browsers (confirmed on
IE9), this behavior causes the client to continuously reset and restart the connection which results
in a DOS situation for the ASA and any associated syslogs servers due to thousands of
connection builds/teardowns within very short period of time.

Conditions:
1. Must be using cut-through-proxy on the ASA
2. Must have a virtual HTTP configured as the redirect destination IP in the authentication proxy
ACL
3. Must also have virtual telnet configured on the ASA with the same IP as virtual HTTP

Workaround:
1. Disable virtual telnet (host will still not get the login page but authentication will be successful)
2. Utilize the aaa authentication listener with the redirect keyword and trigger the authentication
based on regular HTTP traffic traversing the ASA and do not redirect to the virtual HTTP address
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.4(7), 9.1(2)
Known Fixed Releases:
100.10(0.95), 100.10(12.8), 100.10(17.1), 100.10(2.18), 100.10(6.0.40), 100.10(7.8), 100.11(2.4), 100.11(3.3), 100.11(5.3), 100.11(6.1)
Bug Id:
CSCta62631
Title:
H323 inspection fails when multiple TPKT messages in IP packet
Description:

Symptom:
When H323 traffic is traversing the ASA, and if that H323 traffic has IP packets that contain multiple TPKT messages, the firewall might fail to correctly process the H323 information and perform the necessary inspections. One symptom might be that internal IP addresses in the payload of the TCP packets are not correctly "fixed-up" by the firewall if they are subjected to address translation on the firewall.

Conditions:
All of the following conditions must be met to hit this problem:
1) H323 traffic must traverse the firewall, and the IP packets in these flows must contain more than one TPKT message per IP packet.
2) The H323 inspection must be enabled on the firewall.

Workaround:
Remove the H323 inspection with the command 'no inspect h323' in the policy applied to the firewall, open the access-lists to allow the necessary audio streams, and ensure the H323 endpoints are not subjected to NAT by the firewall.

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.0(4), 8.0(4.34), 8.2(1)
Known Fixed Releases:
8.0(4.41), 8.0(4.42), 8.0(5), 8.1(2.32), 8.1(2.33), 8.2(1.6), 8.2(4), 8.3(0.0)
Bug Id:
CSCup22532
Title:
Multiple Vulnerabilities in OpenSSL - June 2014
Description:

Symptom:
The following Cisco products

Cisco Adaptive Security Appliance (ASA) Software v8.0 and later, including:
8.0.2 - 8.0.5.39,
8.1.1 - 8.1.2.56,
8.2.1 - 8.2.5.49,
8.3.1 - 8.3.2.40,
8.4.1 - 8.4.7.20,
8.5.1 - 8.5.1.20,
8.6.1 - 8.6.1.13,
8.7.1 - 8.7.1.11,
9.0.1 - 9.0.4.13,
9.1.1 - 9.1.5.7, and
9.2.1

include a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-0195 - DTLS invalid fragment vulnerability
CVE-2014-0224 - SSL/TLS MITM vulnerability

This bug has been opened to address the potential impact on this product.

Cisco has analyzed the following vulnerabilities and concluded that the previously listed products are not impacted:

CVE-2010-5298 - SSL_MODE_RELEASE_BUFFERS session injection or denial of service
CVE-2014-0076 - Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
CVE-2014-0198 - SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-3470 - Anonymous ECDH denial of service

Conditions:
The Cisco Adaptive Security Appliance (ASA) running software v9.2.1 is vulnerable to CVE-2014-0195 - DTLS invalid fragment vulnerability when SSLVPN is enabled and configured to use DTLS. Previous ASA software releases are NOT affected by this vulnerability.

The Cisco Adaptive Security Appliance (ASA) running software v8.0 and later is vulnerable to CVE-2014-0224 - SSL/TLS MITM vulnerability when using the following configurations:

* When SSLVPN is enabled and configured to allow clientless VPN tunnels, OR
* When TLS-proxy is configured (either stand-alone or in conjunction with the phone proxy feature), OR
* When the ASA is configured to join an Active Directory domain using the 'kcd-server' command.

When the ASA is acting as a server (or listener) it is not vulnerable. However, since no tools are available to test the client side, Cisco assumes the ASA could be vulnerable when acting as a client. For exploitation, the ASA must be acting as a client connecting to a server that has the SSL vulnerability, and the MITM attacker must be on the network path between the ASA and the server.

Note that "WebVPN" and "SSLVPN" are synonymous.

Workaround:
CVE-2014-0195: This vulnerability impacts only DTLS connectivity on 9.2.1 and later.

1. Disable DTLS connectivity to the ASA by changing all of the WebVPN-enabled interfaces to include 'tls-only'.

asa(config)# webvpn
asa(config-webvpn)# enable outside tls-only
INFO: WebVPN is enabled on 'outside', DTLS is disabled on 'outside'.


CVE-2014-0224: This defect impacts SSL connectivity in certain circumstances.

1. Disable SSLVPN clientless connectivity by removing all 'vpn-tunnel-protocol' commands with 'ssl-clientless' from your group-policies.

asa(config)# group-policy my_policy attributes
asa(config-group-policy)# no vpn-tunnel-protocol ssl-clientless
asa(config-group-policy)# show run group-policy
group-policy my_policy internal
group-policy my_policy attributes
vpn-tunnel-protocol ssl-client

2. Disable TLS-proxy by removing any 'tls-proxy' commands and associated 'policy-map' commands. For instance, if you had an incoming and outgoing proxy, like:

tls-proxy my_proxy_out
server trust-point foreign_trust
client trust-point local_trust
client cipher-suite 3des-sha1 null-sha1 aes128-sha1 aes256-sha1 rc4-sha1
!
tls-proxy my_proxy_in
server trust-point local_trust
client trust-point foreign_trust
client ciphe

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.0, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2(1)
Known Fixed Releases:
100.11(0.18), 100.11(0.21), 100.11(5.25), 100.11(5.28), 100.11(6.1), 100.12(10.4), 100.12(12.1), 100.12(13.6), 100.12(15.2), 100.12(2.10)
Bug Id:
CSCur45455
Title:
ASA crashes in DHCPv6 Relay agent functionality
Description:

Symptoms:
ASA may crash in thread name DHCPv6 Relay

Conditions:
This can be triggered by a malformed DHCPv6 packet when DHCPv6 relay is configured.
To verify whether the feature is configured, use 'show run ipv6 dhcprelay' and confirm that it is enabled on at least one interface.
The following example shows the DHCPv6 relay feature enabled on the outside interface:

asa#show run ipv6 dhcprelay
ipv6 dhcprelay enable outside

Workaround:
Further Problem Description:
A vulnerability in the DHCP relay function of Cisco ASA Software could allow an unauthenticated, adjacent attacker to cause a reload of the affected system.

The vulnerability is due to insufficient validation of crafted DHCP packets. Only Cisco ASA devices configured as DHCP version 6 relays are affected by this vulnerability. An attacker could exploit this vulnerability by sending crafted DHCPv6 packets through the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.7/4.7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2015-0578 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0578

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.11(0.54), 100.12(0.103), 100.12(24.5), 100.12(30.2), 100.13(0.12), 100.13(1.13), 100.13(11.23), 100.13(16.22), 100.13(19.6), 100.13(20.3)
Bug Id:
CSCua85555
Title:
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Description:

Symptoms:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA ASDM Privilege Escalation Vulnerability
Cisco ASA SSL VPN Privilege Escalation Vulnerability
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Cisco ASA SIP Denial of Service Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may
allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.

Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the
internal network via SSL VPN.

Successful exploitation of the Cisco ASA SIP Denial of Service Vulnerability may cause the exhaustion of available memory. This may cause system
instability and in some cases lead to a reload of the affected system, creating a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for
some of the vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory
Further Problem Description:
See published Cisco Security Advisory
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2014-2128 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
27-MAY-2015
Known Affected Releases:
8.2
Known Fixed Releases:
100.10(0.26), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(13.117), 100.7(6.123), 100.8(38.43), 100.8(40.27), 100.8(45.4), 100.8(46.5)
Bug Id:
CSCus53692
Title:
ASA traceback in Thread Name: fover_parse
Description:

Symptom:
ASA may generate a traceback during failover synchronization in thread name fover_parse.

Conditions:
This issue has been seen on ASA 5500-X running 9.1(3); other versions may also be affected. The WCCP ACL is configured with a user, user group, or fully qualified domain name object, which is not supported.

Workaround:
Remove ACL with users, user group, or a fully qualified domain name object from WCCP configuration.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:
100.11(0.57), 100.12(0.116), 100.13(0.51), 100.13(21.8), 100.14(0.3), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.8), 100.14(26.3)
Bug Id:
CSCua24960
Title:
Traceback in CP Midpath Processing - SSL DHE cipher
Description:

Symptom:

Upgrade to 8.4.4 causes a traceback in a failover pair of 5585s.

Conditions:

Upgrade from 8.3.4

Workaround:

none at this time

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.4(4)
Known Fixed Releases:
100.7(23.1), 100.7(6.83), 100.8(34.1), 8.4(4.2), 8.4(4.99), 8.4(5)
Bug Id:
CSCul46582
Title:
ASA: Out of order Fin packet leaves connection half closed
Description:

Symptom:
During session close, the ASA receives out-of-order FIN packets from one host and keeps the connection as half-closed.

Conditions:
The ASA receives the out-of-order FIN packet from only one host (in this case the client):
Server Client

--> (SEQ=407)(ACK=1453)(CTL=FIN,ACK) -->
<-- (SEQ=1454)(ACK=408)(CTL=ACK) <--
<-- (SEQ=1453)(ACK=407)(CTL=FIN,ACK) <--
--> (SEQ=408)(ACK=1454)(CTL=ACK) -->


During the recreation I manually changed the sequence:
Server Client

--> (SEQ=407)(ACK=1453)(CTL=FIN,ACK) -->
<-- (SEQ=1453)(ACK=407)(CTL=FIN,ACK) <--
<-- (SEQ=1454)(ACK=408)(CTL=ACK) <--
--> (SEQ=408)(ACK=1454)(CTL=ACK) -->


Then the connection is torn down normally.

Workaround:
Configure TCP state bypass for the affected traffic.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.5(1.16), 9.1(3)
Known Fixed Releases:
100.10(0.63), 100.10(2.4), 100.10(3.1), 100.10(9.1), 100.8(40.56), 9.0(4.1), 9.0(4.141), 9.1(4.1), 9.1(4.115), 9.1(5)
Bug Id:
CSCut28217
Title:
Active ASA in failover setup reboots on its own
Description:

Symptom:
Active ASA in failover setup reboots on its own.

Conditions:
Active ASA in failover setup reboots on its own.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
9.0(4)
Known Fixed Releases:
100.11(0.58), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.21)
Bug Id:
CSCur64659
Title:
ASA Traceback in Thread Name: DATAPATH-6-2544
Description:

Symptom:
ASA Traceback in Thread Name: DATAPATH-6-2544

Conditions:
ASA 5585

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.4(7.23), 9.1(5.19)
Known Fixed Releases:
100.11(0.54), 100.12(0.98), 100.12(23.4), 100.12(24.3), 100.13(0.11), 100.13(1.5), 100.13(11.19), 100.13(12.41), 100.13(16.18), 100.13(18.7)
Bug Id:
CSCus56590
Title:
ASA - Traceback in Thread Name: fover_parse
Description:

Symptom:
The standby ASA enters a boot loop after attempting to replicate the configuration from the active member, generating a traceback in thread name fover_parse.

The standby ASA finishes the bulk sync in failover but never sends the "sync config finished" message to the active unit; this is the point at which it reloads.

Conditions:
ASA with failover

Versions : 9.3.2 and 9.4.1

Workaround:
Move to version 9.3.1 or 9.3.2.104.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases:
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.11), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Bug Id:
CSCuu01586
Title:
ASA sends ARP when reverse DNS lookup request is sent for BVI subnet
Description:

Symptom:
When the ASA operates in transparent mode, it generates an ARP request for any reverse DNS lookup IP that is in the same subnet as the BVI.

This happens only when DNS inspection is enabled.

Conditions:
- Transparent firewall

- DNS inspect enabled

- Reverse DNS query for any IP in BVI subnet.

Workaround:
- Disable the DNS inspect

- Static arp binding to avoid the ARP requests.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Bug Id:
CSCuc94818
Title:
Management session processes may hang due to environment monitoring
Description:

Symptom:

CLI sessions may hang on running "show environment" command. Home page of ASDM may display "lost connection to firewall".

Conditions:

First seen on multi-core ASA platforms running 8.4(4)9.

Workaround:

Reload the ASA.

Status:
Other
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.4(4.9)
Known Fixed Releases:
Bug Id:
CSCuu28909
Title:
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel
Description:

Symptom:
In an ASA cluster a packet loop may form on the cluster control link when an ICMP error packet should be sent through a site-to-site VPN tunnel. Such a packet may loop and cause elevated CPU utilization on the ASA.

Conditions:
+ASA cluster
+site to site VPN tunnel configured
+ICMP error packets destined to the VPN tunnel

Workaround:
+Deny ICMP errors using an access-list on the data interfaces

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
9.1(6.1), 9.4(1)
Known Fixed Releases:
100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9), 100.15(2.35)
Bug Id:
CSCus64082
Title:
ASA fails to sync objects with name ANY after upgrade from 8.4 to 9.x
Description:

Symptom:
The standby ASA fails to sync objects named ANY that are used in an ACE after a zero-downtime upgrade from 8.4.x/8.6.x to 9.x.

The following errors are seen on the console during configuration replication:
ERROR: specified object does not exist
ERROR: object () does not exist.

Because of the missing configuration, the standby ASA may enter a boot loop.

Conditions:
ASA configured with object name ANY and that object is used in an access-list.

object network ANY
subnet 0.0.0.0 0.0.0.0

access-list outside-in extended permit tcp object ANY host

Workaround:
1. Use any other object name apart from 'ANY'
2. Rather than using object name 'ANY' use keyword 'any' in ACL configuration
3. Upgrade both the ASAs at the same time

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
9.1(2), 9.1(5)
Known Fixed Releases:
100.11(0.56), 100.8(40.95), 9.0(4.31), 9.1(6.2), 9.2(3.101)
Bug Id:
CSCut18717
Title:
ASA - Standby traceback in Thread Name: fover_parse
Description:

Symptom:
Standby ASA traceback in thread name fover_parse during upgrade from 8.6.1.12 to 9.0.4.29, after the "Beginning configuration replication from mate" message.

Conditions:
ASA is A/S failover pair

Workaround:

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
9.0(4.29)
Known Fixed Releases:
Bug Id:
CSCub66513
Title:
Spyker "show environment" hang for top slot in a Spyker dual fw setup
Description:

Symptom:
CLI sessions may hang on running "show environment" command. Home page of ASDM may display "lost connection to firewall".

Conditions:
First seen on ASA 5585 with 2 firewall slots running 8.4(4)9.

Workaround:
Reload the ASA.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
100.7(6), 8.4(4.9)
Known Fixed Releases:
100.7(6.102), 100.8(27.63), 100.8(50.28), 100.9(0.31), 100.9(4.1), 100.9(6.3), 100.9(7.6), 100.9(8.1), 100.9(9.1), 8.4(4.99)
Bug Id:
CSCus51289
Title:
ASA: Traceback when removing manual NAT rule
Description:

Symptom:
ASA: Traceback when removing manual NAT rule

Conditions:
The user must be removing a manual NAT rule from the configuration with the following characteristics:

1. The destination portion of the rule must contain an object with a large range of addresses
and
2. The rule must contain a service object

An example rule that may trigger this crash is:

object network src
host 192.168.10.1
object network dest
range 10.0.0.0 10.255.255.255
object service port
service tcp source eq 80
nat (inside,outside) source static src src destination static dest dest service port port
no nat (inside,outside) source static src src destination static dest dest service port port

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.4(5), 9.1(6)
Known Fixed Releases:
100.11(0.55), 100.12(0.111), 100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1)
Bug Id:
CSCus11465
Title:
ASA teardown connection after receiving same direction fins
Description:

Symptom:
ASA version 9.2.2.4 or 9.3.1 tears down a TCP connection after receiving two FIN/ACK packets in the same direction.

Conditions:
ASA version 9.2.2.4 or 9.3.1
Two FIN/ACK packets received in the same direction

Workaround:
Use TCP state bypass for the affected traffic.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
9.2(2), 9.3(1)
Known Fixed Releases:
100.11(0.55), 100.12(0.111), 100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1)
Bug Id:
CSCut27332
Title:
ASA traceback in aaa_shim_thread
Description:

Symptom:
ASA traceback in aaa_shim_thread

Conditions:
ASA running 9.3.2
High load with AnyConnect 3.0 or newer
Heavy DAP or dynamic ACL usage with large aggregate ACLs
Failover configuration

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.16), 100.14(26.6), 100.14(3.5)
Bug Id:
CSCut56198
Title:
Clustering: Traceback in DATAPATH with transparent FW
Description:

Symptom:
ASA traceback occurred on one of the slave units in a 4 node cluster in the DATAPATH thread. Stack trace indicates that the ASA was doing a transparent firewall operation.

Conditions:
Cisco ASA running release 9.2.1.213 and configured as a cluster slave with multi-context configuration which included mixed-mode contexts.

Workaround:
None

Further Problem Description:
Please see Eng-note.

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
9.2(1.213), 9.3(2.108)
Known Fixed Releases:
100.11(0.57), 100.11(0.58), 100.12(0.120), 100.12(0.121), 100.13(0.61), 100.13(21.12), 100.13(21.13), 100.13(28.2), 100.14(0.7), 100.14(0.8)
Bug Id:
CSCtg28821
Title:
ASA: AAA Session limit [2048] reached when xauth is disabled for vpn
Description:

Symptom:

If there are more than 2048 IPsec remote access connections to an ASA 5550 without user authentication, VPN and SSH/Telnet connections may fail.

The following messages may appear in the ASA logs:

Apr 14 2010 15:48:08: %ASA-3-113001: Unable to open AAA session. Session limit [2048] reached
Apr 14 2010 15:48:08: %ASA-7-713906: Group = Banricompras, IP = 200.132.64.2, Failed opening authentication session!

Workaround:

Enable XAUTH, which will prompt the user for authentication credentials.

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.7(0.9), 7.2(5.16), 8.0(5.17), 8.1(2.45), 8.2(2.102), 8.2(2.13), 8.3(1.100), 8.3(1.3), 8.4(0.99), 8.4(1)
Bug Id:
CSCti43763
Title:
Management connection fail after multiple tries with SNMP connections.
Description:

Symptom:
Management connections may fail after multiple tries with SNMP connections in background.

Conditions:

This bug can be identified with "show asp table socket". If a management connection is in the CLOSEWAIT state, and "show counters protocol npshim" shows the pending connections counter incrementing for every management connection attempt, you are hitting this bug.

First found in the following scenario:
ASDM fails to load after multiple SNMP and HTTPS requests to the ASA.

Workaround:
Currently, only reloading the ASA resolves the issue.

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.0(5.20), 8.2(2), 8.2(3)
Known Fixed Releases:
100.5(5.43), 8.0(5.21), 8.1(2.49), 8.2(3.109), 8.2(3.6), 8.2(4), 8.3(2.7)
Bug Id:
CSCtg47237
Title:
ASA traceback under Nessus scanning
Description:

Symptom:
Crash under scan

Conditions:
ASA undergoing a scan by the Nessus network scanner.

Workaround:
None at the moment

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-MAY-2015
Known Affected Releases:
8.2(1.10)
Known Fixed Releases:
Bug Id:
CSCue18975
Title:
IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN
Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5507 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Symptom:

Conditions:

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
100.8(50.20), 100.9(7.14), 100.9(7.15), 9.1(1.4)
Known Fixed Releases:
100.8(27.63), 100.8(50.35), 100.9(0.35), 100.9(4.5), 100.9(6.10), 100.9(7.19), 100.9(8.1), 9.0(2.100), 9.0(2.2), 9.0(3)
Bug Id:
CSCus97061
Title:
ASA Cluster member traceback in DATAPATH
Description:

Symptom:
ASA crashed with DATAPATH thread.

Conditions:
-> ASA5585 units running Clustering
-> Release 9.2.3.2

Workaround:
-> The crash is not experienced when transit interfaces have their MTU set to 9198.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
9.2(3.2), 9.4(1)
Known Fixed Releases:
100.11(0.57), 100.12(0.120), 100.13(0.61), 100.13(21.12), 100.13(28.2), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.20)
Bug Id:
CSCts72188
Title:
ASA: SSH process may exist after being orphaned from SSH session
Description:

Symptom:
The SSH process may still be running even after the SSH session that spawned the SSH process has closed out on an ASA firewall. CPU spike may be
seen due to these stuck ssh processes.


Conditions:
This was identified on an ASA failover pair running 8.2.4(1)

Workaround:
Failover to the other unit. If this is not a failover pair then reload is the only other option.

Further Problem Description:
Gather the output of the following and open a TAC case.
sh proc | i ssh

ASA# sh proc | i ssh
Mwe 08c2e084 7214a764 7249a300 1 721489b0 7132/8192 listen/ssh
Mwe 08be148b 7181278c 09f8050c 5 718108f8 7312/8192 ssh/timer
Mrd 08899185 7262787c 09f81014 595408460 72620728 26900/32768 ssh
Mrd 08899185 726308cc 09f81014 572091828 72629778 26900/32768 ssh
Mrd 08899185 72750e94 09f81014 538272393 72749d40 26908/32768 ssh
Mrd 08899185 727769cc 09f81014 549586257 7276f878 26900/32768 ssh
Mrd 08899185 726e86fc 09f81014 526485007 726e15a8 26900/32768 ssh
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-5411 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-MAY-2015
Known Affected Releases:
8.2(4.1)
Known Fixed Releases:
100.7(13.73), 100.7(6.78), 100.8(0.128), 100.8(11.20), 100.8(27.7), 100.8(33.4), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.29)
Bug Id:
CSCuu29947
Title:
ASA: Traceback in Dispatch Unit
Description:

Symptom:
ASA running 8.4.7.23 generated a traceback in Dispatch Unit.

Conditions:
unknown at this point

Workaround:
N/A

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
8.4(7.23)
Known Fixed Releases:
Bug Id:
CSCuq57307
Title:
ASA 8.4 Memory leak due to duplicate entries in ASP table
Description:

Symptom:
The ASA may experience a memory leak each time a VPN tunnel is built and torn down.

Conditions:
The ASA must be configured with a QoS policy that matches on per-flow destination addresses for a particular tunnel-group. For example:

class-map vpn-class
match flow ip destination-address <<<<<<<<<<<<<
match tunnel-group 10.38.110.250
!
policy-map outside-policy
class vpn-class
police output 30000000

Workaround:
Temporarily disable the QoS policy

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases:
100.11(0.57), 100.11(0.58), 100.12(0.116), 100.12(0.121), 100.13(0.52), 100.13(0.63), 100.13(21.13), 100.13(21.9), 100.13(28.2), 100.14(0.4)
Bug Id:
CSCuu38315
Title:
ASA Cluster member traceback in DATAPATH
Description:

Symptom:
ASA 5585-20 cluster member running 9.4.1 traceback in DATAPATH

Conditions:
ASA 5585-20 running 9.4.1 in cluster mode.

Workaround:
No known workarounds.

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCui63001
Title:
ASA traceback in Thread Name: fover_parse during command replication
Description:

Symptom:
Under certain rare circumstances, an ASA may reload when trying to replicate commands to a failover peer.

The reload can occur on either the Active unit or Standby unit.

Conditions:
Failover must be enabled. The reload can occur during configuration replication while configuration changes are made. It can also affect units that are trying to save the configuration using the "write memory" or "write standby" commands.

Workaround:
None. This is a rare circumstance and will not occur consistently.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
100.8(46.4), 9.1(2.3)
Known Fixed Releases:
100.10(0.53), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.134), 100.8(38.83), 100.8(40.52), 100.8(46.59), 100.8(51.15), 100.8(56.1)
Bug Id:
CSCut97995
Title:
ASA: SIP inspection translates route hostname if it contains IP
Description:

Symptom:
ASA SIP inspection translates the route hostname field in a SIP ACK packet if it contains an IP address. For example, if route hostname =c192.168.40.71.31816.call.cgatepro, 192.168.40.71 will be translated according to the ASA NAT table; however, this field should not be modified by the ASA.

Conditions:
inspect SIP enabled on ASA

Workaround:
none

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases:
Bug Id:
CSCuu55258
Title:
ASA 9.4: very slow RX speed for SFR module
Description:

Symptom:
Low transfer speed from SFR module, causing failure when applying SFR policy.

Conditions:
Running ASA 9.4

Workaround:
Use ASA9.3 or 9.2 code.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.4, 9.4(1)
Known Fixed Releases:
Bug Id:
CSCuu54957
Title:
ASA: Traceback with Thread Name Checkheaps when object-group is modified
Description:

Symptom:
ASA 5515 running 9.1(3) may generate a traceback with Thread Name: Checkheaps when an object-group is modified.

Conditions:
Observed on ASA 5515 with CX module inline

Workaround:
none

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:
Bug Id:
CSCuu27334
Title:
ASA: Traceback with Thread Name - AAA
Description:

Symptom:
ASA device Traceback with Thread Name:- AAA

Conditions:
ASA device running ASA 9.1(4) version

Workaround:
NONE

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
Bug Id:
CSCus07980
Title:
ASA: Traceback in Dispatch Unit possibly due to block corruption
Description:

Symptom:
ASA may traceback in Dispatch Unit due to a possible block or block header corruption.

Conditions:
Seen on an ASA running 8.4(7)23, although other versions may be affected as well.

Workaround:
None

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
8.4(7.23)
Known Fixed Releases:
Bug Id:
CSCuu16987
Title:
ASA Traceback in spin_lock_fair_mode_enqueue: Lock (np_conn_shrlock_t)
Description:

Symptom:
ASA Traceback in DATAPATH thread name using logging functions.

Conditions:

Workaround:

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.2(2.4)
Known Fixed Releases:
Bug Id:
CSCsx64741
Title:
Page fault traceback in Thread Name: DATAPATH-X-XXX
Description:

Symptom:
The system sometimes crashes when a rate limiter is configured and packets in the flow contain multiple different DSCP values.

Conditions:
The system sometimes crashes when a rate limiter is configured and packets in the flow contain multiple different DSCP values.

Workaround:
Remove rate limiting (police) from the configuration.

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
28-MAY-2015
Known Affected Releases:
7.2(4), 7.2(4.30), 7.2(4.33), 8.0(4.16), 8.0(4.23), 8.2(0.210)
Known Fixed Releases:
100.3(0.2), 7.0(8.7), 7.2(4.35), 8.0(4.25), 8.0(5), 8.1(2.15), 8.2(0.214), 8.2(4)
Bug Id:
CSCuo58584
Title:
Cisco ASA fix for CSCun56954
Description:

Symptom:
This bug is tracking the necessary change on the ASA side to fix a vulnerability in the FirePOWER services.
For additional info refer to the Cisco Security Advisory: Cisco ASA FirePOWER Services and Cisco ASA CX Services Crafted Packets Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp

Conditions:
See Cisco Security Advisory

Workaround:
See Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
28-MAY-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
100.11(0.54), 100.12(0.98), 100.12(23.4), 100.12(24.3), 100.13(0.11), 100.13(1.3), 100.13(11.19), 100.13(12.40), 100.13(16.18), 100.13(18.7)
Bug Id:
CSCus70693
Title:
ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:
Description:

After an upgrade to 9.3.2, SSL VPNs stop working.

Symptom:
SSL sessions (either WebVPN or AnyConnect) cannot be established, with the following error from AnyConnect:
"Could not connect to server. Please verify Internet connectivity and server address."

In the DART:
Type : Error
Source : acvpnui

Description : Function: ConnectMgr::run
File: .\ConnectMgr.cpp
Line: 674
Invoked Function: ConnectMgr::initiateConnect
Return Code: -29622263 (0xFE3C0009)
Description: CONNECTMGR_ERROR_UNEXPECTED

These errors are seen:

"%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202)."

These errors are seen while debugs are enabled:
RC4-SHA / RC4-MD5
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2838

AES256-SHA / AES128-SHA / DES-CBC3-SHA
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2639

Tests:
+ AnyConnect 3.1.05160 uses TLS 1.0 - fails
+ AnyConnect 4.0.00057 uses TLS 1.2 - fails
+ with IE TLS 1.0 - fails
+ with IE TLS 1.1/1.2 - fails
+ with Mozilla Firefox TLS 1.0 - fails
but
+ Mozilla Firefox TLS 1.1/1.2 - work ok
+ Chrome also uses TLS 1.2 - works ok.

Conditions:
ASA running 9.3.2 (the issue is not seen on the 9.3.1)

Certificate with:
- RSA keys size: 2048 bits
- Signature Algorithm: sha256RSA
- Signature Hash Algorithm: sha256

It does not happen for all certificates; something specific in the certificate, which has not yet been identified, triggers it.

Workaround:
+ Downgrade
+ try to regenerate the certificate
+ for WebVPN use Firefox/Chrome and TLS 1.2

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.12(0.122), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13), 100.14(6.9)
Bug Id:
CSCuq50366
Title:
Traceback may occur on bring up of multiple SSL sessions w/DHE
Description:

Symptom:
On rare occasions it is possible that a traceback may occur when bringing up multiple SSL sessions with DHE.

Conditions:

Workaround:
Use a different cipher than DHE or upgrade to a version with the fix for this issue.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
100.12(10.28), 100.12(10.32), 100.12(2.14), 9.1(5.19), 9.1(5.21), 9.2(2.4)
Known Fixed Releases:
100.11(0.55), 100.12(10.33), 100.12(21.2), 100.12(9.14), 100.8(40.94), 9.1(5.101), 9.2(3.1), 9.3(2.1)
Bug Id:
CSCuh33570
Title:
ASA: Watchdog traceback in SSH thread
Description:

Symptom:
Under rare conditions, an ASA may generate a traceback and reload in the SSH thread.

Conditions:
The traceback occurs when an active SSH management session is disconnected during rekey. This rekey can be either data or time based.

Workaround:
There is no known workaround at this time.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases:
100.10(0.6), 100.8(27.84), 100.8(38.19), 100.8(40.8), 100.8(41.2), 100.8(60.21), 100.9(0.51), 100.9(10.1), 100.9(6.28), 100.9(7.29)
Bug Id:
CSCuu36639
Title:
ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout
Description:

Symptom:
Intermittently ESP packets are dropped on the ASA due to Crypto Accelerator issues.

Crypto Hardware accelerator on ASA crashes with the message
%ASA-4-402125: CRYPTO: The ASA Crypto hardware accelerator IPsec ring timed out

There is traffic loss over the tunnel when the crash happens and the below message is also seen.
%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Unknown Error, code= 0x7F) while executing the command Process IPSec Inbound Packet (0x30)

Conditions:
ASA 5506-X acting as an IKEv1 or IKEv2 IPsec termination point, such as an L2L VPN endpoint.

Workaround:
NA

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.3(2.2), 9.3(3), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCum70178
Title:
Datapath:Observing Deadlock in different DATAPATH threads
Description:

Symptom:
A Cisco ASA working as a failover standby unit periodically reloads in thread name DATAPATH.

The crash message may look like the following:

Deadlock in thread DATAPATH-9-2588, from:
Traceback from thread DATAPATH-9-2588:
The test scenario was multiple FTP clients from outside to a single FTP server on inside, at a rate of 1K conn/sec.

Conditions:
Cisco ASA 8.4 when configured as standby in a failover pair.
The reason the problem is more evident on the standby could be that, since there is not much other work to do, multiple cores may work on flow time-out at the same time.

As part of detaching a flow from the host, host->h_tcp_eflow emb-flow-count is decremented, but this is done for paired_flow->host while holding the flow->host lock.

This can lead to a deadlock in the following scenario:
Core-1:
Forward_flow->host_A host lock was acquired in snp_host_detach_flow, which invokes snp_flow_dec_host_tcp_eflow_counters.
Reverse_flow->host_B host lock is then attempted in snp_flow_dec_host_tcp_eflow_counters.

Core-2:
Forward_flow->host_A host lock was acquired in snp_host_detach_flow, which invokes snp_flow_dec_host_tcp_eflow_counters.
Reverse_flow->host_B host lock is then attempted in snp_flow_dec_host_tcp_eflow_counters.


Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
100.8(38.102), 8.4(7.9), 9.1, 9.1(4.5), 9.1(5)
Known Fixed Releases:
100.10(9.6), 100.7(6.131), 100.8(38.126), 100.8(40.68), 100.8(56.32), 100.8(63.2), 100.8(64.6), 100.8(65.4), 100.8(66.7), 8.2(5.50)
Bug Id:
CSCut88287
Title:
ASA Traceback in vpnfol_thread_msg
Description:

Symptom:
ASA device traceback in vpnfol_thread_msg

Conditions:
ASA device running in Active/Standby HA Pair.

Workaround:
NONE

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCue97782
Title:
ASA: Old connections tear down IPsec VPN tunnel on switchover
Description:

Symptom:

L2L IPsec VPN can flap in case of redundant topology, such as shown below:

+ out1 ---\
inside ASA -| ISP--- Peer
+ out2 ---/

Conditions:

This may happen in all ASA versions when ISP fails and IP SLA is used to change routing. Routing change causes existing tunnel teardown and new tunnel reestablishment. New TCP or UDP connections will be opened over new tunnel, but old TCP or UDP connections remain in the ASA connection table pointing to the old interface. This may sometimes trigger reestablishment of VPN tunnel when traffic is sent over these old connections.

Workaround:

None.

Status:
Other
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
8.3(2), 9.0(1), 9.1(1)
Known Fixed Releases:
Bug Id:
CSCuu45812
Title:
ASA traceback with Thread Name idfw_proc
Description:

Symptom:
ASA traceback with Thread Name idfw_proc

Conditions:

Workaround:
no workaround available currently

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases:
Bug Id:
CSCuj50870
Title:
ASA in failover pair may panic in shrlock_unjoin
Description:

Symptom:
ASA may crash with the following message on console:

Message #220 : Panic: DATAPATH-15-1947 - Message #221 : ERROR: shrlock_unjoin_domain Domain member count underflow

Conditions:
This was observed on ASA in failover pair. Both active and standby units may crash.

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
100.9, 100.9(0.54), 100.9(7.25), 100.9(7.27), 9.0(3), 9.1(1)
Known Fixed Releases:
100.10(0.58), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(40.56), 9.0(4.1), 9.0(4.140), 9.1(4.1), 9.1(4.115), 9.1(5)
Bug Id:
CSCuo37603
Title:
object nat config getting deleted after reloaded with vpdn config
Description:

Symptom:
An ASA running 9.1(5), 9.2(1) or later might have NAT commands rejected by the system.
A console error message is displayed: "ERROR: NAT unable to reserve ports."

Conditions:
To encounter this problem, one of the following scenarios must be met:
Scenario 1:
1) ASA running version 9.1(5) or 9.2(1) or later
2) PPPoE configuration present on an interface
3) A NAT rule configured to use the PPPoE interface as the mapped IP for a translation
Scenario 2:
1) ASA running version 9.1(5) or 9.2(1) or later
2) Existing NAT rules are deleted and reinstalled immediately, either by failover/cluster sync or manually

Workaround:
Re-configure the NAT command.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
100.8(38), 9.1(5)
Known Fixed Releases:
100.11(0.38), 100.11(5.47), 100.11(6.10), 100.12(0.20), 100.12(1.15), 100.12(10.6), 100.12(12.5), 100.12(13.11), 100.12(15.4), 100.12(16.11)
Bug Id:
CSCuh23347
Title:
ASA: Traffic denied 'licensed host limit of 0 exceeded'
Description:

Symptom:
ASA 5505 drops Traffic with syslog message "%ASA-4-450001: Deny traffic for protocol 1 src inside:10.11.12.3/512 dst outside:4.2.2.2/0, licensed host limit of 0 exceeded" with Base License.

Conditions:
ASA 5505 running 8.4.6 with Base license.

Workaround:
Upgrade to 9.0.2 or 9.1.2, or downgrade to 8.2.5. 8.4.5.6 also works.

More Info:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
28-MAY-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.20), 100.8(40.9), 100.8(41.2), 100.8(60.24), 100.9(0.53), 100.9(10.1), 100.9(6.29)
Bug Id:
CSCuu53928
Title:
ASA does not set forward address in OSPF route redistribution in NSSA
Description:

Symptom:
ASA does not set the Forward Address for the Connected Redistributed routes.

Conditions:
Found on an ASA running in multiple-context mode with version 9.3(1)

Workaround:
Workaround 1: Clearing the OSPF process in the specific context ensures that the forward address is set to the router ID.
Workaround 2: Reboot the ASA.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases:
Bug Id:
CSCut12311
Title:
Traceback in DATAPATH Thread with SFR Redirection Enabled
Description:

Symptom:
Adaptive Security Appliance (ASA) unexpectedly reloads when FirePOWER services module traffic redirection is enabled and certain fragmented traffic is received.

Conditions:
Traffic is redirected to FirePOWER services module.

Workaround:
Disable traffic redirection to FirePOWER services module.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.3
Known Fixed Releases:
Bug Id:
CSCtd36473
Title:
IPsec: Outbound context may be deleted prematurely
Description:

Symptom:
Outbound encryption traffic in an IPsec tunnel may fail, even if inbound decryption traffic is working.

Conditions:
This issue has been observed on an IPsec connection after multiple rekeys, but the trigger condition is not clear. The presence of this issue can be established by checking the output of "show asp drop" and verifying that the Expired VPN context counter is increasing for each outbound packet sent.

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
8.0, 8.2(2)
Known Fixed Releases:
100.5(5.9), 100.7(2.1), 8.0(5.13), 8.1(2.42), 8.2(2.8), 8.2(4), 8.3(1.1), 8.3(1.100), 8.4(1)
Bug Id:
CSCuu20155
Title:
ASA: Traceback in Thread Name DATAPATH due to phone-proxy dns lookup
Description:

Symptom:
ASA Traceback in Thread Name DATAPATH when phone-proxy is in use. The issue seems related to phone-proxy dns lookup.

Conditions:

Workaround:
disable phone-proxy

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.1(6.1)
Known Fixed Releases:
Bug Id:
CSCuh69931
Title:
ASA 5512 - 9.1.2 Traceback in Thread Name: ssh
Description:

Symptom:
ASA SSHv2 rekey causes traceback.

Conditions:
ASA SSHv2 rekey occurs after data or time (55 minutes) trigger. If the connection is closing while this is ongoing, a traceback will occur.

Workaround:
none at this time.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-MAY-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases:
100.8(27.84), 100.8(38.21), 100.8(40.10), 100.8(41.2), 100.8(60.26), 100.9(0.53), 100.9(10.1), 100.9(6.28), 100.9(7.33), 9.1(2.5)
Bug Id:
CSCur23709
Title:
ASA : evaluation of SSLv3 POODLE vulnerability
Description:

Symptom:
The Cisco ASA (Adaptive Security Appliance) includes a version of OpenSSL that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-3566

Conditions:
The default SSL configuration on all ASA software trains enables SSLv3. Due to bug CSCug51375, the ASA is unable to disable SSLv3 on most ASA versions.

To see the SSL configuration:

show run all ssl

Default configuration of the ASA:

ssl client-version any
ssl server-version any

The following non-default configuration values also enable SSLv3:

ssl client-version sslv3-only
ssl client-version sslv3
ssl server-version sslv3-only
ssl server-version sslv3

Some of the previously listed options are not available on older ASA software releases.

Workaround:
There are no workarounds.

Further Problem Description:
This bug is for SSL server-side and is fixed in the following (and later) posted ASA releases:

9.3.1.1
9.2.3
9.1.5.21
9.0.4.26
8.4.7.26
8.2.5.55

It will also be available in the April/2015 timeframe on the following ASA software releases:

8.3.2.43
8.5.1.23
8.6.1.16
8.7.1.15

For the client-side (Clientless Smart Tunnel Component), please check CSCur42776.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.2(1), 8.3(1), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.0(1), 9.1(1), 99.1
Known Fixed Releases:
100.11(0.52), 100.12(0.79), 100.12(23.2), 100.12(30.8), 100.12(6.23), 100.13(0.11), 100.13(1.2), 100.13(1.3), 100.13(11.18), 100.13(11.23)
Bug Id:
CSCuu56912
Title:
ASA change non-default port to 443 for https traffic redirected to CWS
Description:

Symptom:
ASA changes the non-default port to 443 for HTTPS traffic redirected to CWS.

When a user types the URL https://X.X.X.X:YYYY into a web browser, debug scansafe generates:
...
Complete Connect Method (513)
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443
...

For traffic captured on the outside interface towards the CWS tower, Wireshark's 'Follow TCP Stream' view displays:
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443

Conditions:
The ASA is configured to redirect HTTPS traffic on a non-default port to CWS.

Workaround:
NONE

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.0, 9.1, 9.4
Known Fixed Releases:
Bug Id:
CSCul02601
Title:
ASA traceback in checkheaps due to snmp natmib
Description:

Symptom:
ASA traceback when polling the SNMP NAT MIB.

Conditions:
none

Workaround:
none

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.4(7), 8.6(1.2)
Known Fixed Releases:
100.11(0.56), 100.12(0.112), 100.13(0.33), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4)
Bug Id:
CSCul47481
Title:
ASA WebVPN Login portal returns to login page after successful login
Description:

Symptom:
After a period of operation, users are unable to log in to the Clientless WebVPN portal. After logging in, the user is redirected back to the login page. The problem happens after authentication, so failed logins are still reported as failures. Reloading the ASA or failing over to the standby ASA resolves the issue for a period of time.

Conditions:
Clientless WebVPN on ASA.

Workaround:
The problem appears to happen after a period of operation following an upgrade to 8.4.7 (this issue has not been reported against the 8.4.5/9.0.3 releases). Reloading the ASA or failing over to the standby unit should resolve the issue for a period of time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases:
100.10(0.63), 100.10(2.4), 100.10(3.1), 100.10(9.1), 100.7(6.127), 100.8(38.95), 100.8(40.56), 100.9(10.23), 8.4(7.8), 9.0(4.2)
Bug Id:
CSCte21219
Title:
Certificate authentication failing on ASA: incorrect key for validation
Description:

Symptom:

When using IPsec or SSL with certificate validation of the clients that connect to the ASA, validation fails.

Errors similar to the following may be seen in the ca debugs:

CERT-C: I pkixpath.c(1137) : Error #72eh
CRYPTO_PKI: Certificate validation: Failed, status: 1838. Attempting to retrieve revocation status if necessary

CRYPTO_PKI: PKI Verify Certificate Check Cert Revocation unknown error 1838

Conditions:

Two CA certificates installed in trustpoints used for validation that have the same CN but use a different RSA key for each certificate.

Workaround:


Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.4(0.35), 100.7(2.1), 8.0(5.10), 8.2(2.5), 8.2(2.99), 8.2(4), 8.3(0.21), 8.3(1), 8.4(1)
Bug Id:
CSCze96017
Title:
Active ftp-data is blocked by Firepower on Chivas Beta on 5512
Description:

Symptom:
The system incorrectly processes data channels matching applied access control, intrusion, and network discovery policies.

Conditions:
Configure an ASA FirePOWER module running Version 5.0 or later with network address translation (NAT).

Workaround:
1. Create a policy to allow ftp-data traffic from Server to Client
or
2. Use passive FTP


Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
0.0(0)
Known Fixed Releases:
Bug Id:
CSCur20322
Title:
ASA 9.2.1 - DATAPATH Traceback in L2 cluster environment
Description:

Symptom:
ASA in an L2 cluster environment causes a DATAPATH traceback. The unit comes back up but will not join the cluster and results in an RPC_SYSTEMERROR failure. Manual joining into the cluster causes an immediate crash after entering "enable".

Conditions:
ASA operating in 9.2.1 code and in multi-context.
ASA in a cluster L2 environment.

Workaround:
No workaround at this time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.11), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Bug Id:
CSCue46275
Title:
Connections not timing out when the route changes on the ASA
Description:

Symptom:
Connections on the ASA are not timing out after a route change

Conditions:
timeout floating-conn was set to 30 seconds

Workaround:
clear out the connections manually

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.2(5), 8.3(2), 8.4(5), 9.0(1), 9.1(1)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.20), 100.8(40.9), 100.8(41.2), 100.8(60.24), 100.9(0.52), 100.9(10.1), 100.9(6.28)
Bug Id:
CSCub16427
Title:
Standby ASA traceback while replicating flow from Active
Description:

Symptom:

ASA may reload with a traceback in threadname DATAPATH-19-2279

Conditions:

ASA running 8.4.x or 8.5.x. Other versions may also be impacted.

- ASAs in a failover pair, and failover already established between them
- At one point the standby started processing a clear config all; this could be due to a "write standby" on the active
- This causes the standby to crash

Workaround:

NONE

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.4(1), 8.5(1)
Known Fixed Releases:
100.7(13.106), 100.7(6.104), 100.8(0.236), 100.8(0.244), 100.8(11.37), 100.8(11.48), 100.8(27.19), 100.8(27.20), 100.8(33.22), 100.8(33.29)
Bug Id:
CSCug33233
Title:
Cisco ASA Management Connections Denial of Service
Description:

Symptoms:
The ASA becomes unresponsive to management connections. This includes management over SSH, Telnet and HTTP(S).

Conditions:
This is seen when management traffic is allowed on more than one interface (e.g. inside and outside) and on one of these interfaces management connections are allowed via a VPN tunnel.

Workaround:
none

Further Problem Description:
A vulnerability in the code of the function that creates management flows in Cisco ASA Software could allow an unauthenticated, remote attacker to cause the affected system to become unresponsive to management session requests over SSH, Telnet and HTTP(S).

The vulnerability is due to a memory leak when the management flow is created. An attacker could exploit this vulnerability by creating several management session requests.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2013-6707 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6707

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.0(2), 9.1(1)
Known Fixed Releases:
100.10(0.9), 100.10(1.10), 100.8(27.89), 100.8(38.30), 100.8(40.20), 100.8(41.2), 100.8(60.37), 100.9(10.4), 100.9(6.35), 9.0(3.100)
Bug Id:
CSCup37416
Title:
Stale VPN Context entries cause ASA to stop encrypting traffic
Description:

Symptom:
An ASA that had a working L2L VPN tunnel suddenly stops encrypting traffic.

Conditions:
n/a

Workaround:
This issue may be prevented by disabling data-based rekeying. If the problem still occurs without data-based rekeying, fail over to the backup ASA or reboot the ASA.

Further Problem Description:

Status:
Open
Severity:
1 Catastrophic
Last Modified:
29-MAY-2015
Known Affected Releases:
9.1(3), 9.1(5.12), 9.2(3)
Known Fixed Releases:
Bug Id:
CSCua35666
Title:
ASA: traceback in Thread Name: IPsec message handler,Syslog 602305.
Description:

Symptom:
An ASA running 8.4.4 reloads in thread name IPsec message handler.

Conditions:
This crash is related to IPsec VPN and the new 8.4.4 syslog 602305.

Workaround:
Disable syslog message 602305.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.4(0.4), 8.4(4)
Known Fixed Releases:
100.7(6.84), 100.8(34.1), 8.4(4.2), 8.4(4.99), 8.4(5)
Bug Id:
CSCuj88114
Title:
WebVPN Java rewriter issue: Java Plugins fail after upgrade to Java 7u45
Description:

Symptom:
ASA WebVPN Java Plugins fail to load after upgrade to Java 7 Update 45 with the following General Exception error - 'com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: https:///+CSCO+xxxxxxxxxxxxxxxxxxxxxxx++/vnc/VncViewer.jar'

Conditions:
Windows or Mac OSX machines using Java 7 Update 45. Also affects JRE build 1.6.0.51 and 65.

Workaround:
1) Disable the option 'Keep temporary files on my computer' on the Java Control Panel -> General -> Settings. This works for both Mac OSX and Windows.

2) Downgrade Java to version 7 Update 40 or below.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.4, 8.4(2), 8.4(5), 9.1, 9.1(2), 9.1(3)
Known Fixed Releases:
100.10(0.38), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.125), 100.8(38.63), 100.8(40.41), 100.8(45.8), 100.8(46.28)
Bug Id:
CSCuo33186
Title:
Traceback with thread DATAPATH-2-1181
Description:

Symptom:
ASA 5580-20 running 9.1.4 crashed in thread name DATAPATH-2-1181

Conditions:
Redirection to Scansafe configured

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
100.10(0.97), 100.10(12.8), 100.10(17.1), 100.10(2.19), 100.10(6.0.40), 100.10(7.9), 100.11(0.9), 100.11(3.15), 100.11(5.12), 100.11(6.1)
Bug Id:
CSCuu46569
Title:
ASA CA certificate import fails with different types of Name Constraints
Description:

Symptom:
When performing SCEP enrollment to a CA whose certificate contains a Name Constraints X.509 extension with a URI or DNS constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases:
100.14(0.27)
Bug Id:
CSCtq57752
Title:
ASA: IPSec outbound SA data lifetime rekey fails
Description:

Symptom:

IPSec outbound SA fails to rekey when data lifetime reaches zero kB.

Conditions:

ASA has an IPsec tunnel with a remote peer. The data lifetime on the ASA reaches 0 kB while the lifetime in seconds has not yet expired.

Workaround:

Increase the data lifetime to a very high value (or even the maximum value), or decrease the lifetime in seconds. The lifetime in seconds should ideally expire before the data limit in kB reaches zero. In this manner the rekey will be triggered based on seconds, and the data lifetime issue can be bypassed.

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
100.7(13.39), 8.4(2.240), 8.6(0)
Known Fixed Releases:
100.7(13.40), 100.7(14.32), 100.7(17.5), 100.7(18.4), 100.7(6.48), 100.8(0.35), 100.8(11.2), 100.8(15.11), 100.8(17.8), 100.8(19.27)
Bug Id:
CSCus08101
Title:
ASA: evaluation of Poodle Bites in TLSv1
Description:

Symptom:

Cisco ASA includes a version of TLS that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-8730

This vulnerability is hardware dependent.
ANY Cisco ASA Software release running on Cisco ASAv and Cisco ASA1000v is NOT affected by this vulnerability.
ALL Cisco ASA Software releases running on Cisco ASA 5500 and 5500-X Series and the Cisco ASA Services Module ARE affected by this issue.

The first fixed ASA software releases for this vulnerability are as follows:
8.2 Train: 8.2.5.55
8.4 Train: 8.4.7.26
9.0 Train: 9.0.4.29
9.1 Train: 9.1.6
9.2 Train: 9.2.3.3
9.3 Train: 9.3.2.2


Conditions:

The Cisco ASA Software is affected by this vulnerability if a feature that uses TLS is enabled. The exposure is confined to that feature only.
Examples of features using TLS are the HTTP secure server for management, Clientless and AnyConnect SSL VPN, TLS Proxy, Phone Proxy, etc.


Workaround:

There is no workaround that mitigates this issue


More Info:

Additional details about the vulnerability listed above can be found at http://cve.mitre.org/cve/cve.html

Cisco has published the following Security Notice and IntelliShield Alert:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8730
http://tools.cisco.com/security/center/viewAlert.x?alertId=36740

The Sourcefire Snort SID for this vulnerability is 32758.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2014-8730 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8730

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html



Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 9.0, 9.1, 9.2
Known Fixed Releases:
100.11(0.55), 100.12(0.110), 100.13(0.15), 100.13(1.34), 100.13(1.37), 100.13(19.9), 100.13(20.5), 100.13(21.5), 100.13(23.3), 100.13(24.3)
Bug Id:
CSCut46019
Title:
MARCH 2015 OpenSSL Vulnerabilities
Description:

Symptom:
This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2015-0286, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288

This bug has been opened to address the potential impact on this product.

Conditions:
Exposure is not configuration dependent.

Workaround:
Not available.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the
time of evaluation are: 7.1/6.9

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.2(5), 9.2(1), 9.3(2)
Known Fixed Releases:
100.11(0.58), 100.12(0.123), 100.13(0.73), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.28), 100.14(7.28), 100.15(0.10)
Bug Id:
CSCuq10239
Title:
Windows 8 with new JRE, IE is not gaining access to smart tunnel
Description:

Symptom:
IE on windows 8 with java start is not gaining access to smart tunnel

Conditions:
user is starting smart tunnel with java, UAC is turned on

Workaround:
turn UAC off or use active-x to start smart tunnel

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.4(7.240)
Known Fixed Releases:
100.14(0.24), 100.14(7.32), 99.1(2.167)
Bug Id:
CSCuu48626
Title:
ASA - access list address argument changed from host 0.0.0.0 to host ::
Description:

Symptom:
ASA changes the configured access-list address argument from "host 0.0.0.0" to "host ::"

Conditions:
ASA version 9.3.2 and 9.3.3

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.3(2), 9.3(3)
Known Fixed Releases:
100.14(0.27)
Bug Id:
CSCuq65542
Title:
Cisco ASA Software Version Information Disclosure Vulnerability
Description:

Symptoms:
A vulnerability in the SSL VPN code of Cisco ASA Software could allow an
unauthenticated, remote attacker to obtain information about the Cisco
ASA Software version. This information could be used for reconnaisance
attacks..

The vulnerability is due to a verbose output returned when a specific
URL is submitted to the affected system.. An attacker could exploit this
vulnerability by browsing a specific URL. SSL VPN feature needs to be
enabled for a system to be vulnerable .

This vulnerability was reported to Cisco by Alec STUART-MUIRK

Conditions:
SSL VPN needs to be configued on the system.

Workaround:

none


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2014-3398 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3398

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.1(5.3)
Known Fixed Releases:
100.11(0.46), 100.12(0.43), 100.12(10.47), 100.12(6.5), 100.13(0.2), 100.13(11.1), 100.13(12.1), 100.13(13.1), 100.13(14.1), 100.13(15.1)
Bug Id:
CSCuu57547
Title:
ASA SIP inspected traffic matches wrong NAT rule
Description:

Symptom:
ASA SIP inspected traffic matches wrong NAT rule

This has as an effect SIP streams like BFCP traffic (source port UDP 5070) to get diverted to wrong egress interface.

Conditions:

Workaround:
Disable SIP inspection

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.0(1), 9.1(5), 9.1(6.4), 9.2(3.4), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCuu57076
Title:
ASA CA server doesn't publish local CRL over a VPN tunnel
Description:

Symptom:
CRL retrieval fails when trying over a VPN tunnel.

At the same time users can download the CRL when not going through the VPN
Furthermore the following URL:
https://IP_OF_ASA/+CSCOCA+/enroll.html
is reachable over a VPN tunnel.

On ASA we logs we see:
May 28 2015 10:50:22: %ASA-6-302013: Built inbound TCP connection 215 for outside:172.29.1.1/1248 (172.29.1.1/1248)(LOCAL\cisco) to identity:192.168.3.1/80 (192.168.3.1/80) (cisco)
May 28 2015 10:50:30: %ASA-6-302014: Teardown TCP connection 213 for outside:172.29.1.1/1246(LOCAL\cisco) to identity:192.168.3.1/80 duration 0:00:30 bytes 0 SYN Timeout (cisco)
May 28 2015 10:50:31: %ASA-6-302014: Teardown TCP connection 214 for outside:172.29.1.1/1247(LOCAL\cisco) to identity:192.168.3.1/80 duration 0:00:30 bytes 0 SYN Timeout (cisco)
May 28 2015 10:50:52: %ASA-6-302014: Teardown TCP connection 215 for outside:172.29.1.1/1248(LOCAL\cisco) to identity:192.168.3.1/80 duration 0:00:30 bytes 0 SYN Timeout (cisco)
May 28 2015 10:50:52: %ASA-7-609002: Teardown local-host identity:192.168.3.1 duration 0:00:51

Conditions:
ASA terminates the VPN tunnel

Workaround:

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.2(3.4)
Known Fixed Releases:
Bug Id:
CSCuu18989
Title:
ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit
Description:

Symptom:
It was noticed that when the maximum number of simultaneous connection limit is set, ASA might drop the connection with the error message ' %ASA-3-201011: Connection limit exceeded' even when it is clearly not close to hitting the maximum limit specified.

Conditions:
ASA 5585 running 9.4(1) version code

Workaround:
none

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.4(1), 9.5(1)
Known Fixed Releases:
Bug Id:
CSCut75983
Title:
ASA Traceback in PPP
Description:

Symptom:
ASA traceback in ppp_timer_thread.

Conditions:
ASA under heavy traffic. ASA is already dropping VPN tunnels.(Over-subscription of the ASA)

Workaround:
none

Further Problem Description:
ASA reloaded on its own.

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases:
100.14(0.27)
Bug Id:
CSCuu09498
Title:
Assert failure while booting the ASA from sw image.
Description:

Symptom:
Device: ASA5555

Versions: 8.6.1 , 9.1.5.21, 9.0.4

Problem Description : Secondary unit stuck in boot loop.

Troubleshooting Done : Tried to boot the ASA from ROMMON with images 9.1.5.21 and 9.0.4 but the ASA was crashing again with the same traces with the following error:

Prior to this the ASA was powered off twice. Erase all, but still the same issue.

Panic: Init Thread - igb_init_ap(): Unable to initialize the shared code
1 threads not report traceback

Crash link: http://www-tac.cisco.com/Teams/ks/c3/getLargeFile.php?srId=634471481&fileName=20150414-133858427_crash-rommon.txt

Checkecd on Topic, found a similar case :

https://wwwin-tools.cisco.com/casekwery/getServiceRequest.do?id=632711637

Based on it RMA was provided.

Customer provided the console session to transfer the images to the flash, the ASA was again crashing with the message:

assertion "_vf_mode_init" failed: file "vf_api.c", line 111
core0 same core snap_count=1 signo=6 RIP=7ffffd692027

New Crashinfo:

http://www-tac.cisco.com/Teams/ks/c3/getLargeFile.php?srId=634471481&fileName=20150416-080110631_newcrash.txt&forceText=1


Decoded:
http://www-tac.cisco.com/Teams/ks/c3/getLargeFile.php?srId=634471481&fileName=20150416-080214677_decoded-crash.txt&forceText=1


On TZ found a similar issue:
https://techzone.cisco.com/t5/ASA-Firewall/628059103-ASA5545-8-6-1-10-Crash-in-Init-Thread/td-p/458125

Conditions:
RMA 'd devices needed to be upgraded to match the primary version and while doing that we hit this issue.

Workaround:
None.

Further Problem Description:
Device: ASA5555

Versions: 8.6.1 , 9.1.5.21, 9.0.4

Problem Description : Secondary unit stuck in boot loop.

Troubleshooting Done : Tried to boot the ASA from ROMMON with images 9.1.5.21 and 9.0.4 but the ASA was crashing again with the same traces with the following error:

Prior to this the ASA was powered off twice. Erase all, but still the same issue.

Panic: Init Thread - igb_init_ap(): Unable to initialize the shared code
1 threads not report traceback

Crash link: http://www-tac.cisco.com/Teams/ks/c3/getLargeFile.php?srId=634471481&fileName=20150414-133858427_crash-rommon.txt

Checkecd on Topic, found a similar case :

https://wwwin-tools.cisco.com/casekwery/getServiceRequest.do?id=632711637

Based on it RMA was provided.

Customer provided the console session to transfer the images to the flash, the ASA was again crashing with the message:

assertion "_vf_mode_init" failed: file "vf_api.c", line 111
core0 same core snap_count=1 signo=6 RIP=7ffffd692027

New Crashinfo:

http://www-tac.cisco.com/Teams/ks/c3/getLargeFile.php?srId=634471481&fileName=20150416-080110631_newcrash.txt&forceText=1


Decoded:
http://www-tac.cisco.com/Teams/ks/c3/getLargeFile.php?srId=634471481&fileName=20150416-080214677_decoded-crash.txt&forceText=1


On TZ found a similar issue:
https://techzone.cisco.com/t5/ASA-Firewall/628059103-ASA5545-8-6-1-10-Crash-in-Init-Thread/td-p/458125

Status:
Terminated
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.6(1), 9.0(4), 9.1(5.21)
Known Fixed Releases:
Bug Id:
CSCuo41487
Title:
Traceback during the pool clean-up when an object-group is modified
Description:

Symptom:
ASA Traceback during the pool clean-up when an object-group is modified.

Conditions:
While modifying the object-group.

Workaround:
None

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
Bug Id:
CSCuu10284
Title:
ASA Dataplane captures dont capture packets when using match/access-list
Description:

Symptom:
ASA Dataplane captures dont show any packet captured even though the condition matches the flow

Conditions:
ASA dataplane captures applied with a match or access-list command

Workaround:
use the dataplane captures without the match/access-list command

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases:
100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.20), 100.14(5.16), 100.14(7.32), 100.15(0.12), 100.15(1.10), 100.15(2.36), 100.15(3.3)
Bug Id:
CSCsq68617
Title:
High CPU caused by the radius_snd process if AAA server is down or slow
Description:








Symptom:

ASA5540 shows high CPU around 90%

Conditions:
The appliance is receiving a discrete number of EzVPN concurrent requests. The authentication is performed via radius server and the AAA server is down or not reachable

Workaround:
none

Further Problem Description:












Status:
Fixed
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
8.0(2), 8.0(3), 8.0(3.15)
Known Fixed Releases:
7.2(4.31), 8.0(4.5), 8.0(5), 8.1(1.100), 8.1(101.4), 8.2(0.140)
Bug Id:
CSCuu60257
Title:
Unicorn Proxy Thread crash when customized webvpn welcome page accessed
Description:

Symptom:
ASA presenting crashes caused by "Unicorn Proxy Thread" whenever the customized welcome Webvpn portal is loaded.

Conditions:
> ASA running code 9.4.1
> Webvpn welcome page customized with main logo changed.

Workaround:
Remove the webvpn customization settings from the unit (being tested).

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
29-MAY-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCuu50708
Title:
ASA Tranceback on 9.1.5.19
Description:

Symptom:
ASA running 9.1.5.19

Conditions:
none

Workaround:
none

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
30-MAY-2015
Known Affected Releases:
9.1(5.19)
Known Fixed Releases:
Bug Id:
CSCta55072
Title:
ASA traceback in Thread Name: Dispatch Unit, Abort: Assert Failure
Description:

Symptom:
ASA intermittent crash at Thread Name: Dispatch Unit, Abort: Assert Failure
Conditions:
Running 8.2.1version.
The ASA5505 box has a basic license with Inside hosts limit. When the total number of inside hosts exceeds the limit, it may trigger the crash.
If there is no limit for inside hosts with the license, the crash won't be triggered.
Workaround:
No workaround
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-MAY-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.3(0.3), 100.4(0.7), 100.4(0.9), 8.1(2.31), 8.1(2.32), 8.2(1.10), 8.2(4), 8.3(0.0)
Bug Id:
CSCuu31751
Title:
ASA OSPF database not reflect changes
Description:

Symptom:
shut down interface from R3 did not reflect routing table on R#1 as ASA ospf database did not reflect changes. but routing table on ASA reflect properly. seeing same issue only in 9.2 or 9.3 but not in 9.1

R#1 <-ospf area 2--> ASA <--ospf area 0---> R#3

sh route ospf
O 10.20.20.0 255.255.255.0
[110/11] via 192.168.1.97, 00:32:33, backbone

ASA# sh ospf database 10.30.30.0
Summary Net Link States (Area 1)

Link ID ADV Router Age Seq# Checksum
10.30.30.0 1.1.1.1 1939 0x80000001 0xa245

Summary Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum
10.30.30.0 1.1.1.1 1939 0x80000001 0xa245

R1#sh ip route 10.30.30.0
Routing entry for 10.30.30.0/24
Known via "ospf 10", distance 110, metric 12, type inter area
Last update from 192.168.1.50 on GigabitEthernet0/0/0, 00:29:13 ago
Routing Descriptor Blocks:
* 192.168.1.50, from 1.1.1.1, 00:29:13 ago, via GigabitEthernet0/0/0
Route metric is 12, traffic share count is 1

Conditions:
Only seeing 9.2.x or 9.3.x (tested on 9.2(3), 9.2(3)4 and 9.3(3)) but it works fine on 9.1 (tested 9.1(5)21 and 9.1(6)1

Workaround:
clear ospf x process

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-MAY-2015
Known Affected Releases:
108.2(0.7)
Known Fixed Releases:
100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9), 100.15(2.35)
Bug Id:
CSCuu32905
Title:
ASA WebVPN: Javascript fails to execute when accessing internal portal
Description:

Symptom:
On an ASA running WebVPN, when a user clicks on internal portal page, java console logs the error "function expected" in cte.js.

Conditions:
Issue was seen an replicated on ASA 9.1(5.21) and 9.1(6).

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases:
100.12(0.127), 100.13(0.77), 100.14(0.26), 100.14(7.32), 9.1(6.5), 99.1(2.167)
Bug Id:
CSCuu55785
Title:
ASA ISE And Hostscan are not supported together
Description:

Symptom:
When using pre-login checks with Hostscan and NAC agent for post login, an incorrect DAP is pushed after the CoA reauthentication is sent.

This is because ISE and Hostscan are not supported together on the same connection. This is a documentation bug meant to clarify this design limitation in the deployment guides.

Conditions:
ASA configured with CoA for posture.
ASA Hostscan pre-login check attributes used in DAP Policies. NAC agent used for post-login compliance

Workaround:
Remove Hostscan attributes in the DAP check

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
9.2(1), 9.2(2), 9.3(1)
Known Fixed Releases:
Bug Id:
CSCut67965
Title:
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached
Description:

Symptom:
ASA running 9.4.1 stops accepting IKEv2 connections.

Conditions:
ASA5545 running 9.4.1 with certificate authentication for Windows Mobile phones. The ASA may print a pki debug message "CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached".

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
31-MAY-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
100.12(0.127), 100.13(0.77), 100.14(0.28), 100.14(7.33), 9.4(1.230), 99.1(2.169)
Bug Id:
CSCuu42174
Title:
Crypto RSA keys removed from Standby Unit with "wr standby" in Multimode
Description:

Symptom:
RSA keys removed from the ASA Standby unit with "wr standby"

Conditions:
ASA device in Multiple context and Active/Active Failover.

Workaround:
Don't use "wr standby" command from the system context

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Bug Id:
CSCuu39615
Title:
eglibc 2.18 is missing upsteam fix #15073
Description:

Symptom:
ASA could crash due to heap corruption

Conditions:
Heavy memory allocation

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
9.3(2.2)
Known Fixed Releases:
100.12(0.127), 100.13(0.77), 9.3(2.160)
Bug Id:
CSCuu39636
Title:
Cert Auth fails with 'max simultaneous-login restriction' error
Description:

Symptom:
VPN Clients connections with Certificate Authentication fail with the following error:

[IKEv1]Group = , IP = X.X.X.X, Session terminated due to 'X' max simultaneous-login restriction.

Conditions:
VPN Cients with Certificate Authentication

ASA running 9.1.6 or later

Workaround:
Use PSK and X-Auth for authentication
Downgrade to a non-affected version

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
9.1(6), 9.4(1)
Known Fixed Releases:
100.12(0.127), 100.13(0.77), 100.14(0.27), 9.1(6.5), 99.1(2.168)
Bug Id:
CSCuu45813
Title:
ASA Name Constraints dirName improperly verified
Description:

Symptom:
When performing the SCEP enrollment to the CA that contains Name Constraints x509 extension with a dirName constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases:
100.12(0.127), 100.13(0.77), 100.14(0.27), 9.1(6.5), 99.1(2.168)
Bug Id:
CSCuu61417
Title:
Access-group removed from intf when incomplete new graph is applied
Description:

Symptom:
When an incomplete SG instance (w/o ACE and access-group is specified) is instantiated, the access-group configuration is removed from ASA interface, which leads to network connectivity loss.

Conditions:
Working SG instances with proper ACEs and access-groups applied to ASA interfaces.
An incomplete SG instance (w/o ACE and access-group is specified) is instantiated


Workaround:

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
1.2(0.26)
Known Fixed Releases:
Bug Id:
CSCuc16455
Title:
ASA packet transmission failure due to depletion of 1550 byte block
Description:

Symptom:
Cisco Adaptive Security Appliance runs out 1550 byte block and it do not free it.

In general, block depletion of 1550 bytes can result in the ASA being unable to generate packets. This will cause traffic disruptions and failover problems.

Conditions:
Configure Lan-to-Lan IPSec VPN and traffic path through it.

Workaround:
There is no known workaround at this point.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
8.4(4.5), 8.4(4.9), 9.0(1), 9.1(1)
Known Fixed Releases:
100.7(13.103), 100.7(6.104), 100.8(0.241), 100.8(11.41), 100.8(27.20), 100.8(33.26), 100.8(34.1), 100.8(38.1), 100.8(39.1), 100.9(0.6)
Bug Id:
CSCug85087
Title:
ASA crashes in thread name "ssh" while running packet-tracer
Description:

Symptom:
ASA running 8.6(1)5 crashes in thread name "ssh" while running packet-tracer
Conditions:
N/A
Workaround:
There is no workaround at this time

Status:
Other
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
8.6(1.5)
Known Fixed Releases:
Bug Id:
CSCud70273
Title:
ASA may generate Traceback while running packet-tracer
Description:

Symptom:
A Cisco ASA may crash and generate a traceback when using the packet-tracer feature via the CLI or by
ASDM.

Conditions:
This is seen in very rare situations and does not appear to be easily reproducible. Identifying that you
have hit this crash is not possible without crash analysis. Please refer to the bug details for fixed in
version.

Workaround:
There is no workaround at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
8.4(5), 8.6(1.5)
Known Fixed Releases:
100.7(6.115), 100.8(27.63), 100.8(60.3), 100.9(0.37), 100.9(4.5), 100.9(6.12), 100.9(7.19), 8.2(5.42), 8.4(5.102), 8.4(6)
Bug Id:
CSCus57241
Title:
ASA 9.3.2:DAP intermittently uses dflt policy for VPN RA sessions
Description:

Symptom:
After upgrade from 9.2.(2.4) to 9.3(2) , VPN remote access connections are intermittently matching the DfltAccessPolicy instead of matching the appropriate policy. If the DfltAccessPolicy policy's action is to terminate, the VPN RA sessions will not establish.

Conditions:
- DAP is configured
- ASA upgraded from 9.2(2.4) to 9.3(2)

Workaround:
- allow permit in the default policy (action=continue), if your security policy allows for this.
-Downgrade to ASA pre-9.3.2 release, if at all possible.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.12(0.112), 100.13(0.23), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(10.2), 100.14(11.2), 100.14(12.1)
Bug Id:
CSCuu55006
Title:
ASA:Traceback with Thread Name Checkheaps when object-group is modified
Description:

Symptom:
ASA 5515 running version code 9.1(3) may generate a traceback with Thread Name: Checkheaps when an object-group is modified.

Conditions:
Observed on ASA 5515 with CX module inline

Workaround:
none

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
31-MAY-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:

Find additional information in Bug Search index.

 

2013 Cisco and/or its affiliates. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks

 

没有评论:

发表评论