| |
Bug Id: | CSCtx60431 |
Title: | Traceback in Thread Name: Dispatch Unit due to Websense URL Filtering |
|
Description: | Symptom: Under rare conditions, the ASA may crash in the thread "Dispatch Unit". The crash is observed with URL filtering configuration enabled.
Conditions: ASA running version 8.4.3 with Websense URL filtering configured.
Workaround:
- Change 'url-server (County_Inside) vendor websense host 10.10.4.44 timeout 30 protocol TCP version 1 connections 5'
  to 'url-server (County_Inside) vendor websense host 10.10.4.44 timeout 30 protocol TCP version 4 connections 5'
- Or change to 'url-server (County_Inside) vendor websense host 10.10.4.44 timeout 30 protocol UDP version 1 connections 5' |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 01-JUN-2015 |
|
Known Affected Releases: | 8.4(3) |
|
Known Fixed Releases: | 100.7(13.87), 100.7(6.85), 100.8(0.184), 100.8(11.28), 100.8(27.19), 100.8(33.12), 100.8(34.1), 100.8(35.2), 100.8(36.1), 100.9(0.1) |
|
|
| |
| |
Bug Id: | CSCtj09979 |
Title: | IKEv2 traceback with 1 L2L and 1 RA tunnel |
|
Description: | Symptom: Active ASA may crash in Thread Name: DATAPATH-2-1403
Conditions: This was first identified on an ASA5585 failover pair running 8.2.4 code.
Workaround: None at this time.
Further Problem Description: The next 8.2.5(x) interim will contain the fix for this defect. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 01-JUN-2015 |
|
Known Affected Releases: | 8.4(0.119), 8.4(0.15) |
|
Known Fixed Releases: | 100.7(0.67), 100.7(0.71), 100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(6.12), 100.7(6.15), 100.7(6.21), 100.7(8.1), 100.7(8.12) |
|
|
| |
| |
Bug Id: | CSCuh41688 |
Title: | 5585X-SSP60 8.4(5)6 Secondary unit crash |
|
Description: | Symptom: ASA 5585X-SSP60 transparent firewall in A/A failover environment crashed
Conditions: Normal operation
Workaround: None
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 01-JUN-2015 |
|
Known Affected Releases: | 8.4(5.6) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCul77722 |
Title: | Traceback with assertion "0" failed: file "malloc.c", line 5839 |
|
Description: | Symptom: ASA failover cluster crashes in Checkheaps with assertion "0" failed: file "malloc.c", line 5839. At the time of the crash no new SSL connections are accepted by the ASA, while existing SSL connections seem to work fine.
Conditions: ASA crashes on Checkheaps.
Workaround: No workaround as of now
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 1 Catastrophic |
Last Modified: | 01-JUN-2015 |
|
Known Affected Releases: | 9.1(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCui51199 |
Title: | Cisco ASA Clientless SSL VPN Rewriter Denial of Service |
|
Description: | Symptom: ASA reload with traceback in Unicorn Proxy
Conditions:
- WebVPN is enabled on more than one interface
- same-security-traffic permit intra-interface and management-access commands are configured
This affects the 9.0 and 9.1 trains.
Workaround: There is a workaround using a webvpn filter to block the clientless users from accessing https on the inside interface:
Here's an example that QA tested:
Using this ACL: access-list deny_pub_priv webtype deny url https://93.124.22.2 (where 93.124.22.2 is the asa private ip address)
And this in the group policy:
group-policy WebVPN1 attributes webvpn filter value deny_pub_priv
Now when you browse to that address you get a message that states "access to this resource has been denied" and no crash.
We can see the ACL is working by looking at the hit count in show access-list: access-list deny_pub_priv line 1 webtype deny url https://93.124.22.2 (hitcnt=3)
Further Problem Description: A vulnerability in the Clientless SSL VPN feature of Cisco ASA Software could allow an authenticated, remote attacker to cause the reload of an affected system.
The vulnerability is due to a stack overflow while browsing internal resources via the Clientless SSL VPN portal when the same-security-traffic permit intra-interface and management-access commands are configured. An attacker could exploit this vulnerability by accessing a crafted URL through the SSL VPN portal. An exploit could allow the attacker to reload the affected system and create a denial of service condition.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2013-5551 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5551
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 01-JUN-2015 |
|
Known Affected Releases: | 9.0(2), 9.0(3), 9.1(2), 9.1(3) |
|
Known Fixed Releases: | 100.10(0.24), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.47), 100.8(40.32), 100.8(45.6), 100.8(46.11), 100.8(51.1), 100.9(10.12) |
|
|
| |
| |
Bug Id: | CSCut63154 |
Title: | ASA crashes after NAT configuration changes via SSH |
|
Description: | Symptom: ASA crashes after NAT configuration changes via SSH
Conditions:
Workaround: NA
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 01-JUN-2015 |
|
Known Affected Releases: | 9.1(5.21) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtt26116 |
Title: | Traceback due to double free of memory block in SNP |
|
Description: |
Symptom:
The customer's ASA was crashing frequently after remote access clients were added. Previously it had run without crashing when only site-to-site VPN was in use. After adding remote access, it began crashing as often as hourly.
Conditions: n/a
Workaround:
None
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 02-JUN-2015 |
|
Known Affected Releases: | 8.2(5) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut24720 |
Title: | AnyConnect failing to match dap record after upgrade to 9.3.2 |
|
Description: | Symptom: AnyConnect failing to match dap record after upgrade to 9.3.2 from 9.3.1
Conditions: After upgrade to 9.3.2
Workaround: rename affected DAP records
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 02-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCum70178 |
Title: | Datapath:Observing Deadlock in different DATAPATH threads |
|
Description: | Symptom: Cisco ASA working as a Failover Standby Unit, periodically reloads in thread name datapath.
Crash message could be like the following :
Deadlock in thread DATAPATH-9-2588, from: Traceback from thread DATAPATH-9-2588: Test scenario was Multiple ftp Clients from Outside to single FTP Server on Inside, with 1K conn/sec rate
Conditions: Cisco ASA 8.4 when configured as standby in a failover pair. The problem is likely more evident on the standby because, with little other work to do, multiple cores can work on flow time-outs at the same time.
As part of detaching a flow from host->h_tcp_eflow, emb-flow-count is being decremented, but this is done for paired_flow->host while holding the flow->host lock.
This can lead to a deadlock in the following scenario:
Core-1: Forward_flow->host_A host-lock was acquired in snp_host_detach_flow, which invokes snp_flow_dec_host_tcp_eflow_counters; Reverse_flow->host_B host-lock is attempted at snp_flow_dec_host_tcp_eflow_counters.
Core-2: Forward_flow->host_A host-lock was acquired in snp_host_detach_flow, which invokes snp_flow_dec_host_tcp_eflow_counters; Reverse_flow->host_B host-lock is attempted at snp_flow_dec_host_tcp_eflow_counters.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 02-JUN-2015 |
|
Known Affected Releases: | 100.8(38.102), 8.4(7.9), 9.1, 9.1(4.5), 9.1(5) |
|
Known Fixed Releases: | 100.10(9.6), 100.7(6.131), 100.8(38.126), 100.8(40.68), 100.8(56.32), 100.8(63.2), 100.8(64.6), 100.8(65.4), 100.8(66.7), 8.2(5.50) |
|
|
| |
| |
Bug Id: | CSCum35118 |
Title: | ASA:Traceback in Thread Name: DATAPATH-23-2334 |
|
Description: | Symptom: ASA (8.4.5) crashed in Thread Name: DATAPATH-23-2334
Conditions: First observed in ASA running 8.4.5.
Deleting a threat-detection policy while it is still in use and live traffic is passing through the network. This can include reconfiguration or failover syncing.
Workaround: Shut down the interfaces and run "clear local-host all" before changing the threat-detection policy.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 02-JUN-2015 |
|
Known Affected Releases: | 8.4(5) |
|
Known Fixed Releases: | 100.10(9.5), 100.11(4.1), 100.7(6.129), 100.8(38.114), 100.8(40.60), 100.8(56.20), 100.8(62.2), 100.8(64.1), 100.8(65.3), 100.8(66.3) |
|
|
| |
| |
Bug Id: | CSCus23416 |
Title: | ASA traceback in DATAPATH-1-2414 after software upgrade |
|
Description: | Symptom: ASA crash in DATAPATH-1-2414 after software upgrade
Conditions: huge ACL size
Workaround: none
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 02-JUN-2015 |
|
Known Affected Releases: | 9.0(4.13) |
|
Known Fixed Releases: | 100.11(0.56), 100.12(0.112), 100.13(0.26), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.3), 100.14(11.3) |
|
|
| |
| |
Bug Id: | CSCuu63223 |
Title: | ASA 9.3(1) shared license server stops distributing licenses randomly |
|
Description: | Symptom: ASA SSLVPN shared license server stops distributing licenses at random intervals. Output of "show shared license" shows wrong values for Available and Utilized licenses.
Shared license utilization:
  AnyConnect Premium:
    Total for network :       1000
    Available         :  287789076
    Utilized          : -287788076
  This device:
    Platform limit    :       1004
    Current usage     : -287788376
    High usage        :        150
Conditions: Issue seen in ASA 9.3(1) acting as a license server.
Workaround: None. Reload fixes the issue.
Further Problem Description: |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 02-JUN-2015 |
|
Known Affected Releases: | 9.3(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuh20372 |
Title: | ASA adds 'extended' keyword to static manual nat configuration line |
|
Description: | Symptom: This problem was introduced in version 9.1(2)1. It does not affect version 9.1(2)
If a static manual NAT line is added to the configuration, the 'extended' keyword is also incorrectly added to the configuration line by the parser
Example:
ASA(config)# nat (any,any) source static dmz-pc dmz-pc destination static vpn-network vpn-network
ASA(config)#
ASA(config)# show run nat
nat (any,any) source static dmz-pc dmz-pc destination extended static vpn-network vpn-network
ASA(config)#
The configuration then can no longer be removed by putting a 'no' in front of the entire line:
ASA(config)# no nat (any,any) source static dmz-pc dmz-pc destination extended static vpn-network vpn-network
                                                                        ^
ERROR: % Invalid input detected at '^' marker.
ASA#
Additionally, if this problem is encountered after upgrading to 9.1(2)1 and the configuration is saved and the ASA is then rebooted into 9.1(2), the manual NAT commands carrying the 'extended' keyword will fail to load into the configuration due to the syntax error.
Conditions: ASA running 9.1(2)1 or later. 9.1(2) is not affected by this problem.
Manual NAT (aka Twice NAT) is affected by this problem, but auto-NAT (aka object-NAT) is not.
Workaround: If possible, downgrade the ASA to version 9.1(2) and ensure that the manual NAT lines are present in the configuration. If necessary, re-add the manual NAT lines if they fail to be loaded when booting 9.1(2).
To remove the static manual NAT line, use the command 'no nat #' where # is the manual NAT line number with the extended keyword.
More Info:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 02-JUN-2015 |
|
Known Affected Releases: | 9.1(2.1) |
|
Known Fixed Releases: | 100.10(0.6), 100.8(27.83), 100.8(38.18), 100.8(40.7), 100.8(41.2), 100.8(60.16), 100.9(0.48), 100.9(10.1), 100.9(6.24), 100.9(7.26) |
|
|
| |
| |
Bug Id: | CSCth58048 |
Title: | Assert Failure caused Traceback in Thread Name: Dispatch Unit |
|
Description: | Symptom:
ASA experiences a crash due to an Assert Failure. The ASA will generate a crashinfo file and reload.
Conditions:
The 'show crashinfo' output will show a recent traceback in Thread Name: Dispatch Unit. It will also read "Abort: Assert failure".
Workaround:
Unknown |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 03-JUN-2015 |
|
Known Affected Releases: | 8.2(2.17), 8.2(3), 8.2(3.5) |
|
Known Fixed Releases: | 100.7(13.15), 100.7(13.65), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(18.9), 100.7(19.8), 100.7(6.42), 100.7(6.62), 100.7(8.34) |
|
|
| |
| |
Bug Id: | CSCtn08326 |
Title: | ESMTP Inspection Incorrectly Detects End of Data |
|
Description: | Symptom:
When using Extended Simple Mail Transfer Protocol (ESMTP) Inspection on Adaptive Security Appliance (ASA), certain patterns within e-mails that span multiple TCP segments may cause the inspection engine to incorrectly detect an end-of-data condition and prevent the message from being sent.
Conditions:
ESMTP Inspection enabled.
Workaround:
Disable ESMTP Inspection with no inspect esmtp command.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 03-JUN-2015 |
|
Known Affected Releases: | 8.2(4), 8.3(2.11), 8.4, 8.4(1) |
|
Known Fixed Releases: | 100.7(13.1), 100.7(14.1), 100.7(15.1), 100.7(6.30), 100.7(8.23), 100.7(9.13), 100.8(0.2), 100.8(10.1), 100.8(12.1), 8.0(5.24) |
|
|
| |
| |
Bug Id: | CSCus92856 |
Title: | ASA traceback in DATAPATH Thread due to Double Block Free |
|
Description: | Symptom: ASA reloads and generates crashinfo in Thread DATAPATH. The issue is specific to clusters with multi-context and interface sharing, and was exposed by fragmentation on the shared interface.
Conditions: Clustering is enabled on ASA
Workaround: Avoid using loopback/shared interface
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 03-JUN-2015 |
|
Known Affected Releases: | 9.1(5) |
|
Known Fixed Releases: | 100.11(0.58), 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.24), 100.14(7.23), 100.15(0.9) |
|
|
| |
| |
Bug Id: | CSCtf14727 |
Title: | ASP table entry causes FW to stop encrypting traffic |
|
Description: | Symptom: The ASA stops encrypting traffic to remote peer.
Conditions: The ASP classify table contains entries with the same user data that match different VPN contexts, leading to an SPI mismatch.
Workaround: Reload the ASA |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 03-JUN-2015 |
|
Known Affected Releases: | 8.2(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut01856 |
Title: | ASA dropping traffic with TCP syslog configured in multicontext mode |
|
Description: | Symptom: ASA dropping traffic in multiple-context mode with TCP syslog server unreachable.
Conditions:
- ASA in multiple context mode
- TCP syslog server configured on one of the contexts
- "no logging permit host-down" configured on a context
Workaround: Removing and re-adding the affected context makes the issue go away.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 03-JUN-2015 |
|
Known Affected Releases: | 9.2(2.8) |
|
Known Fixed Releases: | 100.11(0.58), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13) |
|
|
| |
| |
Bug Id: | CSCtk10911 |
Title: | HA replication code stuck - "Unable to sync configuration from Active" |
|
Description: | Symptom:
Standby ASA is stuck in "Sync Config" and is showing the following messages
Detected an Active mate
Unable to sync configuration from Active
The issue remains after the standby is reloaded or after reconfiguring failover on the standby.
Conditions:
ASA pair configured for failover. Has been seen in 8.1(2) software. This is a rare occurrence.
Workaround:
Reload the active ASA to restore the HA function |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 8.1(2.13) |
|
Known Fixed Releases: | 100.5(5.55), 100.7(0.71), 100.7(11.2), 100.7(6.16), 100.7(8.3), 8.2(4.1), 8.2(5), 8.3(2.12), 8.4(1.1), 8.4(1.99) |
|
|
| |
| |
Bug Id: | CSCuu23104 |
Title: | ASA: Traceback Unicorn Proxy Thread on version 9.4.1 |
|
Description: | Symptom: ASA Traceback with thread name Unicorn Proxy.
Conditions: ASA running version 9.4.1
Workaround: None
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut18717 |
Title: | ASA - Standby traceback in Thread Name: fover_parse |
|
Description: | Symptom: Standby ASA traceback in thread name fover_parse during upgrade from 8.6.1.12 to 9.0.4.29, after "Beginning configuration replication from mate."
Conditions: ASA is A/S failover pair
Workaround:
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 9.0(4.29) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtq92619 |
Title: | ASA IPsec doesn't start Quick Mode for some SA with IKEv1 SA up |
|
Description: | Symptom: ASA may fail to initiate a Phase 2 SA when interesting traffic arrives at the ASA.
Conditions: ASA 8.4.1.10. Static LAN-to-LAN connection that has been up for about 3 weeks. The Phase 1 SA is still established, and the Phase 2 SA for another line in the same crypto map entry is up and works fine.
Workaround:
- Reload the ASA
- Remove the crypto map entry and re-enter it
- Upgrade to a version that includes a fix for CSCty16864, which is caused by the same underlying issue, to resolve the problem |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 8.4(1.10), 8.4(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCud37992 |
Title: | HTTP Deep Packet Inspection Denial of Service Vulnerability |
|
Description: | Summary
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
- IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
- SQL*Net Inspection Engine Denial of Service Vulnerability
- Digital Certificate Authentication Bypass Vulnerability
- Remote Access VPN Authentication Bypass Vulnerability
- Digital Certificate HTTP Authentication Bypass Vulnerability
- HTTP Deep Packet Inspection Denial of Service Vulnerability
- DNS Inspection Denial of Service Vulnerability
- AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
- Clientless SSL VPN Denial of Service Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2013-5512 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom:
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 8.4(4.1) |
|
Known Fixed Releases: | 100.10(0.6), 100.7(13.111), 100.7(13.116), 100.7(6.105), 100.7(6.121), 100.8(27.30), 100.8(27.85), 100.8(34.1), 100.8(38.28), 100.8(38.4) |
|
|
| |
| |
Bug Id: | CSCus70693 |
Title: | ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO: |
|
Description: | After upgrade to 9.3.2 SSL VPNs stop working.
Symptom: SSL sessions (either WebVPN or AnyConnect) cannot be established, with the following error from AnyConnect: "Could not connect to server. Please verify Internet connectivity and server address."
In the DART:
Type : Error
Source : acvpnui
Description : Function: ConnectMgr::run
File: .\ConnectMgr.cpp
Line: 674
Invoked Function: ConnectMgr::initiateConnect
Return Code: -29622263 (0xFE3C0009)
Description: CONNECTMGR_ERROR_UNEXPECTED
These errors are seen:
"%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202)."
These errors are seen with debugs enabled:
RC4-SHA / RC4-MD5: error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2838
AES256-SHA / AES128-SHA / DES-CBC3-SHA: error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2639
Tests:
+ AnyConnect 3.1.05160 uses TLS 1.0 - fails
+ AnyConnect 4.0.00057 uses TLS 1.2 - fails
+ IE with TLS 1.0 - fails
+ IE with TLS 1.1/1.2 - fails
+ Mozilla Firefox with TLS 1.0 - fails
+ Mozilla Firefox with TLS 1.1/1.2 - works
+ Chrome (also uses TLS 1.2) - works
Conditions: ASA running 9.3.2 (the issue is not seen on 9.3.1)
Certificate with:
- RSA key size: 2048 bits
- Signature Algorithm: sha256RSA
- Signature Hash Algorithm: sha256
It does not happen for all certificates; the specific property of the affected certificates has not yet been identified.
Workaround:
+ Downgrade
+ Try regenerating the certificate
+ For WebVPN, use Firefox/Chrome with TLS 1.2
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13), 100.14(6.9) |
|
|
| |
| |
Bug Id: | CSCub08310 |
Title: | ASA "write standby" fails with "Failed to initialize interface" error |
|
Description: | Symptom:
The "write standby" command may fail to synchronize the configuration from the active ASA to the standby ASA. The following error messages may be printed on the standby unit if "debug fover fail" is enabled:
Beginning configuration replication from mate.
ERROR: open(np/port/ec/40/10/23/24/25/26/-1/-1/-1/-1/-1/-1/-1/-1/-1/-1/-1/-1) failed.
ERROR: open(Po11) failed.
ERROR: Failed to initialize interface inside
ERROR: Add interface failed.
This causes all "nameif" commands to be lost from the context configuration, and the standby configuration becomes unsynchronized with the active:
Number of interfaces on Active and Standby are not consistent. If the problem persists, you should disable and re-enable failover on the Standby.
Conditions:
ASA 8.4(3.9). Exact conditions are not known yet.
Workaround:
Don't use "write standby". |
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 8.4(3.9) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCus91445 |
Title: | BGPv6: Error when changing AS Number with ASDM |
|
Description: | Symptom: When changing the AS number for BGP routing, a syntax error occurs on the 'router bgp' command. This is the ASDM error:
[OK] no router bgp 109
[ERROR] router bgp 6501
router bgp 6501
               ^
ERROR: % Invalid input detected at '^' marker.
router bgp 6501
After this, all of the existing BGP configuration is lost and the user will need to reenter it manually.
Conditions: There is IPv6 configuration for BGP.
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtt11835 |
Title: | Traceback in Thread Name: tacplus_snd |
|
Description: | Symptom: ASA Reloads with Traceback in Thread Name: tacplus_snd
Conditions: ASA configured to use TACACS+
Workaround: Do not remove the tacacs server from the configuration while associated tacacs sessions are active
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 8.4(2) |
|
Known Fixed Releases: | 100.7(13.43), 100.7(14.36), 100.7(17.5), 100.7(18.4), 100.7(6.51), 100.7(8.34), 100.8(0.39), 100.8(11.4), 100.8(15.17), 100.8(19.34) |
|
|
| |
| |
Bug Id: | CSCuu27193 |
Title: | ASA Traceback in Thread Name: Dispatch Unit |
|
Description: | Symptom: ASA 5505 traceback in Thread Name: Dispatch Unit.
Conditions: ASA 5505 running version 9.1.6
Workaround: None
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 9.1(6) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCud70273 |
Title: | ASA may generate Traceback while running packet-tracer |
|
Description: | Symptom: A Cisco ASA may crash and generate a traceback when using the packet-tracer feature via the CLI or by ASDM.
Conditions: This is seen in very rare situations and does not appear to be easily reproducible. Identifying that you have hit this crash is not possible without crash analysis. Refer to the bug details for the fixed-in version.
Workaround: There is no workaround at this time.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 8.4(5), 8.6(1.5) |
|
Known Fixed Releases: | 100.7(6.115), 100.8(27.63), 100.8(60.3), 100.9(0.37), 100.9(4.5), 100.9(6.12), 100.9(7.19), 8.2(5.42), 8.4(5.102), 8.4(6) |
|
|
| |
| |
Bug Id: | CSCuu69152 |
Title: | ASA crash in Thread Name: CP HA Processing. |
|
Description: | Symptom: ASA failover pair crashing in Thread Name: CP HA Processing.
Conditions: L2L VPN Tunnel is configured on the ASA
Workaround: No workaround
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 04-JUN-2015 |
|
Known Affected Releases: | 9.2(2.8) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCte66568 |
Title: | Double authentication broken in 8.2.2 when use-primary-username is conf. |
|
Description: | Symptom: AnyConnect fails when double authentication is used.
Conditions: Discovered using ASA 8.2.2 with double authentication configured under the tunnel group in use.
Workaround:
1) Upgrade the ASA to version 8.4(4)1 or later
2) Downgrade AnyConnect to 3.0.08057
3) Under the tunnel-group settings, go to secondary-authentication-server-group and remove "use-primary-username" from the command (this change will prompt users to enter their username twice when authenticating)
4) Downgrade the ASA to version 8.2(1)
More Info:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 05-JUN-2015 |
|
Known Affected Releases: | 8.2, 8.2(2), 8.2(5), 8.3 |
|
Known Fixed Releases: | 100.4(0.35), 100.7(2.1), 8.2(2.3), 8.2(2.99), 8.2(4), 8.3(0.23), 8.3(1), 8.3(1.100), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCts48937 |
Title: | Memory leak in DP udp host logging resulting in 1550 byte blocks leak |
|
Description: | Symptom: When the command "management-access" is configured, in conjunction with a UDP syslog server destination, the ASA might exhaust the available blocks of memory used for processing traffic; this could cause the ASA to fail to pass traffic or de-stabilize a redundant failover pair of ASAs.
If this problem is encountered, the following syslog might be logged by the ASA: %ASA-3-3321007: System is low on free memory blocks of size ( CNT out of MAX)
And the output of 'show blocks' could show that the available blocks of one size have gone to 0, as in the output below:
ciscoASA# show blocks
  SIZE    MAX    LOW    CNT
     0    400    383    400
     4    100     98     99
    80    403    377    403
   256   1200   1165   1195
  1550   6479   6384   6476
  2048   1200      0    123   <---- Problem here
  2560    264    263    264
  4096    100    100    100
  8192    100    100    100
 16384    102    102    102
 65536     16     16     16
ciscoASA#
Conditions: To encounter this problem, all of the following conditions must be met:
1) The ASA must have the command 'management-access' configured, with an interface specified for that access. For example, to enable the management-access feature on the inside interface, the command would be 'management-access inside'
2) The ASA must be configured to send UDP syslogs to a syslog server located out the same interface as defined in the 'management-access' command. For example: 'logging host inside 10.1.2.3'
Workaround: Remove the management-access command, or disable UDP syslogging. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 05-JUN-2015 |
|
Known Affected Releases: | 8.3(2), 8.4(1) |
|
Known Fixed Releases: | 100.7(13.31), 100.7(14.21), 100.7(18.2), 100.7(6.44), 100.7(8.34), 100.8(0.25), 100.8(10.35), 100.8(12.32), 100.8(15.5), 100.8(19.14) |
|
|
| |
| |
Bug Id: | CSCua21363 |
Title: | 1550 byte block depletion related to TCP |
|
Description: | Symptom: Traffic to/through the ASA may slow down or stop.
Conditions: ASA5585 running special engineering image based on 8.4.3. The 1550 and 4096 byte blocks have intermittently been depleted since loading the new image, thus resulting in a cessation of traffic to/through the device.
Workaround: None. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 05-JUN-2015 |
|
Known Affected Releases: | 8.4(3) |
|
Known Fixed Releases: | 100.7(6.90), 100.8(0.210), 100.8(11.33), 100.8(27.19), 100.8(33.16), 100.8(34.1), 100.8(36.2), 100.9(0.1), 100.9(3.2), 8.4(4.4) |
|
|
| |
| |
Bug Id: | CSCuu42174 |
Title: | Crypto RSA keys removed from Standby Unit with "wr standby" in Multimode |
|
Description: | Symptom: RSA keys removed from the ASA Standby unit with "wr standby"
Conditions: ASA device in Multiple context and Active/Active Failover.
Workaround: Do not use the "wr standby" command from the system context.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 05-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut71408 |
Title: | ASA reload when unconfiguring/configuring eigrp and ospf routing process |
|
Description: | Symptom: ASA reload when unconfiguring/configuring eigrp and ospf routing process
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 05-JUN-2015 |
|
Known Affected Releases: | 100.14(4.31) |
|
Known Fixed Releases: | 100.14(4.32), 100.14(6.11), 100.14(7.12), 100.15(1.2), 100.15(2.26), 100.15(3.1), 100.15(4.2), 100.15(5.2), 100.15(6.2) |
|
|
| |
| |
Bug Id: | CSCut63305 |
Title: | ASA Observing stale summary route and VRF context create failure |
|
Description: | Symptom: ASA Observing stale summary route and VRF context create failure
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 05-JUN-2015 |
|
Known Affected Releases: | 100.14(4.27) |
|
Known Fixed Releases: | 100.14(4.30), 100.14(6.11), 100.14(7.12), 100.15(1.2), 100.15(2.26), 100.15(3.1), 100.15(4.2), 100.15(5.2), 100.15(6.2) |
|
|
| |
| |
Bug Id: | CSCut62535 |
Title: | ASA reload after unconfiguring OSPF and running show run router command |
|
Description: | Symptom: ASA reload after unconfiguring OSPF and running show run router command
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 05-JUN-2015 |
|
Known Affected Releases: | 100.14(4.27) |
|
Known Fixed Releases: | 100.14(4.30), 100.14(6.11), 100.14(7.12), 100.15(1.2), 100.15(2.26), 100.15(3.1), 100.15(4.2), 100.15(5.2), 100.15(6.2) |
|
|
| |
| |
Bug Id: | CSCut72078 |
Title: | ASA reload when executing the command clear ipv6 route man all |
|
Description: | Symptom: ASA reload when executing the command clear ipv6 route man all
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 05-JUN-2015 |
|
Known Affected Releases: | 100.14(4.31) |
|
Known Fixed Releases: | 100.14(4.34), 100.14(6.11), 100.14(7.12), 100.15(1.2), 100.15(2.26), 100.15(3.1), 100.15(4.2), 100.15(5.2), 100.15(6.2) |
|
|
| |
| |
Bug Id: | CSCut06081 |
Title: | ASA context create fail in multi-mode when IPv4 static route is present |
|
Description: | Symptom: ASA context create fail in multi-mode when recreating same context again
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 05-JUN-2015 |
|
Known Affected Releases: | 100.13(0.8) |
|
Known Fixed Releases: | 100.14(4.9), 100.14(6.11), 100.14(7.12), 100.15(1.2), 100.15(2.26), 100.15(3.1), 100.15(4.2), 100.15(5.2), 100.15(6.2) |
|
|
| |
| |
Bug Id: | CSCuq26046 |
Title: | ASA - Traceback in thread name SSH while changing NAT configuration |
|
Description: | Symptom: ASA traceback in thread name SSH during NAT reconfiguration.
Conditions: ASA running 8.4.7.15.
Workaround: Not known.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 06-JUN-2015 |
|
Known Affected Releases: | 8.4(7.15) |
|
Known Fixed Releases: | 100.11(0.43), 100.12(0.34), 100.12(10.31), 100.12(15.9), 100.12(21.1), 100.12(6.3), 100.12(9.11), 100.7(6.134), 100.8(40.82), 8.4(7.23) |
|
|
| |
| |
Bug Id: | CSCur69803 |
Title: | acl rules are not removed when service object-group entry is deleted. |
|
Description: | Symptom: ACL rules are not removed when service object-group entry is deleted.
Conditions: This problem occurs when object-group-search access-control is enabled.
Workaround:
1) Remove the access-list and reapply it.
2) Remove the object-group-search access-control.
3) Reload or reboot the device.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 06-JUN-2015 |
|
Known Affected Releases: | 100.12(0.82), 9.1 |
|
Known Fixed Releases: | 100.11(0.54), 100.12(0.99), 100.12(23.4), 100.12(24.4), 100.12(30.2), 100.13(0.11), 100.13(1.6), 100.13(11.20), 100.13(12.42), 100.13(16.18) |
|
|
| |
| |
Bug Id: | CSCut86775 |
Title: | VPN traceback due to memory corruption |
|
Description: | Symptom: ASA with WebVPN portal crashes
Conditions: Not yet fully known
Workaround: None
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 07-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut28210 |
Title: | AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue |
|
Description: | Symptom: Unable to authenticate with the SDI authentication server (RSA Authentication Manager), e.g. "no response from authentication server" when using [Test] in the AAA Server Group on ASDM.
Conditions:
- Using RSA Authentication Manager 8.1 or 6.1 as AAA server with ASA 9.3(2)
- The issue does NOT appear on ASA 9.2(2)8 or ASA 9.3(1)
Workaround: Use ASA 9.2(2)8.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 07-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | 100.12(0.117), 100.13(0.54), 100.13(21.10), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.10), 100.14(26.4), 100.14(3.4) |
|
|
| |
| |
Bug Id: | CSCts50723 |
Title: | ASA: Builds conn for packets not destined to ASA's MAC in port-channel |
|
Description: | Symptom:
When the ASA is configured with a port-channel interface, the firewall may process and build conns for packets not destined to its interface MAC address that are received on that port-channel. In certain scenarios, this could cause flooded packet storms in the network.
Conditions:
The ASA must be configured with all of the following conditions:
1) At least 1 port-channel interface
2) The 'same-security-traffic permit intra-interface' command
Workaround:
If the ASA does not need to hairpin traffic, disable 'same-security-traffic permit intra-interface'. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 08-JUN-2015 |
|
Known Affected Releases: | 8.4(2) |
|
Known Fixed Releases: | 100.7(13.95), 100.7(13.96), 100.7(6.90), 100.7(6.92), 100.8(0.228), 100.8(11.35), 100.8(11.49), 100.8(27.19), 100.8(27.25), 100.8(33.19) |
|
|
| |
| |
Bug Id: | CSCui25105 |
Title: | ASA may stop hashing and stop redirecting traffic to WCCP servers |
|
Description: | Symptom: An ASA configured to redirect WCCP traffic to a WCCP caching server such as the Ironport WSA web filter, may stop redirecting traffic. Further investigation shows that the ASA fails to hash the incoming traffic to any WCCP bucket and therefore processes the traffic without redirecting it per configuration.
Conditions: This has been seen while running ASA code versions 9.1(1) and 9.1(2) but very well may exist with other code versions. Current information indicates it may have something to do with utilizing more than one caching server, but details in that regard are inconclusive.
Workaround: None at this time.
More Info: You can check to see if you are hitting this condition by looking at the output of 'show wccp detail' and looking for the State to show as 'Usable' and the 'Hash Allotment' as 0% for all servers. For example:
ASA# sh wccp detail
WCCP Cache-Engine information:
        Web Cache ID:
        Protocol Version:       2.0
        State:                  Usable
        Initial Hash Info:      00000000000000000000000000000000
                                00000000000000000000000000000000
        Assigned Hash Info:     00000000000000000000000000000000
                                00000000000000000000000000000000
        Hash Allotment:         0 (0.00%)
        Packets Redirected:     0
        Connect Time:           1w0d

        Web Cache ID:
        Protocol Version:       2.0
        State:                  Usable
        Initial Hash Info:      00000000000000000000000000000000
                                00000000000000000000000000000000
        Assigned Hash Info:     00000000000000000000000000000000
                                00000000000000000000000000000000
        Hash Allotment:         0 (0.00%)
        Packets Redirected:     0
        Connect Time:           1w0d
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 08-JUN-2015 |
|
Known Affected Releases: | 9.1(1), 9.1(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuh25271 |
Title: | Upgrade fails w/ msg "No Cfg structure found in downloaded image file." |
|
Description: | Symptom: Upgrade fails with error message "No Cfg structure found in downloaded image file."
Conditions: Upgrade from version without fix for CSCua99091 (e.g. 9.1.1) to image with fix for CSCud21312 (e.g. 9.1.2.2).
Workaround: If the customer is running an image without the fix for CSCua99091 (e.g. 8.4.4, 9.1.1) then the customer needs to do an intermediate upgrade to a version that includes the fix for CSCua99091 (e.g. 8.4.6, 9.1.2) and then upgrade to the desired image (e.g. 9.1.2.2)
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 08-JUN-2015 |
|
Known Affected Releases: | 8.2(0), 8.4(0.1), 8.5(1), 8.6(0), 9.0(1), 9.1(1), 9.1(1.1), 9.1(2.1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur06331 |
Title: | ASA Traceback with spin_lock in DATAPATH |
|
Description: | Symptom:
Hardware: ASA5585-SSP-60
Software: 9.1(4)5
Problem Description: ASA Traceback with spin_lock in DATAPATH
Conditions: N/A
Workaround: N/A
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 08-JUN-2015 |
|
Known Affected Releases: | 9.1(4.5) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtl44287 |
Title: | Routing:Traceback observed on standby unit when exec clear conf all |
|
Description: | Symptom:
=========
Traceback observed on standby unit when exec clear conf all
Condition
===========
When I am doing a clear conf all on the primary active unit, I am observing a crash on the secondary standby unit. Enable the telnet access on mgmt interface and configure the dns server parameters. Launch the telnet console using mgmt ip and then do a ping tcp 23. Do clear conf all from the console; observing a traceback on the standby unit.
Other simple scenario is, do "clear conf interface" on the ASA Primary and copy the old running cfg from the flash to running-config. Traceback is observed on the secondary unit.
Work around
==========
None
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 08-JUN-2015 |
|
Known Affected Releases: | 8.4(0.120) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut28217 |
Title: | Active ASA in failover setup reboots on its own |
|
Description: | Symptom: Active ASA in failover setup reboots on its own.
Conditions: Active ASA in failover setup reboots on its own.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 09-JUN-2015 |
|
Known Affected Releases: | 9.0(4) |
|
Known Fixed Releases: | 100.11(0.58), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.21) |
|
|
| |
| |
Bug Id: | CSCus32005 |
Title: | ASA - Traceback in thread name SSH while applying BGP show commands |
|
Description: | Symptom: ASA traceback in thread name SSH during performing BGP show commands.
Conditions: ASA running 9.2.2.4
Workaround: not known
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 09-JUN-2015 |
|
Known Affected Releases: | 9.2(2.4) |
|
Known Fixed Releases: | 100.11(0.57), 100.12(0.118), 100.13(0.56), 100.13(21.10), 100.14(0.5), 100.14(1.4), 100.14(10.8), 100.14(11.8), 100.14(2.12), 100.14(26.4) |
|
|
| |
| |
Bug Id: | CSCua36443 |
Title: | ASA may reload with traceback in IPsec message handler |
|
Description: | Symptom: ASA may generate a traceback and reload in the IPsec message handler
Conditions: The issue has been seen on ASA 8.4(4), other versions may also be affected
Workaround: No known workaround at this time |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 09-JUN-2015 |
|
Known Affected Releases: | 8.4(0.4) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCum77083 |
Title: | traceback in Thread Name: IKEv2 Daemon |
|
Description: | Symptom: ASA reloads with Thread Name: IKEv2 Daemon
Conditions: ASA running 9.1 or later code and configured to terminate IKEv2 connections.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 09-JUN-2015 |
|
Known Affected Releases: | 100.8(38.104) |
|
Known Fixed Releases: | 100.10(9.5), 100.11(4.1), 100.8(38.114), 100.8(40.60), 100.8(56.20), 100.8(62.2), 100.8(64.1), 100.8(65.3), 100.8(66.3), 100.8(67.1) |
|
|
| |
| |
Bug Id: | CSCtt36737 |
Title: | AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability |
|
Description: | Summary Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
- IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
- SQL*Net Inspection Engine Denial of Service Vulnerability
- Digital Certificate Authentication Bypass Vulnerability
- Remote Access VPN Authentication Bypass Vulnerability
- Digital Certificate HTTP Authentication Bypass Vulnerability
- HTTP Deep Packet Inspection Denial of Service Vulnerability
- DNS Inspection Denial of Service Vulnerability
- AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
- Clientless SSL VPN Denial of Service Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability, and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-3415 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 09-JUN-2015 |
|
Known Affected Releases: | 8.4(2.1), 8.6(1) |
|
Known Fixed Releases: | 100.7(13.43), 100.7(13.65), 100.7(14.37), 100.7(17.7), 100.7(18.4), 100.7(18.9), 100.7(19.8), 100.7(6.52), 100.7(6.62), 8.4(2.102) |
|
|
| |
| |
Bug Id: | CSCun00055 |
Title: | ASA: ASA 5585 Tracebacks in Datapath |
|
Description: | Symptom: ASA 5585 tracebacks in Datapath
Conditions: Root cause is unknown for this crash.
Workaround: No Workarounds as of now.
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 09-JUN-2015 |
|
Known Affected Releases: | 9.0(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuh69931 |
Title: | ASA 5512 - 9.1.2 Traceback in Thread Name: ssh |
|
Description: | Symptom: ASA SSHv2 rekey causes traceback.
Conditions: ASA SSHv2 rekey occurs after data or time (55 minutes) trigger. If the connection is closing while this is ongoing, a traceback will occur.
Workaround: none at this time.
More Info:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 09-JUN-2015 |
|
Known Affected Releases: | 9.1(2) |
|
Known Fixed Releases: | 100.8(27.84), 100.8(38.21), 100.8(40.10), 100.8(41.2), 100.8(60.26), 100.9(0.53), 100.9(10.1), 100.9(6.28), 100.9(7.33), 9.1(2.5) |
|
|
| |
| |
Bug Id: | CSCuf93071 |
Title: | ASA 8.4.4.1 traceback in threadname Datapath |
|
Description: | Symptom: ASA5585-SSP-60 running 8.4.4.1 crashed in threadname 'datapath'
Conditions:
Workaround: Disable IPS.
More Info:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 09-JUN-2015 |
|
Known Affected Releases: | 8.2, 8.4(3.10), 8.4(4.1) |
|
Known Fixed Releases: | 100.10(0.6), 100.7(6.120), 100.8(27.85), 100.8(38.23), 100.8(40.13), 100.8(41.2), 100.8(60.30), 100.9(0.54), 100.9(10.1), 100.9(6.29) |
|
|
| |
| |
Bug Id: | CSCuo95074 |
Title: | ASA AnyConnect failure or crash in SSL Client compression with low mem |
|
Description: | Symptom: AnyConnect clients are able to connect, but get immediately disconnected. The following are seen in syslogs:
%ASA-6-725007 SSL session with remote_device interface_name : IP_address / port terminated.
%ASA-6-722023: Group group User user-name IP IP_address SVC connection terminated with compression
%ASA-6-716058: Group group User user IP ip AnyConnect session lost connection. Waiting to resume.
%ASA-5-722037: Group group User user-name IP IP_address SVC closing connection: Compression error.
%ASA-6-722027: Group group User user-name IP IP_address SVC decompression history reset
%ASA-6-716059: Group group User user IP ip AnyConnect session resumed. Connection from ip2 .
%ASA-3-722021: Group group User user-name IP IP_address Unable to start compression due to lack of memory resources
ASA can also crash with traceback pointing to "ssl_compress_record" when low memory is observed.
Conditions: Compression is configured for AnyConnect.
Workaround: Disable compression for AnyConnect. Downgrade to 8.4.6.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 09-JUN-2015 |
|
Known Affected Releases: | 9.2(1) |
|
Known Fixed Releases: | 100.10(17.2), 100.10(2.26), 100.10(7.13), 100.11(0.17), 100.11(5.21), 100.11(6.1), 100.12(11.9), 100.12(12.1), 100.12(15.2), 100.12(8.5) |
|
|
| |
| |
Bug Id: | CSCto59377 |
Title: | Traceback in Thread Name: DATAPATH-6-2319 |
|
Description: | Symptom: ASA reloads with traceback in Thread Name: DATAPATH-6-2319
Conditions: First observed on ASA5585 platform under stress test
Workaround: None
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 09-JUN-2015 |
|
Known Affected Releases: | 100.8, 100.8(5.2), 8.4(1.6), 8.4(7.23) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu29947 |
Title: | ASA: Traceback in Dispatch Unit |
|
Description: | Symptom: ASA caused a traceback in dispatch unit running 8.4.7.23
Conditions: unknown at this point
Workaround: N/A
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 09-JUN-2015 |
|
Known Affected Releases: | 8.4(7.23) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut91972 |
Title: | RAMC: Traceback while bring up RA with IPv4 DTLS Certs |
|
Description: | Symptom: Crash when attempt Anyconnect DTLS Connection with Cert authentication
Conditions: Crash when attempt Anyconnect DTLS Connection with Cert authentication
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 10-JUN-2015 |
|
Known Affected Releases: | 100.15(2.14) |
|
Known Fixed Releases: | 100.15(2.20) |
|
|
| |
| |
Bug Id: | CSCte21219 |
Title: | Certificate authentication failing on ASA: incorrect key for validation |
|
Description: | Symptom:
When using IPSEC or SSL and using certificate validation of the clients that are connecting to the ASA, validation will fail.
Errors similar to the following may be seen in the ca debugs:
CERT-C: I pkixpath.c(1137) : Error #72eh
CRYPTO_PKI: Certificate validation: Failed, status: 1838. Attempting to retrieve revocation status if necessary
CRYPTO_PKI: PKI Verify Certificate Check Cert Revocation unknown error 1838
Conditions:
Two CA certificates installed in trustpoints used for validation that have the same CN but use a different RSA key for each certificate.
Workaround:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 10-JUN-2015 |
|
Known Affected Releases: | 8.2(1) |
|
Known Fixed Releases: | 100.4(0.35), 100.7(2.1), 8.0(5.10), 8.2(2.5), 8.2(2.99), 8.2(4), 8.3(0.21), 8.3(1), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCuq47586 |
Title: | Standby ASA reboots when write standby is used on the active ASA |
|
Description: | Symptom: standby ASA crashes when write standby is used from active ASA
Conditions: ASA in failover pair, make a configuration change to one of the contexts, issue the write standby command, standby ASA crashes and reboots
Workaround: use write memory instead
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 10-JUN-2015 |
|
Known Affected Releases: | 9.2(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCub59136 |
Title: | ASA: Manual NAT rules are not processed in order |
|
Description: | This bug identifies the same problem as CSCtq47028. CSCtq47028 is listed as resolved, but did not in fact resolve this problem, hence this bug is filed to continue to track it.
Symptom: In ASA 8.3 and later, Manual NAT rules (Section 1) may not be processed in the order they appear in the output of show running-config nat and show nat. In certain cases, a rule which performs a translation between 2 objects/object-groups will take precedence over a rule that does not perform any translation.
Conditions: The ASA must be running a software version of 8.3 or higher. The following is an example of an affected configuration:
object-group network src-networkA
 network-object 10.1.1.0 255.255.255.0
object-group network src-networkB
 network-object 10.2.2.0 255.255.255.0
object-group network dst-networkA
 network-object 192.168.1.0 255.255.255.0
object network dst-hostA
 host 172.16.1.1
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
nat (inside,outside) source static src-networkA src-networkA destination static dst-networkA dst-networkA
nat (inside,outside) source dynamic src-networkA interface destination static obj_any dst-hostA
In the above example, a packet with a source of a host in src-networkA and a destination of a host in dst-networkA will NOT be processed by the 1st line, and instead will match the 2nd line and be translated.
Workaround: As a workaround, NAT rules can be modified to prevent this condition by avoiding re-using objects/object-groups in a single rule. Using the above example, the NAT rules could be changed to the following, thereby causing the 1st NAT rule to be applied to the previously indicated traffic flow:
object-group network src-networkA-mapped
 network-object 10.1.1.0 255.255.255.0
object-group network dst-networkA-mapped
 network-object 192.168.1.0 255.255.255.0
nat (inside,outside) source static src-networkA src-networkA-mapped destination static dst-networkA dst-networkA-mapped
nat (inside,outside) source dynamic src-networkA interface destination static obj_any dst-hostA
Notice that no object/object-group is re-used within the same rule. This will force the ASA to process the NAT rules in the order they appear in the configuration. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 10-JUN-2015 |
|
Known Affected Releases: | 100.7(21.1), 8.4(2), 8.4(4.2), 8.4(4.3), 8.4(4.5) |
|
Known Fixed Releases: | 100.7(13.98), 100.7(6.94), 100.8(0.235), 100.8(11.37), 100.8(27.19), 100.8(33.21), 100.8(34.1), 100.8(37.7), 100.8(39.1), 100.9(0.1) |
|
|
| |
| |
Bug Id: | CSCui86820 |
Title: | ASA - Some redirected CWS tower traffic being sent to actual server |
|
Description: | Symptom: ASA running scansafe inspection will redirect http traffic to the tower as part of the filtering. All communication to the site should be passed through the tower. When the ASA receives a partial packet and is unable to reassemble, the ASA ends up sending the request back to the server instead of the scansafe tower which can cause performance problems on the http download.
Conditions:
- ASA running 9.x code with scansafe inspection enabled.
- Large http downloads with possible packet loss involved in the internet
Workaround: none at this time.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 10-JUN-2015 |
|
Known Affected Releases: | 9.1(1), 9.1(1.8), 9.1(2), 9.1(3) |
|
Known Fixed Releases: | 100.10(0.19), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.43), 100.8(40.26), 100.8(41.2), 100.8(45.4), 100.8(46.5), 100.8(48.1) |
|
|
| |
| |
Bug Id: | CSCsq68617 |
Title: | High CPU caused by the radius_snd process if AAA server is down or slow |
|
Description: |
Symptom:
ASA5540 shows high CPU around 90%
Conditions: The appliance is receiving a discrete number of EzVPN concurrent requests. The authentication is performed via radius server and the AAA server is down or not reachable
Workaround: none
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 8.0(2), 8.0(3), 8.0(3.15) |
|
Known Fixed Releases: | 7.2(4.31), 8.0(4.5), 8.0(5), 8.1(1.100), 8.1(101.4), 8.2(0.140) |
|
|
| |
| |
Bug Id: | CSCuo00904 |
Title: | ASA Page Fault: Invalid Permission in thread name DATAPATH |
|
Description: | Symptom: The Adaptive Security Appliance (ASA) reloads with thread name DATAPATH with a page fault of Invalid permission.
Conditions: ASAsm running 8.5.1.16 code.
Workaround: None at this time.
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 8.5(1.16) |
|
Known Fixed Releases: | 100.10(0.88), 100.10(2.14), 100.10(6.16), 100.10(7.3), 100.11(0.6), 100.11(4.1), 100.11(5.1), 100.7(6.131), 100.8(40.68), 100.8(56.49) |
|
|
| |
| |
Bug Id: | CSCui45340 |
Title: | ASA-SM assert traceback in timer-infra |
|
Description: | Symptom: ASA Service Module crashes during normal operation. A show crash will be generated and can be used in correlation with other information gathered by TAC to denote this defect.
Conditions: ASA Service Module in production on 8.5.1.7.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 8.5(1.7) |
|
Known Fixed Releases: | 100.10(0.26), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.124), 100.8(38.56), 100.8(40.33), 100.8(45.7), 100.8(46.28), 100.8(52.2) |
|
|
| |
| |
Bug Id: | CSCuj79509 |
Title: | ASA Physical Interface Failure Does not Trigger Failover |
|
Description: | Symptom: ASA Failover pair, a physical interface went down, yet no failover happened.
Conditions:
-- Physical interface configured with nameif, IP address and security level (issue also affects port channel interfaces).
-- Interface monitored (physical interfaces and port channel interfaces are monitored by default).
-- Failed interface does not have a standby IP configured.
Workaround:
-- Configure a standby IP (recommended configuration); however, this may not be applicable for outside interfaces if no standby public IP is available.
-- Monitor the VLAN interface associated with the physical interface (if configured).
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 8.2(5.3), 8.4(2.1), 9.0(1), 9.1(1) |
|
Known Fixed Releases: | 100.10(0.42), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.70), 100.8(40.46), 100.8(46.40), 100.8(51.8), 100.9(10.17) |
|
|
| |
| |
Bug Id: | CSCut56198 |
Title: | Clustering: Traceback in DATAPATH with transparent FW |
|
Description: | Symptom: ASA traceback occurred on one of the slave units in a 4 node cluster in the DATAPATH thread. Stack trace indicates that the ASA was doing a transparent firewall operation.
Conditions: Cisco ASA running release 9.2.1.213 and configured as a cluster slave with multi-context configuration which included mixed-mode contexts.
Workaround: None
Further Problem Description: Please see Eng-note.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 9.2(1.213), 9.3(2.108) |
|
Known Fixed Releases: | 100.11(0.57), 100.11(0.58), 100.12(0.120), 100.12(0.121), 100.13(0.61), 100.13(21.12), 100.13(21.13), 100.13(28.2), 100.14(0.7), 100.14(0.8) |
|
|
| |
| |
Bug Id: | CSCue51351 |
Title: | ASA: Huge NAT config causes traceback due to unbalanced p3 tree |
|
Description: | Symptom: ASA running 8.4(4)9 version code may generate a traceback with Thread Name: DATAPATH-7-2315 and reload.
Conditions: Observed on ASA5585-SSP-60 running in failover environment.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 8.4(4.9), 8.4(5), 9.1(2), 9.2(2.4), 9.2(2.8) |
|
Known Fixed Releases: | 100.10(0.99), 100.10(12.10), 100.10(17.1), 100.10(2.20), 100.10(7.10), 100.11(2.1), 100.11(4.1), 100.8(38.114), 100.8(40.59), 100.8(55.1) |
|
|
| |
| |
Bug Id: | CSCut49034 |
Title: | ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal |
|
Description: | Symptom: CPU on standby ASA spikes to 100%
Conditions: Host (connecting through clientless VPN with RDP plugin) opens an RDP session to a host connected through AnyConnect VPN. Stateful failover configured on an active-standby failover pair.
Workaround: None
Further Problem Description: High CPU on standby ASA unit due to a specific connection on the ASA from a host connecting to clientless VPN when stateful failover is enabled. Host (connecting through clientless VPN) opens an RDP session to a host connected through AnyConnect VPN.
When this particular connection goes through the ASA, we find that the active ASA builds a single connection. The standby ASA builds numerous connections with the same source and destination ports.
Connection on the primary/active:
act/pri/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:00, bytes 4131029, flags UO
Connections on secondary (close to 2500):
stby/sec/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:05, bytes 4131029, flags UO
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:06, bytes 4131029, flags UO
We see a lot of connection teardowns on the standby for this connection.
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554151 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:02 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554254 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:01 bytes 252687 TCP Reset-O
We also see a lot of reset packets in asp drops in the standby ASA.
1: 19:00:25.358578 0000.0000.0000 0000.0000.0000 0x0800 Length: 54
66.241.60.197.62481 > 10.145.44.253.3389: R [tcp sum ok] 0:0(0) ack 0 win 0 (ttl 255, id 52738) Drop-reason: (mp-svc-no-channel) SVC Module does not have a channel for reinjection
The interesting thing is that both the source MAC and the destination MAC are 0 in this ASP drop.
We see overruns on the failover interface of the standby unit.
stby/sec/alan3usv01# show int gig0/3
Interface GigabitEthernet0/3 "failover1", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: LAN/STATE Failover Interface
        MAC address 5475.d091.518f, MTU 1500
        IP address 10.99.101.114, subnet mask 255.255.255.248
        432217782 packets input, 556229026142 bytes, 0 no buffer
        Received 556 broadcasts, 0 runts, 0 giants
        204523310 input errors, 0 CRC, 0 frame, 204523310 overrun, 0 ignored, 0 abort
And we see a lot of packets being transferred from the active to the standby ASA.
In the fover rx debugs we only find the following messages:
lu_rx: HA TRANS: receive message for client vpnfo, length 48
lu_rx: HA TRANS: receive message for client vpnfo, length 72
lu_rx: HA TRANS: receive message for client vpnfo, length 72
When we decode the CPU profile output from the standby ASA, the CPU profiler indicates that the high CPU on the standby ASA is due to LU updates.
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 9.1(2), 9.1(5.21) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut12311 |
Title: | Traceback in DATAPATH Thread with SFR Redirection Enabled |
|
Description: | Symptom: Adaptive Security Appliance (ASA) unexpectedly reloads when FirePOWER services module traffic redirection is enabled and certain fragmented traffic is received.
Conditions: Traffic is redirected to FirePOWER services module.
Workaround: Disable traffic redirection to FirePOWER services module.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 9.3 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut45114 |
Title: | 2048-byte block leak if DNS server replies with "No such name" |
|
Description: | Symptom: The ASA may become unresponsive due to excessive loss of 2048-byte memory blocks.
Conditions: Many DNS lookups for bad hostnames are done from the ASA, so that the DNS server replies "no such name".
Workaround: A reboot is required to recover the lost memory blocks.
Further Problem Description: To monitor block utilization, use the CLI command "show blocks".
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 9.3(2.101) |
|
Known Fixed Releases: | 100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.10), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5) |
|
|
| |
| |
Bug Id: | CSCuu55258 |
Title: | ASA 9.4: very slow RX speed for SFR module |
|
Description: | Symptom: Low transfer speed from SFR module, causing failure when applying SFR policy.
Conditions: Running ASA 9.4
Workaround: Use ASA 9.3 or 9.2 code.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 9.4, 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur07369 |
Title: | SXP Version Mismatch Between ASA & N7K with clustering |
|
Description: | Symptom: SXP connection cannot be established when ASA cluster is interacting with a SXP peer running SXP version 1 protocol.
Conditions: (1) ASA is running a cluster with 2 or more units, (2) the SXP peer is running the SXP version 1 protocol, and (3) the SXP peer's hash directs the SXPv1 request to a slave unit of the ASA cluster instead of the master unit.
Workaround:
- Upgrade the SXP peer to run SXP version 2 or above, or
- Change the IP address used for establishing the SXP connection so that the hash algorithm may direct the SXPv1 request from the SXP peer to the master unit of the ASA cluster instead of the slave unit.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 9.3(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCty96930 |
Title: | ASA5585 SSP-60: 8.4.2 Crash thread accept/http on capture command |
|
Description: | Symptom: ASA5585 running 8.4.2 may crash while configuring capture command.
Conditions: Still under investigation
Workaround: Do not use the "capture cap access-list greg interface inside" command |
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 8.4(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtg14086 |
Title: | ASA traceback with no traffic going through |
|
Description: | Symptom:
ASA reloads
Conditions:
This has been seen on 5580-40 running 8.2.2
Workaround:
None at this time. |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 8.2(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtb35842 |
Title: | traceback eip:lavg_dp_work+1 at slib/loadavg.c:241 with vpn & failover |
|
Description: |
Symptom: Traceback may occur with VPN, failover and high session count
Conditions:
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 100.5(0.22), 100.5(0.24) |
|
Known Fixed Releases: | 8.0(4.100), 8.0(4.45), 8.1(2.35), 8.2(1.100), 8.2(1.102), 8.2(1.12), 8.2(4), 8.3(0.0) |
|
|
| |
| |
Bug Id: | CSCtb45354 |
Title: | ASA traceback thread name dispatch unit, assertion calendar_queue.h |
|
Description: | Symptom: ASA traceback on thread name Dispatch Unit, abort Assert failure
Conditions: In a failover environment, the standby unit is the one seen to crash
Workaround: No known workaround
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 8.0(4.39), 8.2(2) |
|
Known Fixed Releases: | 100.4(0.30), 8.0(5.6), 8.1(2.39), 8.2(2.1), 8.2(2.99), 8.2(4), 8.3(0.19), 8.3(1) |
|
|
| |
| |
Bug Id: | CSCua24960 |
Title: | Traceback in CP Midpath Processing - SSL DHE cipher |
|
Description: | Symptom:
Upgrade to 8.4.4 causes a traceback in a failover pair of 5585s
Conditions:
Upgrade from 8.3.4
Workaround:
none at this time |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 8.4(4) |
|
Known Fixed Releases: | 100.7(23.1), 100.7(6.83), 100.8(34.1), 8.4(4.2), 8.4(4.99), 8.4(5) |
|
|
| |
| |
Bug Id: | CSCus73993 |
Title: | ASA memory corruption - traceback in Thread Name: CERT API |
|
Description: | Symptom: ASA Traceback in Thread Name: CERT API due to memory corruption.
Conditions: ASA running affected software.
Workaround: Unknown
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 11-JUN-2015 |
|
Known Affected Releases: | 9.1(5.21) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtj11690 |
Title: | Packet-tracer not working in Multi Routed mode |
|
Description: | Symptom: When running the packet-tracer command in a multi-context ASA configuration, the following action is reported even though the actual packet is allowed:
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed
Conditions: Multicontext ASA with or without shared interfaces.
Workaround: None at this time. This is a cosmetic issue only. Traffic is not affected by this bug. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 12-JUN-2015 |
|
Known Affected Releases: | 100.7(5.20), 7.2(2), 8.4(0.15) |
|
Known Fixed Releases: | 100.5(5.43), 100.7(0.59), 100.7(5.23), 100.7(6.8), 100.7(8.1), 100.7(9.1), 8.2(4.101), 8.2(4.6), 8.2(5), 8.3(2.14) |
|
|
| |
| |
Bug Id: | CSCto06207 |
Title: | Pre-filled Username From Certificate Denial of Service Vulnerability |
|
Description: | Symptom: A vulnerability exists within the pre-fill username from certificate function of the Cisco ASA that may allow an authenticated remote attacker to trigger a reload of the affected system. The vulnerability is due to improper freeing of memory by the calling process. An attacker may be able to trigger this race condition by trying to generate multiple AnyConnect sessions.
Conditions: ASA configured with AnyConnect and certificate authentication. Additionally, the pre-fill username option must also be active for the crash to happen.
Workaround: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5410 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 12-JUN-2015 |
|
Known Affected Releases: | 8.4(1) |
|
Known Fixed Releases: | 100.7(13.13), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(9.39), 100.8(0.31), 100.8(0.9), 100.8(10.9), 100.8(15.1) |
|
|
| |
| |
Bug Id: | CSCul05079 |
Title: | ASA Memory usage in a context rises |
|
Description: | Symptom: In ASA running multi-context mode, the reported memory usage in at least one of contexts rises steadily, even though system context doesn't show any new allocations/changes.
Conditions: Multi-context mode
Workaround: None currently
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 12-JUN-2015 |
|
Known Affected Releases: | 9.1(3) |
|
Known Fixed Releases: | 100.10(9.6), 100.11(0.3), 100.8(38.130), 100.8(40.66), 100.8(56.35), 100.8(64.9), 100.8(65.4), 100.8(66.8), 9.1(5.13), 9.2(0.101) |
|
|
| |
| |
Bug Id: | CSCtx58556 |
Title: | ActiveX RDP Plugin fails to connect from IE6-9 after upgrade to 8.4(3) |
|
Description: | Symptom:
After an upgrade to 8.4(3), Windows XP/7 users are unable to connect to an RDP resource using the RDP ActiveX plugin via the WebVPN portal page in IE6-9.
Conditions:
Customer must be using ASA 8.4(3) and Internet Explorer with the RDP ActiveX plugin.
Workaround:
- Use the Java plugin. This can be accomplished by adding '?ForceJava=yes' to the end of the RDP bookmark. For instance 'rdp://myterminalserver/?ForceJava=true'.
- You can also use Firefox/Chrome to force the use of the Java RDP plugin.
- Downgrade to 8.4(2)x and remove the ActiveX plugin from Internet Explorer. You will also need to remove references to the ActiveX plugin from your Windows Registry. You can reference bug ID CSCtx57453 for further information. After removing the ActiveX plugin and cleaning up the registry, reconnect to the ASA 8.4(2)x to re-download the ActiveX plugin. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 12-JUN-2015 |
|
Known Affected Releases: | 8.4(3) |
|
Known Fixed Releases: | 100.7(13.57), 100.7(18.10), 100.7(19.8), 100.7(6.63), 100.8(0.61), 100.8(11.10), 100.8(14.8), 100.8(24.32), 100.8(30.6), 100.8(32.3) |
|
|
| |
| |
Bug Id: | CSCtn69856 |
Title: | Memory Block Leak Denial of Service Vulnerability |
|
Description: | Symptom: A vulnerability exists within the IPsec error handling code of the Cisco ASA where a remote authenticated attacker may be able to trigger a memory block leak by sending crafted fragmented packets.
Conditions: ASA configured with IPsec and an IPsec tunnel active
Workaround: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5047 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 12-JUN-2015 |
|
Known Affected Releases: | 8.2(4), 8.4(1) |
|
Known Fixed Releases: | 100.7(13.89), 100.7(6.86), 100.8(0.192), 100.8(11.30), 100.8(27.19), 100.8(33.13), 100.8(34.1), 100.8(35.2), 100.8(36.1), 100.9(0.1) |
|
|
| |
| |
Bug Id: | CSCus56590 |
Title: | ASA - Traceback in Thread Name: fover_parse |
|
Description: | Symptom: The standby ASA enters a boot loop after attempting to replicate the configuration from the active member, generating a traceback in Thread Name: fover_parse.
The standby ASA finishes the bulk sync in failover but never sends the "sync config finished" message to the active unit; this is the point at which it reloads.
Conditions: ASA with failover
Versions: 9.3.2 and 9.4.1
Workaround: Move to version 9.3.1 or 9.3.2.104
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 12-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.4(1) |
|
Known Fixed Releases: | 100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.11), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5) |
|
|
| |
| |
Bug Id: | CSCtn90643 |
Title: | Traceback while replicating xlates on standby |
|
Description: | Symptom: Standby ASA has problems replicating NAT pool xlates and then tracebacks.
Conditions: Cisco ASA 5585 running release 8.4.1. Large number of NAT translations and heavy load of TCP and UDP data connections on the active unit.
Workaround: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-5420 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 12-JUN-2015 |
|
Known Affected Releases: | 8.4(1) |
|
Known Fixed Releases: | 100.7(13.1), 100.7(13.3), 100.7(14.1), 100.7(15.1), 100.7(15.3), 100.7(6.33), 100.7(6.38), 100.7(8.26), 100.7(8.34), 100.7(9.18) |
|
|
| |
| |
Bug Id: | CSCta46747 |
Title: | Traceback while executing show run after modifying the access-list |
|
Description: | Symptom:
After modifying the access-list using ASDM or the CLI, if the customer tries to view the access-list in another ASDM or CLI session, the ASA may crash.
Conditions:
ASA5500 being managed via ASDM or CLI session such as SSH, telnet, or serial console.
Workaround:
Use a single ASDM or CLI session to edit and view ACL changes.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.8/3.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 12-JUN-2015 |
|
Known Affected Releases: | 8.0(4.28) |
|
Known Fixed Releases: | 8.2(5.31) |
|
|
| |
| |
Bug Id: | CSCts69531 |
Title: | Traceback in Dispatch Unit on Standby with timeout floating-conn |
|
Description: | Symptom: Primary ASA5540 in failover rebooted in Thread Name: Dispatch Unit after assuming Standby role.
Conditions: ASA5540 running 8.2.5 code. ''timeout floating-conn'' is configured. Immediately after issuing a ''failover active'' on the Secondary unit, the Primary-Standby reloaded.
Workaround: Remove ''timeout floating-conn'' from the configuration.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 12-JUN-2015 |
|
Known Affected Releases: | 8.2(5), 8.6(1.2) |
|
Known Fixed Releases: | 100.7(13.34), 100.7(13.65), 100.7(14.24), 100.7(17.5), 100.7(18.2), 100.7(18.9), 100.7(19.8), 100.7(6.44), 100.7(6.62), 100.7(8.34) |
|
|
| |
| |
Bug Id: | CSCuq03645 |
Title: | ASA-SM: Vlans assigned are not recognized by the configuration |
|
Description: | Symptom: VLANs assigned to the ASA are pushed down and appear in the output of "show vlan", but they cannot be configured because the ASA does not recognize the VLAN when an attempt is made to configure it.
Conditions: First noticed on an ASA-SM running 8.5(1)11 in multi-context mode.
Workaround: Reload the ASA.
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 12-JUN-2015 |
|
Known Affected Releases: | 8.5(1.11) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCub11582 |
Title: | ASA5550 continuous reboot with tls-proxy maximum session 4500 |
|
Description: | Symptom: When "tls-proxy maximum-session 4500" is configured, the asa84x image reboots on the ASA5550 during bootup.
Conditions:
1. Image 8.3 does not have this issue.
2. When "tls-proxy maximum-session" is larger than 4440, the ASA5550 will crash.
Workaround:
1. Downgrade to 8.3, or
2. Set "tls-proxy maximum-session" to less than 4440 for image 8.4
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 12-JUN-2015 |
|
Known Affected Releases: | 8.4(3), 9.0(0.120) |
|
Known Fixed Releases: | 100.7(13.100), 100.7(6.94), 100.8(0.237), 100.8(11.39), 100.8(27.20), 100.8(33.23), 100.8(34.1), 100.8(38.1), 100.8(39.1), 100.9(0.2) |
|
|
| |
| |
Bug Id: | CSCur51645 |
Title: | Linux Kernel ptrace Local Privilege Escalation Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-4699
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-4699 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 9.3(2), 9.4(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31444 |
Title: | Linux Kernel compat_put_timeval() Local Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2012-4467
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2012-4467 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31791 |
Title: | Linux Kernel next_pidmap() Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-1593
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-1593 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31756 |
Title: | Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2009-2692
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2009-2692 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31873 |
Title: | Linux Kernel IA32SysCall Privilege Escalation Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-3301
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:W/RC:UR
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-3301 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31660 |
Title: | Linux Kernel binfmt_elf.c regset Handling Local Denial of Service Vuln |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2012-1097
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2012-1097 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31798 |
Title: | Linux Kernel wait_for_unix_gc() Local Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-4249
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-4249 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31804 |
Title: | Linux Kernel Transparent Interprocess Communication Protocol Local Den |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-1187
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-1187 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 1 Catastrophic |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31865 |
Title: | Libcg Project libcgroup Library Task Controller List Processing Privil |
|
Description: | Symptom: This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-1006
This bug was opened to address the potential impact on this product.
Conditions: Device with default configuration.
Workaround: Not currently available.
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 6.8; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:W/RC:UR
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-1006 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | 100.11(0.50), 100.8(40.89), 9.2(3.101) |
|
|
| |
| |
Bug Id: | CSCuf31760 |
Title: | Linux Kernel Block Layer IOCTL Request Processing Denial of Service Vu |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-4162
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.6; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-4162 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31750 |
Title: | Linux Kernel Virtual Machine Local Guest System Denial of Service Vuln |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2009-3290
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.6; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2009-3290 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur54965 |
Title: | cURL and libcurl Certificate Validation Remote SSL Server Spoofing Vul |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-4545
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.3; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2013-4545 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.7(1), 9.2(1), 9.3(2), 9.3(2.200), 9.4(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31475 |
Title: | Linux Kernel KVM Device Assignment Page Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2012-2121
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.4; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2012-2121 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31448 |
Title: | Linux Kernel futex_lock_pi() Denial of Service Vuln CVE-2010-0623 |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-0623
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.6; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-0623 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31665 |
Title: | Linux Kernel execve() Memory Allocation Local Denial of Service Vulner |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-4243
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.6; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-4243 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31853 |
Title: | Linux Kernel setup_routing_entry() KVM Function Local Buffer Overflow |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2012-2137
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 6.9; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2012-2137 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 1 Catastrophic |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31740 |
Title: | Linux Kernel LDM Partition Tables Handling Buffer Overflow Vulnerabili |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-1017
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 6.8; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-1017 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31842 |
Title: | Linux Kernel taskstats.c Local Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-2484
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.4; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-2484 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31541 |
Title: | Linux Kernel setup_arg_pages() Local Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-3858
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.6; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-3858 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31673 |
Title: | Linux Kernel inotify_init() Double Free Error Denial of Service Vulner |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-1479
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.4; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-1479 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31577 |
Title: | GNU glibc LD_AUDIT Local Privilege Escalation Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-3856
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 6.6; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-3856 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31536 |
Title: | Linux Kernel inotify_init() Local Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-4250
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.6; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-4250 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31547 |
Title: | Linux Kernel Clone() Function clone_io Local Denial of Service Vulnera |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2012-0879
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.6; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2012-0879 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31612 |
Title: | Linux Kernel mprotect_fixup() Memory Corruption Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-4169
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.7; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-4169 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 1 Catastrophic |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31788 |
Title: | Linux Kernel napi_reuse_skb() Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-1576
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.4; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-1576 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31463 |
Title: | Linux Kernel epoll Implementation Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-1083
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 4.4; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-1083 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31654 |
Title: | Linux Kernel GUID Partition Tables Handling Arbitrary Code Execution V |
|
Description: | Symptom: This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-1776
This bug was opened to address the potential impact on this product.
Conditions: Device with default configuration.
Workaround: Not currently available.
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base CVSS score of all vulnerabilities tracked by this bug as of the time of evaluation is 6.6; the Base and Temporal vector is:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-1776 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | 100.12(10.47), 100.8(40.84), 9.0(4.25), 9.1(5.100), 9.1(5.20), 9.2(2.100), 99.1(2.27), 99.1(3.9) |
|
|
| |
| |
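Only two records in this list (CSCuf31865 and CSCuf31654 above) carry a populated Known Fixed Releases field, and deciding whether a given ASA is past the fix means comparing release strings such as 9.1(5) against entries such as 9.1(5.20). The following is an added example, not Cisco's own tooling, and it rests on one assumption that the page does not state: releases order as (major, minor, maintenance, interim), so 9.1(5) < 9.1(5.20) < 9.1(6), and a fix listed as 9.1(5.20) is present in that interim and in every later 9.1 release. Internal trains such as 100.8(40.84) simply never match a customer release, and a train with no listed fix is reported as such rather than silently treated as fixed. The `show version` line is a constructed sample.

```python
"""Compare a running ASA release against a bug's Known Fixed Releases field (added example).

Assumed ordering (not stated on this page): (major, minor, maintenance, interim),
so 9.1(5) < 9.1(5.20) < 9.1(6). A fix listed as 9.1(5.20) is therefore present in
9.1(5.20) and in every later 9.1 release, and absent from 9.1(5).
"""
import re

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)(?:\.(\d+))?\))?$")


def parse_release(text: str) -> tuple:
    """'9.1(5.100)' -> (9, 1, 5, 100); '9.1(5)' -> (9, 1, 5, 0); '99.1' -> (99, 1, 0, 0)."""
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def running_release(show_version: str) -> str:
    """Pull the release string out of ASA 'show version' output."""
    m = re.search(r"Software Version\s+(\d+\.\d+\(\d+(?:\.\d+)?\))", show_version)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


def fix_status(running: str, known_fixed: str) -> str:
    """Classify `running` against a comma-separated Known Fixed Releases field.

    Returns 'fixed', 'affected', 'no fix in this train' or 'no fix listed'.
    """
    run = parse_release(running)
    fixes = [parse_release(f) for f in known_fixed.split(",") if f.strip()]
    if not fixes:
        return "no fix listed"            # the Status 'Other' records above have an empty field
    in_train = [f for f in fixes if f[:2] == run[:2]]
    if not in_train:
        return "no fix in this train"     # treat as affected until a fix lands in your train
    return "fixed" if run >= min(in_train) else "affected"


def triage(running: str, bugs: dict) -> dict:
    """Map each bug ID to its status for the running release."""
    return {bug: fix_status(running, fixed) for bug, fixed in bugs.items()}


# Known Fixed Releases fields copied from the two records on this page that have one.
PAGE_BUGS = {
    "CSCuf31865": "100.11(0.50), 100.8(40.89), 9.2(3.101)",
    "CSCuf31654": "100.12(10.47), 100.8(40.84), 9.0(4.25), 9.1(5.100), 9.1(5.20), "
                  "9.2(2.100), 99.1(2.27), 99.1(3.9)",
}

# Constructed sample of the relevant 'show version' line (not captured from a real device).
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.1(5)\n"

if __name__ == "__main__":
    rel = running_release(SAMPLE_SHOW_VERSION)
    print(rel, triage(rel, PAGE_BUGS))
    for rel in ("9.1(5.20)", "9.1(6)", "9.2(3)", "9.2(4)", "8.4(7)"):
        print(rel, triage(rel, PAGE_BUGS))
```

Run against a real `show version` capture, the output tells you per bug whether your train has the fix; a "no fix in this train" result is the case to escalate, since the affected-release list only names the first release of each train.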
Bug Id: | CSCuf31621 |
Title: | Linux Kernel KVM Programmable Interrupt Timer Denial of Service Vulner |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-4622
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:UR
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-4622 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31742 |
Title: | Linux Kernel ldm_get_vblks Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-1012
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-1012 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31447 |
Title: | Linux Kernel wake_futex_pi() Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-0622
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-0622 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31585 |
Title: | Linux Kernel Remote Operations Service Element Protocol Implementation |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-3310
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-3310 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31705 |
Title: | Linux Kernel set_ftrace_filter Local Denial of Service Vulnerability |
|
Description: | Symptom: This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-3079
This bug was opened to address the potential impact on this product.
Conditions: Device with default configuration.
Workaround: Not currently available.
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-3079 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | 100.11(0.43), 100.12(0.37), 100.12(10.35), 100.12(15.10), 100.12(21.3), 100.12(6.4), 100.8(40.82), 9.2(2.100), 9.3(1.99), 9.3(2) |
|
|
| |
| |
Bug Id: | CSCuh88056 |
Title: | Linux Kernel fuse_direct_io() Local Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2009-4021
Cisco has analyzed these vulnerabilities and concluded that the product is not impacted.
Conditions:
Not applicable
Workaround:
Not applicable
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCui50798 |
Title: | Linux Kernel tcp_read_sock() Function Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-2128
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2013-2128 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31527 |
Title: | Linux Kernel sock_alloc_send_pskb() Function Local Denial of Service V |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2012-2136
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:UR
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2012-2136 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31870 |
Title: | Linux Kernel execve() Local Privilege Escalation Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2009-2848
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2009-2848 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31441 |
Title: | Linux Kernel PER_CLEAR_ON_SETID Local Privilege Escalation Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2009-1895
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2009-1895 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur54979 |
Title: | Linux Kernel KVM Subsystem Programmable Interval Timer Emulation Denia |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3611
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 5.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-3611 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur54877 |
Title: | GNU glibc Heap gconv_translit_find() Function Local Code Execution Vul |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-5119
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-5119 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31859 |
Title: | Linux Kernel SELinux mmap_min_addr Local Privilege Escalation Vulnerab |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2009-2695
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2009-2695 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCul47481 |
Title: | ASA WebVPN Login portal returns to login page after successful login |
|
Description: | Symptom: After a period of operation, users are unable to log in to the Clientless WebVPN portal. After logging in, the user is redirected back to the login page. The problem occurs after authentication, so failed logins are still reported as failures. Reloading the ASA or failing over to the standby ASA resolves the issue for a period of time.
Conditions: Clientless WebVPN on ASA.
Workaround: The problem appears after a period of operation following an upgrade to 8.4.7 (it has not been reported against the 8.4.5/9.0.3 releases). Reloading the ASA or failing over to the standby unit should resolve the issue for a period of time.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(7) |
|
Known Fixed Releases: | 100.10(0.63), 100.10(2.4), 100.10(3.1), 100.10(9.1), 100.7(6.127), 100.8(38.95), 100.8(40.56), 100.9(10.23), 8.4(7.8), 9.0(4.2) |
|
|
| |
| |
Bug Id: | CSCuf31675 |
Title: | Linux Kernel Kernel-Based Virtual Machine Local Denial of Service Vuln |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2009-2287
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2009-2287 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31685 |
Title: | Linux Kernel Network Lock Manager nlmclnt_lock() Denial of Service Vul |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-2491
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-2491 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31611 |
Title: | Linux Kernel Address Limit Override Arbitrary Code Execution Vulnerabi |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-4258
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-4258 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31805 |
Title: | Linux Kernel VLAN Tag Remote Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-4263
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-4263 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 1 Catastrophic |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31838 |
Title: | Linux Kernel mremap() Local Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-2496
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-2496 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31607 |
Title: | Linux Kernel Invalid fs and gs Registry KVM Denial of Service Vulnerab |
|
Description: | Symptom: This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-3698
This bug was opened to address the potential impact on this product.
Conditions: Device with default configuration.
Workaround: Not currently available.
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-3698 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | 100.11(0.47), 100.12(0.51), 100.12(22.1), 100.13(0.3), 100.13(12.5), 100.13(13.1), 100.13(14.3), 100.13(15.2), 100.13(16.1), 100.13(17.1) |
|
|
| |
| |
Bug Id: | CSCuh47484 |
Title: | Kernel KVM kvm_set_memory_region() Function Local Escalation of Privil |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-1943
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2013-1943 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31786 |
Title: | Linux Kernel page_count Parameter Processing Local Buffer Overflow Vul |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-1746
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:UC
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-1746 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31814 |
Title: | Linux Kernel pipe.c Local Privilege Escalation Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2009-3547
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2009-3547 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31727 |
Title: | Linux Kernel inet_diag_bc_audit() Local Denial of Service Vulnerabilit |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-2213
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-2213 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31848 |
Title: | Linux Kernel MSS Processing Local Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-4165
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:N/A:N/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-4165 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur54978 |
Title: | Linux Kernel KVM Subsystem VM Exits Local Denial of Service Vulnerabil |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3646
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-3646 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31726 |
Title: | Linux Kernel agp_generic_remove_memory() Local Privilege Escalation Vu |
|
Description: | Symptom: This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-2022
This bug was opened to address the potential impact on this product.
Conditions: Device with default configuration.
Workaround: Not currently available.
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-2022 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | 100.11(0.50), 100.12(0.70), 100.12(6.20), 100.13(0.6), 100.13(11.11), 100.13(12.16), 100.13(15.7), 100.13(16.2), 100.13(17.2), 100.13(18.1) |
|
|
| |
| |
Bug Id: | CSCuf31571 |
Title: | Linux Kernel Memory Management Quota Handling Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2012-2133
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2012-2133 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 1 Catastrophic |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31846 |
Title: | Linux Kernel PERF_COUNT_SW_CPU_CLOCK Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-2918
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-2918 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31824 |
Title: | Linux Kernel Transparent Huge Pages Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-0999
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-0999 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31618 |
Title: | Linux Kernel Multicast IPv4 Traffic on HiperSockets Device Denial of S |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-4251
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-4251 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 1 Catastrophic |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur54853 |
Title: | Linux Kernel NF_CONNTRACK Local Information Disclosure Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-1690
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 5.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-1690 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 9.3(2), 9.4(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31701 |
Title: | Linux Kernel create_pit_timer() Function Denial of Service Vulnerabili |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-4622
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:UR
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-4622 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68863 |
Title: | GNU libtasn1 Multiple Buffer Boundary Checks Denial of Service Vulnera |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3467
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 5.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-3467 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut29837 |
Title: | cURL and libcurl Certificate Field Wildcard Value Processing Spoofing |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0139
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 5.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:TF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-0139 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.7(1), 9.2(1), 9.3(2.200), 9.4(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur54856 |
Title: | XMLSoft libxml2 Entity Expansion Handling Denial of Service Vulnerabil |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0191
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:P/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-0191 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31564 |
Title: | Linux Kernel mmap and mremap Local Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-0291
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-0291 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31652 |
Title: | Linux Kernel-Based Virtual Machine Local Denial of Service Vulnerabili |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2009-4031
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2009-4031 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31835 |
Title: | Linux Kernel KVM Local Denial of Service Vulnerability |
|
Description: | Symptom: This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-0309
This bug was opened to address the potential impact on this product.
Conditions: Device with default configuration.
Workaround: Not currently available.
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-0309 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | 100.11(0.51), 100.8(40.87), 9.2(3.101) |
|
|
| |
| |
Bug Id: | CSCur68856 |
Title: | Linux Kernel IPv6 Router Advertisement Packet Processing Denial of Ser |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-2309
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-2309 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68874 |
Title: | Linux Kernel ath_tx_aggr_sleep() Function Race Condition Denial of Ser |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-2672
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 5.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-2672 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur54947 |
Title: | GnuPG and Libgcrypt Private Key Information Disclosure Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-4242
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 2.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2013-4242 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.2(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut29840 |
Title: | Glibc wordexp Function Command Substitution Arbitrary Command Executio |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-7817
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 3.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-7817 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut29848 |
Title: | Linux Kernel syscall Tracing Functionality Local Denial of Service Vul |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-7825
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-7825 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68844 |
Title: | Xen QEMU SCSI REPORT LUNS Memory Corruption Code Execution Vulnerabili |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-4344
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2013-4344 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68878 |
Title: | Red Hat qemu-kvm High Resolution Display Memory Leak Information Discl |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3615
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 2.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:TF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-3615 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCti43763 |
Title: | Management connections fail after multiple tries with SNMP connections. |
|
Description: | Symptom: Management connections may fail after multiple tries with SNMP connections in background.
Conditions:
This bug can be identified by running "show asp table socket". If you see a management connection in a CLOSEWAIT state, and then run "show counters protocol npshim" and see the pending connections counter increment for every management connection attempt, then you are hitting this bug.
First found in following scenario: ASDM will fail to load after multiple SNMP and HTTPS requests to the ASA.
Workaround: Currently, only reloading the ASA resolves the issue. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.0(5.20), 8.2(2), 8.2(3) |
|
Known Fixed Releases: | 100.5(5.43), 8.0(5.21), 8.1(2.49), 8.2(3.109), 8.2(3.6), 8.2(4), 8.3(2.7) |
|
|
| |
| |
Bug Id: | CSCur68843 |
Title: | GnuTLS Regression Error Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-2116
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 5.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2013-2116 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68870 |
Title: | Linux Kernel SCTP NULL Pointer Dereference Remote Denial of Service Vu |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-5077
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 5.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-5077 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCte55194 |
Title: | "possible channel leak" and hang when loading a large configuration |
|
Description: | Symptom: CLI access to the ASA may hang with one of the following messages when processing an extremely large configuration:
release: possible channel leak in fover_parse
release: possible channel leak in pix_flash_config_thread
release: possible channel leak in ssh
Conditions: Username from Cert feature
Workaround: Downgrade to 8.2(1) |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.2(2), 8.2(2.4), 8.3(1) |
|
Known Fixed Releases: | 100.5(5.14), 100.7(0.10), 100.7(6.1), 8.2(2.102), 8.2(2.13), 8.3(1.100), 8.3(1.3), 8.4(0.99), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCur68869 |
Title: | Linux Kernel PPP L2TP Sockets Local Elevated Privileges Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-4943
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-4943 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68859 |
Title: | Linux Kernel n_tty_write Function Buffer Overflow Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0196
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-0196 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut29845 |
Title: | Linux Kernel Netlink Message Security Bypass Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0181
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 1.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-0181 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68872 |
Title: | Linux Kernel ping_init_sock() Function Use-After-Free Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-2851
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-2851 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68862 |
Title: | GNU libtasn1 asn1_get_bit_der() Incorrect Length Report Code Execution |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3468
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-3468 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut29842 |
Title: | Linux Kernel Memory Fault Privilege Escalation Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-9322
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-9322 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68868 |
Title: | Linux Kernel aio_read_events_ring() Function Information Disclosure Vu |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0206
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 1.7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-0206 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68871 |
Title: | QEMU L2 Table Size Validation Integer Overflow Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0222
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-0222 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68854 |
Title: | Linux Kernel compat_sys_recvmmsg Function Local Privilege Escalation V |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0038
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-0038 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut29843 |
Title: | cURL and libcurl Connection Reuse Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0138
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-0138 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 8.7(1), 9.2(1), 9.3(2.200), 9.4(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68875 |
Title: | Linux Kernel Network Packet Processing Null Pointer Dereference Denial |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3535
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 5.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-3535 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 13-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu16772 |
Title: | IPv6 ICMP PTB messages not changing TCP SEQ across ASA FW |
|
Description: | Symptom: Customer sees the ICMP PTB message go over the FW, but the SEQ number does not get updated.
Conditions: ICMP PTB messages are being sent across the ASA, but the TCP SEQ number in them is not adjusted to match the randomized SEQ number when the ASA has SNR enabled. SNR cannot be disabled, as that would be a security issue. TCP sessions over the FW have the TCP sequence number randomized by default (SNR). This is to prevent an external malicious party from calculating the next SEQ number and sending packets over the FW. As such, the Inside and Outside TCP sequence numbers are altered by the ASA and re-written as packets flow in/out.
Workaround: Disable sequence number randomization (SNR).
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 15-JUN-2015 |
|
Known Affected Releases: | 8.4(7.240) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCum12183 |
Title: | ASA Ver 8.4(6)6 traceback with Thread Name: DATAPATH-2-1145 |
|
Description: | Symptom: ASA Firewall running Version 8.4(6)6 traceback in DATAPATH-2-1145.
Conditions: ASA is running version 8.4(6)6 and VPN environments in Failover configuration.
Workaround: None
Further Problem Description: None
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 15-JUN-2015 |
|
Known Affected Releases: | 8.4(6.6) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur64589 |
Title: | DATAPATH Traceback in snp_mp_svc_udp_upstream_data function |
|
Description: | Symptom: ASA Traceback with Thread Name: DATAPATH.
Conditions: Cisco ASA running release 9.1.5.19.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 15-JUN-2015 |
|
Known Affected Releases: | 8.4(7.23), 9.1(5.12), 9.1(5.19) |
|
Known Fixed Releases: | 100.11(0.54), 100.12(0.98), 100.12(23.4), 100.12(24.3), 100.13(0.11), 100.13(1.5), 100.13(11.19), 100.13(12.41), 100.13(16.18), 100.13(18.7) |
|
|
| |
| |
Bug Id: | CSCuf71119 |
Title: | Incorrect NAT rules picked up due to divert entries |
|
Description: | Symptom: Unidirectional NAT functionality not working as expected.
Conditions: ASA running 8.4.3 or higher
Workaround: 1) Create specific NAT rules 2) Use "any" in the egress interface to force a route lookup
Further Problem Description: Upon upgrade from ASA 8.4.2.x to ASA 8.4.3 or higher, an incorrect NAT rule gets picked up due to nat-divert rules.
Case 1:
ASA# sho run nat
nat (dmz,outside) source static Mail01_DMZ MAIL_NAT_IP_WAN service SMTP SMTP unidirectional
..
nat (outside,dmz) source static any any destination static MAIL_NAT_IP_WAN Mail01_DMZ service SMTP SMTP unidirectional
On ASA 8.4.2.x:
We see a packet from the DMZ network with a random port to the inside network on port 25; it does not need a NAT, and ingress and egress are as expected and based on a route lookup.
On ASA 8.4.5:
For the same traffic, we see the traffic hitting the NAT rule for DMZ to outside:
nat (dmz,outside) source static Mail01_DMZ MAIL_NAT_IP_WAN service SMTP SMTP unidirectional
The traffic gets untranslated due to the above rule and egresses out of the outside interface using that NAT.
Case 2:
ASA# sho run nat
nat (inside,outside) source dynamic OBJ_NATTESTREAL OBJ_NATTESTMAPPED_OUTSIDE service OBJ_TCP_SMTP OBJ_TCP_SMTP
..
nat (inside,dmz1) source dynamic OBJ_NATTESTREAL OBJ_NATTESTMAPPED_DMZ1 service OBJ_TCP_SMTP OBJ_TCP_SMTP
In 8.4.5, the first rule always gets picked up and traffic is diverted to the outside interface even if the destination resides on the dmz1 interface.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 15-JUN-2015 |
|
Known Affected Releases: | 8.4(3), 8.4(5), 8.4(5.6), 9.0(0.108) |
|
Known Fixed Releases: | 100.10(0.6), 100.7(6.118), 100.8(27.84), 100.8(38.19), 100.8(40.8), 100.8(41.2), 100.8(60.20), 100.9(0.50), 100.9(10.1), 100.9(6.28) |
|
|
| |
| |
Bug Id: | CSCuu57547 |
Title: | ASA SIP inspected traffic matches wrong NAT rule |
|
Description: | Symptom: ASA SIP inspected traffic matches wrong NAT rule
As a result, SIP streams such as BFCP traffic (source port UDP 5070) get diverted to the wrong egress interface.
Conditions:
Workaround: Disable SIP inspection
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 15-JUN-2015 |
|
Known Affected Releases: | 9.0(1), 9.1(5), 9.1(6.4), 9.2(3.4), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCui63073 |
Title: | 5580-20 crashes while running aggressive ipv4 webvpn tput/cap test. |
|
Description: | Symptom: The 5580-20 crashes when the ASA 9.0.3 image is running a very aggressive webvpn IPv4 tput/cap test.
Conditions: This is the usual tput/cap test with a 40/sec session bring-up rate. This is 4 times faster than the normal 10/sec session bring-up rate.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 15-JUN-2015 |
|
Known Affected Releases: | 9.0(2), 9.0(3) |
|
Known Fixed Releases: | 100.10(0.13), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(27.94), 100.8(38.33), 100.8(41.2), 100.8(45.2), 100.8(46.1), 100.8(49.1) |
|
|
| |
| |
Bug Id: | CSCut30741 |
Title: | ASA redirection to Scansafe tower fails with log id "775002" in syslog |
|
Description: | Symptom: ASA redirection to Scansafe tower fails with log id "775002" in syslog even when the platform limit for connections was not reached.
Conditions: Was noticed in version 9.0(2) but could affect any release.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 9.0(2) |
|
Known Fixed Releases: | 100.11(0.57), 100.12(0.116), 100.13(0.52), 100.13(21.9), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.9), 100.14(26.4) |
|
|
| |
| |
Bug Id: | CSCtz26123 |
Title: | ASA traceback in SiteMinder SSO when users log into ssl vpn web portal |
|
Description: | Symptom:
When users log into ssl vpn web portal the ASA crashes and reboots.
Conditions:
Logging into ASA Webvpn Portal
Workaround:
None |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 8.4(2), 8.4(3), 8.4(3.9) |
|
Known Fixed Releases: | 100.7(13.80), 100.7(21.7), 100.7(6.80), 100.8(0.149), 100.8(11.23), 100.8(27.19), 100.8(33.7), 100.8(34.1), 100.9(0.1), 100.9(2.1) |
|
|
| |
| |
Bug Id: | CSCue18975 |
Title: | IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability |
|
Description: | Summary
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5507 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom:
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 100.8(50.20), 100.9(7.14), 100.9(7.15), 9.1(1.4) |
|
Known Fixed Releases: | 100.8(27.63), 100.8(50.35), 100.9(0.35), 100.9(4.5), 100.9(6.10), 100.9(7.19), 100.9(8.1), 9.0(2.100), 9.0(2.2), 9.0(3) |
|
|
| |
| |
Bug Id: | CSCus57241 |
Title: | ASA 9.3.2:DAP intermittently uses dflt policy for VPN RA sessions |
|
Description: | Symptom: After upgrade from 9.2(2.4) to 9.3(2), VPN remote access connections intermittently match the DfltAccessPolicy instead of the appropriate policy. If the DfltAccessPolicy policy's action is to terminate, the VPN RA sessions will not establish.
Conditions:
- DAP is configured
- ASA upgraded from 9.2(2.4) to 9.3(2)
Workaround:
- Allow permit in the default policy (action=continue), if your security policy allows for this.
- Downgrade to a pre-9.3.2 ASA release, if at all possible.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | 100.12(0.112), 100.13(0.23), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(10.2), 100.14(11.2), 100.14(12.1) |
|
|
| |
| |
Bug Id: | CSCus62884 |
Title: | ASA 9.1.5 does not always drop connections after receiving RST+ACK flag |
|
Description: | Symptom: ASA does not always drop connections after receiving a RST+ACK flag.
Conditions: The problem occurs when the server receives duplicate SYN packets from the client and replies to both SYNs.
Example
Server packets
client -> server SYN (seq=3922308568) ------> 1st SYN
client -> server SYN (seq=3922308568) --------> 2nd SYN
client <- server SYN+ACK (seq=3220609139 ACK=3922308569) ------> reply for 1st SYN
client <- server RST+ACK (seq=0 ACK=3922308569) ----------> reply for the 2nd SYN
Firewall packets
client -> server SYN (seq=3922308568)
client <- server SYN+ACK (seq=3220609139 ACK=3922308569) ------> reply for 1st SYN
client <- server RST+ACK (seq=0 ACK=3922308569) ----------> reply for the 2nd SYN, which the Firewall does not have
In both the working and the non-working scenario the Firewall always forwards one SYN packet.
Workaround: TCP bypass
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 9.1(5) |
|
Known Fixed Releases: | 100.11(0.57), 100.12(0.115), 100.13(0.46), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.7), 100.14(26.2) |
|
|
| |
| |
Bug Id: | CSCuu86165 |
Title: | ASA 9.3: Active ASA denies AnyConnect sessions - incorrect license limit |
|
Description: | Symptom: ASA may start denying new AnyConnect connections with the following logs:
syslog: %ASA-4-113029: Group User IP <192.168.1.1> Session could not be established: session limit of 250 reached.
debug aaa shim:
AAA/SHIM: authenticating , tgroup=ANYCONNECT
AAA/SHIM: AAA response=ACCEPT
AAA/SHIM: license limit reached 250
AAA/SHIM: Error failed to update license
However, total active AnyConnect VPN sessions on the ASA is 4 [show vpn-sessiondb summary]
Conditions: ASA Failover Pair running on 9.3(2). The ASA is configured as AnyConnect VPN Server.
ASA-Pri-act has a 250 AnyConnect Premium Peers license.
ASA-Sec-stby has a 2 AnyConnect Premium Peers license.
The total failover AnyConnect license count is 250 [Platform limit (250 + 2)], for instance on a 5515.
Workaround: Reload both the ASAs simultaneously
Further Problem Description: This issue rarely occurs. However, should you ever come across this, collect the following *during the time of the issue* and reach out to Cisco TAC:
- any configuration changes
- any failover transitions
- syslogs
- show tech
- show vpn-sessiondb summary
- debugs during session establishment: debug vpn-sessiondb 255, debug aaa shim 255
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuq57307 |
Title: | ASA 8.4 Memory leak due to duplicate entries in ASP table |
|
Description: | Symptom: The ASA may experience a memory leak each time a VPN tunnel is built and torn down.
Conditions: The ASA must be configured with a QoS policy that matches on per-flow destination addresses for a particular tunnel-group. For example:
class-map vpn-class
 match flow ip destination-address <<<<<<<<<<<<<
 match tunnel-group 10.38.110.250
!
policy-map outside-policy
 class vpn-class
  police output 30000000
Workaround: Temporarily disable the QoS policy
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 8.4(5) |
|
Known Fixed Releases: | 100.11(0.57), 100.11(0.58), 100.12(0.116), 100.12(0.121), 100.13(0.52), 100.13(0.63), 100.13(21.13), 100.13(21.9), 100.13(28.2), 100.14(0.4) |
|
|
| |
| |
Bug Id: | CSCtr65014 |
Title: | vpn-filter removed incorrectly from ASP table blocks L2L traffic |
|
Description: | Symptom: Users can ping from the ASA's local LAN across a lan-to-lan tunnel to a remote host but not from the same remote host to the same local host. Traffic is encrypted and decrypted successfully on the ipsec SAs, but after inbound traffic gets decrypted it is dropped by the ASA ASP rule 'acl-drop'. Verify this with an asp-type capture with the trace option and/or packet-tracer. The vpn-filter that the l2l tunnel is associated with only has outbound rules installed - the inbound rules were deleted incorrectly. Verify with 'show asp table filter access-list '.
Conditions: Vpn-filter applied to a group-policy and multiple tunnels landing on that vpn-filter.
Workaround: Clear all tunnels that are landing on that group-policy using the command: 'vpn-sessiondb logoff ipaddress x.x.x.x' |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 8.2(5), 8.3(2), 8.3(2.13) |
|
Known Fixed Releases: | 100.7(13.77), 100.7(6.79), 100.8(0.140), 100.8(11.22), 100.8(27.7), 100.8(33.6), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.30) |
|
|
| |
| |
Bug Id: | CSCui79979 |
Title: | ASA 9.1.2 - Traceback in Thread Name: fover_parse during configuration |
|
Description: | Symptom: Primary ASA running in A/A failover might crash during reconfiguration.
Conditions: Failover enabled on ASA
Workaround: Not known
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 9.1(2), 9.1(3) |
|
Known Fixed Releases: | 100.10(0.75), 100.10(2.7), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.8(38.109), 100.8(40.58), 100.8(56.15), 100.9(10.26), 9.0(4.8) |
|
|
| |
| |
Bug Id: | CSCue63881 |
Title: | ASA SSHv2 Denial of Service Vulnerability |
|
Description: | Symptoms: ASA cannot be accessed via SSH.
Conditions: This may happen in both routed and transparent mode, for both multi-context and single-mode ASA. This can be triggered by IPv4 and IPv6 packets. Only traffic directed to the ASA can trigger this vulnerability.
Workaround: The HTTPS management interface or the console can be used as a temporary workaround.
Further Problem Description: A vulnerability in the implementation of the Secure Shell (SSH) function could allow an unauthenticated, remote attacker to deny SSH management access to legitimate users.
The vulnerability is due to improper implementation of the logic to terminate SSH sessions. An attacker could exploit this vulnerability by starting an SSH session to the affected system. This vulnerability affects both SSHv1 and v2. An exploit could allow the attacker to deny SSH management access to legitimate users. The attacker will be able to deny the access for 60 seconds, after which the affected system will release the resource and users will be able to use the SSH service again. However, repeated exploitation may lead to a denial of service condition.
This bug fixes the issue for SSHv2 connections only. SSHv1 will be fixed in a separate bug: CSCuf51892. The SSHv1 issue can be worked around by forcing the ASA to accept only SSHv2 connections with the config mode command:
ssh version 2
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2013-1193 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1193
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 8.4(4.1) |
|
Known Fixed Releases: | 100.7(13.111), 100.7(6.111), 100.8(27.63), 100.8(50.39), 100.9(0.35), 100.9(4.5), 100.9(6.10), 100.9(7.9), 100.9(8.1), 8.2(5.45) |
|
|
| |
| |
Bug Id: | CSCta55072 |
Title: | ASA traceback in Thread Name: Dispatch Unit, Abort: Assert Failure |
|
Description: | Symptom: ASA intermittent crash at Thread Name: Dispatch Unit, Abort: Assert Failure
Conditions: Running version 8.2.1. The ASA5505 box has a basic license with an inside hosts limit. When the total number of inside hosts exceeds the limit, it may trigger the crash. If there is no limit for inside hosts with the license, the crash won't be triggered.
Workaround: No workaround
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 8.2(1) |
|
Known Fixed Releases: | 100.3(0.3), 100.4(0.7), 100.4(0.9), 8.1(2.31), 8.1(2.32), 8.2(1.10), 8.2(4), 8.3(0.0) |
|
|
| |
| |
Bug Id: | CSCuu20067 |
Title: | ASA:Traceback in Thread Name: Unicorn Proxy Thread |
|
Description: | Symptom: ASA Traceback with Thread Name: Unicorn Proxy Thread
Conditions: ASA device configured with VPN load balancing
Workaround: NONE
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 9.1(5.12) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu72066 |
Title: | Traceback in snp_inject_new_pkt+36 at np/soft-np |
|
Description: | Symptom: Traceback is observed in Thread Name: DATAPATH-16-2555 snp_inject_new_pkt
Conditions: When an interface involved in TD traffic is removed.
Workaround: Do not remove the interface involved while TD traffic is being sent.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 100.15(1.13), 9.1(6), 9.1(6.6) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtg88576 |
Title: | asa standby unit crashes with assertion in snp_sp_action.c |
|
Description: | Symptom: ASA is configured in active/standby failover mode to process 100 Mbps of multicast traffic. All traffic is fragmented UDP. At the same time, an expect script is used to continuously change the active unit's config, and another script performs a few show and clear commands on the standby unit.
The standby unit gives the following after a few hours:
core0: An internal error occurred. Specifically, a programming assertion was violated. Copy the error message exactly as it appears, and get the output of the show version command and the contents of the configuration file. Then call your technical support representative.
assertion "count > 0" failed: file "snp_sp_action.c", line 2066
Conditions: It occurs after several hours of long-term multicast traffic and continuous config changes and show/clear commands.
Workaround: N/A. After reboot things were back to normal. |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 8.2(2.15) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCto61126 |
Title: | CSC: HTTP 204 messages cause connections to timeout and fail. |
|
Description: | Symptom: If the CSC Module processes an HTTP 204 No Content message returned from a web server, the connection associated with that request and response will hang on the CSC module and it will not be able to process more requests on that HTTP session. This is seen as the web browser hanging while accessing sites. The issue was first reported with search results from Yahoo.com, which utilize HTTP 204 responses.
Conditions: This is seen on all current builds of CSC code and only when processing HTTP 204 No Content messages.
Workaround: None at this time.
Further Problem Description: |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 6.3(1172.3) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCti05907 |
Title: | CSC: Block email with attachments despite GUI setting not to block |
|
Description: | Symptom: CSC-SSM strips or deletes emails with attachments of any file type.
Conditions: Content Filtering is enabled and the GUI setting indicates not to block emails with attachments.
Workaround: Temporarily disable content filtering if possible.
Further Problem Description: The rule configuration is likely corrupted. Reimage to reset to factory default. |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 6.3 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCty04397 |
Title: | CSC: iwss-process crash when handling a large file |
|
Description: | Symptom: In some circumstances you may see notification of the CSC Module 'reloading' due to pattern file or config change multiple times during the day. These events do not match up with the configured update timer or any config changes.
Conditions: This has been seen on CSC module version 6.6.1125.0 and seems to be related to scanning very large files.
Workaround: None at this time
Further Problem Description: |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 16-JUN-2015 |
|
Known Affected Releases: | 6.6(1125.0) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur05643 |
Title: | Cisco Adaptive Security Appliance (ASA) CVE-2014-6271 and CVE-2014-7169 |
|
Description: | Symptom: The Cisco Adaptive Security Appliance (ASA) Software includes a version of bash that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-6271 CVE-2014-7169
This bug has been opened to address the potential impact on this product.
Conditions: Devices with default configuration.
Workaround: Not Available.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 8.1(2.7) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuc08994 |
Title: | CSC: iwss-process may crash in certain traffic conditions |
|
Description: | Symptom: The CSC module may unexpectedly reload logging the following syslog:
ASA-SSM-CSC-20-K9 Module in slot 1, application reloading "CSC SSM", version "6.6.1125.0" CSC SSM scan services are reloading because of a pattern file or configuration update.
Conditions: This is seen with the CSC module running code version 6.6.1125.0 and with HTTP Scanning enabled.
Workaround: None at this time. The outages are very short lived while the iwss-process reloads.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 6.6(1125.0) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuj50870 |
Title: | ASA in failover pair may panic in shrlock_unjoin |
|
Description: | Symptom: ASA may crash with the following message on console:
Message #220 : Panic: DATAPATH-15-1947 -
Message #221 : ERROR: shrlock_unjoin_domain Domain member count underflow
Conditions: This was observed on ASA in failover pair. Both active and standby units may crash.
Workaround: None.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 100.9, 100.9(0.54), 100.9(7.25), 100.9(7.27), 9.0(3), 9.1(1) |
|
Known Fixed Releases: | 100.10(0.58), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(40.56), 9.0(4.1), 9.0(4.140), 9.1(4.1), 9.1(4.115), 9.1(5) |
|
|
| |
| |
Bug Id: | CSCul36176 |
Title: | Cisco ASA VPN Denial of Service Vulnerability |
|
Description: | Symptom: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.
Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3383 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be fou |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 100.10(0.42), 100.8(38.72), 100.8(40.45), 9.1(4.3), 9.1(5) |
|
Known Fixed Releases: | 100.10(0.46), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.74), 100.8(40.48), 100.8(46.47), 100.8(51.10), 100.9(10.18), 9.1(5.1) |
|
|
| |
| |
Bug Id: | CSCus86728 |
Title: | Traceback Thread Name: Dispatch Unit |
|
Description: | Symptom: First Traceback Thread Name: Dispatch Unit
Conditions:
Workaround: Unknown
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 8.4(7.23) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCul46582 |
Title: | ASA: Out of order Fin packet leaves connection half closed |
|
Description: | Symptom: During session closing the ASA receives out-of-order FIN packets from one host. The ASA keeps this connection as half-closed.
Conditions: The ASA receives an out-of-order FIN packet from only one host (in this case from the client).
Server                                   Client
--> (SEQ=407)(ACK=1453)(CTL=FIN,ACK) -->
<-- (SEQ=1454)(ACK=408)(CTL=ACK)     <--
<-- (SEQ=1453)(ACK=407)(CTL=FIN,ACK) <--
--> (SEQ=408)(ACK=1454)(CTL=ACK)     -->
During the recreation I manually changed the sequence:
Server                                   Client
--> (SEQ=407)(ACK=1453)(CTL=FIN,ACK) -->
<-- (SEQ=1453)(ACK=407)(CTL=FIN,ACK) <--
<-- (SEQ=1454)(ACK=408)(CTL=ACK)     <--
--> (SEQ=408)(ACK=1454)(CTL=ACK)     -->
Then the connection is torn down normally.
Workaround: configure TCP bypass for the affected traffic
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 8.5(1.16), 9.1(3) |
|
Known Fixed Releases: | 100.10(0.63), 100.10(2.4), 100.10(3.1), 100.10(9.1), 100.8(40.56), 9.0(4.1), 9.0(4.141), 9.1(4.1), 9.1(4.115), 9.1(5) |
|
|
| |
| |
Bug Id: | CSCuh33570 |
Title: | ASA: Watchdog traceback in SSH thread |
|
Description: | Symptom: Under rare conditions, an ASA may generate a traceback and reload in the SSH thread.
Conditions: The traceback occurs when an active SSH management session is disconnected during rekey. This rekey can be either data or time based.
Workaround: There is no known workaround at this time.
More Info:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 9.1(2) |
|
Known Fixed Releases: | 100.10(0.6), 100.8(27.84), 100.8(38.19), 100.8(40.8), 100.8(41.2), 100.8(60.21), 100.9(0.51), 100.9(10.1), 100.9(6.28), 100.9(7.29) |
|
|
| |
| |
Bug Id: | CSCuq27342 |
Title: | Traceback and reload triggered by failover configuration |
|
Description: | Symptom: When configuring a failover interface using the command "failover lan interface " on ASA5585, the ASA might crash with a traceback and reload. The crash occurs right after the software responds and executes the code for setting up the failover interface. If a crash occurs during normal system operation then it is not due to this bug.
Conditions: Configure a failover interface using the "failover lan interface " command. The chances of a crash are statistically very low, but may increase if traffic into the CPU from network interfaces is high. In lab testing it was only reproducible on a single instance of 5585 and using ASDM with an HTTP interface to the device to send over the configuration commands. In theory though it could occur through console CLI configuration as well.
Workaround: The problem is only triggered when configuring a failover interface with the above given command. Once the failover interface configuration is complete, if no crash occurs then the problem will not present itself.
Further Problem Description: If a coredump is captured, then it can be compared to information in this DDTS to determine with high likelihood whether or not it was due to failover interface configuration.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 9.1(3), 9.1(4.5), 9.2(2.8) |
|
Known Fixed Releases: | 100.11(0.56), 100.11(0.57), 100.12(0.113), 100.12(0.115), 100.13(0.34), 100.13(0.49), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.13(21.8) |
|
|
| |
| |
Bug Id: | CSCts72188 |
Title: | ASA: SSH process may exist after being orphaned from SSH session |
|
Description: | Symptom: The SSH process may still be running even after the SSH session that spawned the SSH process has closed out on an ASA firewall. CPU spike may be seen due to these stuck ssh processes.
Conditions: This was identified on an ASA failover pair running 8.2.4(1)
Workaround: Failover to the other unit. If this is not a failover pair then reload is the only other option.
Further Problem Description: Gather the output of the following command and open a TAC case:
ASA# sh proc | i ssh
Mwe 08c2e084 7214a764 7249a300 1 721489b0 7132/8192 listen/ssh
Mwe 08be148b 7181278c 09f8050c 5 718108f8 7312/8192 ssh/timer
Mrd 08899185 7262787c 09f81014 595408460 72620728 26900/32768 ssh
Mrd 08899185 726308cc 09f81014 572091828 72629778 26900/32768 ssh
Mrd 08899185 72750e94 09f81014 538272393 72749d40 26908/32768 ssh
Mrd 08899185 727769cc 09f81014 549586257 7276f878 26900/32768 ssh
Mrd 08899185 726e86fc 09f81014 526485007 726e15a8 26900/32768 ssh
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-5411 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 8.2(4.1) |
|
Known Fixed Releases: | 100.7(13.73), 100.7(6.78), 100.8(0.128), 100.8(11.20), 100.8(27.7), 100.8(33.4), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.29) |
|
|
| |
| |
Bug Id: | CSCuo19916 |
Title: | ASA - Cut Through Proxy sends empty redirect w/ Virtual HTTP and Telnet |
|
Description: | Symptom: When using cut-through-proxy, virtual HTTP, and virtual telnet on an ASA, clients may receive 302 Moved responses for the redirect that contain no Location header. With some browsers (confirmed on IE9), this behavior causes the client to continuously reset and restart the connection, which results in a DoS situation for the ASA and any associated syslog servers due to thousands of connection builds/teardowns within a very short period of time.
Conditions:
1. Must be using cut-through-proxy on the ASA
2. Must have a virtual HTTP address configured as the redirect destination IP in the authentication proxy ACL
3. Must also have virtual telnet configured on the ASA with the same IP as virtual HTTP
Workaround:
1. Disable virtual telnet (the host will still not get the login page, but authentication will be successful)
2. Use the aaa authentication listener with the redirect keyword, trigger the authentication based on regular HTTP traffic traversing the ASA, and do not redirect to the virtual HTTP address
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 8.4(7), 9.1(2) |
|
Known Fixed Releases: | 100.10(0.95), 100.10(12.8), 100.10(17.1), 100.10(2.18), 100.10(6.0.40), 100.10(7.8), 100.11(2.4), 100.11(3.3), 100.11(5.3), 100.11(6.1) |
|
|
| |
| |
Bug Id: | CSCuo58584 |
Title: | Cisco ASA fix for CSCun56954 |
|
Description: | Symptom: This bug is tracking the necessary change on the ASA side to fix a vulnerability in the FirePOWER services. For additional info refer to the Cisco Security Advisory: Cisco ASA FirePOWER Services and Cisco ASA CX Services Crafted Packets Denial of Service Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp
Conditions: See Cisco Security Advisory
Workaround: See Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 9.2(1) |
|
Known Fixed Releases: | 100.11(0.54), 100.12(0.98), 100.12(23.4), 100.12(24.3), 100.13(0.11), 100.13(1.3), 100.13(11.19), 100.13(12.40), 100.13(16.18), 100.13(18.7) |
|
|
| |
| |
Bug Id: | CSCut11895 |
Title: | Failover assembly remained in active-active state permanently |
|
Description: | Symptom: Both the primary and secondary ASA assume the active role simultaneously until a manual reload is executed
Conditions: The problem was encountered while applying a test load of 750 vpn sessions using tls1.2 with ECDHE-ECDSA-AES256-SHA384. Another test scenario was when the Primary ASA was power-cycled.
Workaround: Disable and enable failover again on the secondary unit or reload secondary unit.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 100.13(0.32), 9.4(0.113) |
|
Known Fixed Releases: | 100.11(0.57), 100.12(0.116), 100.13(0.51), 100.13(21.9), 100.14(0.4), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.9), 100.14(26.4) |
|
|
| |
| |
Bug Id: | CSCus11465 |
Title: | ASA teardown connection after receiving same direction fins |
|
Description: | Symptom: ASA version 9.2.2.4 or 9.3.1 will tear down a TCP connection after receiving FIN ACK, FIN ACK in the same direction.
Conditions: ASA version 9.2.2.4 or 9.3.1 receiving FIN ACK, FIN ACK in the same direction.
Workaround: use TCP bypass
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 9.2(2), 9.3(1) |
|
Known Fixed Releases: | 100.11(0.55), 100.12(0.111), 100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1) |
|
|
| |
| |
Bug Id: | CSCue31900 |
Title: | Flapping the CCL or Data spanned port-channel causes intermittent crash |
|
Description: | I have an ASA cluster in routed, multi-context, spanned Po mode. When flapping either the CCL or spanned data etherchannel it can crash.
Workaround: This issue is related to having open telnet sessions. A workaround is to use SSH.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 9.0(1), 9.0(1.107) |
|
Known Fixed Releases: | 100.10(0.6), 100.8(27.86), 100.8(38.15), 100.8(40.4), 100.8(41.2), 100.8(60.7), 100.9(0.43), 100.9(6.19), 100.9(7.21), 9.0(2.100) |
|
|
| |
| |
Bug Id: | CSCte69623 |
Title: | df election in pim bidir mode fails after failover to secondary unit |
|
Description: | Symptom: ASA in PIM bidir mode. It has 3 networks, and shows df neighbors properly on all networks. After that, failover is triggered. The new active ASA only sees 2 df neighbors.
Conditions: PIM bidir mode, after a failover. This issue was seen once a long time ago and has not surfaced since.
Workaround: Reboot the new active ASA.
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 8.2(1.192) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCui40499 |
Title: | ICMP inspection closes TCP conns with "Flow closed by inspection" |
|
Description: | Symptom: This DDTS is a Duplicate of CSCuh13899
The ASA might tear down TCP connections with this syslog:
Jul 31 2013 10:45:27: %ASA-6-302014: Teardown TCP connection 163 for outside:10.1.100.4/62750(LOCAL\cisco) to dmz:14.36.103.220/5901 duration 0:00:05 bytes 1382784 Flow closed by inspection (cisco)
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 8.4(5.7), 9.0(2.3), 9.1(1.5) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCus51289 |
Title: | ASA: Traceback when removing manual NAT rule |
|
Description: | Symptom: ASA: Traceback when removing manual NAT rule
Conditions: The user must be removing a manual NAT rule from the configuration with the following characteristics:
1. The destination portion of the rule must contain an object with a large range of addresses, and
2. The rule must contain a service object
An example rule that may trigger this crash is:
object network src
 host 192.168.10.1
object network dest
 range 10.0.0.0 10.255.255.255
object service port
 service tcp source eq 80
nat (inside,outside) source static src src destination static dest dest service port port
no nat (inside,outside) source static src src destination static dest dest service port port
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 8.4(5), 9.1(6) |
|
Known Fixed Releases: | 100.11(0.55), 100.12(0.111), 100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1) |
|
|
| |
| |
Bug Id: | CSCus64082 |
Title: | ASA fails to sync objects with name ANY after upgrade from 8.4 to 9.x |
|
Description: | Symptom: Standby ASA fails to sync objects with name ANY used in ACE after the zero downtime upgrade from 8.4.x/8.6.x to 9.x.
The below errors are seen on the console during the configuration replication:
ERROR: specified object does not exist
ERROR: object () does not exist.
Due to missing configuration the standby ASA may enter into a boot loop.
Conditions: ASA configured with object name ANY and that object is used in an access-list.
object network ANY subnet 0.0.0.0 0.0.0.0
access-list outside-in extended permit tcp object ANY host
Workaround:
1. Use any other object name apart from 'ANY'
2. Rather than using object name 'ANY', use the keyword 'any' in the ACL configuration
3. Upgrade both ASAs at the same time
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 17-JUN-2015 |
|
Known Affected Releases: | 9.1(2), 9.1(5) |
|
Known Fixed Releases: | 100.11(0.56), 100.8(40.95), 9.0(4.31), 9.1(6.2), 9.2(3.101) |
|
|
| |
| |
Bug Id: | CSCuc75090 |
Title: | Crypto IPSec SA's are created by dynamic crypto map for static peers |
|
Description: | Symptom: When a static VPN peer adds any traffic to the crypto ACL, an SA is built even though the IP pair is not allowed in the crypto ACL at the main side. Those SAs are eventually matched and set up by the dynamic crypto map instance.
Conditions: This was an intended design since day one that enabled customers to fall through in case the static crypto map did not provide the needed crypto services. The SA needs to be initiated from a statically configured peer, and a dynamic crypto map instance must be configured on the receiving end.
Workaround: N/A
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.2: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:W/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 18-JUN-2015 |
|
Known Affected Releases: | 8.2(5), 8.4(4.9) |
|
Known Fixed Releases: | 100.7(13.110), 100.7(6.106), 100.8(27.30), 100.8(38.4), 100.8(50.15), 100.9(0.20), 100.9(4.1), 100.9(7.1), 100.9(9.1), 8.2(5.39) |
|
|
| |
| |
Bug Id: | CSCto32012 |
Title: | Routing: page fault traceback in Thread Name: EIGRP-IPv4: PDM |
|
Description: | Symptom:
Traceback in routing: page fault crash in Thread Name: EIGRP-IPv4: PDM, eip meth_ch_ioctl
Conditions:
Standby firewall and config sync during reload
Workaround:
When performing a hitless upgrade, before rebooting the standby unit, on the standby unit (secondary):
1. Remove the EIGRP process (with the "no router eigrp" command).
2. Do a write mem on the secondary (standby).
3. Reload the standby.
4. Upon loading the new image on the standby unit, the config sync from the active will take place (without traceback); since the config is synced, EIGRP will be enabled on the standby unit as well after the sync.
5. Make the secondary unit (with the new image) the active.
6. Remove the EIGRP process from the primary (the new standby).
7. Do a write mem.
8. Reload the standby.
9. Upon loading the new image on the standby unit (primary), the config sync from the active (secondary) will take place.
10. Make the primary active again. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 18-JUN-2015 |
|
Known Affected Releases: | 8.2(4), 8.4(2) |
|
Known Fixed Releases: | 100.7(13.77), 100.7(6.79), 100.8(0.139), 100.8(11.22), 100.8(27.7), 100.8(33.6), 100.8(34.1), 100.8(36.1), 100.9(0.1), 100.9(2.1) |
|
|
| |
| |
Bug Id: | CSCuq62597 |
Title: | ASA L2TP Split-Tunnel DHCPC: DHCP daemon got msg for uninitialized |
|
Description: | Symptom: While connecting to the ASA using L2TP with split-tunnel configured, you may see the following message in "debug dhcpd packet 255" and "debug dhcpd event 255":
DHCPC: DHCP daemon got msg for uninitialized context.
or
DHCPD: checking for expired leases.
DHCPD: illegal hardware address length (6).
DHCPD: cannot determine client hardware address.
DHCP: Unable to load workspace.
Conditions: When configuring L2TP over IPsec with split-tunnel, adding "intercept-dhcp enable" will generate the debug error messages described in the "Symptoms" section.
Workaround: There are two workarounds for this issue:
1. dhcprelay timeout
2. Use "intercept-dhcp enable" under group-policy.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 18-JUN-2015 |
|
Known Affected Releases: | 9.1(5), 9.2(2.4) |
|
Known Fixed Releases: | 100.11(0.49), 100.12(0.57), 100.13(0.4), 100.13(11.6), 100.13(12.10), 100.13(13.1), 100.13(14.3), 100.13(15.4), 100.13(16.1), 100.13(17.1) |
|
|
| |
| |
Bug Id: | CSCuq99821 |
Title: | ASA/ASASM drops SIP invite packets with From field containing "" and \ |
|
Description: | Symptom: ASASM running version 9.1.4.6 with SIP inspection turned on silently drops SIP INVITEs that have a value similar to the following in the From field:
"\"210*******\"" ;tag=SD7osu201-gK0d0f565b
Conditions: ASA/ASASM running 9.1.4.6 with SIP inspection turned on.
Workaround: disable SIP inspection.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 18-JUN-2015 |
|
Known Affected Releases: | 9.1(4.6) |
|
Known Fixed Releases: | 100.11(0.58), 100.12(0.122), 100.13(0.67), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.41), 100.14(5.13) |
|
|
| |
| |
Bug Id: | CSCuu67159 |
Title: | ASA: crash in DATAPATH-2-1157 |
|
Description: | Symptom: ASA crashed while configuring routing in context
Conditions: ASA in multicontext mode
Workaround: none
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 18-JUN-2015 |
|
Known Affected Releases: | 9.1(5) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCto84937 |
Title: | Potential Dynamic NAT TCP Handshake Race Condition |
|
Description: | Symptom: ASA configured to use dynamic NAT appears to allow an inbound TCP handshake to complete under certain circumstances:
1) ACL that permits TCP traffic from outside to inside.
2) This packet sequence (Host A inside firewall, Host B outside firewall):
* Host A sends a SYN packet from port X to Host B.
* Host B replies with a RST/ACK to Host A.
* Host B sends a SYN to Host A on port X.
* Host A replies with a SYN/ACK to Host B.
Conditions: Cisco ASA configured with NAT.
Workaround: This is NOT a bug.
NAT on ASA is used to do address/port translation. It does *not* do access-control. Access-list on the ASA is used to do L2-L4 access-control. TCP normalizer is used to do protocol enforcement. I want to mention this to ensure we don't muddle NAT, access-control, and protocol enforcement.
Two, the observed behavior in CSCto84937 is known as ''endpoint independent''. To see a justification, see RFC4787. It is pretty heavy reading, so let me see if I can make it simpler.
Using the '':/ notation, assume the *first* inside session creates this PAT binding.
source ''inside:I/i'' translates into source ''outside:G/g''
This binding will live on the ASA for at least 30 seconds. A host on the outside can connect to outside:G/g and have such a connection be translated to ''inside:I/i'' *only* if such a connection is permitted by the access-list. This is nearly identical to the case of no NAT, except that the first packet must be from the inside.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 18-JUN-2015 |
|
Known Affected Releases: | 8.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuo08511 |
Title: | ASA 9.0.4.1 traceback in webvpn datapath |
|
Description: | Symptom: ASA reload unexpectedly at random times
Conditions: Crash due to Webvpn-datapath
Workaround: NONE
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 18-JUN-2015 |
|
Known Affected Releases: | 9.0(4.1) |
|
Known Fixed Releases: | 100.10(0.88), 100.10(2.13), 100.10(6.16), 100.10(7.3), 100.11(0.6), 100.11(5.1), 100.7(6.131), 100.8(40.68), 100.8(56.49), 100.8(64.15) |
|
|
| |
| |
Bug Id: | CSCup47885 |
Title: | ASA: Page fault traceback in DATAPATH when DNS inspection is enabled |
|
Description: | Symptom: An ASA may generate a traceback and reload in the DATAPATH thread while processing DNS traffic when DNS inspection is enabled.
Conditions: The ASA must be running 9.1.5.7 or higher. This issue triggers on a DNS reverse lookup with DNS inspection enabled.
When a customer does a reverse lookup on IP addresses and receives a PTR reply with a large number of records, they will hit this issue. This issue is not seen without reverse lookups.
Workaround: There is no known workaround at this time.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 18-JUN-2015 |
|
Known Affected Releases: | 9.1(5.7), 9.2(2) |
|
Known Fixed Releases: | 100.11(0.37), 100.11(5.46), 100.11(6.8), 100.12(0.19), 100.12(1.13), 100.12(10.4), 100.12(12.4), 100.12(13.11), 100.12(15.4), 100.12(16.9) |
|
|
| |
| |
Bug Id: | CSCur98502 |
Title: | ASA: 'no monitor-interface service-module' command gone after reload. |
|
Description: | Symptom: 'no monitor-interface service-module' gone from configuration.
Conditions: ASA 9.3(1) with failover configuration. 'no monitor-interface service-module' configured and ASA reloaded.
Workaround: Avoid reloading ASA or put the command manually after reload.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 18-JUN-2015 |
|
Known Affected Releases: | 9.3(1) |
|
Known Fixed Releases: | 100.11(0.55), 100.12(0.110), 100.13(0.15), 100.13(1.34), 100.13(16.31), 100.13(19.9), 100.13(20.5), 100.13(21.5), 100.13(23.3), 100.13(24.3) |
|
|
| |
| |
Bug Id: | CSCsi28027 |
Title: | Crash/hang after receiving fragmented ping over EOBC channel |
|
Description: | Symptom:
The device will crash or hang and then reload if it receives a fragmented ICMP message on the EOBC port. The ICMP packets can be sent from the Supervisor or another line card in the chassis.
Conditions:
The device must receive a fragmented ICMP message on the EOBC port.
Workaround:
None. |
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 18-JUN-2015 |
|
Known Affected Releases: | 7.0 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCus78450 |
Title: | Certificate Validation Failure after upgrade post 9.1.5(12) |
|
Description: | Symptom:
-- Certificate Validation Failure message on the user PC after upgrading the ASA to any version in 9.1.5(x) post 9.1.5(12)
-- The debug crypto ca 255 shows the following messages:
CRYPTO_PKI: Certificate validation: Failed, status: 530
CRYPTO_PKI: PKI Verify Cetificate Check Cert Revocation unknown error 530
CRYPTO_PKI: PKI Verify Certificate error. No trust point found
Conditions: ASA running any version above 9.1.5(12) using server-side certificate authentication with an ID certificate issued by a third-party CA.
Workaround:
-- Remove all the configured trustpoints and re-build them by importing the chain.
-- Use a self-signed certificate
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 18-JUN-2015 |
|
Known Affected Releases: | 9.1(5.16) |
|
Known Fixed Releases: | 100.11(0.58), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.21) |
|
|
| |
| |
Bug Id: | CSCuu55006 |
Title: | ASA:Traceback with Thread Name Checkheaps when object-group is modified |
|
Description: | Symptom: ASA 5515 running version code 9.1(3) may generate a traceback with Thread Name: Checkheaps when an object-group is modified.
Conditions: Observed on ASA 5515 with CX module inline
Workaround: none
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.1(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCun26772 |
Title: | Invalid user names are logged in syslogs |
|
Description: | Symptom: The ASA logs the invalid user name when a user attempts to authenticate with an incorrect user ID.
Conditions: AAA and logging enabled
Workaround:
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.2(0.2) |
|
Known Fixed Releases: | 100.10(9.6), 100.11(2.1), 100.8(38.125), 100.8(40.63), 100.8(56.31), 100.8(65.4), 9.0(4.25), 9.1(5.15), 9.2(0.99), 9.2(1) |
|
|
| |
| |
Bug Id: | CSCuq34213 |
Title: | Double Free when processing DTLS packets |
|
Description: | Symptom: This product includes a version of OpenSSL that could be affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:
* Double Free when processing DTLS packets (CVE-2014-3505)
This bug has been opened to investigate and address the potential impact on this product.
Conditions: Cisco ASA running release 8.2.1 or later with a default configuration.
Workaround: None.
Further Problem Description: This bug is one of 9 disclosed by the OpenSSL organization as part of their August advisory (see https://www.openssl.org/news/secadv_20140806.txt for details).
1. Double Free when processing DTLS packets (CVE-2014-3505)
2. DTLS memory exhaustion (CVE-2014-3506)
3. DTLS memory leak from zero-length fragments (CVE-2014-3507)
4. Information leak in pretty printing functions (CVE-2014-3508)
5. Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
6. OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
7. OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
8. SRP buffer overrun (CVE-2014-3512)
9. Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html
Only numbers 1 and 3 were found to be vulnerabilities in the ASA and were resolved with bugs:
CSCuq34213 Double Free when processing DTLS packets
CSCuq34226 OpenSSL Zero-Length Fragments DTLS Memory Leak Denial of Service Vuln
The remaining issues have bugs created but have been junked as the ASA was found to not be vulnerable:
CSCuq34216 OpenSSL DTLS Memory Exhaustion Denial of Service Vulnerability
CSCuq34229 OpenSSL Pretty Printing Functions Stack Information Disclosure Vuln
CSCuq34234 OpenSSL ssl_parse_serverhello_tlsext Race Condition Vulnerability
CSCuq34299 OpenSSL DTLS Anonymous ECDH Denial of Service Vulnerability
CSCuq34304 OpenSSL TLS Protocol Downgrade Man-in-the-Middle Vulnerability
CSCuq34311 OpenSSL SRP Buffer Overflow Denial of Service Vulnerability
CSCuq34313 OpenSSL SRP Ciphersuite Denial of Service Vulnerability
Cisco Adaptive Security Appliance (ASA) Software v9.0.4 and later is NOT impacted by this bug.
Due to End of Life, this bug will not be fixed in the 8.0 and 8.1 code trains. Cisco recommends that customers upgrade to a fixed release.
Cisco Adaptive Security Appliance (ASA) Software v7.x is NOT impacted by these vulnerabilities.
PSIRT Evaluation: The Cisco PSIRT has assessed these vulnerabilities using the Base and Temporal CVSS scores from the National Vulnerability Database (NVD).
Details about the third-party software vulnerabilities listed above, as well as their CVSS score can be found at the following URL: http://web.nvd.nist.gov/view/vuln/search
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 100.12(10), 8.2(5.50), 8.3(2.41), 8.4(7.22), 8.6(1.14), 8.7(1.12), 9.1(5.11), 9.2(2.4), 9.3(1) |
|
Known Fixed Releases: | 100.11(0.42), 100.12(10.32), 100.12(21.2), 100.12(9.13), 100.7(6.134), 100.8(40.83), 8.3(2.43), 8.4(7.23), 9.0(4.22), 9.1(5.13) |
|
|
| |
| |
Bug Id: | CSCua92556 |
Title: | ASA sip inspect - Pre-allocate SIP NOTIFY TCP secondary channel |
|
Description: | Symptom: The ASA creates multiple duplicate secondary pinholes for the same 5-tuple:
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:00:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:02:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:04:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:06:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:08:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:10:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:12:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:14:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:16:19, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:18:19, bytes 0, flags Ti
Conditions:
SIP inspection must be enabled on the ASA.
Workaround:
None |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 8.2(4.4) |
|
Known Fixed Releases: | 100.7(13.95), 100.7(6.91), 100.8(0.223), 100.8(11.34), 100.8(27.19), 100.8(33.18), 100.8(34.1), 100.8(36.3), 100.9(0.1), 100.9(3.3) |
|
|
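The duplicate-pinhole symptom above is easy to miss in a long connection table. The following is an added example, not code from the bug record or from Cisco, that parses show conn lines in the format quoted above and reports any SIP pinhole (flags T and i, per the ASA show conn flag legend) whose 5-tuple occurs more than once. The sample lines in SAMPLE_SHOW_CONN are constructed for the example and are not a capture from a real device.

```python
import re
from collections import Counter

# Constructed sample in the format of the ASA "show conn" output quoted in the
# bug (hypothetical data, not a capture from a real device). The first three
# lines mirror the symptom: repeated SIP ('T') incomplete ('i') pinholes for
# the same 5-tuple, differing only in idle time.
SAMPLE_SHOW_CONN = """\
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:00:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:02:20, bytes 0, flags Ti
TCP outside 10.234.87.4:2436 inside 10.19.10.7:0, idle 0:04:20, bytes 0, flags Ti
TCP outside 10.234.87.4:5060 inside 10.19.10.7:5060, idle 0:00:05, bytes 1234, flags UIOB
UDP outside 10.234.87.4:10000 inside 10.19.10.7:20000, idle 0:00:01, bytes 0, flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<oif>\S+)\s+(?P<oaddr>[\d.]+):(?P<oport>\d+)\s+"
    r"(?P<iif>\S+)\s+(?P<iaddr>[\d.]+):(?P<iport>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)\s*$"
)


def parse_conn_table(text):
    """Parse 'show conn' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for k in ("oport", "iport", "bytes"):
            e[k] = int(e[k])
        entries.append(e)
    return entries


def is_sip_pinhole(entry):
    """ASA conn flag legend: 'T' = SIP connection, 'i' = incomplete.
    A pinhole for a secondary channel that has not opened yet carries both."""
    return "T" in entry["flags"] and "i" in entry["flags"]


def find_duplicate_pinholes(entries):
    """Return {5-tuple: count} for SIP pinholes that occur more than once.

    One pinhole per expected secondary channel is normal; several pinholes
    with an identical 5-tuple are the symptom quoted in the bug."""
    counts = Counter(
        (e["proto"], e["oaddr"], e["oport"], e["iaddr"], e["iport"])
        for e in entries
        if is_sip_pinhole(e)
    )
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    dups = find_duplicate_pinholes(parse_conn_table(SAMPLE_SHOW_CONN))
    for key, n in dups.items():
        print("%d duplicate SIP pinholes for %s %s:%d -> %s:%d" % ((n,) + key))
```

Feed it the output of show conn (for example, show conn | include flags Ti) saved to a file; anything it reports with a count well above one is the condition this bug describes.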
| |
| |
Bug Id: | CSCuf68858 |
Title: | ASA: Page fault traceback in dbgtrace when running debug in SSH session |
|
Description: | Symptom:
When running debugs from 2 different SSH sessions, the ASA may generate a traceback and reload in the dbgtrace thread when one of the SSH sessions closes.
Conditions:
This issue occurs when 2 SSH sessions have enabled debugs and one session disconnects while the debug is still running.
Workaround:
Disable debugs with the 'undebug all' command before closing the SSH session. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 8.4(5), 8.4(5.7) |
|
Known Fixed Releases: | 100.10(0.6), 100.7(6.117), 100.8(27.83), 100.8(40.3), 100.8(41.1), 100.8(60.7), 100.9(0.41), 100.9(6.17), 100.9(7.20), 8.4(6.1) |
|
|
| |
| |
Bug Id: | CSCur54943 |
Title: | Linux Kernel KVM Subsystem invept Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3645
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-3645 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCun69561 |
Title: | ASA Crafted Radius DoS Vulnerability |
|
Description: | Symptom: ASA crash in thread name radius_rcv_auth
Conditions: ASA receives a RADIUS packet with a crafted attribute value during a radius exchange. Knowledge of the shared key is needed in order to exploit the vulnerability
Workaround: none
Further Problem Description: A vulnerability in the RADIUS implementation of Cisco ASA Software could allow an authenticated, remote attacker to cause a reload of the affected system.
The vulnerability is due to insufficient validation of RADIUS packets that include crafted attributes. An attacker could exploit this vulnerability by sending crafted RADIUS packets to the affected system. The attacker needs to know the RADIUS shared secret and must inject the crafted packet while a RADIUS exchange is in progress.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2014-3264 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3264
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.0(1), 9.1(1), 9.2(0.3) |
|
Known Fixed Releases: | 100.10(0.87), 100.10(2.13), 100.10(6.16), 100.10(7.3), 100.11(2.1), 100.11(5.1), 100.8(38.133), 100.8(40.68), 100.8(56.47), 100.8(64.14) |
|
|
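To make the precondition in this record concrete (a crafted attribute is only a problem once a reply has passed the Response Authenticator check, which requires the shared secret), here is an added example, not Cisco's code and not the ASA's RADIUS parser, that builds RADIUS replies with the RFC 2865 Response Authenticator and classifies them the way a strict client should: authenticator first, then a bounds-checked attribute walk. SECRET, REQUEST_AUTH and the attribute values are constructed for the example, and the authenticate-then-parse ordering is an assumption about the receiver chosen to match the bug's note that the shared secret is required.

```python
import hashlib
import hmac
import struct

# RADIUS header (RFC 2865 section 3): Code, Identifier, Length, Authenticator
RADIUS_HDR = struct.Struct("!BBH16s")
ACCESS_ACCEPT = 2
MAX_PACKET = 4096


class RadiusError(ValueError):
    """Raised for packets that fail structural validation."""


def parse_attributes(payload):
    """Strict TLV walk over the attribute area (RFC 2865 section 5).

    Each attribute is Type(1) Length(1) Value(Length-2). A Length below 2,
    or one that runs past the end of the packet, is the kind of crafted
    attribute a lenient parser mishandles; here it is rejected outright."""
    attrs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 2:
            raise RadiusError("truncated attribute header at offset %d" % off)
        atype, alen = payload[off], payload[off + 1]
        if alen < 2:
            raise RadiusError("attribute %d has illegal length %d" % (atype, alen))
        if off + alen > len(payload):
            raise RadiusError("attribute %d length %d overruns packet" % (atype, alen))
        attrs.append((atype, payload[off + 2:off + alen]))
        off += alen
    return attrs


def parse_header(pkt):
    """Validate the fixed header and return (code, id, length, auth, body)."""
    if len(pkt) < RADIUS_HDR.size:
        raise RadiusError("packet shorter than RADIUS header")
    code, ident, length, auth = RADIUS_HDR.unpack_from(pkt)
    if length < RADIUS_HDR.size or length > MAX_PACKET or length > len(pkt):
        raise RadiusError("bad Length field %d" % length)
    return code, ident, length, auth, pkt[RADIUS_HDR.size:length]


def response_authenticator(code, ident, length, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + body + secret).digest()


def build_raw_response(code, ident, request_auth, body, secret):
    length = RADIUS_HDR.size + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return RADIUS_HDR.pack(code, ident, length, auth) + body


def build_response(code, ident, request_auth, attrs, secret):
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return build_raw_response(code, ident, request_auth, body, secret)


def classify_response(pkt, request_auth, secret):
    """'bad-authenticator' (wrong or unknown secret, dropped before any
    attribute is examined), 'malformed' (bad framing) or 'accepted'."""
    try:
        code, ident, length, auth, body = parse_header(pkt)
    except RadiusError:
        return "malformed"
    expected = response_authenticator(code, ident, length, request_auth, body, secret)
    if not hmac.compare_digest(expected, auth):
        return "bad-authenticator"
    try:
        parse_attributes(body)
    except RadiusError:
        return "malformed"
    return "accepted"


# Constructed test vectors (hypothetical secret and request authenticator).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
ATTRS = [(18, b"Welcome"), (11, b"vpn-users")]   # Reply-Message, Filter-Id


def demo():
    good = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, ATTRS, SECRET)
    forged = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, ATTRS, b"guess")
    # Reply-Message with an illegal Length of 0: reaches the attribute parser
    # only when signed with the real secret, as the bug's precondition says.
    crafted_body = bytes([18, 0]) + b"Welcome"
    crafted = build_raw_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, crafted_body, SECRET)
    crafted_no_secret = build_raw_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, crafted_body, b"guess")
    return {
        "good": classify_response(good, REQUEST_AUTH, SECRET),
        "forged": classify_response(forged, REQUEST_AUTH, SECRET),
        "crafted": classify_response(crafted, REQUEST_AUTH, SECRET),
        "crafted_no_secret": classify_response(crafted_no_secret, REQUEST_AUTH, SECRET),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-18s %s" % (name, verdict))
```

The point of the two crafted cases is the order of checks: without the secret the packet never gets past the authenticator, which is why the record rates the attack as requiring authentication; with it, the only remaining defence is the attribute parser's own bounds checking.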
| |
| |
Bug Id: | CSCur68845 |
Title: | Linux Kernel Networking recvmsg Memory Leak Local Information Disclosu |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-6405
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:N/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2013-6405 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCud16590 |
Title: | ASA may traceback in thread emweb/https |
|
Description: | Summary
Cisco ASA Software is affected by the following vulnerabilities:
- IKE Version 1 Denial of Service Vulnerability
- Crafted URL Denial of Service Vulnerability
- Denial of Service During Validation of Crafted Certificates
- DNS Inspection Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of any of these vulnerabilities may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa
Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by some of the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-fwsm
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2013-1150 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 8.4(5) |
|
Known Fixed Releases: | 100.7(13.108), 100.7(6.104), 100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.3), 100.9(0.6), 7.2(5.9), 8.0(5.29) |
|
|
| |
| |
Bug Id: | CSCur68866 |
Title: | QEMU virtqueue_map_sg() Function Input Validation Buffer Overflow Vuln |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-4535
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2013-4535 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu74125 |
Title: | ASA traceback in thread name: DATAPATH |
|
Description: | Symptom: ASA reloads due to a traceback in thread name: DATAPATH
Conditions: unknown
Workaround: none
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.3(2.160) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCue02226 |
Title: | ASA 9.1.1 - WCCPv2 return packets are dropped |
|
Description: | Symptom:
When using WCCPv2, traffic returned from IronPort to ASA 9.1.1 in GRE tunnel is being dropped on ASA
1. SYN packet sent from User's PC reaches the ASA inside interface,
2. then using GRE the SYN packet is redirected from ASA to IronPort,
3. when the packet is returned from IronPort to the ASA in GRE, the ASA drops it with "Drop-reason: (no-route) No route to host".
Conditions: ASA 9.1.1 IronPort used for http/https traffic inspection
Workaround:
- Disable Bypass on the IronPort, or
- exclude the specific traffic from the ACL that redirects traffic to the IronPort, or
- enable management-access on the ASA on the interface with the highest IP address. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.1(1) |
|
Known Fixed Releases: | 100.8(27.63), 100.8(60.1), 100.9(0.36), 100.9(4.5), 100.9(6.11), 100.9(7.19), 9.0(2.100), 9.0(2.7), 9.0(3), 9.1(1.101) |
|
|
| |
| |
Bug Id: | CSCtr39013 |
Title: | ASA - panic traceback when issuing show route interface_name |
|
Description: | Symptom: Under very rare conditions, the ASA may crash when the show route interface_name IP_address netmask command is issued.
Conditions: ASA running 8.2.5 or 8.4.2 code.
Workaround: Do not use the more specific forms of the show route command; the routing table can still be viewed with show route.
Further Problem Description: The following forms of the "show route" command may result in a crash:
show route
show route outside
show route inside 192.168.0.0 255.255.0.0
Other forms of show route, though not tested, may result in a crash as well.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 8.0(3), 8.2, 8.2(4.11), 8.2(5), 8.3(2.13), 8.4(2) |
|
Known Fixed Releases: | 100.7(13.21), 100.7(14.10), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(8.34), 100.7(9.53), 100.8(0.17), 100.8(10.20), 100.8(12.23) |
|
|
| |
| |
Bug Id: | CSCum55917 |
Title: | ASA Traceback in Thread Name: fover_fail_check |
|
Description: | Symptom: The ASA may run into 1550-byte block depletion and trigger an assert traceback in thread name: fover_fail_check
Conditions: ASA running release 9.0.3 (specific conditions are under investigation) or release 9.1.4 with DHCP relay enabled.
Workaround: In the case where DHCP relay is configured, disabling DHCP relay may keep the issue from occurring.
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.1(4) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCui41969 |
Title: | Authentication is successful, but http browser with error msg displayed |
|
Description: | Symptom: Sometimes the customer's browser displays the rejection message ("Authentication Rejected! Please contact I.T. Department") after the ASA is reloaded (after multiple reloads, or after clear uauth), although authentication actually succeeded. "show uauth" confirms the user is authenticated:
tufw05# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          2
user 'tualan' at 172.31.16.124, authenticated
  access-list acl_itnetadm (*)
  absolute   timeout: 18:00:00
  inactivity timeout: 1:15:00
Conditions: Reloading the ASA multiple times.
Workaround: If the issue happens, run "clear uauth" or reload the ASA again.
More Info:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 8.6(1.10) |
|
Known Fixed Releases: | 100.11(0.55), 100.12(0.111), 100.13(0.15), 100.13(1.36), 100.13(1.38), 100.13(19.9), 100.13(21.6), 100.13(23.4), 100.13(23.5), 100.13(24.4) |
|
|
| |
| |
Bug Id: | CSCtr33200 |
Title: | ASA may traceback when looking at routing table |
|
Description: | Symptom: In certain rare cases, the ASA may crash when looking at the routing table using the output of "show route".
Conditions: This was observed on an ASA running both Webvpn and L2L tunnels.
Workaround: None. |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 8.3(2.13) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu82278 |
Title: | ASA traceback in Thread Name: tmatch compile thread |
|
Description: | Symptom: The ASA can crash in Thread Name: tmatch compile thread.
CPU hogs for Process: 'tmatch compile thread' can be seen around the time of the crash.
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.1(6) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCta02170 |
Title: | ASA5550 or ASA with 4GE-SSM may crash due to block corruption |
|
Description: | Symptom:
ASA reloads due to block corruption.
Conditions:
ASA5550 or ASA with 4GE I/O module running 8.2.1 code and using interfaces in slot 0 and slot 1.
Workaround:
Do not use interfaces in slot 1 since this triggers the problem.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5726 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 8.2(1) |
|
Known Fixed Releases: | 100.3(0.10), 100.3(0.13), 100.4(0.18), 8.2(1.100), 8.2(1.102), 8.2(1.12), 8.2(4), 8.3(0.0) |
|
|
| |
| |
Bug Id: | CSCui77398 |
Title: | Cisco ASA Crafted ICMP Packet Denial of Service Vulnerability |
|
Description: | Summary
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
- IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
- SQL*Net Inspection Engine Denial of Service Vulnerability
- Digital Certificate Authentication Bypass Vulnerability
- Remote Access VPN Authentication Bypass Vulnerability
- Digital Certificate HTTP Authentication Bypass Vulnerability
- HTTP Deep Packet Inspection Denial of Service Vulnerability
- DNS Inspection Denial of Service Vulnerability
- AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
- Clientless SSL VPN Denial of Service Vulnerability
- Crafted ICMP Packet Denial of Service Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability, and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.
Successful exploitation of the Crafted ICMP Packet Denial of Service Vulnerability may result in valid connections passing through or directed to the affected system to be torn down or cause a reload of the system, leading to a denial of service (DoS) condition.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.5/7.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:OF/RC:C
CVE ID has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 8.4(7), 9.0(3), 9.0(3.2), 9.1(2.101), 9.1(2.7), 9.1(3.249) |
|
Known Fixed Releases: | 100.10(0.14), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(13.118), 100.7(6.122), 100.8(38.33), 100.8(40.22), 100.8(41.2), 100.8(45.2) |
|
|
| |
| |
Bug Id: | CSCuu87823 |
Title: | ASAv traceback in DATAPATH when used for WebVPN |
|
Description: | Symptom: ASAv traceback in DATAPATH when used for WebVPN
Conditions: ASAv running release 9.4.1 and configured for WebVPN
Workaround: None
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCui61335 |
Title: | Traceback in Thread: DATAPATH-3-1281 Page fault: Address not mapped |
|
Description: | Symptom: ASA crashes when syncing with cluster master:
Thread Name: DATAPATH-0-1267 Page fault: Address not mapped
Conditions: ASA configured in cluster. Slave synching with cluster master
Workaround: Other than disabling the cluster member, none at this time.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.1(2) |
|
Known Fixed Releases: | 100.10(0.16), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.37), 100.8(40.24), 100.8(41.2), 100.8(45.2), 100.8(46.3), 100.8(49.1) |
|
|
| |
| |
Bug Id: | CSCui06108 |
Title: | LU allocate xlate failed after Standby ASA traceback |
|
Description: | Symptom: The %ASA-3-210007: LU allocate xlate failed syslog message appears after a failure (traceback) on the Standby unit.
Conditions: Cisco ASA running release 9.0.2.
Workaround: None.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-JUN-2015 |
|
Known Affected Releases: | 9.0(2), 9.1(4) |
|
Known Fixed Releases: | 100.10(0.20), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.43), 100.8(40.28), 100.8(41.2), 100.8(45.4), 100.8(46.5), 100.8(48.1) |
|
|
| |
| |
Bug Id: | CSCue46275 |
Title: | Connections not timing out when the route changes on the ASA |
|
Description: | Symptom: Connections on the ASA are not timing out after a route change
Conditions: timeout floating-conn was set to 30 seconds
Workaround: clear out the connections manually
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 8.2(5), 8.3(2), 8.4(5), 9.0(1), 9.1(1) |
|
Known Fixed Releases: | 100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.20), 100.8(40.9), 100.8(41.2), 100.8(60.24), 100.9(0.52), 100.9(10.1), 100.9(6.28) |
|
|
| |
| |
Bug Id: | CSCus89013 |
Title: | Multiple Child SAs created |
|
Description: | Symptom: Multiple Child SAs are created for the same selectors:
BXB-3-5520-ASA3(config)# show crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:65, Status:UP-ACTIVE, IKE count:1, CHILD count:903
Tunnel-id   Local          Remote         Status  Role
162705863   80.1.1.1/500   70.1.1.1/500   READY   RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/5804 sec
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0x3c02014/0x23cc61ca
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0x755d4447/0x1f426716
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0xb196ff93/0x9fbacd9c
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0xba728d67/0x6e159e3d
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0xec951076/0x4d20bdd6
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0x80dc69fe/0x9a072e95
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0xc719b56e/0xf1e350a3
Child sa: local selector  90.1.1.11/0 - 90.1.1.11/65535
          remote selector 60.1.1.11/0 - 60.1.1.11/65535
          ESP spi in/out: 0x4ebdbb5d/0x89d5e9c2
Conditions: Create a crypto map with two sequence numbers, make the first sequence number not match on both peers, and then connect via the second sequence number.
Workaround: Connect via the crypto map's first sequence number.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCus62863 |
Title: | Kenton 5516: Interface dropping ARPs after flapping under traffic load |
|
Description: | Symptom: 5506 drops packets under load.
Conditions: 5506 running 9.4.1 may experience interface flaps under load, resulting in packet loss.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 100.13(0.16), 9.4(0.53), 9.4(1) |
|
Known Fixed Releases: | 100.12(0.125), 100.13(0.74), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.36), 100.14(7.30), 100.15(0.11), 100.15(1.5) |
|
|
| |
| |
Bug Id: | CSCue97782 |
Title: | ASA: Old connections tear down IPsec VPN tunnel on switchover |
|
Description: | Symptom:
L2L IPsec VPN can flap in case of redundant topology, such as shown below:
              + out1 ---\
inside --- ASA -|         ISP --- Peer
              + out2 ---/
Conditions:
This may happen in all ASA versions when ISP fails and IP SLA is used to change routing. Routing change causes existing tunnel teardown and new tunnel reestablishment. New TCP or UDP connections will be opened over new tunnel, but old TCP or UDP connections remain in the ASA connection table pointing to the old interface. This may sometimes trigger reestablishment of VPN tunnel when traffic is sent over these old connections.
Workaround:
None. |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 8.3(2), 9.0(1), 9.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu16907 |
Title: | ASA: Watchdog traceback in DATAPATH |
|
Description: | Symptom: ASA Watchdog traceback after an upgrade in failover environment.
Conditions: ASA in a failover pair environment, upgraded to 9.1(5)21.
Workaround: None
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 9.1(5.21) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtr63728 |
Title: | SIP Inspection Media Update Denial of Service Vulnerability |
|
Description: | Symptom: Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the following vulnerabilities:
- DHCP Memory Allocation Denial of Service Vulnerability
- SSL VPN Authentication Denial of Service Vulnerability
- SIP Inspection Media Update Denial of Service Vulnerability
- DCERPC Inspection Buffer Overflow Vulnerability
- Two DCERPC Inspection Denial Of Service Vulnerabilities
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.
Conditions: See PSIRT Security Advisory.
Workaround: See PSIRT Security Advisory.
Further Problem Description: See PSIRT Security Advisory.
PSIRT Evaluation:
Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa
Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm
The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 8.2(5), 8.4(2) |
|
Known Fixed Releases: | 100.7(13.33), 100.7(14.23), 100.7(18.2), 100.7(6.44), 100.7(8.34), 100.8(0.28), 100.8(10.40), 100.8(15.7), 100.8(19.16), 100.8(2.16) |
|
|
| |
| |
Bug Id: | CSCut67965 |
Title: | CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached |
|
Description: | Symptom: ASA running 9.4.1 stops accepting IKEv2 connections.
Conditions: ASA5545 running 9.4.1 with certificate authentication for Windows Mobile phones. The ASA may print a pki debug message "CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached".
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 9.4(1) |
|
Known Fixed Releases: | 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.28), 100.14(10.23), 100.14(5.17), 100.14(7.33), 100.15(0.13), 100.15(1.15), 100.15(2.47) |
|
|
| |
| |
Bug Id: | CSCtf47041 |
Title: | Active ASA unit tracebacks in Thread Name: ssh |
|
Description: | Symptom:
Active ASA unit tracebacks in Thread Name: ssh
Conditions:
NA
Workaround:
NA |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 8.2(2) |
|
Known Fixed Releases: | 100.4(0.50), 100.5(5.10), 100.7(2.4), 8.2(2.10), 8.2(2.99), 8.2(4), 8.3(1.100), 8.3(1.2), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCuc51614 |
Title: | Weblaunch of AC IKEv2 connection should re-DAP if NAC is not configured |
|
Description: | Symptom: DAP re-evaluation is missing during the weblaunch of AnyConnect IKEv2 connection when the client type switches from clientless to the AnyConnect.
Conditions: The weblaunch of AnyConnect IKEv2 connection without NAC configuration triggers the issue.
Workaround: None
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 8.4 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu32905 |
Title: | ASA WebVPN: Javascript fails to execute when accessing internal portal |
|
Description: | Symptom: On an ASA running WebVPN, when a user clicks on internal portal page, java console logs the error "function expected" in cte.js.
Conditions: Issue was seen and replicated on ASA 9.1(5.21) and 9.1(6).
Workaround: None.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 100.8(40.67), 9.1(6) |
|
Known Fixed Releases: | 100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.26), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15) |
|
|
| |
| |
Bug Id: | CSCuu45813 |
Title: | ASA Name Constraints dirName improperly verified |
|
Description: | Symptom: When performing the SCEP enrollment to the CA that contains Name Constraints x509 extension with a dirName constraint, the ASA fails with the error: CERT-C: I pkixpath.c(2726) : Error #751h CRYPTO_PKI:Invalid certificate received (status = 1873) CRYPTO_PKI:Invalid RA certificate received
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 9.1(1), 9.1(2), 9.3(1), 9.4(1) |
|
Known Fixed Releases: | 100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13), 100.15(1.15) |
|
|
| |
| |
Bug Id: | CSCui53710 |
Title: | ACL Migration to 8.3+ Software Unnecessarily Expands Object Groups |
|
Description: | Symptom: When upgrading an Adaptive Security Appliance (ASA) from 8.2 and earlier software to 8.3 and later software, Access Control List (ACL) entries which reference object groups may be fully expanded even when the object group in question is not directly referenced in NAT policies. As a result, ACL sizes may increase significantly and the convenience of using object-groups for rule set management is lost.
Conditions: A member of the object group is referenced within NAT and/or ACL policies.
Workaround: Rebuild the ACLs to use object groups after the migration.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 8.3(2), 8.4(1), 8.4(1.50), 8.4(6), 9.0(3), 9.1(2) |
|
Known Fixed Releases: | 100.10(0.51), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.79), 100.8(40.51), 100.8(46.53), 100.8(51.13), 100.8(56.1), 100.8(56.10) |
|
|
| |
| |
Bug Id: | CSCuu46569 |
Title: | ASA CA certificate import fails with different types of Name Constraints |
|
Description: | Symptom: When performing the SCEP enrollment to the CA that contains Name Constraints x509 extension with a URI or DNS constraint, the ASA fails with the error: CERT-C: I pkixpath.c(2726) : Error #751h CRYPTO_PKI:Invalid certificate received (status = 1873) CRYPTO_PKI:Invalid RA certificate received
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 9.1(1), 9.1(2), 9.3(1), 9.4(1) |
|
Known Fixed Releases: | 100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13), 100.15(1.15) |
|
|
| |
| |
Bug Id: | CSCut75983 |
Title: | ASA Traceback in PPP |
|
Description: | Symptom: ASA traceback in ppp_timer_thread.
Conditions: ASA under heavy traffic. ASA is already dropping VPN tunnels (over-subscription of the ASA).
Workaround: none
Further Problem Description: ASA reloaded on its own.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 8.4(7) |
|
Known Fixed Releases: | 100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13), 100.15(1.15) |
|
|
| |
| |
Bug Id: | CSCur20322 |
Title: | ASA 9.2.1 - DATAPATH Traceback in L2 cluster environment |
|
Description: | Symptom: ASA in an L2 cluster environment causes a DATAPATH traceback. The unit comes back up but will not join the cluster and results in an RPC_SYSTEMERROR failure. Manual joining into the cluster causes an immediate crash after entering "enable".
Conditions: ASA operating in 9.2.1 code and in multi-context. ASA in a cluster L2 environment.
Workaround: No workaround at this time.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-JUN-2015 |
|
Known Affected Releases: | 9.2(1) |
|
Known Fixed Releases: | 100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.11), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5) |
|
|
| |
| |
Bug Id: | CSCue59676 |
Title: | ASA shared port-channel subinterfaces and multicontext traffic failure |
|
Description: | Symptom: An ASA configured in multi context mode, with port-channels divided into subinterfaces, may experience an issue where traffic to certain contexts will fail if the port-channel has more than one active interface member.
Conditions: To confirm you are hitting this bug, check the output of 'show controller' for each physical member of the port-channel. Affected ASAs will show only the first member in Promiscuous mode and the rest in Disabled. The format of the 'show controller' output depends on the ASA platform.
Some platforms show the output below:
show controller GigabitEthernet 0/0 | i Promiscuous Mode
Unicast Promiscuous Mode: Enabled (5) <----
show controller GigabitEthernet 0/1 | i Promiscuous Mode
Unicast Promiscuous Mode: Disabled (0) <----
Other platforms show the output below:
show controller GigabitEthernet 0/0 | i RX Control
RX Control: 0x00007fff18536100 = 0x0440800a
show controller GigabitEthernet 0/1 | i RX Control
RX Control: 0x00007fff18536100 = 0x04408002
The last hex digit of RX Control encodes the mode: the high bit of a (1010) is set, meaning Promiscuous; in 2 (0010) it is clear, meaning Not Promiscuous.
Traffic failure is observed when the number of MAC addresses allocated to each interface exceeds the size of the RX address array. The RX address array can be seen in the "show controller" output.
Workaround: Reduce the number of contexts or subinterfaces so that the number of MAC addresses allocated to interfaces does not exceed the size of the RX address array. Deleting the context experiencing the problem and reconfiguring it sometimes resolves the issue for that context, but the problem may then move to another context.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 8.4(4.6), 8.4(5) |
|
Known Fixed Releases: | 100.7(13.111), 100.7(6.110), 100.8(27.63), 100.8(50.35), 100.9(0.35), 100.9(4.5), 100.9(6.10), 100.9(7.9), 100.9(8.1), 8.4(5.7) |
|
|
| |
| |
Bug Id: | CSCur68847 |
Title: | Linux Kernel farsync.c Information Disclosure Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-1444
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-1444 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCts45638 |
Title: | 8.4.2.2: Thread Name: DATAPATH-0-1272 Page fault: Unknown |
|
Description: | Symptom: ASA may crash unexpectedly due to a traceback.
Conditions: The problem is related to traffic matching PAT rules.
Workaround: There is no known workaround. This defect can be matched by TAC after decoding the output of 'show crashinfo'. |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 8.4(2), 8.4(2.2) |
|
Known Fixed Releases: | 100.7(13.37), 100.7(14.26), 100.7(17.5), 100.7(18.3), 100.7(6.44), 100.7(8.34), 100.8(0.30), 100.8(0.36), 100.8(0.46), 100.8(0.54) |
|
|
| |
| |
Bug Id: | CSCur68848 |
Title: | Linux Kernel KVM Virtual APIC Accesses Local Privilege Escalation Vuln |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-6368
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2013-6368 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68873 |
Title: | Linux Kernel Reliable Datagram Sockets Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-7339
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2013-7339 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuj82692 |
Title: | ASA 8.4.7 - Traceback with assertion in thread name Dispatch Unit |
|
Description: | Symptom: Standalone ASA traceback in thread name Dispatch Unit
Conditions: ASA version 8.4.7
Workaround: not known
Further Problem Description: ASA crashes during propagation of VOIP traffic. If the VOIP inspections are disabled, the crashes are not seen.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 8.4(6.3), 8.4(7) |
|
Known Fixed Releases: | 100.10(0.63), 100.10(2.4), 100.10(3.1), 100.10(9.1), 100.7(6.127), 100.8(38.94), 100.8(40.56), 100.9(10.23), 8.4(7.8), 9.0(4.1) |
|
|
| |
| |
Bug Id: | CSCuq34226 |
Title: | OpenSSL Zero-Length Fragments DTLS Memory Leak Denial of Service Vuln |
|
Description: | Symptom: The Cisco Adaptive Security Appliance (ASA) Software version 8.2 and later includes a version of OpenSSL that could be affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
* DTLS memory leak from zero-length fragments (CVE-2014-3507)
This bug has been opened to investigate and address the potential impact on this product.
Conditions: Cisco ASA running release 8.2.1 or later with a default configuration.
Workaround: None.
Further Problem Description: This bug is one of 9 disclosed by the OpenSSL organization as part of their August advisory (see https://www.openssl.org/news/secadv_20140806.txt for details).
1. Double Free when processing DTLS packets (CVE-2014-3505)
2. DTLS memory exhaustion (CVE-2014-3506)
3. DTLS memory leak from zero-length fragments (CVE-2014-3507)
4. Information leak in pretty printing functions (CVE-2014-3508)
5. Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
6. OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
7. OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
8. SRP buffer overrun (CVE-2014-3512)
9. Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html
Only numbers 1 and 3 were found to be vulnerabilities in the ASA and were resolved with bugs:
CSCuq34213 Double Free when processing DTLS packets
CSCuq34226 OpenSSL Zero-Length Fragments DTLS Memory Leak Denial of Service Vuln
The remaining issues had bugs created but have been junked as the ASA was found to be not vulnerable.
Cisco Adaptive Security Appliance (ASA) Software v9.0.4 and later is NOT impacted by this bug.
Due to End of Life, this bug will not be fixed in the 8.0 and 8.1 code trains. Cisco recommends that customers upgrade to a fixed release.
Cisco Adaptive Security Appliance (ASA) Software v7.x is NOT impacted by these vulnerabilities.
PSIRT Evaluation: The Cisco PSIRT has assessed these vulnerabilities using the Base and Temporal CVSS scores from the National Vulnerability Database (NVD).
Details about the third-party software vulnerabilities listed above, as well as their CVSS score can be found at the following URL: http://web.nvd.nist.gov/view/vuln/search
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 100.12(10), 8.2(5.50), 8.3(2.41), 8.4(7.22), 8.6(1.14), 8.7(1.12), 9.1(5.11), 9.2(2.4), 9.3(1) |
|
Known Fixed Releases: | 100.11(0.42), 100.12(10.32), 100.12(21.2), 100.12(9.13), 100.7(6.134), 100.8(40.83), 15.2(2.6.25)EA, 8.3(2.43), 9.0(4.22), 9.1(5.13) |
|
|
| |
| |
Bug Id: | CSCur59704 |
Title: | ASA: Traceback in idfw_proc |
|
Description: | Symptom: ASA traceback on Thread name: idfw_proc
Conditions: The issue is related to usage of FQDN objects along with 'object-group-search access-control' feature.
Workaround: Disable 'object-group-search access-control' or do not use FQDN objects.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 9.0(4) |
|
Known Fixed Releases: | 100.11(0.54), 100.12(0.104), 100.13(0.12), 100.13(1.15), 100.13(16.23), 100.13(19.6), 100.13(20.3), 100.13(21.3), 100.13(23.1), 100.7(6.137) |
|
|
| |
| |
Bug Id: | CSCur68857 |
Title: | Linux Kernel ioctx_alloc Local Denial of Service Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-7348
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 2.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:TF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2013-7348 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtt96550 |
Title: | x-late Pairing Denial of Service Vulnerability |
|
Description: | Symptom: A vulnerability exists in the xlate code of the Cisco ASA that may allow an unauthenticated remote attacker to trigger the reload of the affected system. The vulnerability is due to improper deletion of one xlate while its pairing is still active. The attacker should be able to exploit this race condition in order to trigger this vulnerability.
Conditions: This race condition may be triggered by the following inspection engines: H323, skinny, sip, rtsp
Workaround: If possible, disable the above inspections.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5412 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 8.2(4.4), 8.2(5.15), 8.4(2) |
|
Known Fixed Releases: | 100.7(13.46), 100.7(14.41), 100.7(17.11), 100.7(18.4), 100.7(6.54), 100.7(8.34), 100.8(0.44), 100.8(0.49), 100.8(0.51), 100.8(0.52) |
|
|
| |
| |
Bug Id: | CSCuu55785 |
Title: | ASA ISE And Hostscan are not supported together |
|
Description: | Symptom: When using pre-login checks with Hostscan and NAC agent for post login, an incorrect DAP is pushed after the CoA reauthentication is sent.
This is because ISE and Hostscan are not supported together on the same connection. This is a documentation bug meant to clarify this design limitation in the deployment guides.
Conditions: ASA configured with CoA for posture. ASA Hostscan pre-login check attributes used in DAP Policies. NAC agent used for post-login compliance
Workaround: Remove Hostscan attributes in the DAP check
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 9.2(1), 9.2(2), 9.3(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu60257 |
Title: | Unicorn Proxy Thread crash when customized webvpn welcome page accessed |
|
Description: | Symptom: ASA presenting crashes caused by "Unicorn Proxy Thread" whenever the customized welcome Webvpn portal is loaded.
Conditions:
- ASA running code 9.4.1
- Webvpn welcome page customized with main logo changed.
Workaround: Remove the webvpn customization settings from the unit (being tested).
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur68876 |
Title: | Linux Kernel Futex Subsystem Local Privilege Escalation Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0205
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-0205 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtr54561 |
Title: | ASA 8.4.2 traceback on Dispatch Unit |
|
Description: | Symptom: ASA traceback on Dispatch Unit
Conditions: ASA running 8.4.2
Workaround: No known workaround |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 8.4(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut92194 |
Title: | ASA crash in Thread Name: CP Processing |
|
Description: | Symptom: ASA running version 9.3.2 is crashing intermittently on Thread Name: CP Processing.
Conditions: ASA is configured for Websense url filtering.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | 100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.19), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.10) |
|
|
| |
| |
Bug Id: | CSCtz70573 |
Title: | SMP ASA traceback on periodic_handler for inspecting icmp or dns traffic |
|
Description: | Symptom: ASA may reload with traceback in Thread Name: DATAPATH-20-2333.
Conditions:
ASA running 8.x on multi-core platforms.
Workaround: Disable ICMP and DNS inspection.
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 100.7(6.103), 8.4(1), 8.4(3), 8.4(4), 8.4(5), 8.5(1.9), 9.1(1) |
|
Known Fixed Releases: | 100.10(0.32), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(13.110), 100.7(6.106), 100.7(6.125), 100.8(27.31), 100.8(38.4), 100.8(38.59) |
|
|
| |
| |
Bug Id: | CSCut27332 |
Title: | ASA traceback in aaa_shim_thread |
|
Description: | Symptom: ASA traceback in aaa_shim_thread
Conditions:
- ASA running 9.3.2
- High load with AnyConnect 3.0 or newer
- Heavy DAP or dynamic ACL usage with large aggregate ACLs
- Failover configuration
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(3), 9.4(1) |
|
Known Fixed Releases: | 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.16), 100.14(26.6), 100.14(3.5) |
|
|
| |
| |
Bug Id: | CSCur68846 |
Title: | Linux Kernel wanxl.c Information Disclosure Vulnerability |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-1445
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 1.7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-1445 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.200), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtn40707 |
Title: | assert traceback for ifc cfg removal with same-security intra-interface |
|
Description: | Symptom:
Tracebacks seen on standby ASA in thread name: fover_parse when write standby was issued
Conditions:
Active/Standby failover.
This crash will be hit if there are any flows with egress and ingress interface based on same interface (i.e. same-security intra-interface configured) and clear config interface was issued on that ifc either directly or through config replication... Write standby was issued on active firewall when standby crashed.
Workaround:
None at this time.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 100.8(0.60), 100.8(2.22), 8.2(5.5), 8.3(1.6), 8.4(2) |
|
Known Fixed Releases: | 100.7(13.59), 100.7(18.11), 100.7(19.9), 100.7(20.2), 100.7(6.64), 100.8(0.68), 100.8(11.11), 100.8(14.10), 100.8(24.36), 100.8(32.5) |
|
|
| |
| |
Bug Id: | CSCuu48626 |
Title: | ASA - access list address argument changed from host 0.0.0.0 to host :: |
|
Description: | Symptom: ASA changes the configured access-list address argument from "host 0.0.0.0" to "host ::"
Conditions: ASA version 9.3.2 and 9.3.3
Workaround: The check can be bypassed by using an object in the ACL:
1. Create a network object for host 0/0:
object network HOST-0
host 0.0.0.0
2. Use this network-object in an extended access-list:
access-list NAME extended permit ip object HOST-0 any
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(3) |
|
Known Fixed Releases: | 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13), 100.15(1.15), 100.15(2.47) |
|
|
| |
| |
Bug Id: | CSCur55125 |
Title: | cURL and libcurl GSSAPI Authentication Mechanism Unsafe Authentication |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-2192
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-2192 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 22-JUN-2015 |
|
Known Affected Releases: | 8.7(1), 9.2(1), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut45659 |
Title: | ASA: Intermittent failure in assigning IP address to AnyConnect client |
|
Description: | Symptom: After upgrade to 9.1.5 or later releases, the ASA may fail to assign an IP address to the AnyConnect client intermittently. This will result in a VPN connection failure and the user will be displayed the following message 'AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again'
Conditions:
1. ASA running 9.1.5 or later release
2. IP address assigned either via local pool or external DHCP server
Workaround: Reboot of the ASA appears to resolve the issue
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 9.1(5), 9.1(5.21) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf52468 |
Title: | ASA Digital Certificate Authentication Bypass Vulnerability |
|
Description: | Summary
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 10/8.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C CVE ID CVE-2013-5509 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 9.0(1), 9.1(1) |
|
Known Fixed Releases: | 100.8(27.83), 100.8(40.2), 100.8(60.7), 100.9(0.38), 100.9(4.5), 100.9(6.16), 100.9(7.20), 9.0(2.100), 9.0(2.5), 9.0(3) |
|
|
| |
| |
Bug Id: | CSCtw68156 |
Title: | Memory leak by chunk_create_internal |
|
Description: | Symptom: Free memory keeps decreasing over time.
Conditions: This has been seen on ASA running 8.2.4
Workaround: Reload the ASA before free memory gets too close to 0%
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 8.2(4) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCus30833 |
Title: | ASA: Page fault traceback in SXP CORE thread |
|
Description: | Symptom: An ASA configured for CTS may generate a traceback and reload. The traceback will contain the following strings:
Thread Name: SXP CORE Page fault: Unknown
Conditions: The ASA must be configured to receive and process SXP packets from one or more devices. For example:
cts sxp enable
cts sxp connection peer 192.168.110.100 password none mode peer speaker
Workaround: There is no known workaround at this time.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | 100.11(0.55), 100.12(0.111), 100.13(0.15), 100.13(1.38), 100.13(19.9), 100.13(21.6), 100.13(23.5), 100.13(24.4), 100.8(40.94), 9.2(3.101) |
|
|
| |
| |
Bug Id: | CSCua52914 |
Title: | 1550 byte block depletion due to webvpn snp_fp_svc_ob_tunnel_flow |
|
Description: | Symptom: An ASA firewall may run out of 1550 byte blocks and as a result, cease to pass traffic. Management to/from the box may also be affected. The depletion can be seen in the output of 'show blocks' with a focus on the 1550 byte blocks.
Conditions: This has been seen on ASA code version 8.6.1 and may exist on other versions as well. Initial debugging seems to implicate some webvpn functionality as the root cause, so having webvpn traffic appears to be a requirement.
Workaround: At this point, the only option is to reload the ASA to restore the lost memory blocks. |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 8.6(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuq65542 |
Title: | Cisco ASA Software Version Information Disclosure Vulnerability |
|
Description: | Symptoms: A vulnerability in the SSL VPN code of Cisco ASA Software could allow an unauthenticated, remote attacker to obtain information about the Cisco ASA Software version. This information could be used for reconnaissance attacks.
The vulnerability is due to a verbose output returned when a specific URL is submitted to the affected system. An attacker could exploit this vulnerability by browsing a specific URL. The SSL VPN feature needs to be enabled for a system to be vulnerable.
This vulnerability was reported to Cisco by Alec STUART-MUIRK.
Conditions: SSL VPN needs to be configured on the system.
Workaround:
none
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C CVE ID CVE-2014-3398 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3398
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 9.1(5.3) |
|
Known Fixed Releases: | 100.11(0.46), 100.12(0.43), 100.12(10.47), 100.12(6.5), 100.13(0.2), 100.13(11.1), 100.13(12.1), 100.13(13.1), 100.13(14.1), 100.13(15.1) |
|
|
| |
| |
Bug Id: | CSCuh19234 |
Title: | Traceback after upgrade from pre-8.3 to 8.4(6), 9.1(2) or 9.0(3) |
|
Description: | Symptom: A crash happens during the configuration migration when upgrading from pre-8.3 to 8.4(6), 9.1(2) or 9.0(3), causing a boot loop.
Conditions: ASA with version pre-8.3
Workaround: Manual migration of the config
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 8.4(6), 9.0(3), 9.1(2) |
|
Known Fixed Releases: | 100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.19), 100.8(40.8), 100.8(41.2), 100.8(60.21), 100.9(0.51), 100.9(10.1), 100.9(6.28) |
|
|
| |
| |
Bug Id: | CSCuq72664 |
Title: | ASA - 80 Byte memory block depletion |
|
Description: | Symptom: ASA block 80 gets depleted, causing an outage to AnyConnect and affecting SSH sessions to the box.
Other symptoms:
1) 'show blocks' shows 80 byte blocks being at 0
2) syslogs generated: %ASA-3-321007: System is low on free memory blocks of size 80 (0 CNT out of 2500 MAX)
Conditions:
Workaround: Use 'anyconnect ssl compression none':
ASA(config)# group-policy DfltGrpPolicy attributes
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# anyconnect ssl compression none
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 9.2(2.4), 9.3(1) |
|
Known Fixed Releases: | 100.11(0.46), 100.12(0.46), 100.12(10.47), 100.12(6.7), 100.13(0.2), 100.13(11.1), 100.13(12.1), 100.13(13.1), 100.13(14.1), 100.13(15.1) |
|
|
| |
| |
Bug Id: | CSCtx43501 |
Title: | CPU hog due to snmp polling of ASA memory pool information |
|
Description: | Symptom: The ASA provides access to three different memory pools via SNMP.
1) The "System memory" pool (which is a superset of 2 and 3 below)
2) The MEMPOOL_DMA pool
3) The MEMPOOL_GLOBAL_SHARED pool
If the MEMPOOL_GLOBAL_SHARED pool information is queried via SNMP, a CPU hog might occur. The ASA's CPU may be held by the SNMP process for too long before yielding the CPU to other processes. If the data rate is high enough through the ASA, packets might be dropped.
If an ASA is experiencing this problem, it could generate syslogs that look like this: %ASA-4-711004: Task ran for 374 msec, Process = snmp, PC = 12229dc, Call stack = 0x00000000012229dc 0x000000000122175c 0x000000000121e45a 0x0000000001221247 0x00000000011fba3a 0x00000000011fa1ca 0x00000000004245a5
Also, the output of 'show process cpu-hog' will show entries for SNMP:
Process: snmp, PROC_PC_TOTAL: 9443, MAXHOG: 13, LASTHOG: 12 LASTHOG At: 12:47:00 CST Jan 23 2012 PC: 8c45b98 (suspend)
Process: snmp, NUMHOG: 9443, MAXHOG: 13, LASTHOG: 12 LASTHOG At: 12:47:00 CST Jan 23 2012 PC: 8c45b98 (suspend) Call stack: 8b6aac3 8b4ae5d 8b49bbc 8063b33
Conditions: To encounter this problem, memory information for the "Global Shared" pool must be queried via SNMP.
Workaround: Avoid polling the memory information for the Global Shared pool:
Exclude: .1.3.6.1.4.1.9.9.48.1.1.1.X.7 - "MEMPOOL_GLOBAL_SHARED"
where X is the integer corresponding to a particular statistic about the pool.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C CVE ID CVE-2012-4664 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 8.1(2.23), 8.2(3.6), 8.4(2.8), 8.4(3.8), 8.4(4), 9.1(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCud05798 |
Title: | FIPS Self-Test failure, fips_continuous_rng_test [-1:8:0:4:4] |
|
Description: | Symptom:
ASA running 8.3.2 reloaded due to the FIPS system detecting a failure. The Specific failure was due to a check of the Random Number Generator. This is not a crash, but a purposefully forced reload by the FIPS system.
The console may show:
*** --- START GRACEFUL SHUTDOWN --- ***
*** Message to all terminals: ***
*** ERROR: FIPS Self-Test failure, fips_continuous_rng_test [-1:8:0:4:4]
Shutting down isakmp
Shutting down webvpn
Shutting down File system
Conditions: This occurs when FIPS is enabled on the firewall and an anomaly is detected with the random number generator.
Workaround: Unknown at this time. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 8.3(2) |
|
Known Fixed Releases: | 100.10(0.6), 100.7(6.117), 100.7(6.118), 100.8(27.83), 100.8(38.15), 100.8(38.16), 100.8(40.4), 100.8(41.2), 100.8(60.10), 100.8(60.7) |
|
|
| |
| |
Bug Id: | CSCuq20232 |
Title: | ASA 8.2.5 CPU hog in accept/http |
|
Description: | Symptom: ASDM access failure as there are hung sessions.
ASDM is not able to access the asdm_handler service on the device. It is likely the user password has expired or the maximum number of sessions has been exceeded on the device.
Conditions: NA
Workaround: NA
Further Problem Description: ASDM access failure as there are hung sessions.
ASDM is not able to access the asdm_handler service on the device. It is likely the user password has expired or the maximum number of sessions has been exceeded on the device.
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 8.2(5) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut46019 |
Title: | MARCH 2015 OpenSSL Vulnerabilities |
|
Description: | Symptom: This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-0286, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288
This bug has been opened to address the potential impact on this product.
Conditions: Exposure is not configuration dependent.
First Fixed Information:
8.2.5.58 (April 2015)
8.3.2.45 (April 2015)
8.4.7.29 (April 2015)
8.5.1.25 (April 2015)
8.6.1.18 (April 2015)
8.7.1.17 (April 2015)
9.0.4.34 (April 2015)
9.1.6.2 (24-Apr-2015)
9.2.3.5 (April 2015)
9.3.3.1 (8-May-2015)
9.4.1.1 (8-May-2015)
Published advisory is at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150320-openssl
Workaround: Not available.
More Info: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.1/6.9
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 8.2(5), 9.2(1), 9.3(2) |
|
Known Fixed Releases: | 100.11(0.58), 100.12(0.123), 100.13(0.73), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.28), 100.14(7.28), 100.15(0.10) |
|
|
| |
| |
Bug Id: | CSCut65365 |
Title: | Threat Detection Statistics causes a high rate of CPU hogs on DATAPATH |
|
Description: | Symptom: An ASA Firewall may exhibit elevated CPU utilization under very low traffic rates. Inspecting the output of 'show process cpu-usage' shows that the majority (90% or higher) is used by a process whose name includes DATAPATH.
In addition, looking at the output of 'show process cpu-hog' shows that the DATAPATH process identified above is experiencing a high rate of very short CPU hogs. For example:
Process: DATAPATH-0-1749, NUMHOG: 22115786, MAXHOG: 113, LASTHOG: 16 LASTHOG At: 10:12:41 CDT Mar 31 2015 PC: 0x0000000000000000 (suspend) Call stack: 0x00000000004381fa 0x000000000071c19d 0x000000000171061d 0x00000000017199bc 0x000000363b608201
Process: DATAPATH-0-1749, PROC_PC_TOTAL: 390365697, MAXHOG: 129, LASTHOG: 12 LASTHOG At: 10:12:42 CDT Mar 31 2015 PC: 0x0000000000000000 (suspend)
Conditions: This is seen on later versions of ASA code, and it seems to be primarily affecting code trains from 9.3.x and onwards with Threat Detection Statistics configured:
threat-detection statistics
Consult the bug notes for fixed in build information.
Workaround: In many instances, disabling threat detection statistics appears to resolve the high-cpu condition. This can be done by issuing the following command in global configuration:
no threat-detection statistics
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 23-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuc80080 |
Title: | DNS Inspection Denial of Service Vulnerability |
|
Description: | Symptom: Cisco ASA Software is affected by the following vulnerabilities:
IKE Version 1 Denial of Service Vulnerability
Crafted URL Denial of Service Vulnerability
Denial of Service During Validation of Crafted Certificates
DNS Inspection Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of any of these vulnerabilities may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Conditions: See PSIRT Security Advisory.
Workaround: See PSIRT Security Advisory.
Further Problem Description: See PSIRT Security Advisory.
PSIRT Evaluation:
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa
Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by some of the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-fwsm |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 9.0(1), 9.1(0.2) |
|
Known Fixed Releases: | 100.8(0.245), 100.8(11.45), 100.8(27.20), 100.8(34.1), 100.8(38.3), 100.8(39.2), 100.9(0.6), 9.0(1.100), 9.0(1.2), 9.0(2) |
|
|
| |
| |
Bug Id: | CSCuu85497 |
Title: | ASA Webvpn traceback followed by an unexpected reload |
|
Description: | Symptom: ASA stops responding to ASDM/webvpn/anyconnect and users see a blank page when they connect. After a while the whole box crashes without generating a crashinfo.
Conditions: The issue has been seen after an upgrade to 9.2.3.4
Workaround: Reload the ASA.
Further Problem Description: The issue starts with the users reporting that they are unable to use clientless or anyconnect vpn. At the same time there is no ASDM access to the device. Later the customer notices that they lose access to the ASA [including icmp and telnet]. We found later that this is because the ASA crashes without generating a crashinfo [a silent crash].
Recorded crash events for webvpn:
ASA Crash Recovery Dump: Timestamp 2015-05-07 10:11:32
ASA Crash Recovery Dump: Timestamp 2015-05-07 10:11:34
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 9.2(3.4) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu28858 |
Title: | ASA sends PIM join to both upstream neighbors |
|
Description: | Symptom: ASA sends PIM join to multiple upstream neighbors when an equal cost route exists for upstream traffic
Conditions: ASA configured with an equal cost route upstream
Workaround: configure a static route or configure dynamic routing to force one route over the other.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 9.0(4) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuf31658 |
Title: | Linux Kernel nfs_readdata_release() and nfs_writedata_release() Functi |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2011-4325
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2011-4325 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 1 Catastrophic |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur30351 |
Title: | CSC-SSM : Evaluation of SSLv3 POODLE vulnerability |
|
Description: | Symptom: This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3566
This bug was opened to address the potential impact on this product.
Conditions: Device with default configuration.
Workaround: For CSC web console, we suggest disabling SSLv3 and enabling TLS on browser or CSC web server (tomcat).
To disable SSLv3, you need to change server.xml (/opt/trend/isvw/common/Tomcat/conf/):
(1) remove the attribute sslProtocol="TLS",
(2) add the attribute sslProtocols="TLSv1,TLSv1.1,TLSv1.2". For example, it is like:
SSLEnabled="true" maxThreads="150" secure="true" keystoreFile="/opt/trend/isvw/config/.keystore" keystorePass="changeit" keystoreType="JKS" clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
Then restart the UI service (/opt/trend/isvw/script/ISui restart).
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 5.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2014-3566 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 6.6, 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 9.3(2), 99.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCud62661 |
Title: | STI Flash write failure corrupts large files |
|
Description: | Symptom:
After copying a new ASA image file to flash, the ASA may fail to boot.
Conditions:
Monitor the ASA's console. The ASA gets stuck booting at "Loading disk0:/asa901-k8.bin..."
Workaround:
Boot from another image or from a tftp server, format the flash, and then re-copy the images to the flash.
1) Commands to boot to TFTP from Rommon mode:
address 192.168.2.1
interface Ethernet0/2
server 192.168.2.100
file asa901-k8.bin
tftp
2) Format flash, copy the ASA and ASDM images.
format disk0:
copy tftp disk0:
3) Verify the image was copied correctly by checking the md5 checksum against what is listed on cisco.com.
verify disk0:/asa901-k8.bin |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 8.4, 9.0(1), 9.1(1) |
|
Known Fixed Releases: | 100.7(6.112), 100.8(27.63), 100.8(60.3), 100.9(0.37), 100.9(4.5), 100.9(6.12), 100.9(7.19), 8.4(5.8), 8.4(5.99), 8.4(6) |
|
|
| |
| |
Bug Id: | CSCur07061 |
Title: | Traceback on standby ASA during hitless upgrade |
|
Description: | Regression caused by a fix in CSCuq37448
Symptom: ASA system traceback was observed in data path.
Conditions: Cisco ASA running release 9.1.5.16.
Workaround: NA
More Info: This issue was seen in one case when doing system test with ASAv during hitless upgrade. In another the trace indicated it might be related to using the capture feature on an ASA-SM. However, the issue is not related to failover or packet capture. In the bug fix of CSCuq37448, we added code for detecting and handling IPSec HA packets. That fix failed to handle certain corner cases and could subsequently cause a traceback. The fix removes the special handling.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 100.12(0.56), 100.13(11.7) |
|
Known Fixed Releases: | 100.11(0.50), 100.11(0.57), 100.12(0.118), 100.12(0.70), 100.12(6.20), 100.13(0.58), 100.13(0.6), 100.13(11.10), 100.13(12.16), 100.13(15.7) |
|
|
| |
| |
Bug Id: | CSCul98420 |
Title: | 'Route-Lookup' Behavior Assumed for Twice NAT with Identity Destination |
|
Description: | Symptom: The Adaptive Security Appliance (ASA) or ASA Services Module implicitly performs a destination route lookup for Twice NAT entries with an identity destination translation even when the route-lookup keyword is not used.
Conditions: Using an identity destination translation with Twice NAT such as this:
nat (inside,outside2) source dynamic 192_168_1_20 interface destination static ANY ANY service HTTP HTTP
and running a software image with the fix for CSCuf71119.
Workaround: None.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 8.4(6.4) |
|
Known Fixed Releases: | 100.10(9.5), 100.11(4.1), 100.7(6.129), 100.8(38.114), 100.8(40.60), 100.8(56.20), 100.8(62.2), 100.8(64.1), 100.8(65.3), 100.8(66.3) |
|
|
| |
| |
Bug Id: | CSCuq29136 |
Title: | Cisco ASA SSL VPN Info Disclosure and DoS Vulnerability |
|
Description: | Symptom: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.
Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.3/6.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:C/E:F/RL:OF/RC:C CVE ID CVE-2014-3392 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be fou |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 9.1(5.3) |
|
Known Fixed Releases: | 100.11(0.42), 100.12(0.31), 100.12(10.21), 100.12(15.8), 100.12(21.1), 100.12(6.2), 100.12(9.9), 100.7(6.134), 100.8(40.82), 8.2(5.51) |
|
|
| |
| |
Bug Id: | CSCuj86222 |
Title: | ASA Drops OoO TCP Segments when Proxying Conns for ScanSafe Redirection |
|
Description: | Symptom: Users may experience significant and excessive performance degradation while redirecting HTTP/HTTPS traffic to CWS/ScanSafe when packet loss is incurred during transmission over the internet. This is especially noticeable for larger file downloads that are redirected through the towers.
Conditions:
1. User must be redirecting traffic through an ASA to Cisco Cloud Web Security towers
2. Packet loss is incurred on the connection while in transit across the internet, which causes TCP segments to arrive out-of-order at the outside interface of the ASA
Workaround:
1. Identify the cause of the packet loss and correct the issue, OR
2. Perform browser-based redirection to the CWS towers
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 9.1(1), 9.1(2), 9.1(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuq50366 |
Title: | Traceback may occur on bring up of multiple SSL sessions w/DHE |
|
Description: | Symptom: On rare occasions it is possible that a traceback may occur when bringing up multiple SSL sessions with DHE.
Conditions:
Workaround: Use a different cipher than DHE or upgrade to a version with the fix for this issue.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 100.12(10.28), 100.12(10.32), 100.12(2.14), 9.1(5.19), 9.1(5.21), 9.2(2.4) |
|
Known Fixed Releases: | 100.11(0.55), 100.12(10.33), 100.12(21.2), 100.12(9.14), 100.8(40.94), 9.1(5.101), 9.2(3.1), 9.3(2.1) |
|
|
| |
| |
Bug Id: | CSCuq59114 |
Title: | ASA traceback in cluster with DATAPATH thread |
|
Description: | Symptom: ASA crashed with DATAPATH thread.
Conditions: Seen in ASA5585 running 9.1(4)5 running in cluster.
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 9.1(4.5) |
|
Known Fixed Releases: | 100.11(0.55), 100.12(0.110), 100.13(0.15), 100.13(1.34), 100.13(16.31), 100.13(19.9), 100.13(20.5), 100.13(21.5), 100.13(23.3), 100.13(24.3) |
|
|
| |
| |
Bug Id: | CSCuf31803 |
Title: | Linux Kernel nfs_wait_on_request() Local Denial of Service Vulnerabili |
|
Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-1087
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2010-1087 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCui98316 |
Title: | ASA traceback in Thread Name: tmatch compile thread |
|
Description: | Symptom: ASA reloads unexpectedly with traceback in Thread Name: tmatch compile thread.
Conditions: There is no known trigger.
Workaround: There is no workaround at this time.
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 8.4(5.2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuq41510 |
Title: | Cisco ASA VNMC Input Validation Vulnerability |
|
Description: | Symptom: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.
Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/6.2: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:M/C:C/I:C/A:C/E:F/RL:OF/RC:C CVE ID CVE-2014-3390 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be fou |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 9.2(1) |
|
Known Fixed Releases: | 100.11(0.44), 100.12(0.38), 100.12(10.37), 100.12(15.10), 100.12(21.3), 100.12(6.4), 9.2(2.7), 9.3(1.1), 9.3(1.99), 9.3(2) |
|
|
| |
| |
Bug Id: | CSCut40270 |
Title: | ASA: Traceback in Thread Name DATAPATH |
|
Description: | Symptom: ASA can unexpectedly reload and generate a traceback in Thread Name DATAPATH
Conditions: ASA running 9.2(3)3 software version
Workaround: n/a
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 9.2(3.3) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtq86859 |
Title: | Traceback in Thread Name: IP SLA Mon Event Processor |
|
Description: | Symptom: ASA reload. Traceback in Thread Name: IP SLA Mon Event Processor
Conditions: IP SLA configured on ASA. Commonly used on ASA for route-tracking feature
Workaround: Disable IP SLA feature on ASA. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 8.3(2.4) |
|
Known Fixed Releases: | 100.7(13.31), 100.7(14.20), 100.7(18.2), 100.7(6.44), 100.7(8.34), 100.8(0.24), 100.8(10.34), 100.8(12.31), 100.8(15.5), 100.8(19.11) |
|
|
| |
| |
Bug Id: | CSCub38407 |
Title: | Add text section to coredump |
|
Description: | Symptoms: Cisco FireSIGHT contains a stored XSS vulnerability
Conditions: none
Workaround: Additional mitigation at: http://www.cisco.com/c/en/us/support/docs/cmb/cisco-amb-20060922-understanding-xss.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 8.4 |
|
Known Fixed Releases: | 100.10(0.76), 100.10(2.7), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.11(4.1), 100.7(6.129), 100.8(38.111), 100.8(40.59), 100.8(56.17) |
|
|
| |
| |
Bug Id: | CSCup22532 |
Title: | Multiple Vulnerabilities in OpenSSL - June 2014 |
|
Description: | Symptom: The following Cisco products
Cisco Adaptive Security Appliance (ASA) Software v8.0 and later, including: 8.0.2 - 8.0.5.39, 8.1.1 - 8.1.2.56, 8.2.1 - 8.2.5.49, 8.3.1 - 8.3.2.40, 8.4.1 - 8.4.7.20, 8.5.1 - 8.5.1.20, 8.6.1 - 8.6.1.13, 8.7.1 - 8.7.1.11, 9.0.1 - 9.0.4.13, 9.1.1 - 9.1.5.7, and 9.2.1
include a version of openssl that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0195 - DTLS invalid fragment vulnerability
CVE-2014-0224 - SSL/TLS MITM vulnerability
This bug has been opened to address the potential impact on this product.
Cisco has analyzed the following vulnerabilities and concluded that the previously listed products are not impacted:
CVE-2010-5298 - SSL_MODE_RELEASE_BUFFERS session injection or denial of service
CVE-2014-0076 - Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
CVE-2014-0198 - SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-3470 - Anonymous ECDH denial of service
Conditions: The Cisco Adaptive Security Appliance (ASA) running software v9.2.1 is vulnerable to CVE-2014-0195 - DTLS invalid fragment vulnerability when SSLVPN is enabled and configured to use DTLS. Previous ASA software releases are NOT affected by this vulnerability.
The Cisco Adaptive Security Appliance (ASA) running software v8.0 and later is vulnerable to CVE-2014-0224 - SSL/TLS MITM vulnerability when using the following configurations:
* When SSLVPN is enabled and configured to allow clientless VPN tunnels, OR
* When TLS-proxy is configured (either stand-alone or in conjunction with the phone proxy feature), OR
* When the ASA is configured to join an Active Directory domain using the 'kcd-server' command.
When the ASA is acting as a server (or listener) it is not vulnerable. However, since there are no tools available for testing when we are a client, we have to assume that we could be vulnerable. The ASA must be acting as a client, connecting to a server with the SSL vulnerability and the MITM attacker must be on the network between the ASA and the server.
Note that "WebVPN" and "SSLVPN" are synonymous.
Workaround: CVE-2014-0195: This vulnerability impacts only DTLS connectivity on 9.2.1 and later
1. Disable DTLS connectivity to the ASA by changing all of the WebVPN-enabled interfaces to include 'tls-only'.
asa(config)# webvpn
asa(config-webvpn)# enable outside tls-only
INFO: WebVPN is enabled on 'outside', DTLS is disabled on 'outside'.
CVE-2014-0224: This defect impacts SSL connectivity in certain circumstances.
1. Disable SSLVPN clientless connectivity by removing all 'vpn-tunnel-protocol' commands with 'ssl-clientless' from your group-policies.
asa(config)# group-policy my_policy attributes
asa(config-group-policy)# no vpn-tunnel-protocol ssl-clientless
asa(config-group-policy)# show run group-policy
group-policy my_policy internal
group-policy my_policy attributes
vpn-tunnel-protocol ssl-client
2. Disable TLS-proxy by removing any 'tls-proxy' commands and associated 'policy-map' commands. For instance, if you had an incoming and outgoing proxy, like:
tls-proxy my_proxy_out
server trust-point foreign_trust
client trust-point local_trust
client cipher-suite 3des-sha1 null-sha1 aes128-sha1 aes256-sha1 rc4-sha1
!
tls-proxy my_proxy_in
server trust-point local_trust
client trust-point foreign_trust
client ciphe |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 8.0, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2(1) |
|
Known Fixed Releases: | 100.11(0.18), 100.11(0.21), 100.11(5.25), 100.11(5.28), 100.11(6.1), 100.12(10.4), 100.12(12.1), 100.12(13.6), 100.12(15.2), 100.12(2.10) |
|
|
| |
| |
Bug Id: | CSCtr38262 |
Title: | ASA traceback in Thread Name: logger_save with logging flash-bufferwrap |
|
Description: | Symptom: ASA unexpectedly reboots. After that a show crashinfo shows a traceback in Thread Name: logger_save
Conditions: When "logging flash-bufferwrap" is configured. This is similar to what was already reported in CSCtd29482.
Workaround: Disable "logging flash-bufferwrap" |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 8.3(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuo26918 |
Title: | ASA traceback in Thread Name: IKE Receiver due to 'Address not mapped' |
|
Description: | Symptom: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.
Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2014-3383 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be fou |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 9.1(5) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuq47574 |
Title: | Cisco ASA VNMC Input Validation Vulnerability |
|
Description: | Symptom: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.
Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/6.2: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:M/C:C/I:C/A:C/E:F/RL:OF/RC:C CVE ID CVE-2014-3390 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be fou |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 24-JUN-2015 |
|
Known Affected Releases: | 8.7(1.12) |
|
Known Fixed Releases: | 8.7(1.14) |
|
|
| |
| |
Bug Id: | CSCuu77680 |
Title: | ASA traceback in Thread: Uauth_Proxy, assert in "hash_table_simple.c" |
|
Description: | Symptom: ASA crash on thread name Uauth_Proxy
Conditions: Running 9.1.6 and AuthProxy is enabled
Workaround: There is no known workaround
Further Problem Description: Enable corefile to collect more information.
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 9.1(6) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu18989 |
Title: | ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit |
|
Description: | Symptom: It was noticed that when the maximum number of simultaneous connection limit is set, ASA might drop the connection with the error message ' %ASA-3-201011: Connection limit exceeded' even when it is clearly not close to hitting the maximum limit specified.
Conditions: ASA 5585 running 9.4(1) version code
Workaround: none
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 9.4(1), 9.5(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuv01177 |
Title: | ASA: traceback in IDFW AD agent |
|
Description: | Symptom: ASA5585 in failover pair may traceback in IDFW process.
Conditions: ASA running IDFW features.
Workaround: Disable IDFW.
Further Problem Description: |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 9.2(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCug33233 |
Title: | Cisco ASA Management Connections Denial of Service |
|
Description: | Symptoms: ASA becomes unresponsive to management connection. This includes management over SSH, Telnet and HTTP(S)
Conditions: This is seen when management traffic is allowed on more than one interface (e.g. inside and outside) and, on one of these interfaces, management connections are allowed via a VPN tunnel.
Workaround: none
Further Problem Description: A vulnerability in the code of the function that creates management flows in Cisco ASA Software could allow an unauthenticated, remote attacker to cause the affected system to become unresponsive to management session requests over SSH, Telnet and HTTP(S).
The vulnerability is due to a memory leak when the management flow is created. An attacker could exploit this vulnerability by creating several management session requests.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C CVE ID CVE-2013-6707 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6707
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 9.0(2), 9.1(1) |
|
Known Fixed Releases: | 100.10(0.9), 100.10(1.10), 100.8(27.89), 100.8(38.30), 100.8(40.20), 100.8(41.2), 100.8(60.37), 100.9(10.4), 100.9(6.35), 9.0(3.100) |
|
|
| |
| |
Bug Id: | CSCug64098 |
Title: | ASA 9.1.1-7 traceback with Checkheaps thread |
|
Description: | Symptom: ASA would crash on anyconnect connection establishment
CHECKHEAPS HAS DETECTED A MEMORY CORRUPTION
Reason: Allocated buffer corrupted core0: An internal error occurred. Specifically, a programming assertion was violated. assertion "0" failed: file "malloc.c", line 3063
Conditions: Anyconnect connection establishment to the box
Workaround: None.
More Info:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 9.1(1.7) |
|
Known Fixed Releases: | 100.10(0.6), 100.8(27.84), 100.8(38.20), 100.8(40.9), 100.8(41.2), 100.8(60.24), 100.9(0.52), 100.9(10.1), 100.9(6.28), 100.9(7.32) |
|
|
| |
| |
Bug Id: | CSCuu77207 |
Title: | ASA - URL filter - crash on thread name uauth_urlb clean |
|
Description: | Symptom: ASAs running URL filtering (Websense) and traffic redirection to the SFr module may experience a crash on the thread name uauth_urlb clean process.
Conditions:
- Seen on 9.4.1 ASA code
- URL filtering configured and being used
- Higher amounts of traffic (500+ Mbps)
- Traffic redirection to the SFr module
Workaround: Possible temporary workarounds:
- Disable the traffic redirection to the SFr module
- Disable URL filtering (Websense)
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCug51375 |
Title: | ASA SSL: Continues to accept SSLv3 during TLSv1 only mode |
|
Description: | Symptom: ASA negotiates connections over SSLv3 in spite of being configured to negotiate TLSv1.
ASA(config)# sh run ssl
ssl server-version tlsv1-only
Conditions: Cisco ASA running release 8.2 and later.
If the 'ssl server-version' or 'ssl client-version' value is modified after boot, the changes may not be applied properly. This could lead to the default of SSLv3 being enabled.
Workaround: There is no workaround.
More Info: Upgrade to one of the Known Fixed Releases:
* 8.2.5.55 or later
* 8.4.7.26 or later
* 8.5.1.23 or later
* 8.6.1.16 or later
* 8.7.1.15 or later
* 9.0.4.26 or later
* 9.1.5.21 or later
* 9.2.3 or later
* 9.3.1.1 or later
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 9.1(1.105) |
|
Known Fixed Releases: | 100.10(0.6), 100.11(0.52), 100.12(0.79), 100.12(23.2), 100.12(30.8), 100.12(6.23), 100.13(0.11), 100.13(1.2), 100.13(11.18), 100.13(12.41) |
|
|
| |
| |
Bug Id: | CSCtn56501 |
Title: | ASA may generate crypto archive with IPSec Ring timeout crash type |
|
Description: | Symptom: Crashes seen on ASA crypto engine:
Syslog messages 402125-402127 indicating crypto chip crash and soft-reset, on multiple occasions, which leads to a situation where:
1. Packets that should be serviced by the crypto engine [SSH, IPSec] are dropped
2. Crypto Archive files are generated:
#show flash:/crypto_archive
1 590756 Oct 11 2012 19:06:28 crypto_archive/crypto_eng0_arch_1.bin
2 590756 Oct 11 2012 19:07:04 crypto_archive/crypto_eng0_arch_2.bin
3. Syslog such as:
ASA-4-402125 CRYPTO: The ASA hardware accelerator Ipsec ring timed out (Desc= 0xC83DC7D8, CtrlStat= 0xB000, ResultP= 0xC5AEE8B0, ResultVal= 11, Cmd= 0x30, CmdSize= 0, Param= 0x0, Dlen=232, DataP= 0xC5AEE7D4, CtxtP= 0xC635A570, SWReset= 7)
ASA-4-402126 CRYPTO: The ASA created Crypto Archive File < disk0:/crypto_archive/crypto_eng0_arch_1.bin > as a Soft Reset was necessary. Please forward this archived information to Cisco.
Conditions: ASA with Crypto Services enabled [IPSec, SSH]
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 8.2, 8.2(5) |
|
Known Fixed Releases: | 100.7(13.43), 100.7(14.36), 100.7(17.7), 100.7(18.4), 100.7(6.51), 100.8(0.40), 100.8(11.4), 100.8(15.17), 100.8(19.35), 100.8(2.30) |
|
|
| |
| |
Bug Id: | CSCuu91304 |
Title: | Immediate FIN from client after GET breaks scansafe connection |
|
Description: | Symptom: Connections through the ASA to a scansafe tower may fail if the client sends a FIN packet immediately following a GET packet. This hangs the TCP connection and causes the transaction to fail.
Conditions: This is seen if the CLIENT sends a TCP FIN packet before any data comes back from the TOWER.
Workaround: None at this time
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 9.1(5.21) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtz98516 |
Title: | Observed Traceback in SNMP while querying GET BULK for 'xlate count' |
|
Description: | Symptom: An ASA firewall may crash when being polled by SNMP in rare circumstances.
Conditions: This has been seen primarily in the 8.4.x ASA code train. The first fix is in ASA interim code 8.4.4.2. To trigger the bug, the ASA must be queried via SNMP with a GETBULK for the xlate OID:
1.3.6.1.4.1.9.10.77.1.2.1
Workaround: Stop polling the ASA firewall via SNMP until an upgrade to the fixed code can be performed, or modify the OIDs being polled by your SNMP monitoring station so that they do not include the affected OIDs. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 100.7(22.1) |
|
Known Fixed Releases: | 100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(28.2), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5) |
|
|
| |
| |
Bug Id: | CSCur23709 |
Title: | ASA : evaluation of SSLv3 POODLE vulnerability |
|
Description: | Symptom: The Cisco ASA (Adaptive Security Appliance) includes a version of OpenSSL that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3566
Conditions: The default SSL configuration on all ASA software trains enables SSLv3. Due to bug CSCug51375, the ASA is unable to disable SSLv3 on most ASA versions.
To see the SSL configuration:
show run all ssl
Default configuration of the ASA:
ssl client-version any
ssl server-version any
The following non-default configuration values also enable SSLv3:
ssl client-version sslv3-only
ssl client-version sslv3
ssl server-version sslv3-only
ssl server-version sslv3
Some of the previously listed options are not available on older ASA software releases.
Workaround: There are no workarounds.
Further Problem Description: This bug is for SSL server-side and is fixed in the following (and later) posted ASA releases:
9.3.1.1, 9.2.3, 9.1.5.21, 9.0.4.26, 8.4.7.26, 8.2.5.55
It will also be available in the April 2015 timeframe on the following ASA software releases:
8.3.2.43, 8.5.1.23, 8.6.1.16, 8.7.1.15
For the client-side (Clientless Smart Tunnel Component), please check CSCur42776.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 8.2(1), 8.3(1), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.0(1), 9.1(1), 99.1 |
|
Known Fixed Releases: | 100.11(0.52), 100.12(0.79), 100.12(23.2), 100.12(30.8), 100.12(6.23), 100.13(0.11), 100.13(1.2), 100.13(1.3), 100.13(11.18), 100.13(11.23) |
|
|
| |
| |
Bug Id: | CSCuj88114 |
Title: | WebVPN Java rewriter issue: Java Plugins fail after upgrade to Java 7u45 |
|
Description: | Symptom: ASA WebVPN Java Plugins fail to load after upgrade to Java 7 Update 45 with the following General Exception error - 'com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: https:///+CSCO+xxxxxxxxxxxxxxxxxxxxxxx++/vnc/VncViewer.jar'
Conditions: Windows or Mac OSX machines using Java 7 Update 45. Also affects JRE build 1.6.0.51 and 65.
Workaround: 1) Disable the option 'Keep temporary files on my computer' on the Java Control Panel -> General -> Settings. This works for both Mac OSX and Windows.
2) Downgrade Java to version 7 Update 40 or below.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 8.4, 8.4(2), 8.4(5), 9.1, 9.1(2), 9.1(3) |
|
Known Fixed Releases: | 100.10(0.38), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.125), 100.8(38.63), 100.8(40.41), 100.8(45.8), 100.8(46.28) |
|
|
| |
| |
Bug Id: | CSCut49111 |
Title: | ASA traceback because of TD tcp-intercept feature |
|
Description: | Symptom: Multiple crashes have been observed on an ASA with threat-detection statistics tcp-intercept enabled.
Conditions: When threat-detection statistics tcp-intercept is enabled.
Workaround: Disabling threat detection (TD) for tcp-intercept statistics stops the crash.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 9.3(1) |
|
Known Fixed Releases: | 100.11(0.58), 100.12(0.125), 100.13(0.73), 100.13(21.13), 100.14(0.12), 100.14(10.17), 100.14(5.15), 100.14(6.27), 100.14(7.26), 100.15(0.10) |
|
|
| |
| |
Bug Id: | CSCus08101 |
Title: | ASA: evaluation of Poodle Bites in TLSv1 |
|
Description: | Symptom: Cisco ASA includes a version of TLS that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-8730
This vulnerability is hardware dependent. ANY Cisco ASA Software releases running for Cisco ASAv and Cisco ASA1000v ARE NOT affected by this vulnerability. ALL Cisco ASA Software releases running on Cisco ASA 5500 and 5500-X Series and Cisco ASA Service Module ARE affected by this issue.
The first fixed ASA software releases for this vulnerability are as follows:
8.2 train: 8.2.5.55
8.4 train: 8.4.7.26
9.0 train: 9.0.4.29
9.1 train: 9.1.6
9.2 train: 9.2.3.3
9.3 train: 9.3.2.2
Conditions: The Cisco ASA Software is affected by this vulnerability if a feature which uses TLS is enabled. The exposure is confined to that feature only. Examples of features using TLS are the HTTP Secure server for management, Clientless and AnyConnect SSL VPN, TLS Proxy, Phone Proxy, etc.
Workaround: There is no workaround that mitigates this issue.
More Info: Additional details about the vulnerability listed above can be found at http://cve.mitre.org/cve/cve.html
Cisco has published the following Security Notice and IntelliShield Alert:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8730
http://tools.cisco.com/security/center/viewAlert.x?alertId=36740
The Sourcefire Snort SID for this vulnerability is: 32758
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C CVE ID CVE-2014-8730 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8730
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 25-JUN-2015 |
|
Known Affected Releases: | 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 9.0, 9.1, 9.2 |
|
Known Fixed Releases: | 100.11(0.55), 100.12(0.110), 100.13(0.15), 100.13(1.34), 100.13(1.37), 100.13(19.9), 100.13(20.5), 100.13(21.5), 100.13(23.3), 100.13(24.3) |
|
|
| |
| |
Bug Id: | CSCui60514 |
Title: | ASA 5585 SSP-IPS 9.x Gig interfaces do not come up after module reset |
|
Description: | Symptom: On an ASA 5585 with IPS-SSP, after the module is reset and is done booting, the GigabitEthernet interfaces on the module still show as down/down in the ASA.
Conditions: 5585 with IPS SSP, running 9.x; only GigabitEthernet interfaces are affected.
Workaround: Issue "no shutdown" under the interface, OR reload the ASA.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 9.0, 9.0(0.2), 9.1, 9.1(2) |
|
Known Fixed Releases: | 100.10(0.12), 100.10(1.10), 100.10(2.1), 100.7(6.131), 100.8(27.91), 100.8(38.32), 100.8(40.21), 100.8(41.2), 100.8(45.1), 100.8(46.1) |
|
|
| |
| |
Bug Id: | CSCus06652 |
Title: | ASA5580-20 8.4.7.23: Traceback in Thread Name: ssh |
|
Description: | Symptom: Both Active and Standby ASA units traceback in Thread Name: ssh when adding an extended ACL.
Conditions: This was found on an Active/Standby pair of ASA5580-20 running v8.4(7)23.
Workaround: Make sure that a class configured to match an ACL has at least one element in it.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 8.4(7.23), 9.1(5.19) |
|
Known Fixed Releases: | 100.11(0.55), 100.12(0.111), 100.13(0.15), 100.13(1.35), 100.13(19.9), 100.13(20.5), 100.13(21.5), 100.13(23.4), 100.13(24.3), 100.7(6.138) |
|
|
| |
| |
Bug Id: | CSCuu28909 |
Title: | ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel |
|
Description: | Symptom: In an ASA cluster we may see a packet loop on the cluster control link. The loop is formed when an ICMP error packet should be going via a site-to-site VPN tunnel. Such a packet may go into a loop and cause elevated CPU utilization on the ASA.
Conditions: ASA cluster; site-to-site VPN tunnel configured; ICMP error packets destined to the VPN tunnel.
Workaround: Deny ICMP errors using an access-list on the data interfaces.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 9.1(6.1), 9.4(1) |
|
Known Fixed Releases: | 100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9) |
|
|
| |
| |
Bug Id: | CSCub94479 |
Title: | %ASA-3-210007: LU allocate xlate failed on Standby unit |
|
Description: | Symptom: An ASA running 8.4.3 produces the "%ASA-3-210007: LU allocate xlate failed" error message on the Standby unit even though there is enough free memory.
Conditions: unknown
Workaround: Fixes: The root cause of this bug is an issue in NAT rule order processing; it requires the fixes for CSCtt11890 and CSCub59136, which are available from 8.4.5 onwards. Customers are recommended to upgrade accordingly.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 8.4(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu31751 |
Title: | ASA OSPF database not reflect changes |
|
Description: | Symptom: Shutting down an interface on R#3 is not reflected in the routing table on R#1, because the ASA OSPF database does not reflect the change, although the routing table on the ASA itself is updated correctly. The same issue is seen only in 9.2 or 9.3, not in 9.1.
R#1 <--ospf area 2--> ASA <--ospf area 0--> R#3
sh route ospf
O    10.20.20.0 255.255.255.0 [110/11] via 192.168.1.97, 00:32:33, backbone
ASA# sh ospf database 10.30.30.0
                Summary Net Link States (Area 1)
Link ID         ADV Router      Age         Seq#       Checksum
10.30.30.0      1.1.1.1         1939        0x80000001 0xa245
                Summary Net Link States (Area 2)
Link ID         ADV Router      Age         Seq#       Checksum
10.30.30.0      1.1.1.1         1939        0x80000001 0xa245
R1#sh ip route 10.30.30.0
Routing entry for 10.30.30.0/24
  Known via "ospf 10", distance 110, metric 12, type inter area
  Last update from 192.168.1.50 on GigabitEthernet0/0/0, 00:29:13 ago
  Routing Descriptor Blocks:
  * 192.168.1.50, from 1.1.1.1, 00:29:13 ago, via GigabitEthernet0/0/0
      Route metric is 12, traffic share count is 1
Conditions: Only seen on 9.2.x or 9.3.x (tested on 9.2(3), 9.2(3)4 and 9.3(3)); it works fine on 9.1 (tested 9.1(5)21 and 9.1(6)1).
Workaround: clear ospf x process
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 108.2(0.7) |
|
Known Fixed Releases: | 100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9) |
|
|
| |
| |
Bug Id: | CSCur64659 |
Title: | ASA Traceback in Thread Name: DATAPATH-6-2544 |
|
Description: | Symptom: ASA Traceback in Thread Name: DATAPATH-6-2544
Conditions: ASA 5585
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 8.4(7.23), 9.1(5.19) |
|
Known Fixed Releases: | 100.11(0.54), 100.12(0.98), 100.12(23.4), 100.12(24.3), 100.13(0.11), 100.13(1.5), 100.13(11.19), 100.13(12.41), 100.13(16.18), 100.13(18.7) |
|
|
| |
| |
Bug Id: | CSCuu73716 |
Title: | Traceback in Thread CP Processing |
|
Description: | Symptom: ASA crashes in thread name CP Processing.
Conditions: ASA5585-SSP-60 running version 932-smp-k8.bin
Workaround: None at this time.
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur40249 |
Title: | L2L Test w/ DFP, SFR and debug SFR results in ASA becoming unresponsive |
|
Description: | Symptom: An ASA Firewall may exhibit elevated CPU utilization under very low traffic rates.
'show process cpu-usage non-zero' shows that most of the CPU usage is in the datapath, as shown here:
uut19-5512# show processes cpu-usage non-zero
PC                 Thread             5Sec    1Min    5Min    Process
0x00000000019649eb 0x00007fffee11d560 0.0%    0.2%    0.3%    ssh
-                  -                  95.4%   34.9%   38.5%   DATAPATH-0-1451
Also, 'cpu hog granular-detection 1000 1' and 'show process cpu-hog' contain output similar to this:
Process: DATAPATH-0-1451, PROC_PC_TOTAL: 52, MAXHOG: 9284, LASTHOG: 2584
LASTHOG At: 23:41:21 UTC Apr 6 2015
PC: 0x0000000000000000 (suspend)
Process: DATAPATH-0-1451, NUMHOG: 51, MAXHOG: 9284, LASTHOG: 2584
LASTHOG At: 23:41:21 UTC Apr 6 2015
PC: 0x0000000000000000 (suspend)
Call stack: 0x00000000004381fa 0x000000000071cc3d 0x000000000171170d 0x000000000171aaac 0x000000371c808201
Interrupt based hog entry #1
Hog #1, traceback #1, at: 23:40:28 UTC Apr 6 2015, hog 9 ms
PC: 0x000000371c47a9b4
Call stack:
Hog #1, traceback #2, at: 23:40:28 UTC Apr 6 2015, hog 19 ms
PC: 0x000000371c47a9b0
Call stack:
Note there is no Call stack in the "Interrupt based hog entry", and the PC is in the 0x0000003700000000 range.
Conditions: Threat-detection is enabled, or memory delayed-free-poisoner is enabled.
This issue affects 9.3.2.x code versions only. 9.3.3 contains the fix for this issue.
Workaround: Disable threat detection (it is enabled by default). This can be done by issuing the following commands in global configuration:
no threat-detection basic-threat
no threat-detection statistics
Also make sure the delayed-free-poisoner is not enabled (it is not enabled by default and should be enabled only under TAC supervision):
no memory delayed-free-poisoner enable
More Info:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 100.10(6.10), 100.12(0.77) |
|
Known Fixed Releases: | 100.12(0.104), 100.13(0.12), 100.13(1.19), 100.13(16.25), 100.13(19.7), 100.13(20.3), 100.13(21.3), 100.13(23.1), 9.3(2.99), 9.3(3) |
|
|
| |
| |
Bug Id: | CSCuu78835 |
Title: | Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5 |
|
Description: | Symptom: On the latest Atlassian Confluence version, 6.4.5, the following issues are seen when using it over clientless SSL VPN:
1. On a new "create content" page, only the title of the page can be added; the body of the page is not editable.
2. When trying to add a comment, the body of the comment is missing, so nothing can be added.
Conditions: Using Atlassian version 6.4.5 for Confluence
Workaround: Use the older versions of Atlassian
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 9.2(2), 9.3(2), 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtu32847 |
Title: | ASA 8.4(2.1) high memory and traceback in aaa_shim_thread |
|
Description: | Symptom: An ASA 5540 running version 8.4(2.1) experienced high memory utilization, which eventually crashed the ASA in thread aaa_shim_thread. A loss of AnyConnect, ASDM and SSH sessions accompanied the high memory utilization.
Conditions: None
Workaround: None |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 100.8(0.100), 8.4(2.1), 8.4(3) |
|
Known Fixed Releases: | 100.7(13.70), 100.7(21.4), 100.7(6.74), 100.8(0.113), 100.8(11.17), 100.8(27.2), 100.8(33.2), 100.9(0.1), 100.9(2.1), 8.4(4.2) |
|
|
| |
| |
Bug Id: | CSCuj54806 |
Title: | ICMP inspection closes TCP conns with "Flow closed by inspection" |
|
Description: | Symptom: This DDTS is a Duplicate of CSCui77398
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 8.4(7), 9.0(3.2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCum80899 |
Title: | ASA: Watchdog traceback in Unicorn Admin Handler with TopN host stats |
|
Description: | Symptom: Under rare circumstances, an ASA may generate a traceback and reload in the Unicorn Admin Handler thread.
Conditions: This issue occurs when using ASDM to view TopN host statistics on the ASA.
Workaround: There is no known workaround at this time.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 8.4(4.1) |
|
Known Fixed Releases: | 100.10(0.87), 100.10(2.13), 100.10(6.16), 100.10(7.3), 100.11(0.6), 100.11(5.1), 100.7(6.130), 100.8(40.68), 100.8(56.48), 100.8(64.14) |
|
|
| |
| |
Bug Id: | CSCuu10284 |
Title: | ASA Dataplane captures dont capture packets when using match/access-list |
|
Description: | Symptom: ASA dataplane captures don't show any packet captured even though the condition matches the flow.
Conditions: ASA dataplane captures applied with a match or access-list command
Workaround: use the dataplane captures without the match/access-list command
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.4(1) |
|
Known Fixed Releases: | 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.20), 100.14(10.23), 100.14(5.16), 100.14(7.32), 100.15(0.12), 100.15(1.10), 100.15(2.36) |
|
|
| |
| |
Bug Id: | CSCuu84697 |
Title: | ASA Traceback in Thread Name ssh/client |
|
Description: | Symptom: ASA Traceback in Thread Name: ssh/client
Conditions: N/A
Workaround: No workaround
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 9.1(6), 9.1(6.1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuq10239 |
Title: | Windows 8 with new JRE, IE is not gaining access to smart tunnel |
|
Description: | Symptom: IE on Windows 8 with Java start does not gain access to smart tunnel.
Conditions: The user starts smart tunnel with Java, and UAC is turned on.
Workaround: Turn UAC off, or use ActiveX to start smart tunnel.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 8.4(7) |
|
Known Fixed Releases: | 100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.24), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15) |
|
|
| |
| |
Bug Id: | CSCsl77134 |
Title: | Traceback in thread name Dispatch unit related to failover |
|
Description: | Symptom:
When configured for failover and under unusual circumstances, the ASA may experience a crash in "Dispatch Unit" thread.
Conditions:
Failover is enabled.
Workaround:
This crash appears to only affect the active ASA in a failover pair. When the crash occurs, the standby ASA is able to take over and continue passing traffic. |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 26-JUN-2015 |
|
Known Affected Releases: | 8.0(2.19) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCua35666 |
Title: | ASA: traceback in Thread Name: IPsec message handler,Syslog 602305. |
|
Description: | Symptom: An ASA running 8.4.4 reloads in thread name IPsec message handler.
Conditions: This crash is related to IPSEC VPN and new 8.4.4 syslog 602305.
Workaround: Disable syslog message 602305.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 27-JUN-2015 |
|
Known Affected Releases: | 8.4(0.4), 8.4(4) |
|
Known Fixed Releases: | 100.7(6.84), 100.8(34.1), 8.4(4.2), 8.4(4.99), 8.4(5) |
|
|
| |
| |
Bug Id: | CSCuv04732 |
Title: | 5505 QoS priority not work w/ shaping |
|
Description: | Symptom: On the 5505, QoS priority does not work with shaping.
Conditions: 5505 QoS configuration of shaping with a priority queue.
Workaround: Use policing with priority.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 27-JUN-2015 |
|
Known Affected Releases: | 9.1(2), 9.1(3), 9.2(3.4) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu89777 |
Title: | ASA: Traceback in Thread Name: IP Thread |
|
Description: | Symptom: ASA device traceback with Thread Name: IP Thread
Conditions: Applying captures on the ASA device
Workaround: Do not apply captures on the ASA device
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 27-JUN-2015 |
|
Known Affected Releases: | 9.2(3.4) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuv05386 |
Title: | Clientless webvpn on ASA does not display asmx files |
|
Description: | Symptom: A clientless user selects a bookmark from the web portal. The page does not display correctly; a portion of the page is garbled or is missing text.
Conditions: The clientless user authenticates to the web portal, then selects a bookmark that points to an internal HTTP site. The user sees garbled or incomplete text returned from the ASA.
Workaround: Smart Tunnel resolves the issue. Using the standalone AC client also resolves the issue.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 27-JUN-2015 |
|
Known Affected Releases: | 9.1(6) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCud17993 |
Title: | ASA-Traceback in Dispatch unit due to dcerpc inspection |
|
Description: | Symptom: ASA Traceback in Dispatch unit due to DCERPC inspection.
Conditions: upgrading the firewall from 8.4.3.9 to 8.4.4.5
Workaround: Downgrade to version 8.4.3.9. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 27-JUN-2015 |
|
Known Affected Releases: | 8.4(4.5), 8.4(4.9), 8.4(5) |
|
Known Fixed Releases: | 100.7(13.109), 100.7(6.105), 100.8(27.30), 100.8(38.4), 100.8(50.12), 100.9(0.20), 100.9(4.1), 100.9(9.1), 8.4(5.5), 8.4(5.99) |
|
|
| |
| |
Bug Id: | CSCuq09709 |
Title: | Using ASA 9.2.1, Anyconnect weblaunch fails with URL-list in DAP |
|
Description: | Symptom: When attempting to connect to the ASA using web launch user receives the error:
"The VPN configuration received from the secure gateway is invalid."
Conditions: When launching Anyconnect through the web portal, with a DAP policy assigned which does not contain a user-message
Workaround: Use the desktop client to connect
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 27-JUN-2015 |
|
Known Affected Releases: | 9.2(1) |
|
Known Fixed Releases: | 100.11(0.41), 100.12(0.29), 100.12(10.17), 100.12(15.7), 100.12(21.1), 100.12(6.1), 100.12(9.9), 9.2(2.5), 9.3(1.99), 9.3(2) |
|
|
| |
| |
Bug Id: | CSCsy71401 |
Title: | Traceback when editing object-group |
|
Description: | Symptom:
The ASA will crash if changes are made to an object group. The crash thread will be whatever process was used for connecting to the ASA (ssh, telnet, ci console, etc).
The crash dump will indicate that CPU and Memory were at 99% utilization.
Conditions:
Object groups must be used by the ASA in the ACL.
Workaround:
None. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 28-JUN-2015 |
|
Known Affected Releases: | 7.2(4.17), 8.0(4) |
|
Known Fixed Releases: | 100.3(0.2), 100.4(0.2), 7.2(4.34), 8.0(4.33), 8.0(5), 8.1(2.24), 8.2(1.2), 8.2(4) |
|
|
| |
| |
Bug Id: | CSCuh13899 |
Title: | ASA protocol inspection connection table fill up DOS Vulnerability |
|
Description: | Symptom: Some connections may not be removed even after reaching the idle timeout.
Conditions: Non-inspected flows and flows inspected in the CP will be affected. Flows which are inspected in the DP, such as icmp, icmp-error, simple-dns (udp), simple-http, ip-thru, waas, srtp, ip-options and ipv6, are not affected.
Workaround: 1. Clear the connection using the command "clear conn". 2. Disable the specific protocol inspection where possible and open higher port ranges in the ACL.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C CVE ID CVE-2013-3463 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3463
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 28-JUN-2015 |
|
Known Affected Releases: | 8.3(2), 8.4(5.7), 8.4(6), 9.0(2.3), 9.1(1.5), 9.1(2.1) |
|
Known Fixed Releases: | 100.10(0.6), 100.7(13.118), 100.7(6.121), 100.8(27.85), 100.8(38.28), 100.8(40.16), 100.8(41.2), 100.8(60.34), 100.9(10.4), 100.9(6.32) |
|
|
| |
| |
Bug Id: | CSCur77736 |
Title: | ASA : 256 Byte Block Depletion with CoA enabled |
|
Description: | Symptom: ASA 256 byte blocks get depleted every few hours, affecting failover, VPN, SSH and ASDM.
Conditions: CoA enabled on the ASA.
Workaround: Disable CoA on the ASA
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 28-JUN-2015 |
|
Known Affected Releases: | 9.2(2.8) |
|
Known Fixed Releases: | 100.11(0.54), 100.12(0.104), 100.13(0.12), 100.13(1.15), 100.13(16.23), 100.13(19.6), 100.13(20.3), 100.13(21.3), 100.13(23.1), 9.2(2.105) |
|
|
| |
| |
Bug Id: | CSCuu88437 |
Title: | ASA5506-X:copy file operations fail with jumbo-frame-reservation config |
|
Description: | Symptom: Copy file operations fail with an error when running these images (9.4.1.1, 9.4.1.2) on an ASA-5506-X when the config is enabled for "jumbo-frame reservation". The error displayed is as below:
"Error writing disk0:/ (Cannot allocate memory)"
It doesn't matter what file you operate on, an ASDM or an LFBFF image, or whether you are copying via ftp/tftp to disk0 or just simply copying a file from disk0://file to disk0://file1. I used the asdm-732.bin image for this operation: "copy disk0:/asdm-732.bin disk0:/asdm1", which errors out with the above error.
Conditions: Copy file operations to disk0 on an ASA5506-X.
Workaround: Remove the "jumbo-frame reservation" CLI config and reboot; copy operations then succeed. Re-enable the CLI after copy operations are complete.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 28-JUN-2015 |
|
Known Affected Releases: | 100.14(0.47) |
|
Known Fixed Releases: | 100.13(0.81), 100.14(0.48), 100.14(0.49), 100.15(1.22), 100.15(2.53), 99.1(2.177) |
|
|
| |
| |
Bug Id: | CSCuu63656 |
Title: | ASA not generating PIM register packet for directly connected sources |
|
Description: | Symptom: Topology:
Sender ---> ASA(DR) ----> RP -----> Receiver
Running 9.2.1 or later on the ASA, with the Sender directly connected to the ASA (DR): the Sender is behind the ASA and the RP is in front of the ASA. The ASA does not send a PIM Register packet to the RP.
Conditions: running 9.2.1 or later
Workaround: downgrade to code 9.1.5
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.2(1), 9.3(2), 9.4 |
|
Known Fixed Releases: | 100.12(0.130), 100.13(0.80), 100.14(0.45), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12) |
|
|
| |
| |
Bug Id: | CSCuu45812 |
Title: | asa Traceback with Thread Name idfw_proc |
|
Description: | Symptom: asa Traceback with Thread Name idfw_proc
Conditions:
Workaround: no workaround available currently
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.1(6) |
|
Known Fixed Releases: | 100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54), 100.15(3.8) |
|
|
| |
| |
Bug Id: | CSCus27650 |
Title: | TLS Proxy + Cut Through proxy not working correctly with TLS1.2 |
|
Description: | Symptom: Cut Through Proxy and TLS Proxy may fail to function when using TLS1.2.
Conditions:
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 100.13(1.32), 9.3(2) |
|
Known Fixed Releases: | 100.12(0.130), 100.13(0.80), 100.14(0.43), 100.14(5.20), 100.14(7.40), 100.15(0.16), 100.15(1.20), 100.15(2.53), 100.15(3.8), 100.15(4.12) |
|
|
| |
| |
Bug Id: | CSCur99653 |
Title: | Codenomicon HTTP-server suite may cause crash |
|
Description: | Symptom: Codenomicon HTTP-server suite may cause crash
Conditions: Codenomicon server testing
Workaround: none
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 100.12(0.108), 100.13(1.10), 9.3(1.113) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu27334 |
Title: | ASA: Traceback with Thread Name - AAA |
|
Description: | Symptom: ASA device traceback with Thread Name: AAA
Conditions: ASA device running ASA 9.1(4) version
Workaround: Upgrade to 9.1.6.4 or later.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.1(4) |
|
Known Fixed Releases: | 100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.18), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53), 100.15(3.8) |
|
|
| |
| |
Bug Id: | CSCut71095 |
Title: | ASA WebVPN clientless cookie authentication bypass |
|
Description: | Symptom: In some instances, the ASA WebVPN clientless session ID is included in the URL. Session IDs should only be stored in cookies and transmitted over secure channels.
Conditions: -- WebVPN
Workaround: none
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.1, 9.4(1) |
|
Known Fixed Releases: | 100.12(0.130), 100.13(0.80), 100.14(0.44), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12) |
|
|
| |
| |
Bug Id: | CSCuu56912 |
Title: | ASA change non-default port to 443 for https traffic redirected to CWS |
|
Description: | Symptom: The ASA changes a non-default port to 443 for HTTPS traffic redirected to CWS.
When the user types the URL https://X.X.X.X:YYYY in a web browser, 'debug scansafe' generates:
...
Complete Connect Method (513)
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443
...
For traffic captured on the outside interface towards the CWS tower, the Wireshark 'Follow TCP Stream' view displays:
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443
Conditions: The ASA is configured to redirect a non-default port for HTTPS traffic to CWS.
Workaround: NONE
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.0, 9.1, 9.4 |
|
Known Fixed Releases: | 100.12(0.129), 100.13(0.79), 100.14(0.39), 100.14(5.19), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8), 100.15(4.12), 100.15(5.15) |
|
|
| |
| |
Bug Id: | CSCuu36639 |
Title: | ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout |
|
Description: | Symptom: Intermittently, ESP packets are dropped on the ASA due to Crypto Accelerator issues.
The Crypto hardware accelerator on the ASA crashes with the message:
%ASA-4-402125: CRYPTO: The ASA Crypto hardware accelerator IPsec ring timed out
There is traffic loss over the tunnel when the crash happens, and the message below is also seen:
%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Unknown Error, code= 0x7F) while executing the command Process IPSec Inbound Packet (0x30)
Conditions: ASA 5506-X acting as IKEv1 or IKEv2 IPSec Termination point such as L2L VPN end-point.
Workaround: NA
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.3(2.2), 9.3(3), 9.4(1) |
|
Known Fixed Releases: | 100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12) |
|
|
| |
| |
Bug Id: | CSCtu39738 |
Title: | ASA 5585 reloads with traceback in Thread Name: NIC status poll |
|
Description: | Symptom:
ASA 5585 may go into a boot loop with traceback in Thread Name: NIC status poll
Before the box enters the traceback you will see several messages on the console that look like this:
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_4_0_startup_cfg .sav'
*** Output from config line 4, "ASA Version 8.2(4) "
.....Failed to change interface status: cannot get channel
*** Output from config line 442, "interface GigabitEtherne..."
Failed to change interface status: cannot get channel
*** Output from config line 443, " shutdown"
Failed to change interface status: cannot get channel
*** Output from config line 448, "interface GigabitEtherne..."
Failed to change interface status: cannot get channel
*** Output from config line 449, " shutdown"
.Failed to change interface status: cannot get channel
*** Output from config line 454, "interface GigabitEtherne..."
Failed to change interface status: cannot get channel
*** Output from config line 455, " shutdown"
Failed to change interface status: cannot get channel
Conditions:
ASA 5585 only, running 8.4.2 with an IPS SSP installed in slot 1.
Workaround:
Remove the IPS SSP from the chassis and the boot loop should end. The trigger for this behavior is related to using the switch on the PSU to power cycle the box: if you have an IPS blade in the chassis and you power cycle the 5585 via the PSU switch, you may see this behavior.
Call TAC to get your IPS SSP replaced.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 8.4(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu67411 |
Title: | Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg |
|
Description: | Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg
Symptom: Configure "timeout floating-conn 0:01:00" (or any value in the valid range 0:0:30-1193:0:0). Once it is configured on the ASA, Telnet and HTTP connections to the ASA are lost.
Conditions: Issue seen on:
1. Saleen - 5512, 5525
2. Kenton - 5506
3. vASA
Workaround: Set "timeout floating-conn 0:00:00".
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 100.14(0.27), 100.14(0.30), 100.14(6.38) |
|
Known Fixed Releases: | 100.14(0.42), 100.14(5.20), 100.14(7.39), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12), 100.15(5.15), 100.15(8.3) |
|
|
| |
| |
Bug Id: | CSCuj23318 |
Title: | ASA 9.1 enabling IKE on one interface reserves UDP 500 on ALL interfaces |
|
Description: | Symptom: When enabling IKE on an interface, the command is rejected with the error message "ERROR: IkeReceiverInit, unable to bind to port"
Conditions:
-- ASA configured with a static PAT statement forwarding UDP port 500 to an internal host.
-- IKE is being enabled on a different interface than the one used in the static PAT for UDP 500.
Workaround:
-- Remove the static PAT command.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 8.0, 9.1(2.8) |
|
Known Fixed Releases: | 100.10(0.42), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.70), 100.8(40.46), 100.8(46.40), 100.8(51.9), 100.9(10.17) |
|
|
| |
| |
Bug Id: | CSCuu66218 |
Title: | ASA is not correctly handling errors on AES-GCM ICV |
|
Description: | Symptom: A vulnerability in the AES-GCM code of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to modify the contents of an encrypted IPSec or IKEv2 packet, and for those modifications not to be detected.
The vulnerability is due to an error on the firmware of the Cavium Networks cryptographic module. Due to this vulnerability, the ICV is not checked. An attacker could exploit this vulnerability by intercepting encrypted packets in transit and modifying their contents. Such packets would be decrypted by the ASA and then forwarded to their destination, without the modification being detected.
Please note that this vulnerability does NOT allow an attacker to decrypt the packets in transit, nor obtain information about the session keys being used for the security association.
This vulnerability does NOT impact SSL/TLS traffic originated or destined to the ASA.
Conditions: An IKEv2 or an IPSec policy using any of the following algorithms for data encryption: aes-gcm, aes-gcm-192, aes-gcm-256.
This vulnerability only applies to the following ASA models: ASA5506-X (all hardware models), ASA5508-X, and ASA5516-X.
Workaround: There is no workaround for customers whose security policy requires the use of AES-GCM.
For customers who can use an alternative encryption algorithm, IKE or IPsec policies using AES-GCM could be changed to use AES instead.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2015-4550 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.3(3), 9.4(1.1) |
|
Known Fixed Releases: | 100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 9.3(3.2), 9.4(1.2), 99.1(2.170) |
|
|
| |
| |
Bug Id: | CSCze96017 |
Title: | Active ftp-data is blocked by Firepower on Chivas Beta on 5512 |
|
Description: | Symptom: The system incorrectly processes data channels matching applied access control, intrusion, and network discovery policies.
Conditions: Configure an ASA FirePOWER module running Version 5.0 or later with network address translation (NAT).
Workaround:
1. Create a policy to allow ftp-data traffic from Server to Client, or
2. Use passive FTP
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.3(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtg76404 |
Title: | Traceback in Thread Name: Checkheaps due to logging |
|
Description: | Symptom: An ASA may crash citing Checkheaps as the crashing thread.
Conditions: This has been seen in ASA version 8.2.2 and presumably other builds as well. The crash appears to be related to the presence of 'logging flash-bufferwrap'.
Workaround: At this point, disabling 'logging flash-bufferwrap' may prevent the crash. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 8.2(2), 8.2(3), 8.3(2) |
|
Known Fixed Releases: | 100.7(13.24), 100.7(14.13), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(8.34), 100.7(9.57), 100.8(0.19), 100.8(10.25), 100.8(12.26) |
|
|
| |
| |
Bug Id: | CSCuu95947 |
Title: | Traceback assert in Thread Name: tcp_thread |
|
Description: | Symptom: ASA Traceback under tcp_thread
Conditions: ASA running 8.2.5.48
Workaround: None
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 8.2(5.48) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCug88962 |
Title: | Hitless upgrade fails with error "Number of interfaces...not consistent" |
|
Description: | Symptom: A hitless upgrade of a failover pair of ASAs from a version prior to 8.4(6), 9.0(2) and 9.1(1)3 to a version at or after 8.4(6), 9.0(2) and 9.1(1)3 might fail. When the standby boots up with the new version, failover synchronization might fail and the following error might be printed to the console:
"Number of interfaces on Active and Standby are not consistent.If the problem persists, you should disable and re-enable failover on the Standby."
Conditions: To encounter the problem, all of the following conditions must be met:
1) The ASAs must be in a failover setup
2) A hitless upgrade must be attempted. This involves loading the new code version onto the disk of the standby ASA, then rebooting it so that it boots up running the new version and syncs with the active ASA.
3) The active ASA running the old code must be running a version of code prior to 8.4(6), 9.0(2), or 9.1(1)3
4) The standby ASA must be rebooted and running a version of code 8.4(6) or 8.4(6)1, 9.0(2) or 9.1(2) or later
Workaround: Since the synchronization of the ASAs fails due to this bug, a hitless upgrade might not work. The workaround is to configure both ASAs to boot up with the new version of code, and reload both ASAs (first the standby ASA, then 30 seconds later the active ASA). Both units will boot up OK, and since both units are then running the same version of code they will synchronize correctly.
Further Problem Description: In the above situation, i.e. after the standby was reloaded and the error message "Number of interfaces on Active and Standby are not consistent.If the problem persists, you should disable and re-enable failover on the Standby." shows up on the device console, if a failover were performed to make the standby unit take the active role, there could be issues with MAC address switchover between the ASA devices, i.e. the new active unit may not use the previous active device's MAC address, or the new standby unit may not use the previous standby's MAC address.
This would result in traffic flows failing through the ASA failover pair.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 8.4(6.1) |
|
Known Fixed Releases: | 100.7(6.118), 100.8(27.83), 100.8(38.18), 100.8(40.6), 100.8(41.2), 100.8(60.15), 100.9(0.46), 100.9(10.1), 100.9(6.28), 100.9(7.24) |
|
|
| |
| |
Bug Id: | CSCuu39636 |
Title: | Cert Auth fails with 'max simultaneous-login restriction' error |
|
Description: | Symptom: VPN Clients connections with Certificate Authentication fail with the following error:
[IKEv1]Group = , IP = X.X.X.X, Session terminated due to 'X' max simultaneous-login restriction.
Conditions: VPN Clients with Certificate Authentication
ASA running 9.1.6 or later
Workaround: Use PSK and X-Auth for authentication, or downgrade to a non-affected version.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.1(6), 9.4(1) |
|
Known Fixed Releases: | 100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13), 100.15(1.15) |
|
|
| |
| |
Bug Id: | CSCuu48197 |
Title: | ASA: Stuck uauth entry rejects AnyConnect user connections |
|
Description: | Symptom: Intermittently, user VPN sessions fail to establish due to a stuck uauth entry associated with the same pool/to-be-assigned IP address as the new user.
Syslog:
%ASA-5-722010: Group User IP SVC Message: 16/ERROR: Detected internal error in SSL connection..
%ASA-4-113019: Group = , Username = , IP = , Session disconnected. Session Type: SSL, Duration: 00:00m:12s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
- While debugging, we see the following:
debug webvpn anyconnect: webvpn_cstp_accept_address: 192.168.1.10/255.255.255.0 ''snip'' vpn_put_uauth failed! webvpn_cstp_send_error: 503 Service Unavailable
sh ip local pool: shows that the address 192.168.1.10 is available.
debug pix uauth: vpn_putuauth: ERR: uxlate collision for ip 192.168.1.10 user USER-B on interface OUTSIDE
show uauth: remote access VPN user 'USER-A' at 192.168.1.10, authenticated <<< Stuck entry for "another user"
show vpn-sessiondb anyconnect filter name USER-A : no entries
Here, notice that the address being assigned to USER-B is 192.168.1.10, and this address is available in the local pool, i.e. it was assigned to another user [USER-A] in the past. That user does not show up in the vpn-sessiondb, indicating that they have already logged off.
Conditions: ASA running an OS version [e.g. 9.2(1)] that has the fix for CSCuh08432 (AnyConnect sessions do not connect due to uauth failure).
This ASA is acting as an AnyConnect SSL VPN server.
Workaround: None. Either reload the ASA or fail over to the standby ASA,
or start using a new IP address pool for the connection entry.
Further Problem Description:
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.2(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu69193 |
Title: | ASA crash in Thread Name: CP HA Processing. |
|
Description: | Symptom: ASA failover pair crashing in Thread Name: CP HA Processing.
Conditions: L2L VPN Tunnel is configured on the ASA
Workaround: No workaround
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.2(2.8) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtt27599 |
Title: | Standby Firewall traceback citing nat_remove_policy_from_np+383 |
|
Description: | Symptom:
When a Standby ASA tries to sync its config from its Active mate, the ASA may generate a traceback in the fover_parse thread and reload.
Conditions:
All of the following conditions must be met:
1. The ASA must be configured in a failover pair, and
2. The ASA must be configured with a NAT rule that uses the 'any' keyword as one of its interfaces. For example:
object network hostA
 host 192.168.1.10
 nat (inside,any) static 10.0.0.10
Workaround:
Avoid using the 'any' keyword as an interface in the NAT command. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 100.8(19.22), 8.4(2.16) |
|
Known Fixed Releases: | 100.7(13.38), 100.7(14.28), 100.7(17.5), 100.7(18.3), 100.7(6.46), 100.7(8.34), 100.8(0.34), 100.8(15.9), 100.8(17.6), 100.8(19.24) |
|
|
| |
| |
Bug Id: | CSCup47195 |
Title: | ASA - Traceback in DATAPATH-0-1275 |
|
Description: | Symptom: ASA can traceback in Thread Name: DATAPATH under heavy load when an IPS / CX / SFR module is installed
Conditions: ASA 5512 / 5515 / 5525 / 5545 / 5555
Workaround: Not known
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 100.11(0.20), 100.12(0.39), 100.8(38.133), 100.8(64.12), 100.8(64.21), 9.1(3), 9.2(1) |
|
Known Fixed Releases: | 100.11(0.47), 100.12(0.51), 100.12(22.1), 100.12(6.8), 100.13(0.3), 100.13(12.5), 100.13(13.1), 100.13(14.3), 100.13(15.2), 100.13(16.1) |
|
|
| |
| |
Bug Id: | CSCtw75734 |
Title: | tmatch compile thread assertion in "stride_terminal_node.c" |
|
Description: | Symptom: In a rare corner case, the ASA might traceback when there are ACL related functions being processed.
This is similar to CSCsy93944 but the traceback condition is due to a different root cause.
Conditions: The traceback condition is related to the access-list structures stored on the ASA.
Workaround: None known.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 100.8(46.4), 8.2(5), 8.4(5.2), 8.6(1.6) |
|
Known Fixed Releases: | 100.10(0.36), 100.10(1.21), 100.10(2.2), 100.10(3.1), 100.10(9.1), 100.7(6.125), 100.8(38.63), 100.8(40.40), 100.8(45.8), 100.8(46.28) |
|
|
| |
| |
Bug Id: | CSCti05769 |
Title: | Migration of max_conn/em_limit to MPF is completely wrong in 8.3 |
|
Description: | Symptoms: Migration to the Modular Policy Framework may yield an incorrect configuration. This may result in loss of TCP Intercept protection against SYN floods coming from the outside, as the MPF limits are configured in the incorrect direction. Protection against server overloading may also be lost, because the migrated configuration incorrectly limits the number of outbound established connections from the server to the outside.
Conditions:
Workaround: The configuration created by the migration process must be removed, and the limits must be set manually via MPF in the proper direction.
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 8.3(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu86195 |
Title: | conn-max counter is not decreased accordingly |
|
Description: | Symptom: Problem description:
- After the maximum number of TCP connections for a class-map is exceeded, the counter for the active connections ("current conns") starts to decrease into negative values.
- All new connections that match the configured policy are dropped, even if the number of configured connections is not exceeded:
%ASA-3-201011: Connection limit exceeded -36/30 for input packet from 10.100.48.4/54675 to 172.29.41.10/8443 on interface in
Similar scenarios: legitimate connections are dropped when the counter:
- "current conns" is decreased into negative values; Ex: -36/30
- "current conns" does not drop to zero (after all the connections are closed) and is stuck at a random value; Ex: 26/30 --> just 4 new connections are allowed
- "current conns" goes over the maximum value and does not drop to zero (after all the connections are closed); Ex: 32/30
Conditions: Issue observed in ASA software versions 9.2.2 and 9.2.24 (tested versions), for TCP traffic only.
Workaround: N/A
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.2(2), 9.2(2.4) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCty35830 |
Title: | AnyConnect users can't connect due to duplicate session. |
|
Description: | Symptom: AnyConnect connections are failing to an ASA cluster with syslogs reporting: %ASA-4-113038: Group User IP Unable to create AnyConnect parent session.
Conditions: This was observed on ASA platforms with a high rate of connection after some operating time.
Workaround: None at this time other than reloading the ASA. |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 8.4(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCug39080 |
Title: | HA sync configuration stuck -"Unable to sync configuration from Active" |
|
Description: | Symptom: HA sync configuration stuck -"Unable to sync configuration from Active"
Conditions: Reloading the standby or reconfiguring failover on the standby does not resolve the issue.
Workaround: reload the active unit.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.0(1) |
|
Known Fixed Releases: | 100.10(0.6), 100.8(27.84), 100.8(38.22), 100.8(40.11), 100.8(41.2), 100.8(60.27), 100.9(0.54), 100.9(10.1), 100.9(6.29), 100.9(7.37) |
|
|
| |
| |
Bug Id: | CSCut88287 |
Title: | ASA Traceback in vpnfol_thread_msg |
|
Description: | Symptom: ASA device Traceback in vpnfol_thread_msg
Conditions: ASA device running in Active/Standby HA Pair.
Workaround: NONE
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-JUN-2015 |
|
Known Affected Releases: | 9.4(1) |
|
Known Fixed Releases: | 100.12(0.130), 100.13(0.79), 100.14(0.42), 100.14(5.20), 100.14(7.39), 100.15(0.16), 100.15(1.20), 100.15(2.53), 100.15(3.8), 100.15(4.12) |
|
|
| |
| |
Bug Id: | CSCuq77655 |
Title: | Cisco ASA DNS Memory Exhaustion Vulnerability |
|
Description: | Symptom: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
Cisco ASA Failover Command Injection Vulnerability
Cisco ASA DNS Memory Exhaustion Vulnerability
Cisco ASA VPN XML Parser Denial of Service Vulnerability
Successful exploitation of the Cisco ASA Failover Command Injection Vulnerability would allow an attacker to submit failover commands to the failover units, which may result in an attacker taking full control of the systems.
Successful exploitation of the Cisco ASA DNS Memory Exhaustion Vulnerability may result in system instability and dropped traffic.
Successful exploitation of the Cisco ASA VPN XML Parser Denial of Service Vulnerability may result in a crash of the WebVPN process, which may lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for the Cisco ASA Failover Command Injection Vulnerability and Cisco ASA DNS Memory Exhaustion Vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa
Note: The resolution of the vulnerability in the Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability, cisco-sa-20150408-cxfp, released on the 8th of April may require an upgrade of the Cisco ASA Software release. Cisco ASA customers should review cisco-sa-20150408-cxfp before deciding which Cisco ASA Software release to upgrade to.
The Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2015-0676 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.4(7) |
|
Known Fixed Releases: | 100.11(0.48), 100.12(0.52), 100.12(22.1), 100.12(6.8), 100.13(0.3), 100.13(12.6), 100.13(13.1), 100.13(14.3), 100.13(15.2), 100.13(16.1) |
|
|
| |
| |
Bug Id: | CSCsm84110 |
Title: | ASA may traceback with malformed TCP packets |
|
Description: | Summary: Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines details of these vulnerabilities:
* Crafted TCP ACK Packet Vulnerability
* Crafted TLS Packet Vulnerability
* Instant Messenger Inspection Vulnerability
* Vulnerability Scan Denial of Service
* Control-plane Access Control List Vulnerability
The first four vulnerabilities may lead to a denial of service (DoS) condition and the fifth vulnerability may allow an attacker to bypass control-plane access control lists (ACL).
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 7.1, 8.1(0.184) |
|
Known Fixed Releases: | 7.1(2.70), 7.2(3.22), 8.0(103.4), 8.0(3.10), 8.1(0.185), 8.1(1.1), 8.1(1.2) |
|
|
| |
| |
Bug Id: | CSCtg28821 |
Title: | ASA: AAA Session limit [2048] reached when xauth is disabled for vpn |
|
Description: | Symptom:
If there are more than 2048 IPsec remote access connections to an ASA55550 without user authentication, VPN and SSH/Telnet connections may fail.
The following messages may appear in the ASA logs:
Apr 14 2010 15:48:08: %ASA-3-113001: Unable to open AAA session. Session limit [2048] reached
Apr 14 2010 15:48:08: %ASA-7-713906: Group = Banricompras, IP = 200.132.64.2, Failed opening authentication session!
Workaround:
Enable xauth, and this will prompt user for authentication credentials |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.2(1) |
|
Known Fixed Releases: | 100.7(0.9), 7.2(5.16), 8.0(5.17), 8.1(2.45), 8.2(2.102), 8.2(2.13), 8.3(1.100), 8.3(1.3), 8.4(0.99), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCsr40360 |
Title: | iPhone 2.0 SW requires that ASA/PIX 7.x+ address mask is 255.255.255.255 |
|
Description: | Symptom: Third Party VPN connection may cause unintended VPN interruption for other connected users.
Conditions: The following ASA/PIX versions are impacted by this:
Cisco Adaptive Security Appliance models 5505-5550 - All releases prior to 8.0.4
Cisco Adaptive Security Appliance model 5580 - All releases prior to 8.1.1.8 (Customers must contact the Cisco TAC for access to this version)
Cisco PIX Security Appliance - All 7.x and 8.x releases prior to 8.0.4
With IPsec enabled on an ASA/PIX not running the minimum versions listed above, it is possible to cause a VPN interruption if one of the following configuration steps is not taken.
Workaround: For customers unable to upgrade to the minimum versions listed above, a workaround option is available for administrators who intend to allow access from the iPhone/iPod Touch 2.0 VPN Clients. This issue has been resolved with the iPhone/iPod Touch 2.1 release.
-----------------------------------------------------------
Allow iPhone/iPod Touch VPN connections (ASA/PIX 7.x+):
We recommend creating a new VPN group specifically for iPhone/iPod touch users if there is a mask set for your existing address pool or if DHCP address assignment is in use. A special group will also allow you to set customized security policies, such as providing these mobile users access to specific resources.
For the new group created for the iPhone, ensure that an address pool is utilized and either no mask command is set or if a mask is set, that it is set to 255.255.255.255.
Example: asa(config-webvpn)# ip local pool iphone_users 10.0.0.1-10.0.0.254
OR
asa(config-webvpn)# ip local pool iphone_users 10.0.0.1-10.0.0.254 mask 255.255.255.255
You may also set up a permit rule to limit this access to this group to iPhones. In the group policy, enable the following rule:
client-access-rule 10 permit type iPhone* version *
For any groups that have an appropriate address pool mask assigned to them or are set up for DHCP address assignment, you should follow the instructions in the field notice to deny connections to these groups.
-----------------------------------------------------------
If corporate policy is to restrict VPN access from the iPhone and iPod Touch 2.x, please use the configuration settings below.
Deny iPhone/iPod Touch VPN connections (ASA/PIX 7.x+):
In the group policy, enable the following rule:
client-access-rule 10 deny type iPhone* version *
client-access-rule 20 permit type * version * |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(3) |
|
Known Fixed Releases: | 7.0(8.1), 7.1(2.74), 7.2(4.9), 8.0(3.33), 8.1(1.100), 8.1(101.5), 8.2(0.140) |
|
|
| |
| |
Bug Id: | CSCsv86258 |
Title: | Crafted ESP packet may reload ASA |
|
Description: | Symptom: The box will crash due to an assert when a malformed IPsec ESP packet is received. Under rare circumstances, if an ASA 5580 firewall receives a malformed ESP packet from a valid IPsec peer, the device might reload.
Conditions: All of the following conditions must be met to be susceptible to this bug:
1) The VPN terminating device must be an ASA 5580
2) The 5580 must receive a malformed ESP packet
Workaround: None |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.1(2) |
|
Known Fixed Releases: | 8.1(2.7), 8.2(0.181), 8.2(1) |
|
|
| |
| |
Bug Id: | CSCsu12382 |
Title: | Some TLS packets may cause incorrect DMA mappings, leading to traceback |
|
Description: | Symptom: An ASA on rare occasions will crash after processing crafted TLS packets.
Conditions: This affects all versions of 8.1 code without the fix integrated.
Workaround: None.
Further Problem Description:
None. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.1(101.8) |
|
Known Fixed Releases: | 8.1(1.100), 8.1(1.9), 8.2(0.151) |
|
|
| |
| |
Bug Id: | CSCsr74439 |
Title: | PIX/ASA: Certain malformed NAT-T packets may cause IKE process to hang |
|
Description: | Symptom:
A Cisco PIX or Cisco ASA IKE process may stop processing IKE packets when certain malformed NAT-T packets are received.
Note: No IKE debugs are seen after the malformed packet is sent.
Conditions: Cisco PIX/ASA configured to terminate IPSec remote access or site-to-site tunnels.
Workaround: None |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 7.2(4), 8.0(3.20) |
|
Known Fixed Releases: | 7.0(8.1), 7.1(2.75), 7.2(4.9), 8.0(4.5), 8.1(1.100), 8.1(101.6), 8.2(0.145) |
|
|
| |
| |
Bug Id: | CSCso66472 |
Title: | Crypto memory leak causing Clientless SSL VPNs to hang |
|
Description: | Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:
Erroneous SIP Processing Vulnerabilities
IPSec Client Authentication Processing Vulnerability
SSL VPN Memory Leak Vulnerability
URI Processing Error Vulnerability in SSL VPNs
Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(3), 8.0(3.10), 8.0(3.7) |
|
Known Fixed Releases: | 7.2(4.2), 8.0(103.16), 8.0(3.14), 8.1(1.4) |
|
|
| |
| |
Bug Id: | CSCso69942 |
Title: | Traceback in Remote Access Authentication Code |
|
Description: | Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:
Erroneous SIP Processing Vulnerabilities
IPSec Client Authentication Processing Vulnerability
SSL VPN Memory Leak Vulnerability
URI Processing Error Vulnerability in SSL VPNs
Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 7.2(2.19) |
|
Known Fixed Releases: | 7.2(4.2), 8.0(103.23), 8.0(3.14), 8.1(1.4) |
|
|
| |
| |
Bug Id: | CSCup36829 |
Title: | Cisco ASA SSL VPN Portal Customization Integrity Vulnerability |
|
Description: | Symptom: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.
Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, including but not limited to cross-site scripting (XSS), theft of credentials, or redirection of users to malicious web pages.
Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.3/7.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:C/A:P/E:F/RL:OF/RC:C CVE ID CVE-2014-3393 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be fou |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.1(2.7), 9.1(5.231) |
|
Known Fixed Releases: | 100.11(0.28), 100.11(5.40), 100.11(6.4), 100.12(0.14), 100.12(1.5), 100.12(12.2), 100.12(13.8), 100.12(15.2), 100.12(16.6), 100.12(17.10) |
|
|
| |
| |
Bug Id: | CSCug52259 |
Title: | ROMMON: eUSB device not recognized by BIOS on boot |
|
Description: | Symptom: ASA or IPS goes into a 'boot loop' after resetting the device, where the ASA/IPS is unable to find a boot image with errors similar to the following:
Launching BootLoader...
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
Conditions: This issue has been seen on 5585, SSP-10, and 4510/4520 devices.
The problem is independent of IPS version, so any IPS version can be affected. The issue can only be corrected with a BIOS update or RMA, which TAC can provide.
Workaround: None.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 0 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu39615 |
Title: | eglibc 2.18 is missing upstream fix #15073 |
|
Description: | Symptom: ASA could crash due to heap corruption
Conditions: Heavy memory allocation
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 9.3(2), 9.3(2.2) |
|
Known Fixed Releases: | 100.12(0.127), 100.13(0.77), 100.13(21.16), 100.14(0.30), 100.14(5.19), 100.14(7.38), 100.15(0.13), 100.15(1.18), 100.15(2.54), 100.15(3.7) |
|
|
| |
| |
Bug Id: | CSCsr09163 |
Title: | webvpn - +webvpn+/index.html http response splitting problem |
|
Description: | Symptom: The ASA is vulnerable to HTTP response splitting. Details on HTTP response splitting defects: http://en.wikipedia.org/wiki/HTTP_response_splitting and http://www.owasp.org/index.php/HTTP_Response_Splitting. An attacker can insert arbitrary HTTP headers into the responses from the ASA by supplying specially formatted input in the tgroup input form field.
Cisco has published a vendor response at the following URL:
http://tools.cisco.com/security/center/viewAlert.x?alertId=20737
This vulnerability was discovered by Daniel King of SecureWorks, Inc. Cisco greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports. Conditions: This is default behavior for the ASA. Workaround: There are no workarounds for this issue. The following Cisco Applied Mitigation Bulletin, titled Understanding Cross-Site Scripting (XSS) Threat Vectors, provides several best practices and information that can be used to mitigate these types of issues:
http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0 |
|
Known Fixed Releases: | 8.0(3.30), 8.1(1.100), 8.1(101.4), 8.2(0.140) |
|
|
| |
| |
Bug Id: | CSCsk60581 |
Title: | Device reload possible when SIP inspection is enabled |
|
Description: | Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:
Erroneous SIP Processing Vulnerabilities
IPSec Client Authentication Processing Vulnerability
SSL VPN Memory Leak Vulnerability
URI Processing Error Vulnerability in SSL VPNs
Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 7.2, 8.0 |
|
Known Fixed Releases: | 7.2(3.14), 7.2(3.18), 8.0(3.3), 8.0(3.8), 8.1(0.137), 8.2(0.80), 8.2(0.94) |
|
|
| |
| |
Bug Id: | CSCsu90653 |
Title: | ASA: Disabling Isakmp User Auth Causes Webvpn Authentication to Fail |
|
Description: | Symptom:
If a tunnel-group with LDAP authentication and authorization is configured for WebVPN and IPsec, and the ipsec-attributes have
isakmp ikev1-user-authentication none
configured, the LDAP process receives a type 0 request. This bypasses authentication and allows anyone with a valid username to access WebVPN even if the password is incorrect.
Conditions:
If a tunnel-group with LDAP authentication and authorization is configured for WebVPN and IPsec, and the ipsec-attributes have
isakmp ikev1-user-authentication none
Workaround:
None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4) |
|
Known Fixed Releases: | 7.2(4.17), 8.0(4.8), 8.0(5), 8.1(2.2), 8.2(0.165), 8.2(1) |
|
|
| |
| |
Bug Id: | CSCuu73694 |
Title: | ASA Traceback in Thread Name: Dispatch Unit |
|
Description: | Symptom: ASA unexpectedly crashes with "Thread Name: Dispatch Unit".
Conditions: unknown
Workaround: There is no workaround at this time.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.4(7.23) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCsq45636 |
Title: | Potential Information Disclosure in Clientless SSL VPNs |
|
Description: | Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:
Erroneous SIP Processing Vulnerabilities
IPSec Client Authentication Processing Vulnerability
SSL VPN Memory Leak Vulnerability
URI Processing Error Vulnerability in SSL VPNs
Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(2), 8.0(3.12) |
|
Known Fixed Releases: | 8.0(103.27), 8.0(3.16), 8.1(1.6), 8.2(0.127) |
|
|
| |
| |
Bug Id: | CSCte91042 |
Title: | SMTP Inspect Security Issue |
|
Description: | Symptom: Cisco ASA has a potential issue with its SMTP inspection engine, where an unauthenticated attacker may bypass certain policies of the SMTP inspection.
Conditions: Cisco ASA with default configuration.
Workaround: None
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.2 |
|
Known Fixed Releases: | 100.4(0.47), 100.5(5.8), 100.7(2.1), 7.2(4.100), 7.2(5), 8.2(2.99), 8.2(4), 8.3(1.100), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCui76124 |
Title: | Unable to telnet to ASA due to telnet limit reached |
|
Description: | Symptom: Unable to telnet to the ASA due to the limit of 5 simultaneous sessions reached.
This situation can be verified with the output of 'show resource usage', which shows output like the following:
Resource Current Peak Limit Denied Context
Telnet 5 5 5 0 System
Conditions: Telnet is used to manage the ASA
Workaround: Reload or failover the ASA to mitigate the problem.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 9.0(3), 9.1(1) |
|
Known Fixed Releases: | 100.10(0.14), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.33), 100.8(40.22), 100.8(41.2), 100.8(45.2), 100.8(46.1), 100.8(49.1) |
|
|
| |
| |
Bug Id: | CSCsq19369 |
Title: | URI Processing Error in Clientless SSL VPN connections |
|
Description: | Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:
Erroneous SIP Processing Vulnerabilities
IPSec Client Authentication Processing Vulnerability
SSL VPN Memory Leak Vulnerability
URI Processing Error Vulnerability in SSL VPNs
Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(3.13), 8.3 |
|
Known Fixed Releases: | 8.0(103.24), 8.0(3.15), 8.1(1.5) |
|
|
| |
| |
Bug Id: | CSCsx59014 |
Title: | ASA allows VPN user although Zonelabs Integrity firewall rejects |
|
Description: | Symptom: When the Cisco ASA is configured to communicate with a Zonelabs Integrity Firewall server to validate VPN clients, the ASA may still permit users network access even though they do not have the right policies and are rejected by the Firewall server.
Conditions: unknown
Workaround: no workaround currently available |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4) |
|
Known Fixed Releases: | 7.2(4.29), 8.0(4.161), 8.0(4.27), 8.0(5), 8.1(2.165), 8.1(2.18), 8.2(1.10), 8.2(4) |
|
|
| |
| |
Bug Id: | CSCsq97154 |
Title: | ASA WebVPN HTTP Instability |
|
Description: | Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:
Erroneous SIP Processing Vulnerabilities
IPSec Client Authentication Processing Vulnerability
SSL VPN Memory Leak Vulnerability
URI Processing Error Vulnerability in SSL VPNs
Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.3 |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCsm77958 |
Title: | ASA may crash while processing PPPoE and SSL VPN transactions |
|
Description: | Symptom: When a clientless SSL VPN client attempts to connect to the ASA, the ASA crashes with thread name "IP Thread" followed by the output below:
assertion "t->stack[0] == STKINIT" failed: file "thread.c", line 709
Conditions: A clientless WebVPN user attempts to establish an SSL VPN session.
Workaround: None at this point |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(2), 8.0(3) |
|
Known Fixed Releases: | 7.0(7.12), 7.1(2.70), 7.2(3.21), 7.2(4), 8.0(3.10), 8.1(1.2), 8.2(0.100) |
|
|
| |
| |
Bug Id: | CSCsq74674 |
Title: | ASA may reload after receiving certain EIGRP packets |
|
Description: | Symptom: ASA may reload after receiving certain EIGRP packets.
Conditions: Cisco ASA configured for EIGRP routing.
Note: EIGRP support was initially introduced in Cisco ASA Version 8.0(2).
Workarounds: None |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(2), 8.0(3), 8.1(1.1), 8.1(1.6) |
|
Known Fixed Releases: | 8.0(103.34), 8.0(3.20), 8.1(1.100), 8.1(101.1), 8.2(0.130) |
|
|
| |
| |
Bug Id: | CSCsv21224 |
Title: | ASA processes invalid OSPF MD5 sequence numbers |
|
Description: | Symptom: Cisco ASA may process invalid OSPF MD5 sequence numbers.
This issue was found and reported to Cisco by Francois Ropert. Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. We would like to thank Mr. Ropert for working with us towards the goal of keeping Cisco networks and the Internet, as a whole, secure.
Conditions: Cisco ASA running version 8.0.4 and earlier.
Workarounds: None |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4) |
|
Known Fixed Releases: | 7.2(4.22), 8.0(4.18), 8.0(4.220), 8.0(5), 8.1(2.8), 8.2(0.189), 8.2(1) |
|
|
| |
| |
Bug Id: | CSCus47259 |
Title: | Cisco ASA XAUTH Bypass Vulnerability |
|
Description: | Symptoms: Due to a vulnerability in the IKEv1 code, it is possible to bypass XAUTH authentication by sending crafted IKE messages.
Conditions: This applies only to deployments configured with Remote VPN and IKEv1. Knowledge of the PSK or a valid certificate is needed to perform the attack.
This vulnerability affects only the following trains:
- 7.x
- 8.0
- 8.1
- 8.2 prior to 8.2.2.13
This issue has been fixed as part of another bug: CSCtg28821
Workaround: none
Further Problem Description:
A vulnerability in the IKE version 1 code of Cisco ASA Software could allow an authenticated, remote attacker to bypass x-auth authentication and successfully log in via IPsec remote VPN.
The vulnerability is due to improper implementation of the logic of the x-auth code. An attacker could exploit this vulnerability by sending crafted IKEv1 packets to the affected system. The attacker would need to know the tunnel group pre-shared key or have a valid certificate in order to exploit this vulnerability. This vulnerability affects only Cisco ASA Software configured for IKEv1 IPSec remote access and IKEv1 IPSec LAN-to-LAN. An exploit could allow the attacker to bypass the authentication and gain access to the network via remote VPN.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C CVE ID CVE-2015-0760 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(2) |
|
Known Fixed Releases: | 100.11(0.58), 100.12(0.123), 100.13(0.68), 100.13(21.13), 100.14(0.10), 100.14(10.13), 100.14(26.11), 100.14(5.14), 100.14(6.14), 100.14(7.14) |
|
|
| |
| |
Bug Id: | CSCuf07393 |
Title: | ASA assert traceback during xlate replication in a failover setup |
|
Description: | Symptom: An ASA firewall running in STANDBY as part of an Active/Standby or Active/Active high availability configuration may crash citing an assert in thread name DATAPATH-x-xxxx.
Conditions: The crash is seen in rare circumstances on a standby firewall or a firewall in an Active/Active high availability configuration where some contexts are STANDBY on that firewall.
Workaround: None at this time. In order to reduce the impact of crashes in an Active/Active failover configuration, you might want to move both ACTIVE Failover Groups to one ASA.
More Info:
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 9.1(1), 9.1(2) |
|
Known Fixed Releases: | 100.10(0.6), 100.8(27.83), 100.8(38.16), 100.8(40.6), 100.8(41.2), 100.8(60.12), 100.9(0.45), 100.9(10.1), 100.9(6.27), 100.9(7.23) |
|
|
| |
| |
Bug Id: | CSCsr32004 |
Title: | ASA may crash after processing certain malformed EIGRP packets |
|
Description: | Symptom: ASA may reload after receiving certain EIGRP packets.
Conditions: Cisco ASA configured for EIGRP routing.
Note: EIGRP support was initially introduced in Cisco ASA Version 8.0(2).
Workarounds: None |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0, 8.0(2), 8.0(3), 8.0(3.19), 8.0(3.31), 8.1 |
|
Known Fixed Releases: | 8.0(4.5), 8.0(5), 8.1(1.100), 8.1(101.8), 8.2(0.149) |
|
|
| |
| |
Bug Id: | CSCso58622 |
Title: | IPv6: IP services are reachable from the "far side of the box" |
|
Description: | Symptom:
Users can connect to, and interact with, the firewall via an interface to which they are not logically connected.
Conditions:
PIX or ASA device running 7.x or later code, using IPv6 routing and IPv6-enabled services (SSH, Telnet, HTTP, ICMP).
Workaround:
Restrict access to services by IPv6 subnet (i.e., no ::/0 type configuration).
Further Problem Description:
Cisco firewall products are designed to be "through the box" type appliances. IPv6 should behave the same way IPv4 does. You should only be interacting with the box via the interface to which you are logically connected.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2009-4913 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(3) |
|
Known Fixed Releases: | 8.0(103.17), 8.0(103.18), 8.0(3.14), 8.1(1.4) |
|
|
| |
| |
Bug Id: | CSCsx75440 |
Title: | ACL - Implicit deny ip any any ACE may not work as expected |
|
Description: | Symptom:
Implicit deny any any may not work as expected. Traffic that is not permitted via the ACL may be permitted even though the access-list is applied on the higher security interface.
Conditions:
This was first observed on an ASA running 8.0.4(3).
Workaround:
1. Remove the access-group line applied on the interface and re-apply it.
Example:
no access-group acl-inside in interface inside
access-group acl-inside in interface inside
or
2. Add an explicit deny ip any any line at the bottom of the ACL applied on that interface.
Further Problem Description:
The following data, collected before contacting TAC, may be helpful:
"sh asp table classify domain permit hits" and "sh asp table classify interface domain permit hits" |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4.3) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCsy22484 |
Title: | Cisco ASA may traceback after processing certain TCP packets |
|
Description: | Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4), 8.2 |
|
Known Fixed Releases: | 7.0(8.6), 7.1(2.81), 7.2(4.30), 8.0(4.28), 8.1(2.162), 8.1(2.19), 8.2(0.228), 8.2(4) |
|
|
| |
| |
Bug Id: | CSCsk31007 |
Title: | SIP: traceback in Thread Name: Dispatch Unit |
|
Description: | Symptom: On a PIX/ASA running version 7.2.3, using the SIP inspection engine can cause a traceback.
Conditions: The SIP inspection engine is enabled.
Workaround: Disable the SIP inspection engine. |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 7.2(2.33), 7.2(3) |
|
Known Fixed Releases: | 7.2(3.3), 7.2(4), 8.0(2.18), 8.1(0.71), 8.2(0.65) |
|
|
| |
| |
Bug Id: | CSCuu53928 |
Title: | ASA does not set forward address or p-bit in OSPF redistribution in NSSA |
|
Description: | Symptom: ASA can advertise OSPF routes to a peer with the p-bit disabled, and with a null forward address, when in a Not-So-Stubby Area (NSSA). This can cause the peer device to be unable to translate this LSA and forward it on to the rest of the topology.
OSPF Router with ID (10.0.0.50) (Process ID 1)
Type-7 AS External Link States (Area 100)
LS age: 23
Options: (No TOS-capability, No Type 7/5 translation, DC) <---
LS Type: AS External Link
Link State ID: 192.168.0.0 (External Network Number )
Advertising Router: 10.0.0.50
LS Seq Number: 80000001
Checksum: 0x791e
Length: 36
Network Mask:255.255.0.0
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0 <---
External Route Tag:
This condition occurs if the route that is advertised is directly connected, and that link comes up before the link that carries the OSPF neighborship.
Conditions:
- ASA in an OSPF Not-So-Stubby Area
- Redistributing connected routes
- Observed in single and multiple context mode
- Observed in failover mode or standalone mode
Workaround:
- Clear the OSPF process on the ASA with the command "clear ospf process"
- Bounce the link of the connected route that is being advertised incorrectly
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 9.3(1), 9.4(1) |
|
Known Fixed Releases: | 100.12(0.130), 100.13(0.80), 100.14(0.44), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.53), 100.15(3.8), 100.15(4.12) |
|
|
| |
| |
Bug Id: | CSCsx23387 |
Title: | Recoverable crash condition within aware http server |
|
Description: |
Symptom: Crafted HTTP packets may drive CPU utilization to 100%.
Conditions: WebVPN must be enabled.
Workaround: None.
Further Problem Description: None.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4) |
|
Known Fixed Releases: | 100.3(0.2), 100.4(0.2), 7.2(4.100), 8.0(4.25), 8.0(5), 8.1(2.15), 8.2(0.212), 8.2(4) |
|
|
| |
| |
Bug Id: | CSCsy91157 |
Title: | Watchdog when inspecting malformed SIP traffic |
|
Description: | Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:
* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4.29) |
|
Known Fixed Releases: | 8.0(4.161), 8.0(4.38), 8.0(5), 8.1(2.165), 8.1(2.29), 8.2(1.10), 8.2(4), 8.3(0.0) |
|
|
| |
| |
Bug Id: | CSCsz90342 |
Title: | Malformed SIP packets may cause memory leak |
|
Description: | Symptom: Malformed TCP packets destined to a host behind the ASA over port 5060 may cause a memory leak on the affected device. The device recovers after these packets are blocked or the attack is stopped.
Conditions: Cisco ASA configured with TCP proxy for SIP.
Workaround: None |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.2(1) |
|
Known Fixed Releases: | 100.3(0.28), 100.4(0.27), 8.2(1.110), 8.2(2), 8.2(2.99), 8.2(4), 8.3(0.12), 8.3(1) |
|
|
| |
| |
Bug Id: | CSCuv04901 |
Title: | NAT section-1 divert rules are getting added at the end of section-2 |
|
Description: | Symptom: NAT section-1 divert rules are getting added at the end of section-2
Conditions: Removing and re-adding a Twice NAT rule
Workaround: Remove all the rules and re-add them again.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 9.1(5.21) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCug79778 |
Title: | ASA standby traceback in fover_parse when upgrading to 9.0.2 |
|
Description: | Symptom: ASA crashing in fover_parse when upgrading to 9.0.2
Conditions: N/A
Workaround: N/A
More Info:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 9.0(2) |
|
Known Fixed Releases: | 100.10(0.6), 100.8(27.84), 100.8(38.20), 100.8(40.9), 100.8(41.2), 100.8(60.23), 100.9(0.52), 100.9(10.1), 100.9(6.28), 100.9(7.31) |
|
|
| |
| |
Bug Id: | CSCtf81810 |
Title: | OpenSSL Record of death |
|
Description: | Symptom: The device may be affected by an OpenSSL vulnerability.
This vulnerability is tracked as CVE-2010-0740
In TLS connections, certain incorrectly formatted records can cause an OpenSSL client or server to crash due to a read attempt at NULL.
Conditions: Device configured with any feature that uses SSL.
Workaround: Not available |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0, 8.3(1) |
|
Known Fixed Releases: | 100.4(0.54), 8.0(5.17), 8.1(2.44), 8.2(2.13), 8.2(2.99), 8.2(4), 8.3(1.100), 8.3(1.2), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCtd32106 |
Title: | mutated SIP Invite-Bye message causes ASA to watch dog and traceback |
|
Description: | Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:
* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.
Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.2(1), 8.3(0.12), 8.3(0.2) |
|
Known Fixed Releases: | 100.4(0.30), 8.0(5.17), 8.1(2.45), 8.2(2.13), 8.2(2.99), 8.2(4), 8.3(0.19), 8.3(1) |
|
|
| |
| |
Bug Id: | CSCuu97304 |
Title: | SSL connection failing to WebVPN portal |
|
Description: | Symptom: Access to the WebVPN portal is broken.
Conditions: Try to access the WebVPN portal via a browser.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 100.12(0.130), 100.14(0.43) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtf40074 |
Title: | watchdog when running set of Codenomicon TLS test cases |
|
Description: | Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:
* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.
Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml. |
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 100.4(0.43) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut86523 |
Title: | ASA: Silently Drops packets with SFR Module installed. |
|
Description: | Symptom: Traffic through an ASA with SFR module redirection enabled is dropped.
Conditions: The destination MAC address of the packet begins with one of the following prefixes: 00:23, 00:20, 00:0d.
Workaround: Change the destination MAC address of the packet to begin with something other than 00:23, 00:20 or 00:0d.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 9.3(2.2) |
|
Known Fixed Releases: | 100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20), 100.15(0.9) |
|
|
| |
| |
Bug Id: | CSCte46507 |
Title: | ASA crash observed during isakmp testing with Codenomicon tool |
|
Description: | Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:
* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.
Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4) |
|
Known Fixed Releases: | 100.4(0.46), 100.7(2.1), 7.2(4.100), 8.0(5.15), 8.1(2.44), 8.2(2.10), 8.2(4), 8.3(1.1), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCsx23611 |
Title: | VPN: TCP traffic allowed on any port with management-access enabled. |
|
Description: | Symptom:
The firewall "inside" interface responds to connection attempts on any port (1-65535) when the initial SYN arrives over a VPN tunnel.
Conditions:
When a firewall has a VPN configured and connection requests are sent to the IP address of an interface that is not terminating the VPN, the firewall responds to the connection request even though no application is listening on that port. The three-way handshake is immediately followed by a reset packet, which kills the connection.
The easiest way to verify you are running into this condition is to send traffic across the VPN tunnel with the following command (where y.y.y.y is the inside interface of the firewall):
telnet <ip> <random port>
Here's an example:
telnet y.y.y.y 12345
If you're successful, you'll see the following in IOS: Trying 192.168.100.1, 12345 ... Open
and the ASA logs the connection being built and immediately torn down:
302013 Built inbound TCP connection 49230 for outside:x.x.x.x/4885 (x.x.x.x/4885) to NP Identity Ifc:y.y.y.y/12345 (y.y.y.y/12345)
302014 Teardown TCP connection 49230 for outside:x.x.x.x/4885 to NP Identity Ifc:y.y.y.y/12345 duration 0:00:00 bytes 0 TCP Reset-I
Workaround:
No known workaround.
Conditions:
A VPN tunnel must terminate on the ASA and the "management-access" command must be enabled. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(2.7), 8.0(4.20) |
|
Known Fixed Releases: | 100.3(0.2), 8.0(4.161), 8.0(4.27), 8.0(5), 8.1(2.165), 8.1(2.17), 8.2(1.10), 8.2(4) |
|
|
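The 302013/302014 pair quoted in the bug record is the thing to hunt for in syslog from a tunnel-connected ASA. The following detector is an added example written for this page, not Cisco's code and not part of the bug record: it pairs build and teardown messages by connection id and flags handshakes the ASA completed to its own interface ("NP Identity Ifc") on a port where no service is expected, then reset with zero bytes. The sample log lines, the addresses in them and the EXPECTED_SELF_PORTS set are constructed assumptions for the example.

```python
import re

# Constructed sample ASA syslog lines (not taken from the bug record; they
# follow the 302013/302014 pattern it quotes). Connection 49230 is the
# phantom listener: built to the firewall's own "NP Identity Ifc" on an
# unused port, then reset with 0 bytes in 0 seconds.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 49230 for outside:10.1.1.5/4885 (10.1.1.5/4885) to NP Identity Ifc:192.168.100.1/12345 (192.168.100.1/12345)
%ASA-6-302014: Teardown TCP connection 49230 for outside:10.1.1.5/4885 to NP Identity Ifc:192.168.100.1/12345 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 49231 for outside:10.1.1.5/4886 (10.1.1.5/4886) to NP Identity Ifc:192.168.100.1/443 (192.168.100.1/443)
%ASA-6-302014: Teardown TCP connection 49231 for outside:10.1.1.5/4886 to NP Identity Ifc:192.168.100.1/443 duration 0:02:10 bytes 8192 TCP FINs
%ASA-6-302013: Built inbound TCP connection 49232 for outside:10.1.1.5/4887 (10.1.1.5/4887) to inside:192.168.100.50/22 (192.168.100.50/22)
%ASA-6-302014: Teardown TCP connection 49232 for outside:10.1.1.5/4887 to inside:192.168.100.50/22 duration 0:00:00 bytes 0 TCP Reset-I
"""

# Ports on which the firewall itself is legitimately expected to accept
# connections over the tunnel (assumption for this example: SSH and HTTPS/ASDM).
EXPECTED_SELF_PORTS = frozenset({22, 443})

BUILT_RE = re.compile(
    r"302013: Built inbound TCP connection (?P<conn>\d+) for "
    r"(?P<src_ifc>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_ifc>.+?):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<conn>\d+) for .+? to "
    r"(?P<dst_ifc>.+?):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_connections(log_text):
    """Pair each 302013 build with its 302014 teardown by connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[int(m["conn"])] = {
                "src_ip": m["src_ip"],
                "dst_ifc": m["dst_ifc"],
                "dst_ip": m["dst_ip"],
                "dst_port": int(m["dst_port"]),
            }
            continue
        m = TEARDOWN_RE.search(line)
        if m and int(m["conn"]) in conns:
            c = conns[int(m["conn"])]
            c["bytes"] = int(m["bytes"])
            c["duration"] = m["duration"]
            c["reason"] = m["reason"].strip()
    return conns


def find_phantom_listeners(log_text, expected_ports=EXPECTED_SELF_PORTS):
    """Return (conn_id, src_ip, dst_ip, dst_port) for handshakes the ASA
    completed to its own interface on a port where nothing listens and then
    reset with no payload: the signature described for CSCsx23611."""
    hits = []
    for conn_id, c in sorted(parse_connections(log_text).items()):
        if c["dst_ifc"] != "NP Identity Ifc":
            continue  # traffic to a host behind the ASA, not to the ASA itself
        if c["dst_port"] in expected_ports:
            continue  # a service really does listen here
        if c.get("reason", "").startswith("TCP Reset-I") and c.get("bytes") == 0:
            hits.append((conn_id, c["src_ip"], c["dst_ip"], c["dst_port"]))
    return hits


if __name__ == "__main__":
    for hit in find_phantom_listeners(SAMPLE_LOGS):
        print("phantom listener:", hit)
```

A single hit proves little, since a legitimate client can also reset a connection at once; a source address producing hits across many high ports, with every one of them reset by the ASA with zero bytes, is the pattern worth checking against the affected releases listed here.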
| |
| |
Bug Id: | CSCsz79757 |
Title: | Traceback - Thread Name: Dispatch Unit with skinny inspect enabled |
|
Description: | Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:
* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4), 8.2(1) |
|
Known Fixed Releases: | 8.0(4.161), 8.0(4.38), 8.0(5), 8.1(2.165), 8.1(2.29), 8.2(1.2), 8.2(4), 8.3(0.0) |
|
|
| |
| |
Bug Id: | CSCtc47782 |
Title: | Malformed IKE traffic causes rekey to fail |
|
Description: | Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:
* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0, 8.0(4) |
|
Known Fixed Releases: | 100.3(0.19), 7.2(4.45), 8.0(5.1), 8.1(2.37), 8.2(1.105), 8.2(1.15), 8.2(4), 8.3(0.5) |
|
|
| |
| |
Bug Id: | CSCuu83280 |
Title: | Evaluation of OpenSSL June 2015 |
|
Description: |
Symptom:
This product includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2015-4000, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, CVE-2015-1791, CVE-2014-8176
This bug has been opened to address the potential impact on this product.
Conditions:
Exposure is not configuration dependent.
CVE-2015-1788 (malformed ECParameters causes infinite loop): not affected in ASA versions before 9.4.1, where EC key support was added.
CVE-2015-1790 (PKCS7 crash with missing EnvelopedContent): not affected in any ASA version; OpenSSL clients and servers are not affected.
The rest of the vulnerabilities affect the ASA.
Workaround:
Not available.
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.8/6.4
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 7.2(1), 8.2(1), 8.2(5), 9.0(1), 9.2(1), 9.3(2) |
|
Known Fixed Releases: | 100.12(0.131), 100.13(0.81), 100.14(0.51), 100.14(0.54), 100.15(0.17), 99.1(2.183) |
|
|
| |
| |
Bug Id: | CSCsq91277 |
Title: | ACL Misbehavior in Cisco ASA |
|
Description: | Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(0.4), 8.0(103.25), 8.0(3.19), 8.0(4), 8.0(4.3) |
|
Known Fixed Releases: | 7.0(8.1), 7.1(2.74), 7.2(4.9), 8.0(4.5), 8.0(5) |
|
|
| |
| |
Bug Id: | CSCtd32627 |
Title: | mutated SSLv3(recordclientalert type) causes ASA to traceback |
|
Description: | Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:
* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.
Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.3(0.2) |
|
Known Fixed Releases: | 100.7(2.1), 7.2(4.100), 8.0(5.15), 8.1(2.44), 8.2(2.10), 8.2(2.99), 8.2(4), 8.3(0.12), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCtf69525 |
Title: | ASA Crashes with crafted TLS packet |
|
Description: | Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:
* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.
Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.2(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuc60950 |
Title: | Traceback in snpi_divert with timeout floating-conn configured |
|
Description: | Symptom: Both ASAs running 8.2.5 and above crash in the Dispatch Unit thread.
Conditions:
ASAs running 8.2.5 and above
Workaround:
None at this time |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.2(5.33) |
|
Known Fixed Releases: | 100.7(13.109), 100.7(6.105), 100.8(27.30), 100.8(34.1), 100.8(38.4), 100.8(50.12), 100.9(0.19), 100.9(4.1), 100.9(9.1), 8.2(5.39) |
|
|
| |
| |
Bug Id: | CSCsy80705 |
Title: | ASA WebVPN HTTP server issue-XSS |
|
Description: | Summary:
There is a vulnerability in the Cisco ASA due to insufficient restrictions on Rot13-encoded URL parameters utilized by the SSL VPN feature of the Cisco ASA when clients browse web pages by means of the VPN web portal. An attacker who could convince a user to visit a malicious page while logged into the secure portal could take advantage of the vulnerability to execute arbitrary script or HTML code within the security context of the affected site.
Public Intellishield Alert:
http://tools.cisco.com/security/center/viewAlert.x?alertId=18442
Workarounds: No workaround exists in the Cisco ASA. However, additional mitigation information for XSS attacks can be found at the following Applied Mitigation Bulletin (AMB): http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4) |
|
Known Fixed Releases: | 8.0(4.161), 8.0(4.215), 8.0(4.33), 8.0(5), 8.1(2.165), 8.1(2.24), 8.2(1.2), 8.2(4) |
|
|
| |
| |
Bug Id: | CSCuq76847 |
Title: | ASA:Page fault traceback ACL FQDN Object-group |
|
Description: | Symptom: An ASA generated a traceback while updating an FQDN object group.
Conditions: The ASA references FQDN objects in ACLs.
Workaround: No known workaround at this time.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 100.12(10.30), 9.1(2.3), 9.2(1), 9.2(2.4) |
|
Known Fixed Releases: | 100.11(0.47), 100.12(0.51), 100.12(22.1), 100.12(6.7), 100.13(0.3), 100.13(12.5), 100.13(13.1), 100.13(14.3), 100.13(15.2), 100.13(16.1) |
|
|
| |
| |
Bug Id: | CSCsy82260 |
Title: | ASA fails to redirect traffic to WCCP cache server |
|
Description: | On certain occasions after a failure the ASA fails to redirect traffic on TCP ports 80 and 443 to the WCCP cache servers. This problem occurs at any time during the day. We have observed that the problem always happens after a failure in the network that causes the ASA to momentarily lose communication with the WCCP servers. This can be a failure initiated on the WCCP servers themselves or on any connecting devices between the ASA and the WCCP servers. We have two (2) WCCP cache servers; if any one of these servers is brought down for maintenance, we experience the problem as well. Traffic will not be redirected to the remaining online server. The first thing we see on the ASA is log messages indicating communication with the web-cache server has been lost, as shown below:
Mar 06 2009 08:52:03: %ASA-1-332004: Web Cache 172.20.143.11/90 lost
Mar 06 2009 08:52:03: %ASA-1-332004: Web Cache 172.20.143.11/91 lost
Mar 06 2009 08:52:03: %ASA-1-332004: Web Cache 172.20.143.11/92 lost
The IP addresses for our web-cache servers are 172.20.143.11 and 172.20.143.12. When the connection failure, caused by whatever reason (outside of the ASA itself), is restored, no traffic is redirected by the ASA. The show wccp commands show everything is normal; it is able to talk with the web-cache servers. The symptoms that were observed in troubleshooting were that "show wccp 90 detail" on the ASA displayed redirected packet counters that were not incrementing. All other WCCP diagnostics appeared normal (Here I Am and I See You heartbeat packets were incrementing) on both the ASAs and the Blue Coat proxies, and "show wccp 90" on the ASA indicated 1 WCCP router (the ASA) and 2 WCCP caches (the Blue Coat proxies), as expected. User traffic will be reaching the internet directly without redirection. We did not notice this problem until after upgrading the ASA code to 8.1.2(11) on 02/02/2009. The previous code we were running prior to that was 8.1.2(7). The problem could have been there on the previous code but we just did not notice it until we were running 8.1.2(11). Please note we do not see this problem at all when the ASA itself fails or is reloaded. It always occurs when there is any other failure which causes web-cache communication to be lost.
Workaround
The steps outlined below show how we resolve this issue when it happens.
1. Disable WCCP on Blue Coat proxy 1 and proxy 2.
2. Remove the WCCP commands on the ASA:
no wccp interface inside 90 redirect in
no wccp 90 redirect-list 101 password Bluecoat
no wccp 91 redirect-list 133 password Bluecoat
no wccp 92 redirect-list 134 password Bluecoat
no wccp 93 redirect-list 135 password Bluecoat
no wccp 94 redirect-list 136 password Bluecoat
no wccp 95 redirect-list 137 password Bluecoat
no wccp 96 redirect-list 138 password Bluecoat
no wccp 97 redirect-list 139 password Bluecoat
3. Reconfigure the WCCP commands on the ASA:
wccp 90 redirect-list 101 password Bluecoat
wccp 91 redirect-list 133 password Bluecoat
wccp 92 redirect-list 134 password Bluecoat
wccp 93 redirect-list 135 password Bluecoat
wccp 94 redirect-list 136 password Bluecoat
wccp 95 redirect-list 137 password Bluecoat
wccp 96 redirect-list 138 password Bluecoat
wccp 97 redirect-list 139 password Bluecoat
wccp interface inside 90 redirect in
4. Enable WCCP on Blue Coat proxy 1 and proxy 2.
5. Observe that Here I Am and I See You heartbeat packets are incrementing on both the ASAs and the Blue Coat proxies.
6. Observe that redirected packet counters are incrementing on the ASA.
7. Confirm from our PCs that web traffic is being redirected from the ASA to the Blue Coat proxies for authentication and filtering. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.1(2.16), 8.1(2.19), 8.2(1) |
|
Known Fixed Releases: | 7.2(4.35), 8.0(4.34), 8.0(4.36), 8.1(2.25), 8.1(2.27), 8.2(1.10), 8.2(4), 8.3(0.0) |
|
|
| |
| |
Bug Id: | CSCtf37506 |
Title: | TLS test tls10-hs-multiple with mutated packet causes ASA to traceback |
|
Description: | Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:
* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.
Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 100.4(0.43), 8.2(2) |
|
Known Fixed Releases: | 100.5(5.15), 100.7(0.15), 100.7(6.1), 8.2(2.104), 8.2(2.17), 8.3(1.100), 8.3(1.6), 8.4(0.99), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCtf56740 |
Title: | Yahoo IM Inspection code deficiency |
|
Description: | Symptom: The Yahoo instant messaging inspection code has a deficiency that may lead to a denial of service condition.
Conditions: Cisco ASA configured for Yahoo instant messaging inspection.
Note: The attack surface for this issue is very low.
Workaround: Disable Yahoo IM inspection. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.2 |
|
Known Fixed Releases: | 100.4(0.54), 8.0(5.17), 8.1(2.45), 8.2(2.13), 8.2(2.99), 8.2(4), 8.3(1.100), 8.3(1.3), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCte15240 |
Title: | Port openssl DTLS fragment memory leak |
|
Description: | Symptom: Cisco ASA may experience a memory leak when receiving a specific sequence of DTLS messages.
Conditions: Authentication is needed before this can take place.
Workaround: None |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1) |
|
Known Fixed Releases: | 100.4(0.32), 8.0(5.7), 8.1(2.40), 8.2(2.1), 8.2(2.99), 8.2(4), 8.3(0.19), 8.3(1) |
|
|
| |
| |
Bug Id: | CSCsx37414 |
Title: | DA: Acct-disable-override:User can login with bad secondary credentials |
|
Description: | Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.2 |
|
Known Fixed Releases: | 100.3(0.2), 100.4(0.2), 8.2(0.211), 8.2(1), 8.2(4) |
|
|
| |
| |
Bug Id: | CSCtb37219 |
Title: | Traceback in Dispatch Unit AIP-SSM Inline and nailed option on static |
|
Description: | Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:
* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 7.0, 7.1, 7.2, 8.0(4.32) |
|
Known Fixed Releases: | 8.0(4.100), 8.0(4.44), 8.1(2.35), 8.2(1.10), 8.2(1.100), 8.2(1.102), 8.2(4), 8.3(0.0) |
|
|
| |
| |
Bug Id: | CSCuv05813 |
Title: | ASA does not honor custom-defined TCP MSS |
|
Description: | Symptom: The admin changes the ASA TCP MSS via the command <>. However, the ASA still continues to negotiate TCP using the default MSS of 1460.
Conditions:
- Configure a non-default MSS, such as "sysopt connection tcpmss 1000"
- Send a TCP SYN to the ASA
- The ASA replies with the default MSS of 1460, not the custom value of 1000
- This problem has been seen on ASA 9.1.5.21 and 9.1.6.6
Workaround: None.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 9.1(6.6) |
|
Known Fixed Releases: | |
|
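The condition list in the bug record amounts to a test: send a SYN, read the MSS option in the SYN/ACK, compare it to the sysopt connection tcpmss value. The following is an added example, not from the bug record or from Cisco, that does the comparison on a bare TCP header: it walks the TCP options, extracts the MSS and reports whether it honours the configured limit. The sample SYN/ACKs are constructed inside the block (ports, sequence numbers and the window scale value are arbitrary assumptions); on a real capture, pass in the TCP header after stripping the link-layer and IP headers.

```python
import struct

SYN = 0x002
ACK = 0x010
MSS_KIND = 2


def tcp_header(src_port, dst_port, seq, ack, flags, window=29200, options=b""):
    """Build a bare TCP header (no IP header) with the given options.
    Used here only to construct sample segments; a real check would take
    the segment from a capture."""
    options += b"\x00" * (-len(options) % 4)       # pad to 32-bit boundary
    data_offset = (20 + len(options)) // 4           # header length in words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (data_offset << 12) | flags, window, 0, 0) + options


def mss_option(mss):
    return struct.pack("!BBH", MSS_KIND, 4, mss)


def parse_tcp_options(segment):
    """Return {kind: value_bytes} for the options in a TCP header."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    opts = segment[20:data_offset]
    parsed, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed


def advertised_mss(segment):
    """MSS value carried in the segment's options, or None if absent."""
    value = parse_tcp_options(segment).get(MSS_KIND)
    if value is None:
        return None
    if len(value) != 2:
        raise ValueError("MSS option must carry 2 bytes")
    return struct.unpack("!H", value)[0]


def mss_honored(synack, configured_mss):
    """True if the SYN/ACK advertises an MSS no larger than the value set
    with 'sysopt connection tcpmss'."""
    mss = advertised_mss(synack)
    return mss is not None and mss <= configured_mss


# Constructed sample segments (not captured from a real ASA). Both are
# SYN/ACKs from port 443 carrying MSS, two NOPs and window scale 7.
def sample_synack(mss):
    opts = mss_option(mss) + b"\x01\x01" + struct.pack("!BBB", 3, 3, 7)
    return tcp_header(443, 51000, 1000, 2001, SYN | ACK, options=opts)


BUGGY_SYNACK = sample_synack(1460)   # default MSS despite tcpmss 1000
GOOD_SYNACK = sample_synack(1000)

if __name__ == "__main__":
    print("buggy honored:", mss_honored(BUGGY_SYNACK, 1000))  # False
    print("good honored:", mss_honored(GOOD_SYNACK, 1000))    # True
```

The parser stops at End of Option List and skips NOPs, and rejects options whose length runs past the header, so a malformed segment raises rather than being misread as a valid MSS.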
|
| |
| |
Bug Id: | CSCta56639 |
Title: | ASA5580: Traceback in Thread Name: DATAPATH-2-604 due to SIP |
|
Description: | Symptom: Cisco ASA 5580 may experience a crash in rare circumstances with software version 8.1.2(23). This is experienced after receiving a series of SIP messages.
Note: The crash is no longer experienced after the customer moved to 8.1.2(29).
Conditions: Cisco ASA 5580 running software version 8.1.2(23) and configured for SIP inspection.
Workaround: The crash is no longer experienced on software release 8.1.2(29) or later. |
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.1(2.23) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtg47237 |
Title: | ASA traceback under Nessus scanning |
|
Description: | Symptom: Crash under scan
Conditions: The ASA was being scanned by the Nessus network scanner.
Workaround: None at the moment |
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.2(1.10) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCtb64913 |
Title: | WEBVPN: page fault in thread name dispath unit, eip udpmod_user_put |
|
Description: | Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:
* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4.29), 8.0(4.32) |
|
Known Fixed Releases: | 8.0(4.100), 8.0(4.44), 8.1(2.35), 8.2(1.10), 8.2(1.100), 8.2(1.102), 8.2(4), 8.3(0.0) |
|
|
| |
| |
Bug Id: | CSCub08224 |
Title: | ASA 210005 and 210007 LU allocate xlate/conn failed with simple 1-1 NAT |
|
Description: | Symptom:
Connections and xlates may not be replicated to the Standby unit, with:
%ASA-3-210005: LU allocate connection failed
%ASA-3-210007: LU allocate xlate failed
Conditions:
This was observed on ASA5585 8.4(3.9) with the simplest NAT setup:
object network subscribers
 subnet 10.128.0.0 255.248.0.0
object network pool_prod_64K
 range 192.168.0.1 192.168.255.254
object-group network public_ip
 network-object object pool_prod_64K
object network subscribers
 nat (inside,outside) dynamic public_ip
Workaround:
None. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.4(3.9) |
|
Known Fixed Releases: | 100.7(13.109), 100.7(6.105), 100.8(27.26), 100.8(34.1), 100.8(38.4), 100.8(50.7), 100.9(0.13), 100.9(4.1), 8.4(5.4), 8.4(5.99) |
|
|
| |
| |
Bug Id: | CSCsz06748 |
Title: | ASA traceback in inspect Skinny |
|
Description: | Symptoms: Cisco ASA may experience a reload when receiving malformed Skinny packets. The perceived malformed packet may actually be a valid SCCPv17 message.
Condition: The issue occurred in a client-mode EzVPN setup. The client is an IOS device and the server is an ASA. The reload happens as soon as an SCCPv17 phone tries to register with CM. This issue is only experienced when inspect skinny is enabled.
Workaround: 1. Disable Skinny inspection, or 2. downgrade the phone to a phone load version that supports an SCCP version earlier than SCCPv17, basically any phone load 8.3 or lower. Note this is only a temporary workaround. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4), 8.0(4.27), 8.0(4.29) |
|
Known Fixed Releases: | 100.3(0.2), 8.0(4.161), 8.0(4.33), 8.0(5), 8.1(2.165), 8.1(2.24), 8.2(1.2), 8.2(4) |
|
|
| |
| |
Bug Id: | CSCtf56704 |
Title: | MSN Instant Messaging Inspection Issue |
|
Description: | Symptom: The MSN instant messaging inspection code has a deficiency that may lead to a denial of service condition.
Conditions: Cisco ASA configured for MSN instant messaging inspection.
Note: The attack surface for this issue is very low.
Workaround: Disable MSN IM inspection. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.2 |
|
Known Fixed Releases: | 100.7(0.1), 8.0(5.17), 8.1(2.45), 8.2(2.13), 8.2(2.99), 8.2(4), 8.3(1.100), 8.3(1.3), 8.4(0.99), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCtf55259 |
Title: | AAA : Traceback on authenticating a https user |
|
Description: | Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:
* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this advisory.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.
Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 100.4(0.43), 8.0(5.12) |
|
Known Fixed Releases: | 100.7(2.1), 8.0(5.13), 8.1(2.42), 8.2(2.8), 8.2(2.99), 8.2(4), 8.3(1.1), 8.3(1.100), 8.4(1) |
|
|
| |
| |
Bug Id: | CSCup37416 |
Title: | Stale VPN Context entries cause ASA to stop encrypting traffic |
|
Description: | Symptom: ASAs that had a working L2L VPN tunnel suddenly stop encrypting traffic.
Conditions: n/a
Workaround: This issue may be prevented by disabling data-based rekeying. If the problem still occurs without data-based rekeying, fail over to the backup ASA or reboot the ASA.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 1 Catastrophic |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 9.1(2.8), 9.1(3), 9.1(5.12), 9.1(6), 9.2(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCus49034 |
Title: | Tunnel default gateway no longer works in 9.3.2 |
|
Description: | Symptom: Connectivity via tunnel default gateway no longer works.
Conditions: ASA running 9.3.2.
Workaround: A static route from the IP addresses assigned to clients to the tunnel default gateway device must be added.
More Info:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 100.14(1.1), 9.3(2) |
|
Known Fixed Releases: | 100.12(0.112), 100.13(0.26), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.3), 100.14(11.3), 100.14(2.3) |
|
|
| |
| |
Bug Id: | CSCuc16455 |
Title: | ASA packet transmission failure due to depletion of 1550 byte block |
|
Description: | Symptom: Cisco Adaptive Security Appliance runs out of 1550-byte blocks and does not free them.
In general, depletion of the 1550-byte block pool can result in the ASA being unable to generate packets. This will cause traffic disruptions and failover problems.
Conditions: LAN-to-LAN IPsec VPN configured, with traffic passing through it.
Workaround: There is no known workaround at this point.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.4(4.5), 8.4(4.9), 9.0(1), 9.1(1) |
|
Known Fixed Releases: | 100.7(13.103), 100.7(6.104), 100.8(0.241), 100.8(11.41), 100.8(27.20), 100.8(33.26), 100.8(34.1), 100.8(38.1), 100.8(39.1), 100.9(0.6) |
|
|
| |
| |
Bug Id: | CSCsy80694 |
Title: | ASA's DOM wrapper issue- Clientless XSS |
|
Description: | Summary:
There is a vulnerability in the Cisco ASA due to insufficient restrictions on access to the JavaScript-based Document Object Model (DOM) that the SSL VPN feature of Cisco ASA uses when clients browse web pages using the VPN web portal. If an unauthenticated, remote attacker can convince a user to visit a malicious page while the user is logged in to the secure portal, the attacker could use this vulnerability to execute arbitrary script or HTML code in the security context of the affected site.
Workarounds: No workarounds in the Cisco ASA exist. However, additional mitigation information for XSS attacks can be found in the following Applied Mitigation Bulletin (AMB): http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.0(4) |
|
Known Fixed Releases: | 8.0(4.161), 8.0(4.215), 8.0(4.33), 8.0(5), 8.1(2.165), 8.1(2.24), 8.2(1.2), 8.2(4) |
|
|
| |
| |
Bug Id: | CSCuu38315 |
Title: | ASA Cluster member traceback in DATAPATH |
|
Description: | Symptom: ASA 5585-20 cluster member running 9.4.1 experiences a traceback in DATAPATH.
Conditions: ASA 5585-20 running 9.4.1 in cluster mode.
Workaround: No known workarounds.
Further Problem Description:
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 9.4(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuo45321 |
Title: | ASA allows IKEv1 clients to bypass address assignment, causing conflict |
|
Description: | Symptom: ASA allows some non-Cisco IKEv1 clients to use an assigned IP without going through address assignment. This means that the IP in use is not marked as in-use in the address pool, so it may be assigned to another client that does go through address assignment. In this case, the conflict is resolved by kicking out the oldest IKEv1 session using that IP.
Additionally, the ASA doesn't check that the client actually opens a tunnel matching its assigned address. This can lead to the same conflict mentioned above.
Conditions: Mixture of Cisco and non-Cisco IKEv1 clients in use.
Non-Cisco IKEv1 client uses the assigned address without going through address assignment, or ignores the address assignment result.
Workaround: Stop using non-Cisco IKEv1 clients that exhibit this behavior.
This can be enforced on the ASA using the "client-access-rule" feature inside a group-policy. For example, the following config snippet:
client-access-rule 1 permit type * version 5*
client-access-rule 2 deny type * version *
will only allow Cisco clients with a version number higher than 5.0.0 to connect to the tunnel-group with this group-policy.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.2(5.46) |
|
Known Fixed Releases: | 100.11(0.46), 100.12(0.46), 100.12(10.47), 100.12(6.7), 100.13(0.2), 100.13(11.1), 100.13(12.1), 100.13(13.1), 100.13(14.1), 100.13(15.1) |
|
|
| |
| |
Bug Id: | CSCui38495 |
Title: | ASA Assert in Checkheaps chunk create internal |
|
Description: | Symptom: After upgrading to 8.4(5), the ASA has seen several reboots.
Conditions: Cisco Adaptive Security Appliance Software Version 8.4(5) Device Manager Version 6.4(1)
Workaround: N/A
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-JUN-2015 |
|
Known Affected Releases: | 8.4(5) |
|
Known Fixed Releases: | 100.10(0.12), 100.10(1.10), 100.10(2.1), 100.7(6.122), 100.8(27.91), 100.8(38.32), 100.8(40.21), 100.8(41.2), 100.8(45.1), 100.8(46.1) |
|
|
| |