Cisco Blog » The Platform

Saturday, August 1, 2015

Cisco Notification Alert -ASA 5500 Series NG Firewall-01-Aug-2015 16:53 GMT


End-of-Sale and End-of-Life Announcements for ASA 5500-X Series Next-Generation Firewalls

Title:
End-of-Sale and End-of-Life Announcement for the Cisco Adaptive Security Appliance (ASA) Software Releases 9.0 and 9.3
Description:

Cisco announces the end-of-sale and end-of-life dates for the Cisco Adaptive Security Appliance (ASA) Software Releases 9.0 and 9.3. The last day to order the affected product(s) is January 8, 2016. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of the customers' service contracts. A French version of this bulletin is also available.

Date:
13-JUL-2015
Title:
End-of-Sale and End-of-Life Announcement for the Cisco ASA CX Context-Aware Security and Cisco Prime Security Manager
Description:

Cisco announces the end-of-sale and end-of-life dates for the Cisco ASA CX Context-Aware Security and Cisco Prime Security Manager. The last day to order the affected product(s) is August 17, 2015. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of the customers' service contracts.

Date:
28-JUL-2015

Find additional information in End-of-Sale and End-of-Life Products

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4.SMP
Alert Type:
New File
File Name:
asa924-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Application Centric Infrastructure (ACI) Security Device Package
Release Version:
1.2.2.1
Alert Type:
New File
File Name:
asa-device-pkg-1.2.2.1.zip
File Description:

Cisco ASA Device Package 1.2(2.1) for Cisco APIC 1.1(1o)

File Release Date:
28-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Application Centric Infrastructure (ACI) Security Device Package
Release Version:
1.2.2.1
Alert Type:
New File
File Name:
asa-device-pkg-1.2.2.1.zip
File Description:

Cisco ASA Device Package 1.2(2.1) for Cisco APIC 1.1(1o)

File Release Date:
28-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4
Alert Type:
New File
File Name:
asa924-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505. Please read the Release Note prior to downloading this release.

File Release Date:
16-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Application Centric Infrastructure (ACI) Security Device Package
Release Version:
1.2.2.1
Alert Type:
New File
File Name:
asa-device-pkg-1.2.2.1.zip
File Description:

Cisco ASA Device Package 1.2(2.1) for Cisco APIC 1.1(1o)

File Release Date:
28-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4.SMP
Alert Type:
New File
File Name:
asa924-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Application Centric Infrastructure (ACI) Security Device Package
Release Version:
1.2.2.1
Alert Type:
New File
File Name:
asa-device-pkg-1.2.2.1.zip
File Description:

Cisco ASA Device Package 1.2(2.1) for Cisco APIC 1.1(1o)

File Release Date:
28-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Application Centric Infrastructure (ACI) Security Device Package
Release Version:
1.2.2.1
Alert Type:
New File
File Name:
asa-device-pkg-1.2.2.1.zip
File Description:

Cisco ASA Device Package 1.2(2.1) for Cisco APIC 1.1(1o)

File Release Date:
28-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Application Centric Infrastructure (ACI) Security Device Package
Release Version:
1.2.2.1
Alert Type:
New File
File Name:
asa-device-pkg-1.2.2.1.zip
File Description:

Cisco ASA Device Package 1.2(2.1) for Cisco APIC 1.1(1o)

File Release Date:
28-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4.SMP
Alert Type:
New File
File Name:
asa924-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4.SMP
Alert Type:
New File
File Name:
asa924-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4.SMP
Alert Type:
New File
File Name:
asa924-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-JUL-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4.SMP
Alert Type:
New File
File Name:
asa924-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-JUL-2015
Find additional information in Software Downloads index.

Known Bugs - ASA 5500-X Series Next-Generation Firewalls

Bug Id:
CSCtq06062
Title:
SunRPC inspection arithmetic overflow in parse_transport_address
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

* MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
* TACACS+ Authentication Bypass vulnerability
* Four SunRPC Inspection Denial of Service vulnerabilities
* Internet Locator Service (ILS) Inspection Denial of Service vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the TACACS+ authentication bypass vulnerability, the SunRPC Inspection denial of service (DoS) vulnerabilities and the ILS inspection DoS vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Status:
Other
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.25), 100.7(14.13), 100.7(18.1), 100.7(6.44), 100.7(8.34), 100.7(9.58), 100.8(0.19), 100.8(10.25), 100.8(12.26), 100.8(15.5)
Bug Id:
CSCtq57697
Title:
ILS inspection traceback on malformed ILS traffic
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

* MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
* TACACS+ Authentication Bypass vulnerability
* Four SunRPC Inspection Denial of Service vulnerabilities
* Internet Locator Service (ILS) Inspection Denial of Service vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the TACACS+ authentication bypass vulnerability, the SunRPC Inspection denial of service (DoS) vulnerabilities and the ILS inspection DoS vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(17.5), 100.7(18.1), 100.8(20.1), 100.8(21.1), 7.0(8.13), 7.2(5.4), 8.0(5.25), 8.1(2.50), 8.2(5.6), 8.3(2.23)
Bug Id:
CSCtq58884
Title:
AC 3.0x - LDAP Secondary Auth successfully connects with blank password
Description:

Symptom:
Users successfully authenticate if the Secondary Authentication type is LDAP and the password is left blank, provided the primary credentials are correct.
Conditions:
User connects to a profile with Double Authentication. Primary credentials are entered successfully and the secondary password is left blank. LDAP is used for Secondary Authentication.
Workaround:
Do not use LDAP for Secondary Authentication

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2011-2054 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.15), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(9.40), 100.8(0.10), 100.8(0.31), 100.8(10.10), 100.8(12.8)
Bug Id:
CSCts89962
Title:
SSH memory leak in ssh2_authenticate()
Description:

Symptoms:
Malformed SSH version 2 packets may cause a memory leak on a Cisco ASA configured for SSH.

Conditions:

This issue is observed on a Cisco ASA configured for SSH version 2 after it has received malformed SSHv2 packets. Successful exploitation may cause system degradation or a partial denial of service condition on an affected device.

Workaround:
The only workaround is to disable SSH version 2. Additionally, administrators can restrict SSH access to only trusted hosts by using the ''ssh'' command. To add SSH access to the ASA, use the ssh command in global configuration mode. To disable SSH access to the ASA, use the no form of this command. This command supports IPv4 and IPv6 addresses. The ''ssh ip_address'' command specifies hosts or networks that are authorized to initiate an SSH connection to the ASA. You can have multiple ''ssh'' commands in the configuration. The ''no'' form of the command removes a specific SSH command from the configuration. Use the ''clear configure ssh'' command to remove all SSH commands.

More information about SSH configuration can be found at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1561244


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:U/RC:C

CVE ID CVE-2011-3314 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.41), 100.7(14.35), 100.7(17.5), 100.7(18.4), 100.7(6.49), 100.8(0.36), 100.8(11.2), 100.8(15.11), 100.8(19.29), 100.8(2.26)
Bug Id:
CSCtr21376
Title:
DCERPC Inspection Denial Of Service Vulnerability
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.24), 100.7(14.12), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(9.56), 100.8(0.19), 100.8(10.24), 100.8(12.26), 100.8(15.5)
Bug Id:
CSCuc94818
Title:
Management session processes may hang due to environment monitoring
Description:

Symptom:

CLI sessions may hang on running "show environment" command. Home page of ASDM may display "lost connection to firewall".

Conditions:

First seen on multi-core ASA platforms running 8.4(4)9.

Workaround:

Reload the ASA.

Status:
Other
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(4.9)
Known Fixed Releases:
Bug Id:
CSCto92403
Title:
SunRPC inspection improper direction check
Description:

Symptoms:
The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that the service is running on. It does this by querying the port mapper process, usually rpcbind, on the well-known port 111.

SunRPC inspection may be bypassed when certain sequences of SunRPC packets are sent.

Conditions:
Device configured for SunRPC inspection. To display the information about the Sun RPC service table configuration, enter the show running-config sunrpc-server command. The following is sample output from the show running-config sunrpc-server command:

hostname(config)# show running-config sunrpc-server
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol UDP port 111
timeout 0:30:00
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100005 protocol UDP port 111
timeout 0:30:00

To display the pinholes open for Sun RPC services, enter the show sunrpc-server active command. The following is sample output from the show sunrpc-server active command:

hostname# show sunrpc-server active

LOCAL FOREIGN SERVICE TIMEOUT
-----------------------------------------------
1 209.165.200.5/0 192.168.100.2/2049 100003 0:30:00
2 209.165.200.5/0 192.168.100.2/2049 100003 0:30:00
3 209.165.200.5/0 192.168.100.2/647 100005 0:30:00
4 209.165.200.5/0 192.168.100.2/650 100005 0:30:00

Workaround:
No workarounds are available other than disabling SunRPC inspection if not needed.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

CVE ID CVE-2011-2571 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.26), 100.7(14.14), 100.7(18.1), 100.7(6.44), 100.8(0.20), 100.8(0.32), 100.8(10.27), 100.8(12.26), 100.8(15.5), 100.8(19.3)
Bug Id:
CSCtn80920
Title:
LDAP Authorization doesn't block AccountExpired VPN RA user session
Description:

Symptom:
Active Directory/LDAP has a user whose account has expired. When LDAP authentication is used for a VPN RA session, the session is blocked from establishing with reason=Account expired.

When LDAP authorization is being used, however, as would be the common case when using certificate authentication with LDAP authorization, the session is not blocked and is allowed to establish.

Conditions:
Active Directory/LDAP has a user whose account has expired. When LDAP authentication is used for a VPN Remote Access session, the session is not allowed to establish with reason=Account expired.

Workaround:
The Active Directory/LDAP admin needs to disable the account. In this case, LDAP authorization will block/prevent VPN RA session establishment.

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.0
Known Fixed Releases:
100.7(13.3), 100.7(14.1), 100.7(15.3), 100.7(6.38), 100.7(8.34), 100.7(9.24), 100.8(0.3), 100.8(10.3), 100.8(12.2), 100.8(2.1)
Bug Id:
CSCtx65353
Title:
ASA: 8.4 Page fault traceback while displaying "sh run threat-detection"
Description:

Symptom:

ASA may traceback in Thread Name ssh when the ''sh run threat-detection'' command is run.

Conditions:

This was observed in 8.4(2) release. The trigger is not known yet.

Workaround:

None
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.57), 100.7(18.10), 100.7(19.8), 100.8(0.61), 100.8(11.10), 100.8(14.8), 100.8(24.31), 100.8(30.6), 100.8(32.3), 100.9(0.1)
Bug Id:
CSCtw84068
Title:
DHCP Memory Allocation Denial of Service Vulnerability
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(4.5)
Known Fixed Releases:
100.7(13.54), 100.7(13.63), 100.7(14.49), 100.7(18.15), 100.7(18.6), 100.7(20.4), 100.7(6.61), 100.7(6.69), 100.8(0.57), 100.8(0.92)
Bug Id:
CSCtr21359
Title:
DCERPC Inspection Buffer Overflow Vulnerability
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.24), 100.7(13.88), 100.7(14.12), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(6.86), 100.7(9.56), 100.8(0.185), 100.8(0.19)
Bug Id:
CSCtx98456
Title:
Time-based license takes over permanent license
Description:

Symptoms:
When you activate a time-based license, the features from both the permanent and the time-based licenses combine to form the running license. It is possible for a user to increase the validity period of a time-based license by reapplying the same license on the Cisco ASA.

Conditions:
Cisco ASA with time based licenses.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4
Known Fixed Releases:
Bug Id:
CSCue59676
Title:
ASA shared port-channel subinterfaces and multicontext traffic failure
Description:

Symptom:
An ASA configured in multi context mode, with port-channels divided into subinterfaces, may experience an issue where traffic to certain contexts will fail if the port-channel has more than one active interface member.

Conditions:
To confirm you are hitting this bug, check the output of 'show controller' for each physical member of the port-channel. Affected ASAs will show only the first member in Promiscuous mode and the rest in Disabled.
The output of 'show controller' depends on the ASA platform.

Some of the platforms show the output below.

show controller GigabitEthernet 0/0 | i Promiscuous Mode
Unicast Promiscuous Mode: Enabled (5) <----
show controller GigabitEthernet 0/1 | i Promiscuous Mode
Unicast Promiscuous Mode: Disabled (0) <----

And some of the platforms show the output below.

show controller GigabitEthernet 0/0 | i RX Control
RX Control: 0x00007fff18536100 = 0x0440800a
show controller GigabitEthernet 0/1 | i RX Control
RX Control: 0x00007fff18536100 = 0x04408002

In the final hex digit of the RX Control value, the first bit of a (1010) means Promiscuous, while 2 (0010) means Not Promiscuous.

Traffic failure observed when number of MAC addresses allocated to each interface exceeded the count of RX address array.
RX address array can be seen via "show controller" output.

Workaround:
Reduce the number of contexts or subinterfaces so that the count of MAC addresses allocated to interfaces does not exceed the count of the RX address array.
Deleting the context that experiences the problem and reconfiguring it sometimes resolves the issue for that context, but the problem may then move to another context.

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(4.6), 8.4(5)
Known Fixed Releases:
100.7(13.111), 100.7(6.110), 100.8(27.63), 100.8(50.35), 100.9(0.35), 100.9(4.5), 100.9(6.10), 100.9(7.9), 100.9(8.1), 8.4(5.7)
Bug Id:
CSCtx36026
Title:
VPN session failure due to auth handle depletion
Description:

Symptoms:
In an IPsec remote access environment, the ASA headend device may fail to properly clean up auth handles during IKE negotiation when it receives a mode config request while it is expecting an xauth reply. This can subsequently cause new VPN sessions to fail to establish because the session limit is exceeded.

Conditions:
This problem occurs when the VPN peer device incorrectly sends mode config request instead of xauth reply.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(2.9)
Known Fixed Releases:
100.7(13.52), 100.7(14.47), 100.7(17.13), 100.7(18.5), 100.7(6.59), 100.8(0.53), 100.8(11.6), 100.8(14.4), 100.8(15.22), 100.8(19.64)
Bug Id:
CSCub75522
Title:
ASA TFW sends broadcast arp traffic to all interfaces in the context
Description:

Symptom:
An Adaptive Security Appliance (ASA) allows certain traffic to traverse all the interfaces in a context.
Conditions:
Multiple context ASA
ASA in Transparent Mode
First found in ASA code 8.4.3(11) but may affect previous versions.
Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/2.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(3.11)
Known Fixed Releases:
100.7(13.99), 100.7(24.2), 100.7(6.96), 100.8(0.237), 100.8(11.39), 100.8(27.20), 100.8(33.23), 100.8(34.1), 100.8(38.1), 100.8(39.1)
Bug Id:
CSCtr47517
Title:
Protocol-Independent Multicast Denial of Service Vulnerability
Description:

Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) are affected by the following vulnerabilities:

Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
Cisco ASA Threat Detection Denial of Service Vulnerability
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
Protocol-Independent Multicast Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate some of the vulnerabilities.
This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

Note: this bug (CSCtr47517) corresponds to

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
100.7(13.24), 100.7(14.13), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(8.34), 100.7(9.57), 100.8(0.19), 100.8(0.31), 100.8(10.25)
Bug Id:
CSCtr95843
Title:
TACACS+ Authentication Bypass Vulnerability
Description:

Symptoms:
This bug addresses an enhancement on the TACACS implementation of the Cisco ASA to avoid a potential bypass of TACACS authentication.

Conditions:
No confirmation of exploitability or attack for this issue.


Workaround:
Not applicable.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.31), 100.7(14.22), 100.7(18.2), 100.7(6.44), 100.8(0.25), 100.8(10.36), 100.8(12.32), 100.8(15.6), 100.8(19.14), 100.8(2.14)
Bug Id:
CSCtr21346
Title:
DCERPC Inspection Denial Of Service Vulnerability
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the
following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected
device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution
of arbitrary commands.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities
listed above.
A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.24), 100.7(14.12), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(9.56), 100.8(0.19), 100.8(10.24), 100.8(12.26), 100.8(15.5)
Bug Id:
CSCtq10441
Title:
UDP inspection engines denial of service vulnerability
Description:



Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) are affected by the following
vulnerabilities:

Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
Cisco ASA Threat Detection Denial of Service Vulnerability
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
Protocol-Independent Multicast Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate some of the vulnerabilities.
This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

Note: The Cisco Catalyst 6500 Series Firewall Services Module (FWSM) may be affected by some of the vulnerabilities above.
A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-fwsm

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.1(2), 8.2(3), 8.2(4)
Known Fixed Releases:
100.7(13.15), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(8.34), 100.7(9.42), 100.8(0.10), 100.8(0.31), 100.8(10.10)
Bug Id:
CSCtx42746
Title:
cut through proxy authentication vulnerability
Description:

Symptom:

When a user tries to connect to an HTTP resource behind the firewall, the firewall intercepts the
connection and prompts the user to enter credentials on an HTTP page. The URL of this page
contains a session ID.

Conditions:

Requires http cut through proxy authentication using the http listener:

aaa authentication match
aaa authentication listener http port http redirect

Seen on all versions.

Workaround:

Do not use the http listener authentication method.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2012-0335 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
7.2(5), 8.2(5), 8.4(2)
Known Fixed Releases:
100.7(13.57), 100.7(18.9), 100.7(19.8), 100.7(6.62), 100.8(0.61), 100.8(11.9), 100.8(14.7), 100.8(24.31), 100.8(30.5), 100.8(32.3)
Bug Id:
CSCuu73694
Title:
ASA Traceback in Thread Name: Dispatch Unit
Description:

Symptom:
The ASA unexpectedly crashes with "Thread Name: Dispatch Unit".

Conditions:
unknown

Workaround:
There is no workaround at this time.

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(7.23)
Known Fixed Releases:
Bug Id:
CSCti06454
Title:
ASA Session ID Passed in URL as GET Request (webvpn_state)
Description:

Symptom:
Security tool reports that the session ID, "webvpn_state", is stored in the HTML of the application and
passed in the URL as variable "v=" during GET requests (as seen in the request below). A session ID is
designed for the web server and application to identify a user for a single authenticated session.

This is a false positive and not a vulnerability in Cisco ASA.

Workaround:
Not applicable

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
Bug Id:
CSCtz88975
Title:
IPv6 ACLs can be bypassed with crafted packets
Description:

Symptoms:
IPv6 packets can be crafted to bypass layer 4 IPv6 ACLs. The packets must contain one or more unknown extension headers.

Conditions:
Default configuration.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(4.247)
Known Fixed Releases:
Bug Id:
CSCuj83344
Title:
ASA cifs share enumeration DOS vulnerability
Description:

Symptom:
A vulnerability in WebVPN CIFS access function of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, remote attacker to trigger a reload of the affected device.

Conditions:
ASA running version 9.0(3) with CIFS enabled and configured to enumerate root share locations.

Workaround:
Specify the share directory in the bookmark to reduce the enumeration of multiple shares, i.e. cifs://

/share

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
CVE ID CVE-2013-6691 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6691

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.0(3)
Known Fixed Releases:
100.10(0.54), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.127), 100.8(38.83), 100.8(40.53), 100.8(46.59), 100.8(51.15), 100.8(56.1)
Bug Id:
CSCtc59462
Title:
Traceback in thread name: ssh
Description:

Symptom:
A Cisco ASA may crash with a traceback in the SSH process.

Conditions:
ASA with 2 SSH sessions that are active to the ASA console. One of the SSH
sessions reaches the idle timeout, while some config changes are made on the
other session.

Workaround:
None


Further Problem Description:
The impact to the failover pairs is minimal and the pair will switch over to be
available for traffic.

The backport of this fix to the 8.2 train was deemed too risky for that train. However, we have not had any reports of this crash from customers running 8.2 at the moment of publication. Nevertheless, customers running version 8.2 are recommended to migrate to 8.4 to fix this issue.



PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 6.3/4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVE ID CVE-2012-5717 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at
the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.0(4.100), 8.2(2), 8.3(2.25)
Known Fixed Releases:
100.7(0.49), 100.7(5.15), 100.7(6.6), 100.7(8.1), 100.7(9.1), 8.4(0.99), 8.4(1), 8.5(0.99), 8.5(1), 8.6(0.0)
Bug Id:
CSCsz21934
Title:
ASA AAA should treat RA username as case-insensitive
Description:

Symptom:
Session management in ASA does case-sensitive string comparisons. If the AAA server treats
usernames as case-insensitive (e.g. RADIUS/ACS), then users can log on multiple times with the
same username and different capitalization, regardless of the vpn-simultaneous-logins setting.

Conditions:
ASA using external AAA server that treats username as case-insensitive.

Workaround:

Use a AAA server that differentiates between same usernames with different capitalizations.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 4.0/3.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C

CVE ID CVE-2011-2554 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.8(0.52), 100.8(0.55), 100.8(11.6), 100.8(11.7), 100.8(14.4), 100.8(15.21), 100.8(15.22), 100.8(19.63), 100.8(24.23), 100.8(24.26)
Bug Id:
CSCtl67486
Title:
ASA MSN inspection causes Watchdog
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst
6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

* MSN Instant Messenger (IM) Inspection Denial of Service
vulnerability
* TACACS+ Authentication Bypass vulnerability
* Four SunRPC Inspection Denial of Service vulnerabilities
* Internet Locator Service (ILS) Inspection Denial of Service
vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this advisory.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the
TACACS+ authentication bypass vulnerability, SunRPC Inspection denial
of service (DoS) vulnerabilities and ILS inspection DoS vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.3(2.6)
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.24), 100.7(8.16), 100.7(9.5), 7.2(5.3), 8.0(5.25), 8.1(2.50)
Bug Id:
CSCum12183
Title:
ASA Ver 8.4(6)6 traceback with Thread Name: DATAPATH-2-1145
Description:

Symptom:
An ASA firewall running version 8.4(6)6 generates a traceback in thread DATAPATH-2-1145.

Conditions:
ASA running version 8.4(6)6 in a VPN environment with failover configured.

Workaround:
None

Further Problem Description:
None

Status:
Other
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(6.6)
Known Fixed Releases:
Bug Id:
CSCts39634
Title:
Syslog Message 305006 Denial of Service Vulnerability
Description:


Symptom:


Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) are affected by the following
vulnerabilities:

Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
Cisco ASA Threat Detection Denial of Service Vulnerability
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
Protocol-Independent Multicast Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

Note: this bug (CSCts39634) corresponds to ''Cisco ASA Syslog Message 305006 Denial of Service Vulnerability'' in the above Cisco Security
Advisory. Original Release Notes for this bug follow, but refer to the above Cisco Security Advisory for additional information.
Conditions:
See PSIRT Security Advisory.

Workaround
See PSIRT Security Advisory.

Further Problem Description:
See PSIRT Security Advisory.

PSIRT Evaluation:
Cisco has released free software updates that address this vulnerability.
Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html



Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(2), 8.4(2.190)
Known Fixed Releases:
100.7(13.31), 100.7(14.20), 100.7(18.2), 100.7(6.44), 100.7(8.34), 100.8(0.24), 100.8(10.34), 100.8(12.31), 100.8(15.5), 100.8(19.11)
Bug Id:
CSCtn29288
Title:
TCP Split Handshake Investigation
Description:

Summary:
This bug is to investigate and track the TCP Split Handshake attack discovered and reported by NSS Labs.

Cisco PSIRT is aware of the report and has been working with NSS for several months, and in that time has been unable to reproduce and
confirm any new security vulnerabilities in Cisco products. PSIRT will disclose any security vulnerabilities discovered in compliance with
Cisco's security vulnerability policy:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

As a matter of policy, Cisco takes security vulnerabilities very seriously and we continue to take active measures to safeguard the security and
reliability of our equipment. Cisco has been working with NSS Labs on the TCP split handshake spoof since early this year. In this time we have
been unable to confirm any new security vulnerabilities in Cisco products, and have demonstrated the Cisco ASA protects against this attack. The
Cisco PSIRT continues to work with NSS Labs, and will follow our well-established disclosure process should any new information come to light.

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.3(2)
Known Fixed Releases:
Bug Id:
CSCtv19854
Title:
Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition for user
Description:

Symptom:
Incorrect MPF connection counts can cause %ASA-3-201011 Connection limit exceeded messages and lead to DoS condition for users.

It was noticed that when TCP connections time out, the ''current conns'' MPF counter is not decremented if those TCP connections were created
while TCP Intercept was active on the ASA.
The ''current conns'' counter accumulates and this eventually leads to inevitable DoS condition for users, provided that ''set connection conn-max'' or
''set connection per-client-max'' is configured. For example:

policy-map outside-policy
class outside-class-test
set connection conn-max 30000 embryonic-conn-max 50 per-client-max 100 per-client-embryonic-max 10
set connection timeout embryonic 0:00:05 half-closed 0:05:00 idle 0:15:00 reset dcd 0:05:00 2

And

show conn count
9020 in use, 24050 most used

%ASA-3-201011: Connection limit exceeded 30000/30000 for input packet from 172.x.x.x/50342 to 10.1.8.91/4000 on interface outside

Conditions:
This defect was found in an 8.4 ASA interim release. Other versions are also affected.

Workaround:
None. With ''set connection conn-max'' all traffic that goes into the MPF class is affected. With ''set connection per-client-max'' only specific senders
are affected.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-0378 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(2), 8.4(2.8)
Known Fixed Releases:
100.7(13.47), 100.7(13.65), 100.7(14.42), 100.7(17.12), 100.7(18.4), 100.7(18.9), 100.7(19.8), 100.7(6.55), 100.7(6.62), 100.8(0.46)
Bug Id:
CSCts58501
Title:
SSH Incorrect length check in ssh_application_processing()
Description:

Symptoms:
Certain SSH version 2 packets may cause a memory leak on a Cisco ASA configured for SSH. Authentication is needed in order to exploit this
vulnerability.

Conditions:

This issue is observed on a Cisco ASA configured for SSH version 2 after it has received malformed SSHv2 packets. Successful exploitation may
cause system degradation or a denial of service condition on an affected device.

Workaround:
The only workaround is to disable SSH version 2. Additionally, administrators can restrict SSH access to trusted hosts only by using the ''ssh''
command. To add SSH access to the ASA, use the ssh command in global configuration mode. To disable SSH access to the ASA, use the no form of
this command. This command supports IPv4 and IPv6 addresses. The ''ssh ip_address'' command specifies hosts or networks that are authorized to
initiate an SSH connection to the ASA. You can have multiple ''ssh'' commands in the configuration. The ''no'' form of the command removes a
specific SSH command from the configuration. Use the ''clear configure ssh'' command to remove all SSH commands.

More information about SSH configuration can be found at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1561244

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2011-3311 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.41), 100.7(14.35), 100.7(17.5), 100.7(18.4), 100.7(6.49), 100.8(0.36), 100.8(11.2), 100.8(15.11), 100.8(19.29), 100.8(2.26)
Bug Id:
CSCtn62697
Title:
ACL bypassed when NAT/PAT is configured on external interface
Description:

Symptoms:
Customer reports that ACLs are bypassed when NAT/PAT is configured on the external interface. The TAC filed this bug to track this issue. After
further troubleshooting with the development team, it was found that this was a misconfiguration.

Conditions:
Cisco ASA with default configuration.
Not a bug - false positive.

Workaround:
Not applicable.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(3)
Known Fixed Releases:
Bug Id:
CSCtx38105
Title:
DTLS session may flap due to malformed packets
Description:

Symptom:

Upon receiving malformed packets the ASA may drop the DTLS session for a
user connected via AnyConnect.
The overall TLS channel is not affected and stays up.

Conditions:

Users connect to the ASA using AnyConnect with DTLS.

Workaround:

none
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-0336 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4
Known Fixed Releases:
100.7(13.93), 100.7(6.88), 100.8(0.201), 100.8(11.31), 100.8(27.19), 100.8(34.1), 100.8(35.3), 100.8(36.1), 100.9(0.1), 100.9(3.2)
Bug Id:
CSCuc63592
Title:
HTTP inspection matches incorrect line when using header host regex
Description:

Symptom:
HTTP inspection policies that are configured based on a host line in the HTTP header may not operate as expected if there are multiple header
lines that contain the 'Host:' substring.

Conditions:
This has been seen on all current builds of ASA code. Please refer to the bug details for fixed version info.

Workaround:
Ensure there are no similar header fields in the HTTP traffic.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:U/RC:C
CVE ID CVE-2012-5413 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5), 8.4(4.5)
Known Fixed Releases:
100.7(13.105), 100.7(6.104), 100.8(0.243), 100.8(11.43), 100.8(27.20), 100.8(33.28), 100.8(34.1), 100.8(38.3), 100.8(39.1), 100.9(0.6)
Bug Id:
CSCtr79885
Title:
ASA with VoIP memory leak 1% per day on binsize 56
Description:

Symptom:
Free memory decreases 1% per day

Conditions:
ASA 8.2 handling VoIP
Binsize 56 taking the memory

Workaround:
Proactively reboot the ASA when used memory reaches 80-85%.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C

CVE ID CVE-2012-5033 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
100.7(13.73), 100.7(6.78), 100.8(0.126), 100.8(11.20), 100.8(27.7), 100.8(33.3), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.30)
Bug Id:
CSCug83080
Title:
Cross-site scripting vulnerability
Description:

Symptom:
It's possible to embed a script as an HTTP parameter. The script will be
present in a response and executed by the user's web browser.

Conditions:
SSL VPN is enabled.

Workaround:
None.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C

CVE ID CVE-2013-3414 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.7(6.119), 100.8(27.84), 100.8(38.21), 100.8(40.10), 100.8(41.2), 100.8(60.26), 100.9(0.53), 100.9(10.1), 100.9(6.28), 100.9(7.33)
Bug Id:
CSCud20104
Title:
ASA Traceback, appears related to reporting threat-detection metrics
Description:

Symptom:
-- ASA traceback/crash, appears related to reporting threat-detection metrics to the ASDM

Conditions:
-- ASA5580-40 failover pair in active-standby mode
-- 8.4.3.3

Workaround:
-- unknown
-- could try disabling ''asdm history enable'' or ''threat-detection stat tcp-intercept''

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(3.3)
Known Fixed Releases:
Bug Id:
CSCue31622
Title:
Secondary Flows Lookup Denial of Service Vulnerability
Description:

Symptoms:
The ASA may crash or show high CPU

Conditions:
This is due to an inefficient lookup within the connection table when the ASA is dealing with secondary flows. This usually happens for flows
that have been inspected and need to open a secondary connection.
The crash or high CPU is usually experienced on the standby device in a high-availability setup; however, under rare circumstances it could be
experienced on the active device.

Workaround:
None
Further Problem Description:

A vulnerability in the code that executes lookup of secondary flows within the connections table of the Cisco ASA could allow an unauthenticated,
remote attacker to cause high CPU and potentially lead to the reload of the affected system.

The vulnerability is due to a race condition when a non-optimal lookup of the hash of a secondary flow within the connection table is performed
on the affected system. An attacker could exploit this vulnerability by creating several connections that will result in multiple secondary flows
passing through and being inspected by the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5415 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-5415

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(3), 8.4(4.5), 8.4(5)
Known Fixed Releases:
100.7(13.111), 100.7(6.113), 100.8(27.63), 100.8(50.39), 100.9(0.35), 100.9(4.5), 100.9(6.11), 100.9(7.19), 100.9(8.1), 8.4(5.99)
Bug Id:
CSCtn69856
Title:
Memory Block Leak Denial of Service Vulnerability
Description:

Symptom:
A vulnerability exists within the IPsec error handling code of Cisco ASA where a remote authenticated attacker may be able to trigger a memory
block leak by sending crafted fragmented packets.


Conditions:
ASA configured with IPsec and IPsec tunnel active

Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5047 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(4), 8.4(1)
Known Fixed Releases:
100.7(13.89), 100.7(6.86), 100.8(0.192), 100.8(11.30), 100.8(27.19), 100.8(33.13), 100.8(34.1), 100.8(35.2), 100.8(36.1), 100.9(0.1)
Bug Id:
CSCum00360
Title:
ASA - DHCP Discover Sent out during boot process
Description:

Symptom:
On the ASA 5500-X platform the second highest port will send out a DHCP Discover request during the pre-boot process from IPMI. If a DHCP server responds, the ASA will
obtain the offered IP, but it will not be visible in the running configuration. However, users able to connect to this IP address can potentially shut down the device or cause it to
reload. An attacker needs to be layer-2 adjacent to the device in order to hijack the DHCP request.

Conditions:
Cisco ASA 5500-X during the pre-boot process from IPMI.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/3.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID TBD has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.6(1.5)
Known Fixed Releases:
100.10(0.96), 100.10(12.8), 100.10(17.1), 100.10(2.19), 100.10(7.12), 100.11(0.7), 100.11(3.4), 100.11(5.4), 100.11(6.1), 100.8(40.69)
Bug Id:
CSCub61578
Title:
ASA: Assert traceback in PIX Garbage Collector with GTP inspection
Description:

Symptom:

Under rare circumstances, the ASA may generate a traceback in the PIX Garbage Collector thread and reload. The traceback will contain the
following message:

assertion ''0'' failed: file ''malloc.c'', line 5804

Conditions:

The ASA must be configured for GTP inspection and be actively passing GTP traffic.

Workaround:

Disable GTP inspection.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-3945 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5.31), 8.4(4.4)
Known Fixed Releases:
100.7(13.109), 100.7(6.105), 100.8(27.26), 100.8(34.1), 100.8(38.4), 100.8(50.8), 100.9(0.15), 100.9(4.1), 8.2(5.36), 8.4(5.4)
Bug Id:
CSCud69782
Title:
ASA high cpu vulnerability with cut-through proxy
Description:

Symptom:
High CPU utilization is observed on the ASA when forwarding many HTTPS sessions between two hosts.

Conditions:

The issue only appears when source IP is a part of cut-through proxy ACL.

Workaround:
Exclude source IP address from cut-through proxy ACL

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-6393 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(4.5)
Known Fixed Releases:
Bug Id:
CSCtu39200
Title:
ASA traceback in emweb/https while bringing up many webvpn sessions
Description:

Symptom:
A Cisco Adaptive Security Appliance (ASA) may crash in emweb/https while bringing up many webvpn clients.
Conditions:
Many client sessions were being initiated at the same time.
Workaround:
None at this time.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/4.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVE ID CVE-2012-5994 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(1), 8.3(1), 8.4(2.5), 8.4(2.9)
Known Fixed Releases:
100.7(13.44), 100.7(14.38), 100.7(17.8), 100.7(18.4), 100.7(6.52), 100.8(0.42), 100.8(0.54), 100.8(0.55), 100.8(11.4), 100.8(11.6)
Bug Id:
CSCuc83323
Title:
XSS in SSLVPN
Description:

Symptoms:
The ASA does not properly perform input validation on some WebVPN pages. This may allow an unauthenticated attacker to perform cross-site
scripting attacks using these pages.
Conditions:
None.
Workaround:
None.
Further Problem Description:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C
CVE-2011-5752 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.6(1)
Known Fixed Releases:
100.7(13.106), 100.7(6.104), 100.8(0.244), 100.8(11.48), 100.8(27.20), 100.8(33.29), 100.8(34.1), 100.8(38.1), 100.8(39.2), 100.9(0.6)
Bug Id:
CSCua16597
Title:
Webvpn: RDP ActiveX plugin causes high cpu with IE
Description:

Symptom:
RDP from the webvpn portal causes IE to consume 90-100% cpu utilization on the client computer.

Conditions:
This is observed after a software upgrade on the ASA to 8.4(3)9, which uses a newer version of cscopf.ocx (3.1.0.3)

Workaround:
Switch to using the Java-based RDP plugin with IE instead of the ActiveX one, or use a Java-based browser (FF or Chrome).

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5.29), 8.4(3.9)
Known Fixed Releases:
100.7(13.85), 100.7(23.1), 100.7(6.84), 100.8(0.173), 100.8(11.27), 100.8(27.19), 100.8(33.10), 100.8(34.1), 100.8(35.1), 100.8(36.1)
Bug Id:
CSCue88386
Title:
Cisco ASA-CX TCP Traffic Denial of Service Vulnerability
Description:

Symptoms:
A vulnerability in TCP traffic processing on Cisco ASA-CX could allow an unauthenticated, remote attacker to cause a reload of the affected device.

The vulnerability is due to invalid parsing of TCP packet data forwarded to Cisco ASA-CX by the Cisco ASA. An attacker could exploit this vulnerability
by sending specific TCP traffic to be processed by the ASA-CX.

Conditions:
Under very specific conditions that require ASA-CX to process traffic forwarded by Cisco ASA, certain TCP packets may cause a reload of the
affected module.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
5.4/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C
CVE ID CVE-2013-1203 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1203

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.10(0.6), 100.8(27.83), 100.8(38.19), 100.8(40.7), 100.8(41.2), 100.8(60.16), 100.9(0.48), 100.9(10.2), 100.9(6.24), 100.9(7.26)
Bug Id:
CSCta02170
Title:
ASA5550 or ASA with 4GE-SSM may crash due to block corruption
Description:

Symptom:

ASA reloads due to block corruption.

Conditions:

ASA5550 or ASA with 4GE I/O module running 8.2.1 code and using interfaces in slot 0 and slot 1.

Workaround:

Do not use interfaces in slot 1 since this triggers the problem.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5726 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.3(0.10), 100.3(0.13), 100.4(0.18), 8.2(1.100), 8.2(1.102), 8.2(1.12), 8.2(4), 8.3(0.0)
Bug Id:
CSCth34278
Title:
Clientless WebVPN Memory Leak Causes Blank Page after Authentication
Description:

Symptom:


ASA memory used increments slowly over weeks leading up to the problem;
at the time of the problem, typical memory usage is 50MB more than after a reload.

Conditions:

Webvpn must be enabled and in use. The memory leak does not affect AnyConnect
VPN sessions.

Workaround:

None. Reloading the ASA may clear up the memory allocation.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-2474 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at
the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(2.12), 8.2(3), 8.3
Known Fixed Releases:
100.7(13.17), 100.7(14.4), 100.7(16.1), 100.7(17.5), 100.7(18.1), 100.7(6.43), 100.7(9.48), 100.8(0.14), 100.8(15.5), 100.8(19.1)
Bug Id:
CSCts85969
Title:
ASA reloads with nested traceback in thread name CP Midpath Processing
Description:

Symptom:

ASA may reload with a nested traceback in thread name CP Midpath Processing.

Conditions:

ASA running 8.x code with webvpn enabled.

Workaround:

Disable Webvpn

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(3)
Known Fixed Releases:
Bug Id:
CSCug91577
Title:
ASA 9.1.1.7 crash Thread Name: Unicorn Proxy Thread
Description:

Symptom:
A vulnerability in the WebVPN functionality of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, remote attacker to cause an
affected device to crash.

The vulnerability is due to a fault in the Proxy Bypass Content Rewriter implementation. An attacker could exploit this vulnerability by
performing an HTTP request that triggers content rewriting. Depending on the configuration, a successful exploit could allow the attacker to
cause the appliance to crash or trigger an error recovery event.

When the ASA crashes it will be on Thread Name: Unicorn Proxy Thread

Conditions:
Using webvpn with content rewrite configuration

Workaround:
If WebVPN error recovery is enabled, the ASA does not crash but logs a webvpn recovery event instead. Workaround configuration:

webvpn
no error-recovery disable

Further Problem Description:
This vulnerability does not affect 8.x software versions.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVE ID CVE-2013-5557 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.1(1.7)
Known Fixed Releases:
100.10(0.6), 100.8(27.84), 100.8(38.18), 100.8(40.8), 100.8(41.2), 100.8(60.18), 100.9(0.48), 100.9(10.1), 100.9(6.28), 100.9(7.26)
Bug Id:
CSCua27134
Title:
Traceback in Thread Name: Dispatch Unit
Description:

Summary
Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) and Cisco Catalyst 6500 Series ASA Services Module (Cisco ASASM) contain a
vulnerability that may allow an unauthenticated, remote attacker to cause the reload of the affected device.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-asaipv6

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-3058 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(3), 8.4(3.9), 8.4(4)
Known Fixed Releases:
100.7(13.84), 100.7(21.9), 100.7(23.1), 100.7(6.83), 100.8(0.170), 100.8(11.26), 100.8(27.19), 100.8(33.10), 100.8(34.1), 100.8(35.1)
Bug Id:
CSCtz97298
Title:
ASA may traceback in thread netfs_thread_init
Description:

Symptom:

ASA may crash in thread name netfs_thread_init

Conditions:

This can happen only via webvpn while a user executes some SMB operations.

Workaround:

none
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2012-3061 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5.26)
Known Fixed Releases:
Bug Id:
CSCtz40094
Title:
ASA 8.2.5.27 secondary traceback after the upgrade - Thread Name: snmp
Description:

Symptom:
The Cisco Adaptive Security Appliance 5580 may experience a crash in thread name 'snmp'

Conditions:
ASA5580 running images 8.2.5.27 or 8.4.3.12 and configured with SNMP

Workaround:
None

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-4625 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
100.8(0.120), 8.2(5.27), 8.4(3.12)
Known Fixed Releases:
100.7(13.76), 100.7(6.79), 100.8(0.136), 100.8(11.21), 100.8(27.7), 100.8(33.5), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.30)
Bug Id:
CSCuc71272
Title:
SIP sessions cause CPU hogs and high CPU on standby ASA
Description:

SYMPTOM:

CPU on standby ASA spikes to 100%

CONDITIONS:

Large number of SIP sessions through ASA to multiple destination IP addresses

WORKAROUND:

Use an inspection policy to limit the number of conns for SIP traffic

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.0/4.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-5415

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
Bug Id:
CSCut42790
Title:
ASA 9.3(2)+ high CPU utilization due to _fini function
Description:

Symptom:
High CPU utilization on ASA.
Sometimes utilization keeps growing over time up to 100%.

Conditions:
ASA running software 9.3(2) or later with failover enabled.

Workaround:
The following workaround has been observed to bring CPU utilization down.

ASA(config)# no threat-detection basic-threat
ASA(config)# no threat-detection statistics

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Bug Id:
CSCtn90643
Title:
Traceback while replicating xlates on standby
Description:

Symptom:
Standby ASA has problems replicating NAT pool xlates and then tracebacks.

Conditions:
Cisco ASA 5585 running release 8.4.1. Large number of nat translations and heavy load of TCP and UDP data connections on active unit.

Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-5420 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.1), 100.7(13.3), 100.7(14.1), 100.7(15.1), 100.7(15.3), 100.7(6.33), 100.7(6.38), 100.7(8.26), 100.7(8.34), 100.7(9.18)
Bug Id:
CSCud16590
Title:
ASA may traceback in thread emweb/https
Description:

Summary

Cisco ASA Software is affected by the following vulnerabilities:

IKE Version 1 Denial of Service Vulnerability
Crafted URL Denial of Service Vulnerability
Denial of Service During Validation of Crafted Certificates
DNS Inspection Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by some of
the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco
FWSM. This advisory is available at

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-fwsm

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C

CVE ID CVE-2013-1150 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases:
100.7(13.108), 100.7(6.104), 100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.3), 100.9(0.6), 7.2(5.9), 8.0(5.29)
Bug Id:
CSCtz79983
Title:
Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition
Description:

Symptom:
ASA generates the syslog below:

ASA-3-201011: Connection limit exceeded 4714/7500 for input packet from x.x.x.x/49777 to xxxx/443 on interface outside

Policy-map is configured to limit max connections

policy-map outside-policy
class outside-class
set connection conn-max 7500 embryonic-conn-max 500


service-policy outside-policy interface outside


3300 in use, 10248 most used

Conditions:

Policy-map configured to limit max connection,

set connection conn-max 7500 embryonic-conn-max 500


Workaround:

None
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(3.1)
Known Fixed Releases:
100.7(13.83), 100.7(13.94), 100.7(21.8), 100.7(6.82), 100.7(6.90), 100.8(0.163), 100.8(0.210), 100.8(11.25), 100.8(11.33), 100.8(27.19)
Bug Id:
CSCug33233
Title:
Cisco ASA Management Connections Denial of Service
Description:

Symptoms:
ASA becomes unresponsive to management connections. This includes management over SSH, Telnet and HTTP(S).

Conditions:
This is seen when management traffic is allowed on more than one interface (e.g. inside and outside) and, on one of these interfaces, management
connections are allowed via VPN tunnel.

Workaround:
none

Further Problem Description:
A vulnerability in the code of the function that creates management flows of the Cisco ASA Software could allow an unauthenticated, remote
attacker to cause the affected system to become unresponsive to management session requests over SSH, Telnet and HTTP(S).

The vulnerability is due to a memory leak when the management flow is created. An attacker could exploit this vulnerability by creating several
management session requests.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2013-6707 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6707

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.0(2), 9.1(1)
Known Fixed Releases:
100.10(0.9), 100.10(1.10), 100.8(27.89), 100.8(38.30), 100.8(40.20), 100.8(41.2), 100.8(60.37), 100.9(10.4), 100.9(6.35), 9.0(3.100)
Bug Id:
CSCue34342
Title:
Cisco ASA IPv6 NAT Denial of Service Vulnerability
Description:

Symptoms:
ASA crash in thread name DATAPATH-0-1162

Conditions:
NAT66 or NAT64 is configured

Workaround:
none

Further Problem Description:
A vulnerability in the function performing IP Version 6 Network Address Translation (NAT) of the Cisco ASA Software could allow an unauthenticated,
remote attacker to cause a reload of an affected system.

The vulnerability is due to improper implementation of the logic that performs the NAT when the Cisco ASA is configured for NAT64 or NAT66.
This vulnerability can be triggered only under specific configuration.
An attacker could exploit this vulnerability by sending packets through the affected system that would hit one of the NAT rules. An exploit could
allow the attacker to cause the reload of an affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5560 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5560

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.10(0.9), 100.10(1.1), 100.7(13.116), 100.7(6.122), 100.8(27.63), 100.8(27.89), 100.8(38.29), 100.8(40.18), 100.8(41.2), 100.8(50.29)
Bug Id:
CSCum46027
Title:
Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3382 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
100.10(9.6), 100.7(6.130), 100.8(38.126), 100.8(40.64), 100.8(56.32), 100.8(63.2), 100.8(64.6), 100.8(65.4), 100.8(66.7), 7.2(5.13)
Bug Id:
CSCuh27912
Title:
ASA does not obfuscate aaa-server key when timeout is configured.
Description:

Symptom:
The ASA isn't obfuscating passwords when timeout is configured before the aaa-server key command.

Conditions:
The timeout is configured in the aaa-server host command.

Workaround:
none.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.20), 100.8(40.9), 100.8(41.2), 100.8(60.23), 100.9(0.51), 100.9(10.1), 100.9(6.28)
Bug Id:
CSCty18976
Title:
ASA sends user passwords in AV as part of config command authorization.
Description:

Symptom:
User passwords appear in ACS logs.

Conditions:
A Cisco ASA configured with AAA TACACS config command authorization transmits the user password, as entered in any config CLI command that requires both the username and password, in the command authorization AVs sent as part of the command authorization request.

Example of CLI commands:
username <name> password <password>

The password is sent as part of the data for config command authorization.

Workaround:
Disable configuration command authorization.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(0)
Known Fixed Releases:
100.7(13.101), 100.7(13.102), 100.7(6.100), 100.7(6.101), 100.7(6.102), 100.8(0.240), 100.8(11.39), 100.8(11.40), 100.8(27.20), 100.8(33.24)
Bug Id:
CSCua76991
Title:
9K block exhaustion after 1 M PPS for any CP based inspect packet
Description:

Symptoms:
9K block exhaustion after sending 1M PPS SIP messages to port 5060
Conditions:
1 M PPS SIP UDP traffic.
Workaround:
None

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
01-JUL-2015
Known Affected Releases:
8.5(1.220)
Known Fixed Releases:
8.5(1.221)
Bug Id:
CSCsw31799
Title:
ASA traceback in thread Checkheaps due to tacplus_snd stack overflow
Description:

Symptom:
The ASA may reload when communicating with a TACACS server due to a stack overflow in the tacplus_snd thread.

Conditions:
The ASA must be configured to communicate with an external AAA server for authentication via TACACS.

Workaround:
none
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.0(4), 8.0(4.16), 8.0(4.17), 8.0(4.8), 8.4
Known Fixed Releases:
7.0(8.5), 7.1(2.81), 7.2(4.22), 8.0(4.18), 8.0(5), 8.1(2.8), 8.2(0.190)
Bug Id:
CSCuc11186
Title:
ARP: Proxy IP traffic is hijacked.
Description:

Symptoms:
In certain conditions, the ASA does not check the source of ARP request or gratuitous ARP (GARP) packets for addresses it performs NAT translation for. The proxy-ARP cache may thus get polluted, causing traffic hijacking for addresses the ASA does NAT for.
Conditions:
Configured NAT on the ASA for which it performs proxy-arp.
Workaround:
None
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.8/4.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:P/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-5010 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(4)
Known Fixed Releases:
Bug Id:
CSCua12667
Title:
fail-close option fails to drop TCP conns when CX service is stopped
Description:



Symptoms:
When an ASA CXSC fails or is stopped, TCP traffic may continue to pass through the ASA under certain circumstances, even though fail-close is configured.

Conditions:
This has been experienced with TCP traffic (i.e., HTTP, FTP, SSH, etc.). All other traffic is denied successfully.

Workaround:
The only workaround is for an administrator to configure an ACL on the ASA to drop the packets, or to take any other action to recover the ASA CXSC.


PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(4)
Known Fixed Releases:
100.7(13.82), 100.7(21.8), 100.7(6.82), 100.8(0.159), 100.8(11.25), 100.8(27.19), 100.8(33.9), 100.8(34.1), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCti24526
Title:
Flood of random IPv6 router advertisements causes high CPU and DoS
Description:

Symptoms:

A flood of random IPv6 router advertisements easily causes 100% CPU utilization, which ultimately results in 100% loss of packets routed through the ASA and other system instabilities.

Conditions:

ASA is configured with 'ipv6 address autoconf'.

Workarounds:

Disabling IPv6 auto-configuration avoids the issue.

Further Information:

The ASA checks the hop limit field in incoming Neighbour Discovery messages, and packets received with a hop limit not equal to 255 are discarded. This means that the flood of ND messages has to come from a host that is directly connected to the ASA.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2010-4670 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
7.2, 8.0(4.33), 8.2(2.17)
Known Fixed Releases:
100.5(5.38), 100.7(0.50), 100.7(5.16), 100.7(8.1), 7.0(8.12), 7.2(5.2), 8.1(2.48), 8.2(3.102), 8.2(3.4), 8.2(4)
Bug Id:
CSCtx98905
Title:
ASA traceback with Thread Name: dhcp_daemon
Description:

Symptom:

ASA is crashing multiple times a day. The same crash was seen on both the primary and secondary ASA. The crash is in thread dhcp_daemon.

Conditions:

ASA is doing dhcp relay with setroute option.

Workaround:

1) Disable setroute
2) Configure the route option on the DHCP server (the ASA will overwrite it via setroute)
3) Disable DHCP relay and use the internal DHCP server

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5732 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5), 8.5(1.7)
Known Fixed Releases:
100.7(13.79), 100.7(21.7), 100.7(6.80), 100.8(0.148), 100.8(11.23), 100.8(27.19), 100.8(33.7), 100.8(34.1), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCtk55047
Title:
ASA Crashes in ctm_verify_signature operation
Description:

Symptom:
A Cisco Adaptive Security Appliance (ASA) may experience a crash when an AnyConnect connection is being established.
Conditions:
Large CRL being downloaded during connection establishment.
Workaround:
None known.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5996 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(3.9), 8.4(0.104)
Known Fixed Releases:
100.5(5.58), 100.7(0.72), 100.7(11.2), 100.7(13.1), 100.7(6.18), 100.7(8.4), 8.2(4.1), 8.2(5), 8.3(2.13), 8.4(0.113)
Bug Id:
CSCtg43848
Title:
ASA traceback with SIP traffic
Description:

Symptom:
A Cisco Adaptive Security Appliance (ASA) may crash with SIP traffic.
Conditions:
Many SIP calls are passing through the ASA.
Workaround:
None known.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.4/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:U/RC:C
CVE ID CVE-2012-5997 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(2.100), 8.2(2.11)
Known Fixed Releases:
100.7(13.105), 100.7(6.104), 100.8(0.243), 100.8(11.43), 100.8(27.20), 100.8(33.28), 100.8(34.1), 100.8(38.3), 100.8(39.1), 100.9(0.6)
Bug Id:
CSCub11353
Title:
ASA: Standby unit may traceback in Thread Name: qos_metric_daemon
Description:

Symptom:
ASA may crash in Thread Name: qos_metric_daemon.

Conditions:
This was first identified on an ASA failover pair running 8.2.4(8). The standby unit crashes.

Workaround:
Disable

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(4.8)
Known Fixed Releases:
Bug Id:
CSCta46747
Title:
Traceback while executing show run after modifying the access-list
Description:

Symptom:

After the access-list is modified using ASDM or the CLI, if a customer tries to view the access-list in another ASDM or CLI session, the ASA may crash.

Conditions:

ASA5500 being managed via ASDM or a CLI session such as SSH, telnet, or serial console.

Workaround:

Use a single ASDM or CLI session to edit and view ACL changes.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.8/3.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.0(4.28)
Known Fixed Releases:
8.2(5.31)
Bug Id:
CSCtq69173
Title:
configuration causes ASA upgrade to go into traceback/boot loop
Description:

Symptom:
System crashes in the malloc package when the 'http' configuration is applied.

Conditions:
ASA 5585-40 or 5585-60 with an IPS-SSP

Workaround:
Do not use the 'http' configuration

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5.14), 8.4(1.105)
Known Fixed Releases:
100.7(13.16), 100.7(14.2), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(9.44), 100.8(0.11), 100.8(0.14), 100.8(10.11), 100.8(12.11)
Bug Id:
CSCul49796
Title:
ASA Transparent A/A - Replicated MAC addresses not deleted after timeout
Description:

Symptom:
MAC addresses remain in the standby context's MAC address table after being deleted on the active unit. This can potentially lead to exhaustion of the bridging table on one of the firewalls.

Conditions:
ASA in multiple-context transparent mode

Workaround:
Clear the mac-address table manually on the standby context

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.9/2.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(1), 8.4(1.106), 8.4(7), 9.1(2), 9.1(3.2)
Known Fixed Releases:
100.10(0.50), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.126), 100.8(38.77), 100.8(40.50), 100.8(46.53), 100.8(51.13), 100.8(56.1)
Bug Id:
CSCtx86924
Title:
ASA: Traceback in purgatory in release of DSH (datastructure handle)
Description:

Symptom:
Under rare circumstances, the ASA may generate a traceback in the DATAPATH thread and reload.
Conditions:
This has been seen on an ASA 5580 running 8.2(5). Other versions may also be affected.
Workaround:
There is no known workaround at this time.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.4/3.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVE ID CVE-2012-5993 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5), 8.2(5.11)
Known Fixed Releases:
100.7(13.77), 100.7(6.79), 100.8(0.139), 100.8(11.22), 100.8(27.7), 100.8(33.6), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.30)
Bug Id:
CSCtx69059
Title:
Traceback in Unicorn Proxy Thread under heavy WebVPN load
Description:

Symptom:
ASA reloads under heavy WebVPN load without crash after reporting Signal 11 caught in Unicorn Proxy Thread to logging.
Conditions:
ASA was under heavy WebVPN load. High connect/disconnect rate.
Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/4.7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C
CVE ID CVE-2012-5980 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(3.1)
Known Fixed Releases:
100.7(13.57), 100.7(18.10), 100.7(19.8), 100.8(0.61), 100.8(11.10), 100.8(14.8), 100.8(24.31), 100.8(30.6), 100.8(32.3), 100.9(0.1)
Bug Id:
CSCtw95487
Title:
ASA mem leak w/EZVPN when Subject DN has Multiple C,O,OU,CN fields.
Description:

Symptom:

Slow memory leak on ASA

Conditions:

ASA configured as EZVPN server with certificate authentication.
Clients trying to connect with expired or invalid certificates

Workaround:

Prevent EZVPN clients from connecting with invalid or expired certs

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5733 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(3), 8.4(2.18)
Known Fixed Releases:
100.7(13.51), 100.7(14.47), 100.7(17.12), 100.7(18.4), 100.7(6.59), 100.8(0.51), 100.8(0.55), 100.8(11.5), 100.8(11.7), 100.8(14.3)
Bug Id:
CSCuc42812
Title:
Cisco ASA 1000V Firewall H.323 Inspection DoS Vulnerability
Description:


A vulnerability in Cisco Adaptive Security Appliance (ASA) Software for the Cisco ASA 1000V Cloud Firewall may cause the Cisco ASA 1000V to
reload after processing a malformed H.323 message. Cisco ASA 1000V Cloud Firewall is affected when H.323 inspection is enabled.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130116-asa1000v

Note: Only Cisco ASA Software for the Cisco ASA 1000V Cloud Firewall is affected by the vulnerability described in this advisory. Cisco ASA 5500
Series Adaptive Security Appliances, Cisco Catalyst 6500 Series ASA Services Module or Cisco Catalyst 6500 Series Firewall Services Module
(FWSM) are not affected by this vulnerability.

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.7(1), 9.0(0.126)
Known Fixed Releases:
100.7(13.103), 100.7(6.104), 100.8(0.240), 100.8(11.40), 100.8(27.20), 100.8(33.25), 100.8(34.1), 100.8(37.17), 100.8(38.1), 100.8(39.1)
Bug Id:
CSCty06793
Title:
ASA traceback when "show crashinfo" command issued
Description:

Symptom: Under rare circumstances, issuing the 'sh crashinfo' command on an ASA to view the crash file may lead to the ASA crashing again.

Conditions: The condition for the crash is unknown

Workaround: None known
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
Bug Id:
CSCuc45011
Title:
ASA may traceback while fetching personalized user information
Description:

Symptoms:
Cisco ASA contains a vulnerability that could allow an unauthenticated attacker to cause a crash of an affected device while fetching and storing personalized user information between clientless SSL sessions on the external FTP server.
Conditions:
Cisco ASA Clientless SSL VPN implementation, configured with the user-storage command that fetches and stores personalized user information between clientless SSL sessions on the external FTP server, is vulnerable to a denial of service (DoS) attack.
Workaround:
Disable user-storage from the configuration of Cisco ASA.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVE ID CVE-2012-5046 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(4.5)
Known Fixed Releases:
100.7(13.104), 100.7(6.104), 100.8(0.242), 100.8(11.42), 100.8(27.20), 100.8(33.26), 100.8(34.1), 100.8(38.1), 100.8(39.1), 100.9(0.6)
Bug Id:
CSCty33946
Title:
ASA5580 traceback after upgrade to 8.4.3.2
Description:

Symptom:
The Cisco Adaptive Security Appliance 5580 may experience a crash in thread name 'datapath'

Conditions:
ASA5580 running image 8.4.3.2 and configured for WebVPN

Workaround:
None

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-4624 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(2), 8.4(3), 8.4(3.12), 8.4(3.2), 8.4(3.8)
Known Fixed Releases:
100.7(13.84), 100.7(21.9), 100.7(6.83), 100.8(0.169), 100.8(11.26), 100.8(27.19), 100.8(33.10), 100.8(34.1), 100.8(35.1), 100.9(0.1)
Bug Id:
CSCub27414
Title:
ASA transparent mode drops traffic under high amount of icmp traffic
Description:

Symptoms:
Cisco ASA running in transparent mode contains a vulnerability that could allow an unauthenticated remote attacker to cause a partial Denial of Service (DoS).
Under a heavy flow of ICMPv4 or ICMPv6 packets towards unknown L2 destinations, CPU utilization of an ASA in transparent mode may go high and cause other production traffic to drop.
Conditions:
Certain ICMPv4 and ICMPv6 traffic may cause a partial Denial of Service on the Cisco ASA. A large number of syslog messages with ID 313005 will be produced during this time.
Workaround:
None
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-5423 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(4.1)
Known Fixed Releases:
Bug Id:
CSCtd02193
Title:
Heap memory head magic verification failed on asdm access
Description:

Symptom:

Traceback on ASDM access

Conditions:

multiple-context routed mode

Workaround:

none

Further Problem Description:

Memory corruption with Reason: Heap memory head magic verification failed; the ASA crashes when the URL for accessing ASDM is entered.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5741 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(2.12), 8.3(0.3)
Known Fixed Releases:
100.5(5.1), 100.5(5.30), 100.7(0.34), 8.2(2.147), 8.2(2.20), 8.3(0.7), 8.3(1), 8.4(0.99), 8.4(1), 8.4(1.99)
Bug Id:
CSCts30839
Title:
ASA5510, 8.4(2) - page fault traceback accessing a bookmarked DFS share
Description:

Symptom:
A Cisco Adaptive Security Appliance (ASA) may have a page fault crash when accessing DFS shares through WebVPN.
Conditions:
The Windows network that the ASA is connected to has DFS enabled.
Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5995 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
100.8(0.22), 100.8(10.31), 100.8(12.29), 8.4(1), 8.4(2.0), 8.6(0.106)
Known Fixed Releases:
100.7(13.32), 100.7(14.23), 100.7(18.2), 100.7(6.44), 100.8(0.26), 100.8(10.38), 100.8(12.33), 100.8(15.7), 100.8(19.15), 100.8(2.15)
Bug Id:
CSCua87170
Title:
Interface oversubscription on active causes standby to disable failover
Description:

Symptom:
Interface oversubscription on active causes standby to disable failover
Conditions:
A huge amount of traffic may exhaust interface blocks, which in turn may cause the firewall to drop failover messages and go to the disabled HA state.
Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-3914 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(1), 8.4(3), 8.4(4.2)
Known Fixed Releases:
100.7(13.101), 100.7(6.99), 100.8(0.239), 100.8(11.39), 100.8(27.20), 100.8(33.24), 100.8(34.1), 100.8(38.1), 100.8(39.1), 100.9(0.4)
Bug Id:
CSCuc95774
Title:
access-group commands removed on upgrade to 9.0(1)
Description:

Symptom:

"access-group" commands are missing from the configuration after upgrading to 9.0(1).

Conditions:

First seen on ASAs set up for Active/Standby failover running 8.4(4)9 prior to the upgrade. ASAs in standalone mode (without failover) upgrade as expected. IPv4 and IPv6 access-groups are applied to one or more interfaces in the same direction.

Workaround:

Re-apply the access-group to the interfaces after upgrading to 9.0(1).

PSIRT Evaluation:

The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.0(1), 9.0(2), 9.1(1.170)
Known Fixed Releases:
100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.3), 100.9(0.6), 9.0(2.100), 9.0(2.5), 9.0(3), 9.1(1.3)
Bug Id:
CSCuc40587
Title:
ASA: May traceback in thread name Dispatch Unit
Description:

Symptom:
ASA may crash in Thread Name Dispatch Unit.

Conditions:
This was first identified on an ASA5510 failover pair running 8.2.5.

Workaround:
None

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
Bug Id:
CSCuc83118
Title:
CSC: URL Filtering confused by encoded characters in URL
Description:

Symptom:
URL Filtering exceptions on the Trend Micro CSC Module do not work if the URL being accessed by the browser has some encoded characters in the URI.

Conditions:
This has been seen with a URL similar to the following:

http://www.cisco.com/somepage.html?someargument=1&otherargument=?blah

The ? seems to break the URL Filtering exception checking.

Workaround:
Disable the category being hit in the URL Filtering configuration of the CSC module

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2012-5430 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
6.6(1125.0)
Known Fixed Releases:
Bug Id:
CSCui45606
Title:
ASA traceback upon resetting conn due to filter and inspect overlap
Description:

Symptom:
A vulnerability in the inspection and filter features of the Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the affected system to reload.

Conditions:
Unsupported configuration with overlapping filters and inspects, with the ASA configured to send resets for this dropped traffic.

The vulnerability is due to an internal traffic loop condition that can be triggered when a received packet is matched both for filtering and for inspection because of a configuration with overlapping traffic-matching criteria; such a configuration is not supported. An attacker could exploit this vulnerability by sending a packet that is matched by the incorrect configuration: when the ASA resets the connection, it enters a loop and the stack overflows. An exploit could allow the attacker to trigger a crash of the affected system, resulting in a Denial of Service condition.

Workaround:
Remove the misconfiguration or use 'no service reset{outbound|inbound|outside}' as needed to prevent the RST from being generated.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5567 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5567

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
100.10(0.14), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.122), 100.8(38.34), 100.8(40.22), 100.8(41.2), 100.8(45.2), 100.8(46.3)
Bug Id:
CSCua85555
Title:
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Description:

Symptoms:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA ASDM Privilege Escalation Vulnerability
Cisco ASA SSL VPN Privilege Escalation Vulnerability
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Cisco ASA SIP Denial of Service Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may
allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.

Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the
internal network via SSL VPN.

Successful exploitation of the Cisco ASA SIP Denial of Service Vulnerability may cause the exhaustion of available memory. This may cause system
instability and in some cases lead to a reload of the affected system, creating a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for
some of the vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory
Further Problem Description:
See published Cisco Security Advisory
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2014-2128 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2
Known Fixed Releases:
100.10(0.26), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(13.117), 100.7(6.123), 100.8(38.43), 100.8(40.27), 100.8(45.4), 100.8(46.5)
Bug Id:
CSCuu46569
Title:
ASA CA certificate import fails with different types of Name Constraints
Description:

Symptom:
When performing SCEP enrollment against a CA whose certificate contains an X.509 Name Constraints extension with a URI or DNS constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases:
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13), 100.15(1.15)
Bug Id:
CSCub85692
Title:
ASA traceback in IKE Daemon while handling IKEv1 message
Description:

Summary

Cisco ASA Software is affected by the following vulnerabilities:

IKE Version 1 Denial of Service Vulnerability
Crafted URL Denial of Service Vulnerability
Denial of Service During Validation of Crafted Certificates
DNS Inspection Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by some of
the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco
FWSM. This advisory is available at

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-fwsm

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2013-1149 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5), 8.2(5.31)
Known Fixed Releases:
100.7(13.101), 100.7(6.99), 100.8(0.239), 100.8(11.39), 100.8(27.20), 100.8(33.23), 100.8(34.1), 100.8(37.14), 100.8(38.1), 100.8(39.1)
Bug Id:
CSCue63881
Title:
ASA SSHv2 Denial of Service Vulnerability
Description:

Symptoms:
ASA cannot be accessed via SSH.

Conditions:
This may happen in both routed and transparent mode, and in both multiple-context and single-context mode. It can be triggered by IPv4 or IPv6 packets. Only traffic directed to the ASA itself can trigger this vulnerability.

Workaround:
Use the HTTPS management interface or the console as a temporary workaround.


Further Problem Description:
A vulnerability in the implementation of the Secure Shell (SSH) function could allow an unauthenticated, remote attacker to deny SSH management access to legitimate users.

The vulnerability is due to improper implementation of the logic that terminates SSH sessions. An attacker could exploit this vulnerability by starting an SSH session to the affected system. This vulnerability affects both SSHv1 and SSHv2. An exploit could allow the attacker to deny SSH management access to legitimate users for 60 seconds, after which the affected system releases the resource and users can use the SSH service again. However, repeated exploitation may lead to a sustained denial of service condition.

This bug fixes the issue for SSHv2 connections only. SSHv1 will be fixed in a separate bug: CSCuf51892. The SSHv1 issue can be worked around by forcing the ASA to accept only SSHv2 connections with the following configuration mode command:

ssh version 2

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2013-1193 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1193

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(4.1)
Known Fixed Releases:
100.7(13.111), 100.7(6.111), 100.8(27.63), 100.8(50.39), 100.9(0.35), 100.9(4.5), 100.9(6.10), 100.9(7.9), 100.9(8.1), 8.2(5.45)
Bug Id:
CSCtz04566
Title:
SSL VPN Authentication Denial of Service Vulnerability
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the
following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities
listed above.
A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(4.99), 8.2(5), 8.3(1.100)
Known Fixed Releases:
8.2(5.30), 8.3(2.34)
Bug Id:
CSCud29045
Title:
ASASM forwards subnet directed bcast back onto that subnet
Description:

Symptom:
An ASASM may forward a subnet-directed broadcast back out the interface on which it received it. When the ASASM is in multiple-context mode, the broadcast packet may be sent back to the ASASM and loop indefinitely unless some mitigation (such as TTL decrement) is applied. A likely associated symptom is high CPU utilization on the MSFC, specifically in the IP Input process.

Conditions:
ASASM in multiple-context mode, with ''same-security permit intra-interface'' configured on the context.

Workaround:
- Filter the subnet-directed broadcast using an access-list
- Remove ''same-security permit intra-interface''
- Implement TTL decrementing in the context
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.5(1.15)
Known Fixed Releases:
100.8(27.30), 100.8(34.2), 100.8(38.4), 100.8(50.14), 100.9(0.20), 100.9(4.1), 100.9(9.1), 8.5(1.16), 9.0(1.106), 9.0(1.3)
Bug Id:
CSCui27773
Title:
Intermittently users not allowed to login due to hostscan data limit
Description:

Symptom:
Intermittently users are not allowed to login due to Host Scan data limit. The following error may be displayed on the ASA:

ASA-3-716601 Rejected 35KB Hostscan data from <IP>.
System-wide limit on the amount of Hostscan data stored on ASA reached the limit of 100000KB

Conditions:
The ASA must be configured to perform Host Scan.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
100.10(0.9), 100.10(1.10), 100.7(6.122), 100.8(27.89), 100.8(38.29), 100.8(40.19), 100.8(41.2), 100.8(60.36), 100.9(10.4), 100.9(6.33)
Bug Id:
CSCuc74589
Title:
RADIUS implementation should conform to RFC
Description:

Symptoms:
This bug addresses an enhancement to the RADIUS implementation to better conform to RFC 2865.

Conditions:
Device configured with default configuration.

Workaround:
Not applicable or available.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:U/RC:C
CVE ID CVE-2012-5724 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4
Known Fixed Releases:
100.7(13.106), 100.7(6.104), 100.8(0.244), 100.8(11.48), 100.8(27.20), 100.8(33.29), 100.8(34.1), 100.8(38.1), 100.8(39.2), 100.9(0.6)
Bug Id:
CSCul11741
Title:
Removing ports from service object-group does not remove from the ACL
Description:

Symptom:
If an ACL line contains both an ''object-group network'' in the destination and an ''object-group service'', then removing ports from the service object-group does not actually remove those ports from the ACL. Traffic from a new host that initiates a connection to a server in the destination group on a removed port is still allowed by the ASA.

Conditions:
This happens when ''object-group-search access-control'' is enabled globally on the ASA.

Workaround:
Remove the access-list and re-add it.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.0(2)
Known Fixed Releases:
100.10(0.40), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.68), 100.8(40.45), 100.8(46.37), 100.8(51.7), 100.9(10.16)
Bug Id:
CSCum88762
Title:
VPN Filter missing from standby session
Description:

Symptoms:
When dynamic VPN filters are shared with L2TP/IPsec sessions, the dynamic VPN filter may not be present on the standby unit. This is because failover is not supported for L2TP/IPsec sessions. As a result, after the dynamic ACL is replicated, the L2TP handling removes the ACL from the standby unit.

Conditions:
ASA configured to terminate L2TP/IPsec sessions

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.1/1.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:S/C:P/I:N/A:N/E:F/RL:W/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2
Known Fixed Releases:
100.10(0.76), 100.10(2.8), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.11(2.1), 100.11(4.1), 100.7(6.129), 100.8(38.111), 100.8(40.59)
Bug Id:
CSCtn40707
Title:
assert traceback for ifc cfg removal with same-security intra-interface
Description:

Symptom:

Tracebacks seen on the standby ASA in thread name fover_parse when ''write standby'' was issued.

Conditions:

Active/Standby failover.

This crash is hit if there are flows whose ingress and egress interface are the same interface (i.e. ''same-security permit intra-interface'' is configured) and ''clear configure interface'' is issued on that interface, either directly or through configuration replication. The standby crashed when ''write standby'' was issued on the active firewall.

Workaround:

none at this time
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
100.8(0.60), 100.8(2.22), 8.2(5.5), 8.3(1.6), 8.4(2)
Known Fixed Releases:
100.7(13.59), 100.7(18.11), 100.7(19.9), 100.7(20.2), 100.7(6.64), 100.8(0.68), 100.8(11.11), 100.8(14.10), 100.8(24.36), 100.8(32.5)
Bug Id:
CSCug81326
Title:
ASA - crash in fover_health_monitoring_thread
Description:

Symptom:

ASA may crash in fover_health_monitoring_thread


Conditions:

The crash could not be reproduced and may be due to a hardware failure.


Workaround:

unknown
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5.33), 8.2(5.41)
Known Fixed Releases:
Bug Id:
CSCsv27829
Title:
ASA 5580 stops forwarding traffic while checking CRL
Description:

Symptom:

The ASA stops forwarding all traffic to and through the box (clear text and encrypted) if a CRL check has to be done when an IPsec or L2TP connection is established. The outage lasts 1-3 seconds.

Conditions:

IPSec or L2TP connection established using rsa-sig authentication

Workaround:

Disable crl checking
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.1(2), 8.2, 8.2(0.188), 8.2(0.229)
Known Fixed Releases:
7.0(8.6), 7.1(2.81), 7.2(205.1), 8.2(1)
Bug Id:
CSCuf52468
Title:
ASA Digital Certificate Authentication Bypass Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN
Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Manager (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 10/8.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5509 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
01-JUL-2015
Known Affected Releases:
9.0(1), 9.1(1)
Known Fixed Releases:
100.8(27.83), 100.8(40.2), 100.8(60.7), 100.9(0.38), 100.9(4.5), 100.9(6.16), 100.9(7.20), 9.0(2.100), 9.0(2.5), 9.0(3)
Bug Id:
CSCua58408
Title:
ASA accepts route to network address which can lead to a traceback
Description:

Symptom:
The ASA accepts a route whose next hop is a network address; this can lead to a crash.
Conditions:
ASA running 8.2 or 8.4.
An incorrect route is added: an interface is configured in the 192.168.100.128/25 network and a route points to 192.168.100.128 (the network address of that subnet) as the next hop.
Workaround:
Correct the route.
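
Both this record and CSCud29045 above (the subnet-directed broadcast loop) come down to addresses that are special within a connected subnet: the network address here, the broadcast address there. The Python below is an added example, not Cisco code. It parses a constructed ASA configuration excerpt (interface ''nameif''/''ip address'' stanzas and ''route'' lines), flags static routes whose next hop is the exit interface's network address, and emits the ''deny ip any host <broadcast>'' access-list entries that the CSCud29045 workaround calls for. The extra route checks (broadcast address, the ASA's own address, a gateway outside the subnet) and the access-list names are assumptions beyond what the records state.

```python
"""ASA static-route and subnet-broadcast lint (added example, not Cisco code).

CSCua58408: flag static routes whose next hop is the network address of the
exit interface's connected subnet. As extra hygiene beyond the report, also
flag the broadcast address, the ASA's own address and gateways outside the
subnet (assumptions, not part of the bug record).
CSCud29045: emit access-list entries that drop subnet-directed broadcasts.
"""
import ipaddress
import re

# Constructed sample configuration excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.129 255.255.255.128
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 192.168.100.128 1
route inside 172.16.0.0 255.240.0.0 192.168.100.130 1
route inside 172.17.0.0 255.255.0.0 192.168.100.255 1
route inside 172.18.0.0 255.255.0.0 10.9.9.1 1
"""

# route <nameif> <dest> <mask> <gateway> [distance]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus connected subnet)."""
    interfaces = {}
    nameif = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # new interface stanza
            continue
        m = re.match(r"\s+nameif\s+(\S+)", line)
        if m:
            nameif = m.group(1)
            continue
        m = re.match(r"\s+ip address\s+(\S+)\s+(\S+)", line)
        if m and nameif:
            interfaces[nameif] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def parse_routes(config):
    """Yield (nameif, destination network, gateway) for each static route."""
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            ifname, dest, mask, gw, _dist = m.groups()
            yield ifname, ipaddress.IPv4Network(f"{dest}/{mask}", strict=False), ipaddress.IPv4Address(gw)


def check_routes(config):
    """Return (route, problem) pairs for static routes with a suspicious next hop."""
    interfaces = parse_interfaces(config)
    findings = []
    for ifname, dest, gw in parse_routes(config):
        label = f"route {ifname} {dest} via {gw}"
        iface = interfaces.get(ifname)
        if iface is None:
            findings.append((label, "exit interface has no nameif/ip address"))
            continue
        net = iface.network
        # /31 and /32 have no distinct network or broadcast address; skip those two checks there.
        if net.prefixlen <= 30 and gw == net.network_address:
            problem = "next hop is the network address of the connected subnet (CSCua58408)"
        elif net.prefixlen <= 30 and gw == net.broadcast_address:
            problem = "next hop is the broadcast address of the connected subnet"
        elif gw == iface.ip:
            problem = "next hop is the ASA's own interface address"
        elif gw not in net:
            problem = "next hop is outside the exit interface's subnet"
        else:
            continue
        findings.append((label, problem))
    return findings


def broadcast_deny_aces(config, acl_prefix="BCAST_FILTER_"):
    """One 'deny ip any host <subnet broadcast>' ACE per interface, for that interface's inbound ACL.

    The ACL name (prefix + nameif) is an assumption for the example.
    """
    aces = {}
    for nameif, iface in parse_interfaces(config).items():
        if iface.network.prefixlen > 30:
            continue
        aces[nameif] = (f"access-list {acl_prefix}{nameif} extended deny ip any "
                        f"host {iface.network.broadcast_address}")
    return aces
```

Run it against a saved ''show running-config'' before an upgrade or a failover test; a route that trips the network-address check is exactly the misconfiguration this record says to correct.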
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(4), 8.4(4)
Known Fixed Releases:
Bug Id:
CSCut27332
Title:
ASA traceback in aaa_shim_thread
Description:

Symptom:
ASA traceback in aaa_shim_thread

Conditions:
ASA running 9.3.2
High load with AnyConnect 3.0 or newer
Heavy DAP or dynamic ACL usage with large aggregate ACLs
Failover configuration

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.3(2), 9.3(3), 9.4(1)
Known Fixed Releases:
100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.16), 100.14(26.6), 100.14(3.5)
Bug Id:
CSCtb83547
Title:
Error message on console: :_open_telnet: open(pager) SSH ssh_exec:
Description:

Symptom:

The ASA seems to crash after executing the ''show asdm session'' command.

An error message is seen on the console at regular intervals

:_open_telnet: open(pager) SSH ssh_exec: open(pager)

Conditions:

ASA 8.2.1 code
Running ASDM

Workaround:

Unknown

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/3.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5740 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
Bug Id:
CSCty62368
Title:
Traceback with Netflow configuration
Description:

Symptom:
Active unit tracebacks in "Thread Name: Dispatch Unit".
Conditions:
VPN and NetFlow in use on failover units.
Workaround:
NA.

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
100.3(0), 8.2(4), 8.3(2.13), 8.4(2), 8.4(3), 9.1(2)
Known Fixed Releases:
100.7(13.79), 100.7(6.80), 100.8(0.146), 100.8(11.23), 100.8(27.19), 100.8(33.7), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.30)
Bug Id:
CSCub38407
Title:
Add text section to coredump
Description:

Symptoms:
Cisco FireSIGHT contains a stored XSS vulnerability

Conditions:
none

Workaround:
Additional mitigation at: http://www.cisco.com/c/en/us/support/docs/cmb/cisco-amb-20060922-understanding-xss.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4
Known Fixed Releases:
100.10(0.76), 100.10(2.7), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.11(4.1), 100.7(6.129), 100.8(38.111), 100.8(40.59), 100.8(56.17)
Bug Id:
CSCtg74172
Title:
Can get around dynamic-filter by using caps in domain name
Description:

Symptoms:
The Cisco ASA Botnet Traffic Filter (BTF) domain matching should not be case sensitive. A user can get around the BTF feature by using uppercase letters in domain names.

Conditions:
Configuring white and black lists for BTF

Workaround:
Not known
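
The bypass described above is a canonicalisation failure: the name is compared byte-for-byte against the list even though DNS names are case-insensitive. The Python below is an added illustration, not ASA or BTF code, and does not model how the ASA implements the ''dynamic-filter'' lookup; it puts the buggy exact-match check beside a version that normalises both the queried name and the list entries before matching. The blocklist entries are constructed; the IDNA step generalises beyond the page's case-only report and is labelled as an assumption in the code.

```python
"""Case-insensitive domain blocklist matching (added illustration, not ASA code)."""

# Constructed blocklist, as an operator might type the entries.
BLOCKLIST = {"evil.example", "c2.badactor.example"}


def naive_is_blocked(name, blocklist=BLOCKLIST):
    """Buggy model of the reported behaviour: byte-exact comparison.

    DNS names are case-insensitive (RFC 4343), so 'EVIL.example' names the
    same host as 'evil.example' but slips past this check.
    """
    return name in blocklist or any(name.endswith("." + d) for d in blocklist)


def canonical_domain(name):
    """Normalise a name before any list lookup.

    Lower-cases, strips surrounding whitespace and a trailing root dot, and
    converts internationalised labels to their ASCII (xn--) form so that every
    spelling of the same name compares equal. The IDNA step goes beyond the bug
    report; it is an assumption about what a complete canonicaliser needs.
    """
    name = name.strip().rstrip(".").lower()
    try:
        name = name.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # malformed label (e.g. empty or over 63 chars): keep the lower-cased form
    return name


def hardened_is_blocked(name, blocklist=BLOCKLIST):
    """Canonicalise both sides, then match the name and each of its parent domains."""
    canon_list = {canonical_domain(d) for d in blocklist}
    labels = canonical_domain(name).split(".")
    return any(".".join(labels[i:]) in canon_list for i in range(len(labels)))
```

Normalising the list entries as well as the query matters: an operator who types a mixed-case entry would otherwise create a rule that never matches anything.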

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(2.12)
Known Fixed Releases:
Bug Id:
CSCus53692
Title:
ASA traceback in Thread Name: fover_parse
Description:

Symptom:
ASA may generate a traceback during failover synchronization in thread name fover_parse.

Conditions:
This issue has been seen on ASA 5500-X running 9.1(3); other versions may also be affected. A WCCP ACL is configured with users, a user group, or a fully qualified domain name (FQDN) object, which is not supported.

Workaround:
Remove the ACL that references users, a user group, or an FQDN object from the WCCP configuration.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:
100.11(0.57), 100.12(0.116), 100.13(0.51), 100.13(21.8), 100.14(0.3), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.8), 100.14(26.3)
Bug Id:
CSCua86807
Title:
large number of simultaneous ike request causes block depletion
Description:

Symptom:
A large number of EzVPN clients reconnecting simultaneously may cause a Cisco ASA to suffer 1500-byte block exhaustion.
This in turn may cause some of the traffic passing through the box and some management traffic to be dropped until the memory blocks are recovered.

Conditions:
ASA configured for remote IPSec connection

Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-5421 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2
Known Fixed Releases:
8.2(5.32)
Bug Id:
CSCua58478
Title:
Traceback in Thread Name: CERT API
Description:

Symptom:
Under certain conditions, the Cisco ASA may crash while unregistering the OCSP DB status provider. This happens inconsistently.
The crash occurs in thread CERT_API.

Conditions:
ASA configured for VPN with certificate authentication and CRL check

Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5428 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
100.7(13.97), 100.7(6.94), 8.2(5.32), 8.4(4.6), 8.4(4.99), 8.4(5), 8.7(1.2)
Bug Id:
CSCtn48877
Title:
Traceback in fover_FSM_thread with IPv6 failover on SSM-4GE-INC
Description:

Symptom:

ASA crashes by Watchdog failure or Assert failure in fover_FSM_thread.

Conditions:

IPv6 failover enabled, and IPv6 configurations applied on interfaces of SSM-4GE-INC.
The crash is observed when performing the following operations:

- adding/modifying "ipv6 address" configurations under the interface
- executing "failover active" on the Standby unit
- unplugging a LAN cable from the Active unit to trigger failover

Workaround:

Move the IPv6 configurations to onboard interfaces and avoid using the SSM-4GE-INC with IPv6 failover.

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(2), 8.2(4), 8.2(4.5), 8.2(5.6)
Known Fixed Releases:
100.7(13.19), 100.7(13.65), 100.7(14.5), 100.7(17.5), 100.7(18.1), 100.7(18.9), 100.7(19.8), 100.7(6.43), 100.7(6.62), 100.7(9.50)
Bug Id:
CSCto32012
Title:
Routing: page fault traceback in Thread Name: EIGRP-IPv4: PDM
Description:

Symptom:

Traceback in routing: page fault crash in Thread Name: EIGRP-IPv4: PDM, eip meth_ch_ioctl

Conditions:

Standby firewall and config sync during reload

Workaround:

When performing a hitless upgrade, before rebooting the standby unit, perform the following on the standby unit (secondary):
1. Remove the EIGRP process (by "no router eigrp" command).
2. Do a write mem on the secondary (standby)
3. Reload the standby
4. Upon loading the new image in the standby unit, the config sync from the active will take place (without traceback); since the config is synced, EIGRP will get enabled on the standby unit as well after the sync.
5. Make the secondary unit (with the new image) the active
6. Remove the EIGRP process from the primary (the new standby)
7. Do a write mem
8. Reload the standby
9. Upon loading the new image in the standby unit (primary), the config sync from the active (secondary) will take place.
10. Make the primary active again.

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(4), 8.4(2)
Known Fixed Releases:
100.7(13.77), 100.7(6.79), 100.8(0.139), 100.8(11.22), 100.8(27.7), 100.8(33.6), 100.8(34.1), 100.8(36.1), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCts72188
Title:
ASA: SSH process may exist after being orphaned from SSH session
Description:

Symptom:
The SSH process may still be running even after the SSH session that spawned it has closed out on an ASA firewall. A CPU spike may be seen due to these stuck SSH processes.


Conditions:
This was identified on an ASA failover pair running 8.2.4(1)

Workaround:
Failover to the other unit. If this is not a failover pair then reload is the only other option.

Further Problem Description:
Gather the output of the following and open a TAC case.
sh proc | i ssh

ASA# sh proc | i ssh
Mwe 08c2e084 7214a764 7249a300 1 721489b0 7132/8192 listen/ssh
Mwe 08be148b 7181278c 09f8050c 5 718108f8 7312/8192 ssh/timer
Mrd 08899185 7262787c 09f81014 595408460 72620728 26900/32768 ssh
Mrd 08899185 726308cc 09f81014 572091828 72629778 26900/32768 ssh
Mrd 08899185 72750e94 09f81014 538272393 72749d40 26908/32768 ssh
Mrd 08899185 727769cc 09f81014 549586257 7276f878 26900/32768 ssh
Mrd 08899185 726e86fc 09f81014 526485007 726e15a8 26900/32768 ssh
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-5411 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(4.1)
Known Fixed Releases:
100.7(13.73), 100.7(6.78), 100.8(0.128), 100.8(11.20), 100.8(27.7), 100.8(33.4), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.29)
Bug Id:
CSCuj54806
Title:
ICMP inspection closes TCP conns with "Flow closed by inspection"
Description:

Symptom:
This DDTS is a Duplicate of CSCui77398

Conditions:

Workaround:

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.4(7), 9.0(3.2)
Known Fixed Releases:
Bug Id:
CSCtf66116
Title:
ASA: May crash in Thread Name: Dispatch Unit
Description:

Symptom:
ASA may crash in Thread name Dispatch Unit

Conditions:
This was first identified on an ASA running 8.2.2

Workaround:
None

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

CVE ID CVE-2012-5743 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
01-JUL-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
Bug Id:
CSCuu66218
Title:
ASA is not correctly handling errors on AES-GCM ICV
Description:

Symptom:
A vulnerability in the AES-GCM code of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to modify the contents of an encrypted IPSec or IKEv2 packet, and for those modifications not to be detected.

The vulnerability is due to an error on the firmware of the Cavium Networks cryptographic module. Due to this vulnerability, the ICV is not checked. An attacker could exploit this vulnerability by intercepting encrypted packets in transit and modifying their contents. Such packets would be decrypted by the ASA and then forwarded to their destination, without the modification being detected.

Please note that this vulnerability does NOT allow an attacker to decrypt the packets in transit, nor obtain information about the session keys being used for the security association.

This vulnerability does NOT impact SSL/TLS traffic originated or destined to the ASA.

Conditions:
An IKEv2 or an IPSec policy using any of the following algorithms for data encryption: aes-gcm, aes-gcm-192, aes-gcm-256.

This vulnerability only applies to the following ASA models: ASA5506-X (all hardware models), ASA5508-X, and ASA5516-X.

Workaround:
There is no workaround for customers whose security policy requires the use of AES-GCM.

For customers that can use an alternative encryption algorithm, IKE or IPSec policies using AES-GCM could be changed to use AES instead.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C

CVE ID CVE-2015-4550 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
02-JUL-2015
Known Affected Releases:
9.3(3), 9.4(1.1)
Known Fixed Releases:
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 9.3(3.2), 9.4(1.2), 9.4(1.201)
Bug Id:
CSCtw75734
Title:
tmatch compile thread assertion in "stride_terminal_node.c"
Description:

Symptom:
In a rare corner case, the ASA might traceback when there are ACL related functions being processed.

This is similar to CSCsy93944 but the traceback condition is due to a different root cause.

Conditions:
The traceback condition is related to the access-list structures stored on the ASA.

Workaround:
None known.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
02-JUL-2015
Known Affected Releases:
100.8(46.4), 8.2(5), 8.4(5.2), 8.6(1.6)
Known Fixed Releases:
100.10(0.36), 100.10(1.21), 100.10(2.2), 100.10(3.1), 100.10(9.1), 100.7(6.125), 100.8(38.63), 100.8(40.40), 100.8(45.8), 100.8(46.28)
Bug Id:
CSCus23416
Title:
ASA traceback in DATAPATH-1-2414 after software upgrade
Description:

Symptom:
ASA crash in DATAPATH-1-2414 after software upgrade

Conditions:
huge ACL size

Workaround:
none

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
02-JUL-2015
Known Affected Releases:
9.0(4.13)
Known Fixed Releases:
100.11(0.56), 100.12(0.112), 100.13(0.26), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.3), 100.14(11.3)
Bug Id:
CSCuv04732
Title:
5505 QoS priority not work w/ shaping
Description:

Symptom:
5505 QoS priority not work w/ shaping

Conditions:
5505 QoS configuration of shaping with priority queue

Workaround:
Use policing with priority

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
02-JUL-2015
Known Affected Releases:
9.1(2), 9.1(3), 9.2(3.4)
Known Fixed Releases:
Bug Id:
CSCug26338
Title:
ASA 9.1.1.4 crashing while decrypting packets
Description:

Symptom:
Crash of ASA 55xx using 9.1.1.4 software code while decrypting packets
Conditions:
crypto ipsec tunnel used
Workaround:
Disable crypto

Status:
Other
Severity:
2 Severe
Last Modified:
02-JUL-2015
Known Affected Releases:
9.1(1.4)
Known Fixed Releases:
Bug Id:
CSCus70693
Title:
ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:
Description:

After upgrade to 9.3.2 SSL VPNs stop working.

Symptom:
SSL sessions (either WebVPN or AnyConnect) cannot be established, and AnyConnect reports the error:
"Could not connect to server. Please verify Internet connectivity and server address."

In the DART:
Type : Error
Source : acvpnui

Description : Function: ConnectMgr::run
File: .\ConnectMgr.cpp
Line: 674
Invoked Function: ConnectMgr::initiateConnect
Return Code: -29622263 (0xFE3C0009)
Description: CONNECTMGR_ERROR_UNEXPECTED

This error is seen:

"%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202)."

These errors are seen while debugs are enabled:
RC4-SHA / RC4-MD5
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2838

AES256-SHA / AES128-SHA / DES-CBC3-SHA
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2639

Tests:
+ AnyConnect 3.1.05160 uses TLS 1.0 - fails
+ AnyConnect 4.0.00057 uses TLS 1.2 - fails
+ with IE TLS 1.0 - fails
+ with IE TLS 1.1/1.2 - fails
+ with Mozilla Firefox TLS 1.0 - fails
but
+ Mozilla Firefox TLS 1.1/1.2 - work ok
+ Chrome also uses TLS 1.2 - works ok.

Conditions:
ASA running 9.3.2 (the issue is not seen on the 9.3.1)

Certificate with:
- RSA keys size: 2048 bits
- Signature Algorithm: sha256RSA
- Signature Hash Algorithm: sha256

It does not happen for all certificates; something specific in the certificate, which has not been identified yet, triggers the issue.

Workaround:
+ Downgrade
+ try to regenerate the certificate
+ for WebVPN use Firefox/Chrome and TLS 1.2

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
04-JUL-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.12(0.122), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13), 100.14(6.9)
Bug Id:
CSCuu67159
Title:
ASA: crash in DATAPATH-2-1157
Description:

Symptom:
ASA crashed while configuring routing in context

Conditions:
ASA in multicontext mode

Workaround:
none

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
06-JUL-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Bug Id:
CSCuc75090
Title:
Crypto IPSec SA's are created by dynamic crypto map for static peers
Description:

Symptom:
When a static VPN peer adds any traffic to the crypto ACL, an SA is built even though the IP pair is not allowed in the crypto ACL at the main side. Those SAs are eventually matched and set up by the dynamic crypto map instance.
Conditions:
This was an intended design since day one that enabled customers to fall through to the dynamic crypto map in case the static crypto map did not provide the needed crypto services.
The SA needs to be initiated from a statically configured peer, and a dynamic crypto map instance must be configured on the receiving end.
Workaround:
N/A

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:W/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
06-JUL-2015
Known Affected Releases:
8.2(5), 8.4(4.9)
Known Fixed Releases:
100.7(13.110), 100.7(6.106), 100.8(27.30), 100.8(38.4), 100.8(50.15), 100.9(0.20), 100.9(4.1), 100.9(7.1), 100.9(9.1), 8.2(5.39)
Bug Id:
CSCur68848
Title:
Linux Kernel KVM Virtual APIC Accesses Local Privilege Escalation Vuln
Description:

Symptoms:

This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2013-6368

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-6368 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
06-JUL-2015
Known Affected Releases:
9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCuu69193
Title:
ASA crash in Thread Name: CP HA Processing.
Description:

Symptom:
ASA failover pair crashing in Thread Name: CP HA Processing.

Conditions:
L2L VPN Tunnel is configured on the ASA

Workaround:
No workaround

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
06-JUL-2015
Known Affected Releases:
9.2(2.8)
Known Fixed Releases:
Bug Id:
CSCur68846
Title:
Linux Kernel wanxl.c Information Disclosure Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-1445

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 1.7:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-1445 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
06-JUL-2015
Known Affected Releases:
9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCum55917
Title:
ASA Traceback in Thread Name: fover_fail_check
Description:

Symptom:
ASA may run into a 1550 block depletion and trigger an assert traceback in thread name: fover_fail_check

Conditions:
ASA running release 9.0.3 (specific conditions are under investigation) or release 9.1.4 with DHCP relay enabled.

Workaround:
In the case where DHCP relay is configured, disabling DHCP relay may keep the issue from occurring.

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
06-JUL-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
Bug Id:
CSCur68847
Title:
Linux Kernel farsync.c Information Disclosure Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-1444

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-1444 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
06-JUL-2015
Known Affected Releases:
9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCur68857
Title:
Linux Kernel ioctx_alloc Local Denial of Service Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2013-7348

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 2.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:TF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-7348 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Open
Severity:
2 Severe
Last Modified:
06-JUL-2015
Known Affected Releases:
9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCtx59946
Title:
ASA-SM may traceback in Thread Dispatch Unit
Description:

Symptom:
An ASASM may experience operational failure and write a crashinfo to flash.

Thread Name: DATAPATH-XX-XXXX
Abort: Unknown

Conditions:

This has been seen on ASA Service Module code version 8.5(1) and seems to be tied to modules running in a failover pair. There is a race condition that occurs between certain functions that monitor the backplane communication and management of the ASASM over SSH.

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
06-JUL-2015
Known Affected Releases:
8.5(1)
Known Fixed Releases:
8.5(1.8)
Bug Id:
CSCuj44998
Title:
ASA drops inbound traffic from AnyConnect Clients
Description:

Symptom:
Inbound traffic from the AC client to the ASA's protected networks is dropped while the outbound traffic to the AC client works fine.

Conditions:
ASA has a site to site VPN configured with any one of the following conditions:

>> The remote network (in the encryption domain) overlaps with the anyconnect pool assigned to the AC clients.
>> The crypto ACL has a deny rule for the anyconnect pool assigned to the AC clients
>> Any crypto ACL has an explicit 'deny ip any any' as an access-list entry.

Workaround:
For the first two conditions, configure a local pool for AnyConnect Clients not overlapping with the remote network defined in the crypto ACL.
For the third condition, remove the explicit "deny ip any any" access-list entry from the crypto ACL.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
07-JUL-2015
Known Affected Releases:
8.4(5.5), 9.0(2.1), 9.0(3.4), 9.1(2.103), 9.1(3), 9.1(3.250)
Known Fixed Releases:
100.10(0.26), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.124), 100.8(38.55), 100.8(40.32), 100.8(45.7), 100.8(46.28), 100.8(52.2)
Bug Id:
CSCuv04901
Title:
NAT section-1 divert rules are getting added at the end of section-2
Description:

Symptom:
NAT section-1 divert rules are getting added at the end of section-2

Conditions:
Removing and re-adding a Twice NAT rule

Workaround:
Remove all the rules and re-add them again.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
07-JUL-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases:
Bug Id:
CSCus49034
Title:
Tunnel default gateway no longer works in 9.3.2
Description:

Symptom:
Connectivity via tunnel default gateway no longer works.

Conditions:
ASA running 9.3.2.

Workaround:
A static route from the IP addresses assigned to clients to the tunnel default gateway device must be added.


More Info:


Status:
Fixed
Severity:
2 Severe
Last Modified:
07-JUL-2015
Known Affected Releases:
100.14(1.1), 9.3(2)
Known Fixed Releases:
100.12(0.112), 100.13(0.26), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.3), 100.14(11.3), 100.14(2.3)
Bug Id:
CSCsr49417
Title:
ASA5505: recovery from power interruption is impaired
Description:

Symptom:
ASA5505 fails to power up after a brief power interruption.

Condition:
The ASA5505 running any version of 7.x or 8.x software may not power up following a brief power interruption. There is no LED activity during this time and the unit is completely unresponsive.

Workaround:
Unplug the device and wait at least 5 seconds before powering back on.

Further Information:
The problem is in the power supply brick with part number 341-0183-01. Fixed power supplies have part number 341-0183-02 and started shipping 11/9/2009 with ASAs with serial numbers beginning with JMX1346. There were some 341-0183-01 supplies that were fixed and shipped out. They have a deviation sticker on the supply with the text D105098.

Status:
Terminated
Severity:
1 Catastrophic
Last Modified:
07-JUL-2015
Known Affected Releases:
7.2(3)
Known Fixed Releases:
Bug Id:
CSCtj67726
Title:
ASA5550 traceback on Thread Checkheaps | Abort: Assert failure
Description:

Symptom:
ASA5550 crashed at Thread Checkheaps | Abort: Assert Failure.

Conditions:
NA

Workaround:
NA

Status:
Terminated
Severity:
2 Severe
Last Modified:
08-JUL-2015
Known Affected Releases:
8.3(2)
Known Fixed Releases:
Bug Id:
CSCtg25510
Title:
ASA tracebacks in Thread Name: IPsec message handler
Description:

Symptom:

Active ASA tracebacks in Thread Name: IPsec message handler

Conditions:

ASA is terminating IPSec tunnels.

Workaround:

NA

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
08-JUL-2015
Known Affected Releases:
8.2(2.101), 8.2(2.9)
Known Fixed Releases:
100.7(0.14), 8.0(5.18), 8.1(2.45), 8.2(2.102), 8.2(2.15), 8.3(1.100), 8.3(1.5), 8.4(0.99), 8.4(1)
Bug Id:
CSCuu53928
Title:
ASA does not set forward address or p-bit in OSPF redistribution in NSSA
Description:

Symptom:
ASA can advertise OSPF routes to a peer with the p-bit disabled, and with a null forward address when in a Not so Stubby Area. This can cause the peer device to be unable to translate this LSA and forward it on to the rest of the topology.

OSPF Router with ID (10.0.0.50) (Process ID 1)
Type-7 AS External Link States (Area 100)

LS age: 23
Options: (No TOS-capability, No Type 7/5 translation, DC) <---
LS Type: AS External Link
Link State ID: 192.168.0.0 (External Network Number )
Advertising Router: 10.0.0.50
LS Seq Number: 80000001
Checksum: 0x791e
Length: 36
Network Mask:255.255.0.0
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0 <---
External Route Tag:

This condition occurs if the route that is advertised is directly connected, and that link comes up before the link that contains the OSPF neighborship.

Conditions:
- ASA in an OSPF Not So Stubby Area
- Redistributing Connected Routes
- Observed in single and multiple context
- Observed in failover mode or standalone mode

Workaround:
- Clear OSPF Process on ASA with command "clear ospf process"
- Bounce link of connected route that is being advertised incorrectly

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
08-JUL-2015
Known Affected Releases:
9.3(1), 9.4(1)
Known Fixed Releases:
100.12(0.130), 100.13(0.80), 100.14(0.44), 100.14(16.1), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Bug Id:
CSCuu67411
Title:
Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg
Description:

Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg

Symptom:
After configuring "timeout floating-conn 0:01:00" (any value in the valid range 0:0:30-1193:0:0), the command is accepted by the ASA, but Telnet and HTTP connections to the ASA are lost.

Conditions:
Issue on :
1.Saleen -5512,5525
2.Kenton--5506
3.vASA

Workaround:
Set the "timeout floating-conn 0:00:00"

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
08-JUL-2015
Known Affected Releases:
100.14(0.27), 100.14(0.30), 100.14(6.38)
Known Fixed Releases:
100.14(0.42), 100.14(16.1), 100.14(5.20), 100.14(7.39), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12), 100.15(5.15)
Bug Id:
CSCuu91304
Title:
Immediate FIN from client after GET breaks scansafe connection
Description:

Symptom:
Connections through the ASA to a scansafe tower may fail if the client sends a FIN packet immediately following a GET packet. This hangs the TCP connection and causes the transaction to fail.

Conditions:
This is seen if the CLIENT sends a TCP FIN packet before any data comes back from the TOWER.

Workaround:
None at this time

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
08-JUL-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases:
Bug Id:
CSCus73993
Title:
ASA memory corruption - traceback in Thread Name: CERT API
Description:

Symptom:
ASA Traceback in Thread Name: CERT API due to memory corruption.

Conditions:
ASA running affected software.

Workaround:
Unknown

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
09-JUL-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases:
Bug Id:
CSCud50997
Title:
ASA IKEv2 fails to accept incoming IKEV2 connections
Description:

Symptom:
When using the AnyConnect client, IKEv2 connections will no longer connect to the ASA headend.

Conditions:
Using the AnyConnect client connecting to the ASA headend using IKEv2.
syslog: IKEv2-PROTO-1: Failed to allocate memory


Workaround:
Reload ASA.

Status:
Fixed
Severity:
2 Severe
Last Modified:
09-JUL-2015
Known Affected Releases:
8.4(3), 8.4(4.9)
Known Fixed Releases:
100.10(0.6), 100.7(6.117), 100.8(27.83), 100.8(38.13), 100.8(40.4), 100.8(41.1), 100.8(60.7), 100.9(0.41), 100.9(7.21), 15.2(2.0.28)PI3
Bug Id:
CSCsx99960
Title:
ASA5580-20 traceback in CP Processing
Description:


Symptom:

Secondary ASA 5580 running in active/active failover mode having group 2 as active crashed in CP Processing thread.

Conditions:

ASA running 8.1.1.12 with normal work load.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
09-JUL-2015
Known Affected Releases:
8.1, 8.1(1.12), 8.1(2)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 8.1(2.175), 8.1(2.20), 8.2(1.4), 8.2(2.99), 8.2(4)
Bug Id:
CSCtj07197
Title:
ASA traceback on rtsp inspection on DATAPATH-5-567
Description:

Symptom:
The ASA will crash on the thread named DATAPATH-5-567.

Conditions:
This crash is possibly related to rtsp inspection.

Workaround:
Disabling rtsp inspection may resolve the issue.

Status:
Terminated
Severity:
2 Severe
Last Modified:
09-JUL-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
Bug Id:
CSCug37155
Title:
ASA 5585 traceback in Thread Name : DATAPATH-7-1851
Description:

Symptom:

The primary ASA unit crashed. The trigger is unknown.

Conditions:
None

Workaround:
None at this point of time.

Status:
Terminated
Severity:
2 Severe
Last Modified:
09-JUL-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
Bug Id:
CSCtj48788
Title:
Page fault traceback on standby in QOS metrics during idb_get_ifc_stats
Description:


Symptom:
ASA5580-40 running 8.2(3) may crash due to a page fault in idb_get_ifc_stats.

Conditions:
The crash may happen when an ASDM connection is established to ASA5580-40.

Workaround:
none.

Status:
Fixed
Severity:
2 Severe
Last Modified:
09-JUL-2015
Known Affected Releases:
8.2(3)
Known Fixed Releases:
100.7(0.72), 100.7(11.2), 100.7(13.1), 100.7(6.19), 100.7(8.4), 8.2(4.2), 8.2(5), 8.3(2.13), 8.4(1.1), 8.4(1.99)
Bug Id:
CSCuv19917
Title:
Traceback assert in calendar_queue.h
Description:

Symptom:
Traceback assert in calendar_queue.h

Conditions:
Cisco ASA running release 9.1.6.181 in a 4 node cluster.

Workaround:
None.

Further Problem Description:

Status:
Open
Severity:
1 Catastrophic
Last Modified:
09-JUL-2015
Known Affected Releases:
9.1(6.181)
Known Fixed Releases:
Bug Id:
CSCui61335
Title:
Traceback in Thread: DATAPATH-3-1281 Page fault: Address not mapped
Description:

Symptom:
ASA crashes when syncing with cluster master:

Thread Name: DATAPATH-0-1267
Page fault: Address not mapped

Conditions:
ASA configured in cluster. Slave synching with cluster master

Workaround:
Other than disabling the cluster member, none at this time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
09-JUL-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases:
100.10(0.16), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.37), 100.8(40.24), 100.8(41.2), 100.8(45.2), 100.8(46.3), 100.8(49.1)
Bug Id:
CSCty35830
Title:
AnyConnect users can't connect due to duplicate session.
Description:

Symptom:
AnyConnect connections are failing to an ASA cluster with syslogs reporting:
%ASA-4-113038: Group User IP Unable to create AnyConnect parent session.

Conditions:
This was observed on ASA platforms with a high connection rate after some operating time.

Workaround:
None at this time other than reloading the ASA.

Status:
Other
Severity:
2 Severe
Last Modified:
09-JUL-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
Bug Id:
CSCtr39013
Title:
ASA - panic traceback when issuing show route interface_name
Description:

Symptom:
Under very rare conditions, the ASA may crash when the show route interface_name IP_address netmask command is issued.

Conditions:
ASA running 8.2.5 or 8.4.2 code.

Workaround:
Do not use the more specific form of the show route command; the routing table can still be viewed with show route.

Further Problem Description:
The following forms of the "show route" command may result in a crash:
show route
show route outside
show route inside 192.168.0.0 255.255.0.0
Other forms of show route, though not tested, may result in a crash as well.

Status:
Fixed
Severity:
2 Severe
Last Modified:
10-JUL-2015
Known Affected Releases:
8.0(3), 8.2, 8.2(4.11), 8.2(5), 8.3(2.13), 8.4(2)
Known Fixed Releases:
100.7(13.21), 100.7(14.10), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(8.34), 100.7(9.53), 100.8(0.17), 100.8(10.20), 100.8(12.23)
Bug Id:
CSCut75983
Title:
ASA Traceback in PPP
Description:

Symptom:
ASA traceback in ppp_timer_thread.

Conditions:
ASA under heavy traffic; the ASA is already dropping VPN tunnels (over-subscription of the ASA).

Workaround:
none

Further Problem Description:
ASA reloaded on its own.

Status:
Fixed
Severity:
2 Severe
Last Modified:
10-JUL-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases:
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13), 100.15(1.15)
Bug Id:
CSCuu16772
Title:
IPv6 ICMP PTB messages not changing TCP SEQ across ASA FW
Description:

Symptom:
Customer sees the ICMP PTB message go over the FW, but the SEQ number does not get updated.

Conditions:
ICMP PTB messages are sent across the ASA, but the TCP SEQ number in the PTB message is not adjusted to match the randomized SEQ number when the ASA has SNR enabled. SNR cannot simply be disabled, as that would be a security issue.
TCP sessions over the FW have their TCP sequence numbers randomized by default (SNR). This prevents an external attacker from predicting the next SEQ number and sending packets through the FW. As such, the Inside and Outside TCP sequence numbers are altered by the ASA and rewritten as packets flow in/out.

Workaround:
Disable sequence number randomization (SNR).

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
10-JUL-2015
Known Affected Releases:
8.4(7.240)
Known Fixed Releases:
Bug Id:
CSCuu45812
Title:
asa Traceback with Thread Name idfw_proc
Description:

Symptom:
asa Traceback with Thread Name idfw_proc

Conditions:

Workaround:
No workaround available currently.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
10-JUL-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases:
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Bug Id:
CSCuv16106
Title:
ASA Traceback Checkheaps in Thread Name: IKEv2 Daemon
Description:

Symptom:
ASA Traceback in Thread Name: IKEv2 Daemon

Conditions:
ASA running IKEv2 IPsec VPN

Workaround:
No workaround

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
10-JUL-2015
Known Affected Releases:
9.1(6.6)
Known Fixed Releases:
Bug Id:
CSCuf07393
Title:
ASA assert traceback during xlate replication in a failover setup
Description:

Symptom:
An ASA firewall running in STANDBY as part of an Active/Standby or Active/Active high availability configuration may crash citing an assert in thread name DATAPATH-x-xxxx.

Conditions:
The crash is seen in rare circumstances on a standby firewall or on a firewall in an Active/Active high availability configuration where some contexts are STANDBY on that firewall.

Workaround:
None at this time. In order to reduce the impact of crashes in an Active/Active failover configuration, you might want to move both ACTIVE Failover Groups to one ASA.

More Info:

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
10-JUL-2015
Known Affected Releases:
9.1(1), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.8(27.83), 100.8(38.16), 100.8(40.6), 100.8(41.2), 100.8(60.12), 100.9(0.45), 100.9(10.1), 100.9(6.27), 100.9(7.23)
Bug Id:
CSCul04735
Title:
Bootloader/ROMMON fails to load image files from Flash
Description:

Symptom:
++ ASA unable to boot software from flash after reload
++ stuck in "Loading /asa846-k8.bin..."
++ MD5/SHA-1 comes back correctly

Conditions:

Workaround:
Workaround 1 ++ delete image and re-upload
Workaround 2 ++ copy disk0:/image.bin disk0:/image-alt.bin

Further Problem Description:
Does not match "CSCud62661 STI Flash write failure corrupts large files", because
1) that bug does not address any issues; it merely slows down the write speed when an error is detected,
2) that bug identifies 8.4.6 as a version in which the fix is included

Does not match "CSCsx50429 After reboot flash is no longer recognized", because
1) that bug identifies STI Flash 7.4.x as having the problem
2) that bug identifies 8.4.6 & 8.4.5 as versions in which the fix is included

++ unreproducible by TAC {please refer to tac-repro}
++ unreproducible by CU

Status:
Other
Severity:
2 Severe
Last Modified:
11-JUL-2015
Known Affected Releases:
8.4(5), 8.4(6)
Known Fixed Releases:
Bug Id:
CSCut45659
Title:
ASA: Intermittent failure in assigning IP address to AnyConnect client
Description:

Symptom:
After an upgrade to 9.1.5 or a later release, the ASA may intermittently fail to assign an IP address to the AnyConnect client. This results in a VPN connection failure, and the user is shown the following message: 'AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again'

Conditions:
1. ASA running 9.1.5 or later release
2. IP address assigned either via local pool or external DHCP server

Workaround:
Rebooting the ASA appears to resolve the issue.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
11-JUL-2015
Known Affected Releases:
9.1(5), 9.1(5.21)
Known Fixed Releases:
Bug Id:
CSCtz16780
Title:
observing traceback @ og_check_subgrp+158
Description:

Symptom:
An ASA which includes access list entries that reference the same object group as both the source and the destination may trace back when the configuration is modified.

Conditions:
The ASA contains at least one access list entry that references the same object group as both the source and the destination.

Workaround:
Configure a duplicate object group and reference that in the ACL entry, replacing one of the existing object group references.

Status:
Fixed
Severity:
2 Severe
Last Modified:
12-JUL-2015
Known Affected Releases:
100.7(21.3), 8.4(4), 8.4(4.1)
Known Fixed Releases:
100.7(13.85), 100.7(21.6), 100.7(23.1), 100.7(6.84), 100.8(35.1), 8.4(4.2), 8.4(4.99), 8.4(5)
Bug Id:
CSCuq59667
Title:
ASA tracebacks in Thread Name: ssh due to watchdog
Description:

Symptom:
ASA 9.1.5 and 9.2.1 crashed in thread named "ssh" during SSH rekey.

Conditions:
The exact condition is not known. The ASA's watchdog processing crashes the device in the middle of SSH rekey because the rekey takes too long.

Workaround:
There's no workaround at the moment.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
12-JUL-2015
Known Affected Releases:
9.1(5), 9.2(1)
Known Fixed Releases:
100.11(0.48), 100.12(0.57), 100.13(0.4), 100.13(11.6), 100.13(12.10), 100.13(13.1), 100.13(14.3), 100.13(15.4), 100.13(16.1), 100.13(17.1)
Bug Id:
CSCub94479
Title:
%ASA-3-210007: LU allocate xlate failed on Standby unit
Description:

Symptom:
ASA, running 8.4.3, produces "%ASA-3-210007: LU allocate xlate failed" error message on Standby unit even if the memory has enough free space.

Conditions:
unknown

Workaround:
The root cause of this bug is an issue in NAT rule order processing; it requires the fixes for CSCtt11890 and CSCub59136, which are available from 8.4.5 onwards. Customers are recommended to upgrade accordingly.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-JUL-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
Bug Id:
CSCuu74125
Title:
ASA traceback in thread name: DATAPATH
Description:

Symptom:
ASA reloads due to a traceback in thread name: DATAPATH

Conditions:
unknown

Workaround:
none

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
13-JUL-2015
Known Affected Releases:
9.3(2.160)
Known Fixed Releases:
Bug Id:
CSCuu38315
Title:
ASA Cluster member traceback in DATAPATH
Description:

Symptom:
ASA 5585-20 cluster member running 9.4.1 produces a traceback in DATAPATH

Conditions:
ASA 5585-20 running 9.4.1 in cluster mode.

Workaround:
No known workarounds.

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
13-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCsq91277
Title:
ACL Misbehavior in Cisco ASA
Description:

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:

* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability

Workarounds are available for some of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-JUL-2015
Known Affected Releases:
8.0(0.4), 8.0(103.25), 8.0(3.19), 8.0(4), 8.0(4.3)
Known Fixed Releases:
7.0(8.1), 7.1(2.74), 7.2(4.9), 8.0(4.5), 8.0(5)
Bug Id:
CSCut28217
Title:
Active ASA in failover setup reboots on its own
Description:

Symptom:
Active ASA in failover setup reboots on its own.

Conditions:
Active ASA in failover setup reboots on its own.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
13-JUL-2015
Known Affected Releases:
9.0(4)
Known Fixed Releases:
100.11(0.58), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.21)
Bug Id:
CSCuv13581
Title:
Traceback in Thread Name: ssh ; 5585 ; 9.1.6.1
Description:

Symptom:
crash - 5585 running 9.1.6.1

last log before crash is the following syslog message:
2015-06-05T15:20:20.138636+02:00 sth2-fw01.sth.basefarm.net <164>Jun 05 2015 15:20:20: %ASA-4-711004: Task ran for 266 msec, Process = fover_FSM_thread, PC = 12038a8, Call stack =
2015-06-05T15:20:20.138636+02:00 sth2-fw01.sth.basefarm.net <164>Jun 05 2015 15:20:20: %ASA-4-711004: Task ran for 266 msec, Process = fover_FSM_thread, PC = 12038a8, Call stack = 0x00000000012038a8 0x00000000009031a9 0x000000000092252e 0x0000000000924d77 0x00000000009254fd 0x00000000009364af 0x0000000000931e49 0x00000000009327c5 0x0000000000428d45

Conditions:

Workaround:

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
14-JUL-2015
Known Affected Releases:
9.1(6.1)
Known Fixed Releases:
Bug Id:
CSCta55072
Title:
ASA traceback in Thread Name: Dispatch Unit, Abort: Assert Failure
Description:

Symptom:
ASA intermittent crash at Thread Name: Dispatch Unit, Abort: Assert Failure

Conditions:
Running version 8.2.1.
The ASA5505 box has a basic license with an Inside hosts limit. When the total number of inside hosts exceeds the limit, it may trigger the crash.
If there is no limit for inside hosts with the license, the crash won't be triggered.

Workaround:
No workaround

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
14-JUL-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.3(0.3), 100.4(0.7), 100.4(0.9), 8.1(2.31), 8.1(2.32), 8.2(1.10), 8.2(4), 8.3(0.0)
Bug Id:
CSCua35666
Title:
ASA: traceback in Thread Name: IPsec message handler,Syslog 602305.
Description:

Symptom:
ASA running 8.4.4 reloads in thread name IPsec message handler.

Conditions:
This crash is related to IPSEC VPN and new 8.4.4 syslog 602305.

Workaround:
Disable syslog message 602305.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
14-JUL-2015
Known Affected Releases:
8.4(0.4), 8.4(4)
Known Fixed Releases:
100.7(6.84), 100.8(34.1), 8.4(4.2), 8.4(4.99), 8.4(5)
Bug Id:
CSCum00556
Title:
Cisco ASA HPM Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3385 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
14-JUL-2015
Known Affected Releases:
8.4, 9.1(4)
Known Fixed Releases:
100.10(0.76), 100.10(2.7), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.11(4.1), 100.7(6.129), 100.8(38.111), 100.8(40.59), 100.8(56.17)
Bug Id:
CSCua36443
Title:
ASA may reload with traceback in IPsec message handler
Description:

Symptom:
ASA may generate a traceback and reload in the IPsec message handler

Conditions:
The issue has been seen on ASA 8.4(4); other versions may also be affected

Workaround:
No known workaround at this time

Status:
Other
Severity:
2 Severe
Last Modified:
14-JUL-2015
Known Affected Releases:
8.4(0.4)
Known Fixed Releases:
Bug Id:
CSCsz86120
Title:
Traceback when threat detection is disabled and using jumbo frames
Description:

Symptom:
Device crashes after disabling/enabling threat detection while traffic is passing through the box.

Conditions:
1. Jumbo frame reservation is configured
2. Flow export event is configured to a particular host under the Global Policy map
3. HT unit is under stress
4. While traffic is running, the "no threat-detection statistics" command is issued
5. Immediately after step 4, the individual TD statistics components are enabled in this order: "threat-detection statistics port", "threat-detection statistics protocol" and "threat-detection statistics access-list"

Workaround:
Use the clear config threat-detection command to disable it

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
14-JUL-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.3(0.3), 100.4(0.3), 8.1(2.29), 8.2(1.2), 8.2(2.99), 8.2(4), 8.3(0.0)
Bug Id:
CSCsr25122
Title:
Page fault in IP thread under high traffic load
Description:

Symptom:
Tracebacks with Thread name: IP Thread

Conditions:
Usually when the device is under heavy load with both through-the-box and to-the-box traffic.
Note: The problem is present only on ASA 8.0 and later releases.

Workaround:
None at this time

Further Problem Description:
Tracebacks on active failover PIX with Thread name: IP Thread
Also could occur on standalone PIX.

Status:
Fixed
Severity:
2 Severe
Last Modified:
14-JUL-2015
Known Affected Releases:
8.0(3), 8.0(3.12), 8.0(4), 8.1(1)
Known Fixed Releases:
7.0(8.1), 7.1(2.76), 7.2(4.9), 8.1(1.10), 8.1(1.100), 8.1(1.200), 8.1(101.6)
Bug Id:
CSCsk85428
Title:
Traceback in scheduler
Description:

Symptom:
Traceback in scheduler. This traceback could happen in any thread.

Conditions:
Cisco ASA/PIX running some versions of 7.0, 7.1, and 7.2. This is a very rare timing condition. It is not induced or affected by any configuration on the box or any external stimulus. It could happen in any release after the following releases:

007.000(006.037) 007.001(002.058) 007.002(002.027)

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
14-JUL-2015
Known Affected Releases:
7.0, 7.1, 7.2(3), 7.2(3.8)
Known Fixed Releases:
7.0(7.8), 7.1(2.67), 7.2(3.9), 7.2(4), 8.0(2.39), 8.2(0.75)
Bug Id:
CSCuh48577
Title:
Slow memory leak on ASA due to SNMP
Description:

Symptom:
Memory keeps on increasing very slowly on the ASA.

Conditions:
This issue is reported on an ASA5550 running version 8.2(5)33 with SNMP enabled on the ASA.

Workaround:
Reload the ASA

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
14-JUL-2015
Known Affected Releases:
8.2(5.33)
Known Fixed Releases:
100.10(0.6), 100.7(6.121), 100.8(27.85), 100.8(38.28), 100.8(40.16), 100.8(41.2), 100.8(60.34), 100.9(10.4), 100.9(6.32), 100.9(7.41)
Bug Id:
CSCun11074
Title:
Cisco ASA SunRPC Inspection Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3387 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
14-JUL-2015
Known Affected Releases:
8.2(5), 8.4(1)
Known Fixed Releases:
100.10(9.6), 100.7(6.134), 100.8(38.121), 100.8(40.62), 100.8(56.27), 100.8(62.2), 100.8(64.3), 100.8(65.3), 100.8(66.4), 7.2(5.14)
Bug Id:
CSCub16427
Title:
Standby ASA traceback while replicating flow from Active
Description:

Symptom:
ASA may reload with a traceback in thread name DATAPATH-19-2279

Conditions:
ASA running 8.4.x or 8.5.x. Other versions may also be impacted.

- ASAs in a failover pair, with failover already established between them
- At some point the Standby started processing clear config all; this could be due to "write standby" on the Active
- This causes the Standby to crash

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
14-JUL-2015
Known Affected Releases:
8.4(1), 8.5(1)
Known Fixed Releases:
100.7(13.106), 100.7(6.104), 100.8(0.236), 100.8(0.244), 100.8(11.37), 100.8(11.48), 100.8(27.19), 100.8(27.20), 100.8(33.22), 100.8(33.29)
Bug Id:
CSCsv98614
Title:
Crash in ASA when CIPC phones registers from DMZ
Description:

Symptom:
When CIPC phones attempt to register, the ASA crashes.

Conditions:
This doesn't happen with real phones; it happens only with CIPC phones

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4.16), 8.2(0.181)
Known Fixed Releases:
8.0(4.19), 8.0(4.23), 8.0(5), 8.1(2.13), 8.1(2.9), 8.2(0.193), 8.2(0.208), 8.2(4)
Bug Id:
CSCsx23797
Title:
SSL decrypt error using NULL-SHA1
Description:

Symptom:
When using UCM in a mixed-mode cluster with a phone configured as Authenticated (meaning UCM expects TLS using NULL-SHA1 from the phone), the ASA performs the TLS handshake with the UCM proposing NULL-SHA1, but it fails due to a decrypt error:

%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: tlsv1 alert decrypt error
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl handshake failure

Conditions:

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4.22), 8.2(0.181)
Known Fixed Releases:
100.3(0.2), 8.0(4.27), 8.0(5), 8.1(2.17), 8.1(2.18), 8.2(0.217), 8.2(0.218), 8.2(4)
Bug Id:
CSCsu48860
Title:
traceback eip 0x08c4cab2 log_to_servers+1426 at /slib/include/channel.h
Description:

Symptom:
Traceback after typing the CLI command "no logg host inside" while the ASA is under stress.

Conditions:
Under a stress traffic test with load at 96% CPU

Workaround:
None

Further Problem Description:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4), 8.1(1.102)
Known Fixed Releases:
8.0(4.33), 8.0(5), 8.1(1.107), 8.1(2.24), 8.2(0.156), 8.2(0.160), 8.2(1.10), 8.2(4)
Bug Id:
CSCte64113
Title:
DOC: Clarify anyconnect essentials license does not have clientless
Description:

This is a documentation bug only.

Currently, there is some confusion about the fact that the AnyConnect Essentials license does not provide clientless access.

Also, customers don't know that you cannot have the AnyConnect Essentials and Premium SSL VPN licenses at the same time.

The current documentation (FAQ, licensing docs, command/configuration guides) should be updated to further clarify that clientless is not supported with AnyConnect Essentials, and also that Premium and AnyConnect Essentials are mutually exclusive: only one can be active at a time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2
Known Fixed Releases:
Bug Id:
CSCti22389
Title:
Traceback at snp_nat_portlist_remove_empty upon clear configure all
Description:

Symptom:
ASA may traceback with UDP traffic to and from the ASA

Conditions:
Doing "clear configure all" or "clear configure interface" when UDP connections are open.

Workaround:
Not known

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(0.43), 100.7(6.3), 8.3(2.9)
Known Fixed Releases:
100.5(5.52), 100.7(0.59), 100.7(5.23), 100.7(6.8), 100.7(8.1), 100.7(9.1), 8.2(5.3), 8.3(2.10), 8.4(0.99), 8.4(1)
Bug Id:
CSCta06806
Title:
traceback: netfs_request+289 at netfs/netfs_api.c:89
Description:

Symptom:
Under high utilization, a traceback may occur when using the CIFS file download functionality.

Conditions:
A high concurrent user count, all downloading at the same time.

Workaround:
None at this time.

Further Problem Description:
Decode: Thread Name: emweb/https (Old pc 0x0862a821 ebp 0x6f87b4d8)

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4), 8.0(4.35)
Known Fixed Releases:
100.3(0.3), 100.4(0.12), 8.0(4.43), 8.0(5), 8.1(2.34), 8.2(1.10), 8.2(4), 8.3(0.0)
Bug Id:
CSCsv91797
Title:
Nested Traceback: addressable memory check problem
Description:

Symptom:
If the ASA device reloads with a crashinfo due to a software issue, some values in the dump might prevent the crashinfo from being shown fully.

Conditions:
This issue does not occur during normal operation, but it complicates the analysis of other existing issues.

Workaround:
none.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(2)
Known Fixed Releases:
8.0(4.21), 8.0(5), 8.1(2.11), 8.2(0.194), 8.2(1)
Bug Id:
CSCtb06656
Title:
Traceback under heavy load while making config changes
Description:

Symptom:
Enabling and disabling the threat-detection configuration under high-stress tests will cause a traceback.

Conditions:
Cisco ASA running release 8.1.1. Under high-stress traffic, enable and disable threat-detection until the traceback occurs.

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.5(0.18), 8.1(1)
Known Fixed Releases:
100.3(0.3), 100.4(0.10), 8.1(2.32), 8.2(1.10), 8.2(2.99), 8.2(4), 8.3(0.0)
Bug Id:
CSCth05467
Title:
WebVPN: Any email can't be sent in OWA 2010 with S/MIME installed
Description:

Symptom:
After the S/MIME library is installed, no message can be sent from any account on that machine through the ASA.
Conditions:
Detailed description given in the defect summary section.
Workaround:
1. Use Firefox for premium mode.
2. Uninstall S/MIME from the "Add or Remove Programs" section of the Windows Control Panel.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(3), 8.2
Known Fixed Releases:
100.5(5.41), 100.7(0.57), 100.7(5.21), 100.7(6.6), 100.7(8.1), 100.7(9.1), 8.2(3.105), 8.2(4), 8.3(2.14), 8.4(0.99)
Bug Id:
CSCtd36473
Title:
IPsec: Outbound context may be deleted prematurely
Description:

Symptom:
Outbound encryption traffic in an IPsec tunnel may fail, even if inbound decryption traffic is working.

Conditions:
This issue has been observed on an IPsec connection after multiple rekeys, but the trigger condition is not clear. The presence of this issue can be established by checking the output of "show asp drop" and verifying that the Expired VPN context counter is increasing for each outbound packet sent.

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0, 8.2(2)
Known Fixed Releases:
100.5(5.9), 100.7(2.1), 8.0(5.13), 8.1(2.42), 8.2(2.8), 8.2(4), 8.3(1.1), 8.3(1.100), 8.4(1)
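The check described under Conditions above, as an added Python example that is not part of the Cisco bug record: it parses two "show asp drop" snapshots, taken before and after a known number of packets were sent into the tunnel, and reports whether the Expired VPN context counter grew by at least that many. The two snapshots are constructed sample output, and the parenthesised keyword vpn-context-expired is assumed to be the ASA's drop-reason keyword for that counter; the bug text gives only the description "Expired VPN context", so adjust the keyword to what your unit prints.

```python
import re
from typing import Dict

# One counter row of "show asp drop": indented description, the drop-reason
# keyword in parentheses, then the count. Section headers such as
# "Frame drop:" and the "Last clearing:" line do not match and are skipped.
_DROP_ROW = re.compile(
    r"^\s+(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$"
)


def parse_asp_drop(output: str) -> Dict[str, int]:
    """Map drop-reason keyword -> counter value for one snapshot."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = _DROP_ROW.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def drop_deltas(before: str, after: str) -> Dict[str, int]:
    """Counters that rose between two snapshots. The ASA prints only non-zero
    rows, so a reason missing from the first snapshot is counted from zero."""
    b, a = parse_asp_drop(before), parse_asp_drop(after)
    deltas = {reason: a[reason] - b.get(reason, 0) for reason in a}
    return {reason: d for reason, d in deltas.items() if d > 0}


def vpn_context_expiring(before: str, after: str, packets_sent: int,
                         reason: str = "vpn-context-expired") -> bool:
    """The check from CSCtd36473: with the bug present every outbound packet
    is charged to the Expired VPN context counter, so after sending
    `packets_sent` packets through the tunnel that counter should have grown
    by at least that much. `reason` is the assumed keyword for the counter."""
    return drop_deltas(before, after).get(reason, 0) >= packets_sent


# Constructed sample snapshots (not real device output), taken before and
# after 100 pings were sent into the tunnel.
BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                          1204
  First TCP packet not SYN (tcp-not-syn)                                  31
  Expired VPN context (vpn-context-expired)                                8

Last clearing: Never
"""

AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                          1210
  First TCP packet not SYN (tcp-not-syn)                                  31
  Expired VPN context (vpn-context-expired)                              108

Last clearing: Never
"""

if __name__ == "__main__":
    print(drop_deltas(BEFORE, AFTER))
    print("bug signature present:",
          vpn_context_expiring(BEFORE, AFTER, packets_sent=100))
```

Take the two snapshots close together and send a fixed burst (for example 100 pings to a host behind the tunnel) in between; other counters such as acl-drop will move too, which is why the comparison is made per reason rather than on the total.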
Bug Id:
CSCtq44306
Title:
ASA-SM: Failover Cold Standby "Unable to sync configuration from Active"
Description:

Symptom:
ASA-SM unit goes to Cold Standby state and will not sync configuration from Active

Conditions:
After toggling power enable/no power enable several times

Workaround:
None. Reload the card until it works, or reload the chassis.

Note: to resolve this problem, both the primary and secondary ASA must run the
same fixed version.



Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(2.8), 8.5(1)
Known Fixed Releases:
100.7(13.18), 100.7(14.5), 100.7(16.1), 100.7(17.5), 100.7(18.1), 100.7(6.43), 100.7(8.34), 100.7(9.50), 100.8(0.15), 100.8(10.16)
Bug Id:
CSCtg15740
Title:
Failover "LAN FAILED" w/ webvpn clientless dh plus AC steady state
Description:

Symptom:
Standby Firewall may crash without recording a crash file.

Conditions:
This was first identified on an ASA5580 failover pair running 8.2.2(130)

Workaround:
None

Further Problem Description:
The problem is due to HA (High Availability) packets being delayed. Interface
monitoring may aggravate the issue.


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.4(0.54)
Known Fixed Releases:
100.7(0.30), 100.7(13.1), 100.7(14.1), 100.7(15.1), 100.7(5.4), 100.7(6.2), 100.7(6.30), 100.7(9.13), 100.8(0.14), 100.8(0.2)
Bug Id:
CSCtq78280
Title:
invalid command dhcp client xxx on ASA 8.4
Description:

Symptom:

When trying to configure the 'dhcp client' commands on an ASA interface, the parser may reject them as invalid:

ciscoasa(config-if)# dhcp client ?
ERROR: % Unrecognized command

Conditions:

The ASA must be running software version 8.4(1) or higher.

Workaround:

There is no known workaround at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.34), 100.7(13.37), 100.7(14.23), 100.7(14.26), 100.7(17.5), 100.7(18.2), 100.7(18.3), 100.7(6.44), 100.7(8.34), 100.8(0.26)
Bug Id:
CSCtr04553
Title:
Traceback while cleaning up portlist w/ clear conf all or write standby
Description:

Symptom:

Scenario 1:
ASA traceback with 'clear config all'
Scenario 2:
Standby ASA occasionally crashes when 'write standby' is issued on the active unit.



Conditions:

Scenario 1:
- memory delayed-free-poisoner is enabled
- call-home is configured to send messages to email addresses
Scenario 2:
- Active/Standby Failover
- Smart Call Home is not configured.
- DFP is not enabled on the standby unit.

Workaround:
no workaround
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 1.5/1.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(2.22), 8.2(5.5), 8.4(3), 8.4(4.8), 8.6(1.2)
Known Fixed Releases:
100.7(13.111), 100.7(6.108), 100.8(27.63), 100.8(50.24), 100.9(0.24), 100.9(4.1), 100.9(7.1), 100.9(8.1), 100.9(9.1), 8.2(5.39)
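Deciding whether a running unit is covered by a Known Fixed Releases list such as the one above (for CSCtr04553, 8.2(5.39) is the only fix in a shipping train; the 100.x entries are internal builds). The helper below is an added Python example, not Cisco's code. It accepts the three spellings this notification uses for the same kind of release, 8.2(5)39 as "show version" prints it, 8.2(5.39) as the bug database prints it, and the dotted 7.2.4.33 form, and it answers only within the running unit's own major.minor train, because the list cannot say whether a later train carries the fix. The banner line in the usage section is constructed.

```python
import re
from typing import Optional, Sequence, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, interim)

# "8.2(5)39" as 'show version' prints it and "8.2(5.39)" as the bug database
# prints it are the same release; "7.2.4.33" is the dotted spelling.
_PAREN_FORM = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")
_DOTTED_FORM = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Normalise any of the spellings to a comparable tuple. A whole
    'show version' banner line is accepted; its first version string wins."""
    text = text.strip()
    m = _DOTTED_FORM.match(text)
    if m:
        major, minor, maint, interim = m.groups()
        return int(major), int(minor), int(maint), int(interim)
    m = _PAREN_FORM.search(text)
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    major, minor, maint, dot_interim, tail_interim = m.groups()
    return int(major), int(minor), int(maint), int(dot_interim or tail_interim or 0)


def fix_status(running: str, fixed: Sequence[str]) -> Optional[bool]:
    """True if the running release is at or beyond a fixed release in its own
    major.minor train, False if that train has a fix the unit has not reached,
    None if the list names no release in that train (a later train may carry
    the fix, but this list cannot tell)."""
    run = parse_version(running)
    same_train = [f for f in map(parse_version, fixed) if f[:2] == run[:2]]
    if not same_train:
        return None
    return any(run >= f for f in same_train)


# Known Fixed Releases for CSCtr04553, copied from the record above.
CSCTR04553_FIXED = [
    "100.7(13.111)", "100.7(6.108)", "100.8(27.63)", "100.8(50.24)",
    "100.9(0.24)", "100.9(4.1)", "100.9(7.1)", "100.9(8.1)", "100.9(9.1)",
    "8.2(5.39)",
]

if __name__ == "__main__":
    # Constructed banner line in the shape 'show version' prints.
    banner = "Cisco Adaptive Security Appliance Software Version 8.2(5)12"
    for unit in (banner, "8.2(5)39", "8.4(4)8"):
        print(unit, "->", fix_status(unit, CSCTR04553_FIXED))
```

A None result is the interesting one: the record lists 8.4(4.8) as affected but the truncated fixed list shows no 8.4 release, so an 8.4 unit has to be checked against the full bug record rather than this excerpt.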
Bug Id:
CSCsy27547
Title:
Using phone-proxy got assertion "ip.ip_version == IP_VERSION_4"
Description:

Symptom:
Assertion

Conditions:
ASA configured for phone-proxy. Calls being attempted while media termination rtp ports are exhausted.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4.27)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 8.0(4.30), 8.0(5), 8.1(2.21), 8.2(1.10), 8.2(2.99), 8.2(4)
Bug Id:
CSCtd93250
Title:
Traceback : assert+12 at ../finesse/snap_api.h:141
Description:

Symptom:
Disabling Dynamic Filtering will cause a software assertion.

sjc-vpn-asa-1/pri/act(config)# no dynamic-filter use-database
sjc-vpn-asa-1/pri/act(config)#
core0: An internal error occurred. Specifically, a programming assertion was
violated. Copy the error message exactly as it appears, and get the
output of the show version command and the contents of the configuration
file. Then call your technical support representative.

assertion "entry->magic == BIN_TREE_MAGIC" failed: file "bin_tree_priv.h", line 66


Conditions:

Workaround:

None at this time

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1), 8.2(1.111)
Known Fixed Releases:
Bug Id:
CSCti84683
Title:
ACL hash incorrect for protocol object
Description:

Symptom:
The ASA is not correctly calculating the MD5 hash for an access-list that is using a network object for the protocol. It does not match the hash that ASDM calculates. This prevents ASDM from finding an access-list based on the hash in the hitcount output or syslog output.

Conditions:

Workaround:
None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.3(2), 8.4(0.9)
Known Fixed Releases:
100.5(5.52), 100.7(0.66), 100.7(6.12), 100.7(8.1), 8.3(2.11), 8.4(0.99), 8.4(1), 8.5(0.99), 8.5(1)
Bug Id:
CSCtl86372
Title:
IKE fails to initialize when minimal data is sent to pub int.
Description:

Symptoms:
Sending a low data rate of traffic to the public interface may cause the IKE daemon to stop responding. This may prevent new IKEv1 and IKEv2 tunnels from being established.

Conditions:
None.

Workaround:
None.

Further Problem Description:

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C

CVE ID CVE-2011-0363 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2, 8.4(0.129)
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.24), 100.7(8.16), 100.7(9.6), 8.2(4.3), 8.2(5), 8.4(1.2)
Bug Id:
CSCsx07862
Title:
Traffic shaping with priority queueing causes packet delay and drops
Description:

Symptom:
In a rare corner case, if the traffic shaping QoS feature is configured on the ASA appliance, the ASA might introduce severe latency into the traffic flow, or drop packets in the flow.

Conditions:
The traffic shaping feature must be configured on the firewall. More information about the traffic shaping feature can be found here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/qos.html#wp1065249

Workaround:
Remove the service-policy from the interface to disable the traffic shaping feature. This will restore connectivity immediately.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 7.2(4.35), 8.0(4.34), 8.0(5), 8.1(2.25), 8.2(1.2), 8.2(4)
Bug Id:
CSCth35961
Title:
WebVPN: Preview mode for emails works improperly for DWA 8.5.1
Description:

Symptom:
Existing messages cannot be previewed in DWA 8.5.1.
Conditions:
Detailed description given in the defect summary section.
Workaround:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(7.0), 8.2(1.12), 8.3(0.29)
Known Fixed Releases:
100.5(5.57), 100.7(0.71), 100.7(11.2), 100.7(13.1), 100.7(6.17), 100.7(8.3), 8.2(4.1), 8.2(4.3), 8.2(5), 8.3(2.13)
Bug Id:
CSCth26875
Title:
DOC: ASA 8.3 config guide - Multiple incorrect sections and statements
Description:

Symptom:
8.3 ASA config guide has multiple doc bugs referencing sections from older 8.0 configs.

Conditions:
This is a doc bug.

Workaround:
none at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.3
Known Fixed Releases:
Bug Id:
CSCsv39815
Title:
DAP: Bookmark URL list is not being concatenated
Description:

Symptom:

When multiple DAP records are matched, only the bookmarks configured on one of them are displayed on the portal page.

Conditions:

The name of the bookmark list that is not displayed is a subset of the one that is.
For instance, if you have a bookmark list called booklist and another one called booklist2, only the second one will be shown on the portal.

Workaround:

Rename the bookmark lists so that no name is a subset of another.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4.8)
Known Fixed Releases:
8.0(4.21), 8.0(5), 8.1(2.11), 8.2(0.196), 8.2(1)
Bug Id:
CSCti70936
Title:
PKI session exhaustion
Description:

Symptom:
PKI resources exhausted under load

Conditions:
Large number of PKI sessions are being established concurrently

Workaround:
NA

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7, 8.2
Known Fixed Releases:
100.5(5.40), 100.7(0.51), 100.7(5.16), 100.7(6.6), 100.7(8.1), 8.2(3.104), 8.2(3.5), 8.2(4), 8.3(2.5), 8.4(0.99)
Bug Id:
CSCsw90717
Title:
ASA phone Proxy reboots unexpectedly
Description:

Symptom:

ASA configured as Phone Proxy rebooted unexpectedly

Conditions:

This was one time event and root cause is under investigation.

Workaround:

No work-around is needed. After reboot, the ASA automatically recovered and started functioning as Phone Proxy with no further loss of service

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 8.0(4.24), 8.0(5), 8.1(2.14), 8.2(0.208), 8.2(2.99), 8.2(4)
Bug Id:
CSCth26429
Title:
WebVPN: "Add new..." button doesn't work properly for SharePoint 2010
Description:

Symptom:
Content items cannot be added through the default 'Add new ...' controls of a SharePoint 2010 portal accessed through the ASA.
Conditions:
1. Internet Explorer 8 or Firefox 3.6.3.
2. SharePoint 2010 server.
Workaround:
disable compression on the sharepoint server

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(7.0), 100.8(3.4)
Known Fixed Releases:
Bug Id:
CSCtj52109
Title:
Failed to display CSC Security events in Content Security Monitoring.
Description:

Symptom:
Once CSC events are generated, CSC does not display them. The events can, however, be seen in the Trend Micro logs.

Conditions:
N/A

Workaround:

There are two places where these events should be visible in ASDM:
1. The "Latest CSC events" window under the "Content Security" tab.
2. Monitoring -> Trend Micro Content Security -> Live Security Events window.

Test Environment:
CSC Version: 6.3.1172.4
ASA Version: 8.2.3, 8.3.2, 100.7(5)23 (tested with all three versions)
ASDM: 6.3.4, 6.4.0.114 (tested with both versions)

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(3), 8.3(2)
Known Fixed Releases:
6.6(1125.0)
Bug Id:
CSCsy76537
Title:
Issue with RTP Pinhole timeout
Description:

Symptom:

In TelePresence B2B testing through CUBE, ASA and SBC, an issue is seen in the following scenarios:
1. B2B point-to-point call: after the call is set up, signaling- and media-wise, one endpoint is put on hold, and an immediate resume results in no media flowing.
2. B2B point-to-point call between two endpoints, A1 in enterprise A and B1 in enterprise B: after the call is set up, signaling- and media-wise, an audio add-in joins the conference call set up at B1; after hitting Conference, no video is seen.


Conditions:

When the second INVITE arrives, the ASA believes it still has pinholes open, but they time out before RTP can pass through. In scenario 1, if we wait anywhere between 15 seconds and 3 minutes after the hold, the pinholes opened by the first INVITE are all removed before the second INVITE is sent, a new set of pinholes is opened, and RTP goes through.
In scenario 2, one needs to wait 15 seconds to 3 minutes after the audio add-in call is answered at B1 before it can be conferenced into the existing conference call between A1 and B1.

Workaround:

Putting an access-list in place that permits media on specific ports from inside to outside lets the media flow, but this defeats the purpose of the ASA's ability to open RTP pinholes on the basis of SIP inspection.


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4), 8.0(4.23)
Known Fixed Releases:
100.3(0.3), 7.2(4.41), 8.0(4.41), 8.0(5), 8.1(2.32), 8.2(1.5), 8.2(4), 8.3(0.0)
Bug Id:
CSCtj90315
Title:
Traceback in transparent mode due to tcp reset
Description:

Symptom:

Under rare circumstances, the ASA may crash when receiving a TCP Reset.

Conditions:

ASA must be running in transparent mode.

Workaround:

Configure TCP State Bypass

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(3.112), 8.3(2), 8.4(1)
Known Fixed Releases:
100.5(5.58), 100.7(0.72), 100.7(11.2), 100.7(13.1), 100.7(6.18), 100.7(8.4), 8.2(4.2), 8.2(5), 8.3(2.13), 8.4(1.1)
Bug Id:
CSCtj76771
Title:
Traceback on Thread name :fover_parse on ASA 5585-SSP10
Description:

Symptom:
On ASA5585 platforms, the ASA may traceback in active/standby HA in multiple-context mode.

Conditions:
Port-channel interfaces in multiple-context mode.

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(0.66), 100.7(0.69), 8.4(0.102), 8.4(0.105)
Known Fixed Releases:
100.7(0.71), 100.7(11.2), 100.7(6.16), 100.7(8.3), 8.2(4.110), 8.2(5), 8.4(0.107), 8.4(1), 8.4(1.99), 8.4(2)
Bug Id:
CSCtn61148
Title:
ASA stops handling ikev2 sessions after some time
Description:

Symptom:
After some time of normal operation, ASA stops accepting IKEv2 sessions from
Anyconnect clients.
The client produces the following error: "Not able to connect to gateway."
The client logs include error messages such as:
"Negotiation aborted due to ERROR: Maximum number of retransmissions reached"
"IKE SA request failure: during rekey?:N - (20) 'Unable to contact peer'"
"IPSECPROTOCOL_ERROR_PEER_UNREACHABLE:A response was not received for the IKE
init message. This is most likely due to the peer being unreachable"

Conditions:
This applies only to ASA software version 8.4(1), 8.4(1)1, 8.4(1)2, 8.4(1)3,
8.4(1)4 when IKEv2 is used.

Workaround:
Reboot the ASA

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(1), 8.4(1.50)
Known Fixed Releases:
100.7(13.1), 100.7(14.1), 100.7(15.1), 100.7(6.30), 100.7(8.23), 100.7(9.13), 100.8(0.14), 100.8(0.2), 100.8(10.1), 100.8(12.1)
Bug Id:
CSCtc88603
Title:
5505 may traceback when using restore configuration thru ASDM
Description:

Symptom:
5505 may traceback when using restore configuration through ASDM
Conditions:
Steps to reproduce the traceback:
In ASDM, go to Tools > Restore Configuration.
In the Restore Configurations dialog box, select the zip file (the zip file is attached to the bug), click Next, check all the check boxes (Running configuration, All Security Images, SSL VPN Configurations), and click Restore.
While ASDM was sending the commands, CPU usage went to 99%, and after some time the unit crashed.
Workaround:
None

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1), 8.3(0.1)
Known Fixed Releases:
Bug Id:
CSCtc89733
Title:
Monitored interface stays in Waiting status forever in TFW
Description:


Symptom:
"sh failover" output may stay in Waiting status forever in TFW for monitored interfaces.

Conditions:
This was first identified in a single mode, transparent ASA running 8.2.2.

Workaround:
Configure ethertype ACLs to deny BPDUs from being passed through the transparent firewalls.


access-list 1 ethertype deny bpdu
access-group 1 in interface inside
access-group 1 in interface outside


Turning off spanning tree, or suppressing BPDUs via portfast on the switch ports, has the same effect.


Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1.104)
Known Fixed Releases:
Bug Id:
CSCtr00165
Title:
Port Forwarder ActiveX control contains a Buffer Overflow vulnerability
Description:

Summary
The Cisco Clientless VPN solution as deployed by Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) uses an ActiveX control on client systems to perform port forwarding operations. Microsoft Windows-based systems that are running Internet Explorer or another browser that supports Microsoft ActiveX technology may be affected if the system has ever connected to a device that is running the Cisco Clientless VPN solution. A remote, unauthenticated attacker who could convince a user to connect to a malicious web page could exploit this issue to execute arbitrary code on the affected machine with the privileges of the web browser.

Cisco has released free software updates that address this vulnerability. A companion Applied Mitigation bulletin that details potential workarounds is available.

The advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient

The companion AMB document is available at the following link:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120314-asaclient

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
9.3/8.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C

CVE ID CVE-2012-0358 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.3(2.13)
Known Fixed Releases:
100.7(13.40), 100.7(13.61), 100.7(14.31), 100.7(17.5), 100.7(18.13), 100.7(18.4), 100.7(19.2), 100.7(6.48), 100.7(6.65), 100.8(0.35)
Bug Id:
CSCsy56403
Title:
ASA stops accepting IP from DHCP when DHCP Scope option is configured
Description:

Symptom:

- with no ASA configuration changes after a random period of time vpn users connecting to group-policy using dhcp-network-scope aren't assigned an ip address and therefore can't establish a vpn client connection.

Conditions:

- dhcp-network-scope defined within group-policy to assign ip addresses to vpn clients using dhcp scope as defined on an internal Microsoft server
- ex:Server defined network scope: 10.10.10.40 - 10.10.10.200
group-policy DfltGrpPolicy
dhcp-network-scope 10.10.10.254
- note that the dhcp-network-scope value doesn't overlap the scope defined on the server

Behavior Experienced:
- the server responds to the DHCP Discover with a DHCP Offer, and the ASA receives the offer on the inside interface, as seen in a packet capture taken on the inside interface
- comparing successful DHCP debugs with debugs in the broken state, we never see the message "DHCP: Received a BOOTREP pkt" in the failed attempt, but we do in the successful one
- although the DHCP packet is received on the ASA, the DHCP process is not listening for or responding to packets during the failed attempt
- sh asp drop doesn't show any correlated DHCP drops from the time of the DHCP Discover and DHCP Offer

Workaround:

- change the dhcp-network-scope ip address & it will work again temporarily

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.4(0.29), 8.0(5.6), 8.1(2.39), 8.2(2.1), 8.2(2.99), 8.2(4), 8.3(0.14), 8.3(1)
Bug Id:
CSCtj46900
Title:
Last CSD data element is not being loaded into DAP
Description:

Symptom:

The final hostscan data element is not being loaded into DAP processing on the ASA.
For iPhone, since there are only two attributes, feature and version, this manifests as the version not being returned.

This prevents detection of the OS for the iPhone, or of any other attribute that happens to be last.

Conditions:

Last data element is used for DAP processing.


Workaround:

Downgrade to one of the following versions, or earlier, if possible:
008.003(001.007), i.e. 8.3(1.7)
008.002(002.018), i.e. 8.2(2.18)

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.3(1.9), 8.4
Known Fixed Releases:
100.5(5.47), 100.7(0.66), 100.7(6.12), 100.7(8.1), 8.2(3.111), 8.2(4), 8.3(2.9), 8.4(0.99), 8.4(1), 8.5(0.99)
Bug Id:
CSCtg14368
Title:
ASA traceback when phone proxy debugging is enabled.
Description:

Configure ASA for phone proxy (see the attached config). Reload the ASA and turn on "debug phone". As phones start to register, the corresponding debugs are printed out for a few seconds, then the ASA crashes.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(2.6)
Known Fixed Releases:
100.7(0.17), 8.0(5.18), 8.1(2.45), 8.2(2.109), 8.2(2.17), 8.3(1.100), 8.3(1.6), 8.4(0.99), 8.4(1)
Bug Id:
CSCtc36600
Title:
Traceback In a Datapath Thread with Threat Detection Enabled
Description:

Symptom:

Adaptive Security Appliance (ASA) unexpectedly reloads with a traceback in DATAPATH-X-XXX thread.


Conditions:

Threat Detection enabled with a significant amount of traffic.

Workaround:

Disable Threat Detection.

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.5(0.36), 8.2(2.16)
Known Fixed Releases:
Bug Id:
CSCtd37102
Title:
checkheaps Reason: Free buffer corrupted reload w/ xauth disabled
Description:

Symptom:
Connecting an IPSec client into a tunnel-group with xauth disabled may cause the ASA to reload.

Conditions:

Workaround:
Enable xauth by setting the following in the tunnel-group ipsec-attributes:
isakmp ikev1-user-authentication xauth

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
7.2(4.43), 7.2.4.33
Known Fixed Releases:
Bug Id:
CSCth03659
Title:
clear conf all with syslog without any traffic causes a crash.
Description:

Symptom:
ASA crashed with clear conn all
Conditions:
logging is enabled with loghost
Workaround:
Disable logging before issuing clear conn all.

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(2), 8.2(2.116)
Known Fixed Releases:
100.5(5.24), 100.7(0.23), 100.7(5.1), 8.2(2.127), 8.2(2.18), 8.3(1.100), 8.3(1.7), 8.4(0.99), 8.4(1)
Bug Id:
CSCtb35842
Title:
traceback eip:lavg_dp_work+1 at slib/loadavg.c:241 with vpn & failover
Description:

Symptom:
Traceback may occur with VPN, failover and a high session count.

Conditions:

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.5(0.22), 100.5(0.24)
Known Fixed Releases:
8.0(4.100), 8.0(4.45), 8.1(2.35), 8.2(1.100), 8.2(1.102), 8.2(1.12), 8.2(4), 8.3(0.0)
Bug Id:
CSCtc40891
Title:
memory leaks after anyconnect test with packet drops
Description:

This problem was fixed and verified.

Symptom:

Conditions:

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.5(0.36)
Known Fixed Releases:
100.3(0.26), 100.4(0.26), 8.0(5.4), 8.1(2.39), 8.2(1.109), 8.2(1.18), 8.2(4), 8.3(0.7)
Bug Id:
CSCti94112
Title:
Max UDP 64 bytes PPS drop 75% from single mode to multi routed firewall
Description:

Symptom:
Max UDP 64 bytes PPS drop 75% from single mode to multi routed firewall
Conditions:
64-byte UDP packets with 20,000 flows.
Workaround:
Use single mode to get the max PPS for Spyker platform.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(3.103)
Known Fixed Releases:
100.5(5.44), 100.7(0.61), 100.7(5.25), 100.7(6.9), 100.7(8.1), 8.2(3.109), 8.2(4), 8.3(2.8), 8.4(0.99), 8.4(1)
Bug Id:
CSCtj09979
Title:
IKEv2 traceback with 1 L2L and 1 RA tunnel
Description:

Symptom:
Active ASA may crash in Thread Name: DATAPATH-2-1403

Conditions:
This was first identified on an ASA5585 failover pair running 8.2.4 code.

Workaround:
None at this time.

Further Problem Description:
The next 8.2.5(x) interim will contain the fix for this defect.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(0.119), 8.4(0.15)
Known Fixed Releases:
100.7(0.67), 100.7(0.71), 100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(6.12), 100.7(6.15), 100.7(6.21), 100.7(8.1), 100.7(8.12)
Bug Id:
CSCtq33081
Title:
Traceback during certificate operation in IKEv2 EAP processing
Description:

Symptom:
The ASA could reload when processing an Anyconnect connection with IKEv2 where
any certificate operations are possible like tunnel group lookups, certificate
validation, etc.

Conditions:
AnyConnect IKEv2 connection to the ASA that requires certificate operations
during authentication of the client.

Workaround:
Upgrade to a fixed release.




Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(9.34), 8.4(1)
Known Fixed Releases:
100.7(13.17), 100.7(14.5), 100.7(16.1), 100.7(17.5), 100.7(18.1), 100.7(6.43), 100.7(9.49), 100.8(0.14), 100.8(10.14), 100.8(12.15)
Bug Id:
CSCth56065
Title:
DAP_ERROR:...dap_add_csd_data_to_lua: Unable to load Host Scan data:
Description:

Symptom:
The following DAP error is seen in the "debug dap trace" + "debug dap errors" output on the ASA, when connecting from a Client PC using DAP:

---snip---
DAP_ERROR: Username: , dap_add_csd_data_to_lua: Unable to load Host Scan data: [string "dapxlate_lua"]:559: bad argument #1 to `find' (string expected, got nil)
DAP_ERROR: Username: , ERROR selecting DAP records
DAP_TRACE: Username: , Action set to terminate
DAP_TRACE: Username: , DAP_close:
---snip---

The AnyConnect client presents an error like the following:

---snip---
Login denied. Your environment does not meet the access criteria defined by your system administrator
---snip---

Conditions:
This appears to have been introduced in ASA version 8.2.2.19. ASA version 8.0.5.19 is not affected. ASA version 8.3.1.9 might be affected as well.

There must be DAP policies defined on the ASA.

Workaround:
There is not a work around at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(0.28)
Known Fixed Releases:
100.5(5.28), 100.7(0.30), 100.7(5.4), 100.7(6.2), 8.2(2.144), 8.2(3), 8.3(2.1), 8.4(0.99), 8.4(1), 8.4(1.99)
Bug Id:
CSCtq52661
Title:
Cisco ASA Local Path Inclusion Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:M/C:C/I:C/A:C/E:P/RL:OF/RC:C
CVE ID CVE-2014-3391 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(5), 8.4(1), 8.7(1)
Known Fixed Releases:
100.7(13.15), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(9.43), 100.8(0.11), 100.8(0.14), 100.8(0.31), 100.8(10.11)
Bug Id:
CSCtb18913
Title:
Assert ctm_ipsec_process_outbound_pkt+485 ... mp_counter.h:124
Description:

Symptoms:

Crash occurs during stress testing with IPsec sessions in network extension mode using cert authentication.

Conditions:

IPsec with certificate authentication.

Workaround:

None.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5739 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.5(0.21), 100.5(0.34), 100.5(0.35), 8.2(1), 8.2(2), 8.2(2.17)
Known Fixed Releases:
100.4(0.54), 100.5(5.1), 8.2(2.99), 8.2(4), 8.3(0.5), 8.3(1), 8.4(1)
Bug Id:
CSCsx75647
Title:
General protection fault on a 5580-20 when webvpn enabled
Description:

Symptom:
One time general protection fault crash on ASA-5580-20

Conditions:
Enabling webvpn on the outside interface

Workaround:
None

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(0.212)
Known Fixed Releases:
Bug Id:
CSCta06013
Title:
Fuzzing testbed, traceback in the javascript parser
Description:

Symptom:

ASA running 8.0.5 may reload in Unicorn Proxy Thread.

Conditions:

ASA running 8.0.5 code.

Workaround:

none.

Further Problem Description:

Issue seems to be related to javascript parser.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5738 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4.213)
Known Fixed Releases:
100.7(13.59), 100.7(13.61), 100.7(18.10), 100.7(18.13), 100.7(19.9), 100.7(20.1), 100.7(6.65), 100.8(0.65), 100.8(11.10), 100.8(14.9)
Bug Id:
CSCtq97430
Title:
Coverity 100595: FORWARD_NULL in ppp_auth_process_attributes()
Description:

Symptom:

ASA reloads

Conditions:

This has been seen on a box running 8.4.2 with AAA configured.

Workaround:

None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(13.77), 100.7(6.41), 100.8(0.147), 100.8(11.22), 100.9(0.29), 100.9(6.3), 8.2(4.99), 8.3(1.100)
Known Fixed Releases:
100.7(13.20), 100.7(14.6), 100.7(17.5), 100.7(18.1), 100.7(6.43), 100.7(9.50), 100.8(0.16), 100.8(10.16), 100.8(12.19), 100.8(15.5)
Bug Id:
CSCsz92485
Title:
Traceback in ak47 debug command.
Description:

Symptom:
Running the service internal command show ak47 ramfs x detail may result in an error-recovery event if enabled or a traceback if error recovery is disabled. The argument x is an instance number gathered from the output of show ak47.

Conditions:
Running the command show ak47 ramfs x with the detail optional argument can cause the traceback

Workaround:
Run the command without the detail argument.

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4.26)
Known Fixed Releases:
100.4(0.2), 8.0(4.35), 8.0(5), 8.1(2.26), 8.2(1.10), 8.2(2.99), 8.2(4), 8.3(0.0)
Bug Id:
CSCsx52748
Title:
ASA may crash under high IPSEC load
Description:

Symptom:

5580-40 crash when running 5000 tunnel IPSec RAS throughput test

** This was only experienced during internal testing in code that was never released to customers. It was
fixed prior to first customer shipment (FCS).

Conditions:

Cisco ASA configured for IPsec and using an internal test tool establishing ~ 5000 tunnels.

Workaround:

none

Further Problem Description:

none

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership
or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue,
please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(0.209)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 8.2(0.212), 8.2(1), 8.2(2.99), 8.2(4)
Bug Id:
CSCsu00068
Title:
IP packets being dropped due to invalid IP header;bad checksum
Description:

Symptom:
ASA drops most packets due to a bad IP checksum. This might look like a full connectivity loss on an interface that remains up; ARP resolution should still be working.

Conditions:
In some unlikely conditions, a corruption of the hardware registers of the network interface chipset could cause checksum errors and packet corruption.

Workaround:
None (upgrade to a fixed version)

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.1(1.7)
Known Fixed Releases:
7.0(8.4), 7.1(2.77), 7.2(4.11), 8.0(4.5), 8.0(5), 8.1(1.100), 8.2(0.151)
Bug Id:
CSCtq60450
Title:
Degraded Xlate Teardown Performance
Description:

Symptom:

Xlate entries are timing out at a low rate as compared to creation on an Adaptive Security Appliance (ASA) running 8.4(1) software.

Conditions:

1. Running 8.4(1) software.
2. Port Address Translation (PAT) is in use.
3. Steady PAT conn setup rate of about 20,000 per second.

Workaround:

Reduce PAT usage.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(3.112), 8.4(1)
Known Fixed Releases:
100.7(13.22), 100.7(14.10), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(8.34), 100.7(9.54), 100.8(0.17), 100.8(10.20), 100.8(12.24)
Bug Id:
CSCtd44244
Title:
Traceback seen at thread: Dynamic Filter VC Housekeeper
Description:

Symptom:

Traceback seen in thread : Dynamic Filter VC Housekeeper

Conditions:

Normal inside to outside PAT environment.

Workaround:
Not Known.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1), 8.2(1.100), 8.2(1.111), 8.3(0.10), 8.3(0.12), 8.3(0.4)
Known Fixed Releases:
100.4(0.29), 100.5(5.1), 8.2(1.113), 8.2(2), 8.2(2.99), 8.2(4), 8.3(0.14), 8.3(1)
Bug Id:
CSCtj11690
Title:
Packet-tracer not working in Multi Routed mode
Description:

Symptom:
When running the packet-tracer command in a multi-context ASA configuration, the action below is seen even though the actual packet is allowed.

Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed

Conditions:
Multicontext ASA with or without shared interfaces.

Workaround:
None at this time. This is a cosmetic issue only. Traffic is not affected by this bug.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(5.20), 7.2(2), 8.4(0.15)
Known Fixed Releases:
100.5(5.43), 100.7(0.59), 100.7(5.23), 100.7(6.8), 100.7(8.1), 100.7(9.1), 8.2(4.101), 8.2(4.6), 8.2(5), 8.3(2.14)
Bug Id:
CSCtg69742
Title:
standby unit crashes under heavy multicast traffic and continuous script
Description:

Symptom:
Standby unit may experience a device reload during internal testing.

** This issue is only present in code that was never released to customers. It was fixed before FCS.

Conditions:
Cisco ASA configured for failover. Only the standby unit is affected.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(5.19), 8.2(2.99)
Known Fixed Releases:
100.5(5.16), 100.7(0.17), 100.7(6.1), 8.2(2.107), 8.2(2.15), 8.3(1.100), 8.3(1.5), 8.4(0.99), 8.4(1)
Bug Id:
CSCtc38762
Title:
ASA may reload with traceback in thread name PTHREAD
Description:


Symptom:

ASA may reload with traceback in thread name PTHREAD.

Conditions:

ASA running 8.2.2 or prior code.

Workaround:

None at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.5(0.41)
Known Fixed Releases:
100.4(0.30), 100.4(0.35), 8.2(2.1), 8.2(2.99), 8.2(4), 8.3(0.10), 8.3(0.19), 8.3(1)
Bug Id:
CSCte80609
Title:
Actions attached to class class-default don't apply to traffic
Description:

Symptom:
Actions attached to class-default don't apply to traffic or flows matching
that class-default class-map (i.e. any any traffic)

Conditions:
MPF Actions configured under class class-default.
Ex :
class class-default
police output 10000 1500

police won't be applied for traffic matching the class-default class-map

Workaround:
Workaround is to define a user-defined class-map with match any to replace
class-default.
Ex: If class-default had action police output 10000 1500, workaround will be
!
class-map user
match any
policy-map global_policy
class user
police output 10000 1500
!


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.4(0.34), 8.3(0.22), 8.4(2.18)
Known Fixed Releases:
100.4(0.36), 100.7(2.1), 8.0(5.15), 8.1(2.44), 8.2(2.10), 8.2(2.99), 8.2(4), 8.3(0.24), 8.4(1)
Bug Id:
CSCti68577
Title:
ASA 5505 traceback with 'show switch mac-address-table' command
Description:

Symptom:
In a rare corner case, executing the command 'show switch mac-address-table' on the ASA 5505 platform might cause a traceback and reload of the ASA.

Conditions:
The ASA model must be a 5505, and the command 'show switch mac-address-table' must be entered on the CLI of the firewall.

Workaround:
None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0, 8.2(3), 8.4(0.9)
Known Fixed Releases:
100.7(0.57), 100.7(5.22), 100.7(6.7), 100.7(8.1), 100.7(9.1), 8.2(3.105), 8.2(3.5), 8.2(4), 8.4(0.99), 8.4(1)
Bug Id:
CSCtk63595
Title:
"access-list webtype permit" CLI command is not recognized by parser
Description:

Symptom:
"access-list webtype permit" CLI command is not getting accepted

Conditions:
All

Workaround:
None


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2, 8.4, 8.4(0.34)
Known Fixed Releases:
100.5(5.58), 100.7(0.72), 100.7(11.2), 100.7(13.1), 100.7(6.18), 100.7(8.4), 8.2(4.5), 8.2(5), 8.3(2.13), 8.4(0.113)
Bug Id:
CSCtn77962
Title:
Tmatch: Traceback on Primary when adding User Group based ACL
Description:

Symptom:
ASA may crash in Thread Name: tmatch compile thread

Conditions:
This was first identified on an ASA5540 running 8.4.1 code.

Workaround:
The defect is resolved in 8.4.2 or above.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(1.52)
Known Fixed Releases:
100.7(13.5), 100.7(14.1), 100.7(15.4), 100.7(6.39), 100.7(8.34), 100.7(9.26), 100.8(0.4), 100.8(10.4), 100.8(12.3), 100.8(2.1)
Bug Id:
CSCtl41236
Title:
Traffic not passing through with IPS inline on ASA running VPN traffic
Description:

Symptom:

Traffic gets dropped by ASA when IPS is in inline mode.
When service policy is applied promiscuous to IPS module there are no issues in traffic, but when we have IPS in inline mode the ASA starts dropping packets.

qf1-8014(config)# show asp drop

Frame drop:
Invalid IP header (invalid-ip-header) 14
On IPS side these packets are seen as bad checksum packets

Conditions:

1. Set up two ASAs in site-to-site VPN tunnel mode
2. Apply the service-policy for IPS to send traffic in promiscuous mode
3. Ping from client to server and check that the traffic passes through.
4. Now change the IPS mode from promiscuous to inline.
5. Restart the ping and note that the traffic does not pass through

Workaround:

Remove the service-policy or have the IPS in promiscuous mode



Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(4), 8.4(0.115)
Known Fixed Releases:
100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(15.1), 100.7(6.26), 100.7(6.27), 100.7(8.18), 100.7(9.9), 100.8(0.14), 100.8(12.15)
Bug Id:
CSCtn74649
Title:
BTF DNS-Snooping TTL maxes out at 24 hours, less than actual TTL
Description:

Symptom:

The ASA Botnet filtering system relies on a DNS-to-IP binding stored in the DNS snooping table.
The table should contain entries that exist as long as the TTL listed in the DNS response it was
generated from. Currently the TTL maximum for the DNS snooping database is limited to 24
hours, while DNS TTLs could be as high as 2^31 seconds.

Conditions:
This is present in all current builds that support botnet filtering.

Workaround:
None at this time.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score.
The Base and Temporal CVSS scores as of the time of evaluation are 5.0/4.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(4), 8.3
Known Fixed Releases:
100.7(13.2), 100.7(14.1), 100.7(15.2), 100.7(6.36), 100.7(8.34), 100.7(9.23), 100.8(0.2), 100.8(10.2), 100.8(12.2), 100.8(2.1)
Bug Id:
CSCtl19107
Title:
Traceback in Thread Name: rtcli async executor process fiber_yield
Description:

Symptom:

ASA 5550 crashed due to Traceback in Thread Name: rtcli async executor process
fiber_yield


Conditions:

Thread Name: rtcli async executor process (Old pc 0x087e2cd5 ebp 0xa910abd0) Page fault: Address not mapped
Traceback:
0: 080586c3
1: 0805a429
2: 0898ada9
3: dd7a76d5
4: dd6a61e0
5: 08c43857
6: 08c400ce
7: 08c40339
8: 08c40583
9: 08c48ab2
10: 08b6b99a
11: 08c43857
12: 08c48e2e
13: 08ba1af4
14: 08b9c867
15: 08b695a6 <_fiber_jumpstart+230>
16: 08b69655 <_fiber_setup_for_jumpstart+37>
17: 0805f84d
18: 08b9bffb
19: 08b9c136
20: 08ba1a58
21: 080b4d90
22: 080c9fa4
23: 080c999d
24: 080b22c2
25: 080b2cf7
26: 080b3dce
27: 080b4869
28: 0805e953

Customer described circumstance when the crash occurred:

Customer diffed configs before and after the crash and noticed that ACLs are
applied at about 17:30 every day. On the 19th the deployment failed. It looks
like the deployment failed while sending the config, most likely while
the ACL was compiling on the ASA.

Workaround:
None as of now.


Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4.29)
Known Fixed Releases:
Bug Id:
CSCtf37506
Title:
TLS test tls10-hs-multiple with mutated packet causes ASA to traceback
Description:

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.4(0.43), 8.2(2)
Known Fixed Releases:
100.5(5.15), 100.7(0.15), 100.7(6.1), 8.2(2.104), 8.2(2.17), 8.3(1.100), 8.3(1.6), 8.4(0.99), 8.4(1)
Bug Id:
CSCsu29376
Title:
ASA 5580-20 traceback occurs when running multicast.
Description:

Symptom:

The following error message occurs on the console...

%SYS-5-CONFIG_I: Configured from console by console
dmzrtr#
core0: An internal error occurred. Specifically, a programming assertion was
violated. Copy the error message exactly as it appears, and get the
output of the show version command and the contents of the configuration
file. Then call your technical support representative.

assertion "!hash_entry_hashed(entry)" failed: file "mps_hash_table_simple.c", line 233

"show crashinfo" is saved in another attachment.

Workaround:

8.1.1.4 does not exhibit this behaviour

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.1(101.10)
Known Fixed Releases:
8.1(1.102), 8.1(1.11), 8.2(0.151)
Bug Id:
CSCsv71555
Title:
Traceback on ASA during configuration of h323 inspection
Description:


Symptom:

Traceback was observed during the configuration of the H323 inspection
parameters, specifically while configuring the phone number filtering feature.
When I tried to remove the service policy applied on the interface and re-add
it, I saw this traceback.

Conditions:

When the service policy applied on the interface is removed and then re-added.

Workaround:

None.

Further Problem Description:

Several instances of H225 and H245 inspection were getting instantiated. Some
of them were also not created properly, and their cleanup was not proper.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(0.173), 8.2(0.184)
Known Fixed Releases:
7.2(205.1), 7.2(4.21), 7.2(4.22), 8.1(2.7), 8.1(2.8), 8.2(0.184), 8.2(0.187), 8.2(4)
Bug Id:
CSCte69935
Title:
Beta Box assertion: snp_tcp_timeout_cb+0 at np/soft-np/snp_tcp_norm.c:82
Description:

Regression caused by fix for CSCte42788

ASA crashes with assertion: snp_tcp_timeout_cb+0 at np/soft-np/snp_tcp_norm.c:82

Annotated for unknown's private 8.3(0)21 build
Image Type: smp
Executable: /auto/pix-asa-image/broadview/8.3.0.21//smp
Symbol File: /auto/pix-asa-image/broadview/8.3.0.21//smp.sort
Thread Name: CP Midpath Processing
Abort: Assert failure
vector 0x00000020
edi 0x35b95f6c
esi 0x08779300
ebp 0x3d5f3968
esp 0x3d5f3e98
ebx 0x34b62828
edx 0x0000029e
ecx 0x00000000
eax 0x09835927
error code n/a
eip 0x0944215c <__assert+12 at ../finesse/snap_api.h:141>
cs 0x00000023
eflags 0x00003246
CR2 0x00000000

Cisco Adaptive Security Appliance Software Version 8.3(0)21

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(5.10), 8.0(5.9), 8.3(0.21)
Known Fixed Releases:
100.4(0.35), 100.7(2.1), 8.0(5.17), 8.1(2.40), 8.2(2.3), 8.2(2.99), 8.2(4), 8.3(0.23), 8.4(1)
Bug Id:
CSCtg07755
Title:
ASA: Traceback with error updating the database on the SSM
Description:

Symptom:

Under rare conditions, the ASA may reload and generate a traceback, citing the following error:

Error updating the database on the SSM

The traceback may reference one of the following threads:

PTHREAD
rpc_client
ci/console

Conditions:

The ASA must be running an affected software version and have an IPS module installed.

Workaround:

There is no known workaround at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.4(0.53), 100.4(0.58), 8.3(1)
Known Fixed Releases:
100.7(0.10), 8.0(5.18), 8.1(2.45), 8.2(2.102), 8.2(2.13), 8.3(1.100), 8.3(1.3), 8.4(0.99), 8.4(1)
Bug Id:
CSCsy99063
Title:
traceback Thread Name: fover_tx after multiple SSH to active unit
Description:

Symptom:
traceback Thread Name: fover_tx (Old pc 0x083922f5 ebp 0xaafe22f0)
after multiple SSH sessions to the failover active console and issuing "no failover active"

Conditions:
1) Redundant failover link interface
2) Issue "no failover active" from the active console.

Workaround:
None

Further Problem Description:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4), 8.0(4.29)
Known Fixed Releases:
7.2(4.34), 8.0(4.163), 8.0(4.220), 8.0(4.33), 8.1(2.167), 8.1(2.24), 8.2(1.10), 8.2(4)
Bug Id:
CSCta85025
Title:
Traceback on deleting 60k+ static entries
Description:

Symptom:

ASA5580-40 traceback on deleting 60k+ static entries.

Conditions:

Workaround:

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.1(2.31)
Known Fixed Releases:
Bug Id:
CSCte03164
Title:
eip 0x08a7464d <policymap_attach_action+573 at qos/policymap.c:1399>
Description:


Symptom:
After a code upgrade to 8.2.2 the ASA gets in a boot loop.
The root cause was "global_policy" existing in a migrating config, but no
"class inspection_default." This caused a lookup on a non-existent class.

Conditions:
Cisco ASA running release 8.2.2 which is upgraded and which has a config which
contains a policy-map global_policy command without a
following class statement.

Workaround:
#1:
Add a class statement for the policy-map.
!
policy-map global_policy
class inspection_default
!

#2:
Remove the policy-map statement since it is not doing anything.


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1.111)
Known Fixed Releases:
100.4(0.31), 8.2(2.5), 8.2(2.99), 8.2(4), 8.3(0.19), 8.3(1), 8.3(1.100), 8.3(2)
Bug Id:
CSCtc91042
Title:
ASA does not handle HTTP HEAD requests for pages served on its Aware web
Description:

Symptom:

CSD fails to load using ActiveX or Java when using a proxy.

Event logs show:

Error:
The description for Event ID ( 1001 ) in Source ( libcsd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: [libcsd][error][asa_opswat_license_is_valid] error getting license data from peer: (https://asa-url.com).

Conditions:

Must be using a proxy.

Workaround:

Disable proxy settings.

Further Problem Description:

The ASA does not conform to standards when handling "HTTP HEAD" requests.

As per the RFC, a server should not respond with actual data when issued a HEAD request.

However, the ASA does so for its AWARE server, which causes errors on the client side due to the incorrect response from the server.

With different client-side transport mechanisms, this results in different behavior.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1.11)
Known Fixed Releases:
100.3(0.21), 100.4(0.23), 8.2(1.106), 8.2(2), 8.2(2.99), 8.2(4), 8.3(0.5), 8.3(1)
Bug Id:
CSCud00451
Title:
L2 learning/ARP DOS attack possible
Description:

Symptoms:
Cisco ASA running in transparent mode contains a vulnerability that could allow an unauthenticated remote attacker to cause a partial Denial of Service (DoS).
Under a heavy flow of ICMPv4 or ICMPv6 packets towards unknown L2 destinations, CPU utilization of an ASA in transparent mode may go high and cause other production traffic to drop.

Conditions:
Certain ICMPv4 and ICMPv6 traffic may cause a partial Denial of Service on the Cisco ASA. A large number of Syslog messages with ID 313005 will be produced during this time.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-5423 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(4.1), 9.0(0.1)
Known Fixed Releases:
100.8(0.245), 100.8(11.45), 100.8(27.20), 100.8(34.1), 100.8(38.3), 100.8(39.3), 100.9(0.6), 9.0(2.100), 9.0(3), 9.2(0.99)
Bug Id:
CSCuq27342
Title:
Traceback and reload triggered by failover configuration
Description:

Symptom:
When configuring a failover interface using the command "failover lan interface " on ASA5585, the ASA might crash with a traceback and reload. The crash would occur right after the software responds and executes the code for setting up the failover interface. If a crash occurs during normal system operation then it is not due to this bug.

Conditions:
Configure a failover interface using the "failover lan interface " command. The chances of a crash are statistically very low, but may increase if traffic into the CPU from network interfaces is high. In lab testing it was only reproducible on a single instance of 5585 and using ASDM with an HTTP interface to the device to send over the configuration commands. In theory though it could occur through console CLI configuration as well.

Workaround:
The problem is only triggered when configuring a failover interface with the above given command. Once the failover interface configuration is complete, if no crash occurs then the problem will not present itself.

Further Problem Description:
If a coredump is captured, then it can be compared to information in this DDTS to determine with high likelihood whether or not it was due to failover interface configuration.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1(3), 9.1(4.5), 9.2(2.8)
Known Fixed Releases:
100.11(0.56), 100.11(0.57), 100.12(0.113), 100.12(0.115), 100.13(0.34), 100.13(0.49), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.13(21.8)
Bug Id:
CSCui44095
Title:
ASA 9.1: timer app id was corrupted causing to Dispatch Unit traceback
Description:

Symptom:
Dispatch Unit thread was crashing because a timer app id callback arrived with a corrupted entry.

Conditions:
ASA running release 9.1.1 with ICMP and DNS inspections enabled. Packets included ip options.

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.10(0.68), 100.10(2.5), 100.10(6.1), 100.10(9.1), 100.7(6.135), 100.8(38.102), 100.8(40.56), 100.8(56.11), 100.9(10.23), 8.2(5.210)
Bug Id:
CSCtt15869
Title:
ASA-SM/MA1B: session to proc 1 doesn't work
Description:

Symptom:

Session slot proc 1 into ASA-SM doesn't work

service-module session access works
session switch slot processor 1 does not work

CA-STDALONE-SUP2T#session slot 9 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.91 ...
% Connection timed out; remote host not responding

CA-STDALONE-SUP2T#
CA-STDALONE-SUP2T#service-module session slot 9
You can type Ctrl-^, then x at the remote prompt to end the session
Trying 127.0.0.90, 2065 ... Open

ASA-SM-VSS-P2> en
Password:
ASA-SM-VSS-P2# exit

Logoff


Conditions:

ASA-SM running 8.5.1

Workaround:

Use Virtual Console (service-module session command) or ASDM.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
0.0(0), 8.5(1)
Known Fixed Releases:
100.10(0.64), 100.10(2.4), 100.10(3.1), 100.10(9.1), 100.7(8.34), 100.8(0.35), 100.8(11.2), 100.8(15.11), 100.8(17.8), 100.8(19.28)
Bug Id:
CSCuq66085
Title:
Traceback in crash spin_lock with ASA Clustering
Description:

Symptom:
An Adaptive Security Appliance (ASA) cluster member reloaded with a traceback when attempting to join a cluster under maximum connection load with TCP State Bypass enabled.

Conditions:
An ASA cluster subjected to a connection stress test with TCP State Bypass enabled.

Workaround:
Reduce the number of connections that fall under the TCP State Bypass policy.

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Bug Id:
CSCui08074
Title:
WebVPN doesn't accept connections, Unicorn Proxy Thread no longer exists
Description:

Symptom:
Clientless VPN doesn't accept connections any more or ASA crashes when error-recovery is disabled.

Conditions:
High server load

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7, 100.8, 8.4, 8.4(4.6), 9.0
Known Fixed Releases:
100.10(0.13), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.122), 100.8(27.94), 100.8(38.33), 100.8(41.2), 100.8(45.2), 100.8(46.1)
Bug Id:
CSCuq09347
Title:
ASA as a TLSv1.2 client returns an invalid response to cert request
Description:

Symptom:
ASA sends an alert when the server sends back a certificate request. Per the TLSv1.2 RFC5248, the ASA should respond with an empty certificate field.

Conditions:
Server sends back cert request.

Workaround:
None at this time.

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.12(13.13), 9.3(2)
Known Fixed Releases:
Bug Id:
CSCuc45808
Title:
DOC: ASA config guide: Full Customization indicates incorrect url name
Description:

Symptom:
In Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 document under section "Configuring the ASA to Use the New HTML File" step 3 we have specified url as:
+CSCOU+/login.inc

Configuring the URL as above causes full customization not to work.

Conditions:
ASA configuration guide 8.3, 8.4 & 8.6

Workaround:
Configure the url as: /+CSCOU+/login.inc

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.6(0)
Known Fixed Releases:
Bug Id:
CSCue30158
Title:
Traceback while editing objects attached to NAT
Description:

Symptom:

While modifying ASA NAT configuration, device may reload.

Conditions:
ASA 8.4 NAT changes.

Workaround:
N/A

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases:
100.7(6.117), 8.4(6.1), 8.4(6.99), 8.4(7)
Bug Id:
CSCtu51297
Title:
Coverity 103606: USE_AFTER_FREE in show_webvpn_config()
Description:

Symptom:
ASA reloads with traceback in thread name: ssh

Conditions:
Ran a "show tech" with webvpn bookmarks configured and in use

Workaround:
Avoid running a "show tech" or exporting webvpn bookmarks

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(6.50), 100.8(0.40), 100.8(2.29), 8.2(4.99), 8.3(1.100), 8.4(3), 8.6(0.112)
Known Fixed Releases:
100.7(13.50), 100.7(14.44), 100.7(17.12), 100.7(18.4), 100.7(6.57), 100.8(0.50), 100.8(11.5), 100.8(14.2), 100.8(15.19), 100.8(16.13)
Bug Id:
CSCtz03292
Title:
ASA may reload with traceback related to SSH, PING, DHCP, or IPSEC
Description:

Symptom:

ASA may reload with a traceback in one of the following thread names:

Thread Name: DATAPATH-x-xxxx (Datapath can have different numbers here)
Thread Name: DHCP Client
Thread Name: SSH

Conditions:

Affects all ASA platforms.

Workaround:
None
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/5.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2012-6390 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(20.4), 100.8(0.101), 100.8(0.103), 100.8(0.106), 8.0(5.27), 8.4(3.5), 8.4(3.9)
Known Fixed Releases:
100.7(13.71), 100.7(20.5), 100.7(21.4), 100.7(6.73), 100.8(0.110), 100.8(11.17), 100.8(27.2), 100.8(33.2), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCus89139
Title:
Exception on asdm_handler stream line: </threat-detection>
Description:

Symptom:
Threat detection stats graphs on ASDM in ASA cluster setup show "Lost Connection to Firewall" message.

Conditions:
The following errors are observed in the Java console debugs:

813 [Poller] ERROR com.cisco.dmcommon.util.DMCommonEnv - (Poller) Exception on asdm_handler stream line:
2015-02-11 11:05:52,718 [ERROR] Exception : Error on line 62: An invalid XML character (Unicode: 0x5) was found in the element content of the document.

Workaround:
Disable threat detection statistics under Device Management until you can upgrade to the ASA code where this defect is fixed.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.13(0.30)
Known Fixed Releases:
100.13(0.36), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4), 100.14(2.5), 100.14(26.2)
Bug Id:
CSCuh44052
Title:
Cisco ASA SIP Denial of Service Vulnerability
Description:

Symptoms:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA ASDM Privilege Escalation Vulnerability
Cisco ASA SSL VPN Privilege Escalation Vulnerability
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Cisco ASA SIP Denial of Service Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may
allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.

Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the
internal network via SSL VPN.

Successful exploitation of the Cisco ASA SIP Denial of Service Vulnerability may cause the exhaustion of available memory. This may cause system
instability and in some cases lead to a reload of the affected system, creating a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for
some of the vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory
Further Problem Description:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE IDs CVE-2014-2129 and CVE-2014-2128 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(5), 8.4(6.4)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.22), 100.8(40.11), 100.8(41.2), 100.8(60.27), 100.9(0.53), 100.9(10.1), 100.9(6.29)
Bug Id:
CSCuo93225
Title:
Traceback during AnyConnect IPv6 TLS TPS Test
Description:

Symptom:
ASA may crash in emweb/https due to the np_conn_shrlock_t lock being held for a long time.

Conditions:
The issue is a very rare corner case that is unlikely to be encountered. Heavy SSL VPN usage may exacerbate the issue.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.10(7.8), 9.1(5)
Known Fixed Releases:
100.10(17.2), 100.10(2.26), 100.10(7.13), 100.11(0.17), 100.11(5.21), 100.11(6.1), 100.12(11.9), 100.12(12.1), 100.12(15.2), 100.12(8.5)
Bug Id:
CSCuj33496
Title:
Cisco ASA ASDM Privilege Escalation Vulnerability
Description:

Symptoms:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA ASDM Privilege Escalation Vulnerability
Cisco ASA SSL VPN Privilege Escalation Vulnerability
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Cisco ASA SIP Denial of Service Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may
allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.

Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the
internal network via SSL VPN.

Successful exploitation of the Cisco ASA SIP Denial of Service Vulnerability may cause the exhaustion of available memory. This may cause system
instability and in some cases lead to a reload of the affected system, creating a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for
some of the vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory
Further Problem Description:
See published Cisco Security Advisory
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.5/7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-2126 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(6), 8.4(6.1), 8.4(6.2), 8.4(6.3), 8.4(6.4), 8.4(6.5), 8.4(6.6), 8.4(7), 9.1(3)
Known Fixed Releases:
100.10(0.22), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(13.117), 100.7(6.124), 100.8(38.47), 100.8(40.31), 100.8(45.5), 100.8(46.11)
Bug Id:
CSCtr23854
Title:
traceback in Crypto CA during multiple ocsp requests
Description:

Symptom:
The ASA may reload if multiple OCSP requests are made where the ocsp request results in a failure.

Conditions:


Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(4.8), 8.2(5.6)
Known Fixed Releases:
100.7(13.40), 100.7(14.32), 100.7(17.5), 100.7(18.4), 100.7(6.48), 100.8(0.35), 100.8(11.2), 100.8(15.11), 100.8(17.8), 100.8(19.27)
Bug Id:
CSCsx64741
Title:
Page fault traceback in Thread Name: DATAPATH-X-XXX
Description:

Symptom:

The system sometimes crashes when a rate limiter is configured and packets in the flow contain several different DSCP values.


Conditions:

The system sometimes crashes when a rate limiter is configured and packets in the flow contain several different DSCP values.

Workaround:

remove rate limiting (police) from configuration

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
7.2(4), 7.2(4.30), 7.2(4.33), 8.0(4.16), 8.0(4.23), 8.2(0.210)
Known Fixed Releases:
100.3(0.2), 7.0(8.7), 7.2(4.35), 8.0(4.25), 8.0(5), 8.1(2.15), 8.2(0.214), 8.2(4)
Bug Id:
CSCtf26014
Title:
DAP selection fails when parameter names contains = equal sign character
Description:

Symptom: DAP selection fails when parameter names contain the = (equal sign) character.

Conditions: DAP and CSD hostscan processing for SSL VPN.

Workaround: For those DAP parameter names you can control (e.g. File Checks), do not use the equal sign character. For all other dynamic parameters, such as certificate DNs, there is no way to avoid the issue at the moment.

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0, 8.2
Known Fixed Releases:
Bug Id:
CSCta45509
Title:
inspect-http: Crash in Dispatch Unit with HTTP inspect regex
Description:

Symptom:

Crash in Thread Name: Dispatch Unit (Old pc 0x0817f904 ebp 0xd3d3b078) Page fault: Address not mapped


Conditions:

ASA running 8.0.4.38 or higher versions with http inspect policy map.

Workaround:

Disable the use of class _default_gator with inspect http:

!
regex _default_gator "Gator"
!
class-map type inspect http match-all _default_gator
match request header user-agent regex _default_gator
!

Further Problem Description:

This crash is being investigated further.

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4.38), 8.3(0.6)
Known Fixed Releases:
Bug Id:
CSCtq94775
Title:
Unable to get block detail about 2048 byte blocks
Description:

Symptom:
Debugging potential block leaks is difficult since the 'show block' sub-commands do not work for the 2048 byte blocks.

ASA# show block pool 2048 pack
ASA# show block pool 2048 dump
ASA# show block pool 2048 diag
ASA# show block pool 2048 header

Conditions:
This has been seen on all current versions of ASA code.

Workaround:
None at this point.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(5), 8.3(3), 8.4(2)
Known Fixed Releases:
100.7(13.45), 100.7(14.40), 100.7(17.9), 100.7(18.4), 100.7(6.53), 100.7(8.34), 100.8(0.43), 100.8(11.4), 100.8(15.17), 100.8(19.40)
Bug Id:
CSCti35517
Title:
5555: Traceback in system test with DFP and FO
Description:

Symptoms:

Stress testing with AnyConnect and clientless sessions and with Failover and DFP enabled may cause a device reload.

Conditions:

AnyConnect and failover are configured.

Workaround:

None.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5737 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.5(0.18), 8.0(5.5), 8.2(1), 8.2(3), 8.3
Known Fixed Releases:
100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.12), 100.7(6.17), 100.7(6.26), 100.7(8.18), 100.7(9.9), 8.4(1.99), 8.4(2)
Bug Id:
CSCtg71572
Title:
vpn-simultaneous-logins does not work for cert-only AnyConnect
Description:

Symptom:
"vpn-simultaneous-logins" command is not respected for cert only AnyConnect 2.5 and
3.0 connections

Conditions:
* AnyConnect tunnel-group with cert only auth
* No authorization server configured

Workaround:
Configure local authorization:

tunnel-group DefaultWEBVPNGroup general-attributes
authorization-server-group LOCAL
no authorization-required

Even if the user is not in the local database, the request will be allowed (because of the
"no authorization-required"), and the appropriate vpn-simultaneous-logins check will
be done.

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
100.7(13.67), 100.7(20.4), 100.7(21.3), 100.7(6.72), 100.8(0.106), 100.8(11.16), 100.8(27.2), 100.8(33.2), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCug19491
Title:
ASA drops some CX/CSC inspected HTTP packets due to PAWS violation
Description:

Symptom:
Certain HTTP connections might experience slowdowns or fail to complete if the packets are inspected by the CX module.

HTTP packets might be dropped by the ASA for the ASP drop reason "TCP packet failed PAWS test (tcp-paws-fail)"

Conditions:
All of the following conditions must be met to encounter this problem:
1) The traffic flow must be subjected to inspection by the ASA CX module
2) The connection must be HTTP over TCP
3) The HTTP GET message must be so big that it is segmented into multiple TCP packets. This might occur if the cookie values in the GET are very long.

Workaround:
Using the ASA's modular policy framework, disable TCP timestamps for the connections:

!
access-list http-traffic extended permit tcp any any eq www
!
class-map http-class
match access-list http-traffic
!
tcp-map TCP-map-timestamps
tcp-options timestamp clear
!
policy-map global_policy
...
class http-class
set connection advanced-options TCP-map-timestamps
!

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(5.2), 9.0(1.2), 9.1(1.1)
Known Fixed Releases:
100.7(6.123), 100.8(27.83), 100.8(40.2), 100.8(60.7), 100.9(0.39), 100.9(4.5), 100.9(6.17), 100.9(7.21), 8.4(7.1), 9.0(2.100)
Bug Id:
CSCtc96018
Title:
ASA watchdog when inspecting malformed SIP traffic
Description:

Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0, 8.1, 8.2, 8.3(0.2)
Known Fixed Releases:
100.3(0.24), 7.2(4.45), 8.0(5.2), 8.1(2.37), 8.2(1.107), 8.2(1.16), 8.2(4), 8.3(0.8)
Bug Id:
CSCtk55056
Title:
Clientless Sessions are leaking licenses
Description:

Symptom:
WebVPN clientless active connections do not match the license limits. The ASA may hit license limits even though active sessions are not
there. This also impacts AnyConnect client connections.

Conditions:
Unsuccessful webvpn sessions attempted

Workaround:
Not known

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(0.107)
Known Fixed Releases:
100.5(5.57), 100.7(0.71), 100.7(11.2), 100.7(13.1), 100.7(6.17), 100.7(8.3), 8.2(4.3), 8.2(5), 8.3(2.12), 8.4(0.110)
Bug Id:
CSCsv56718
Title:
Traceback while testing ftp performance thru VPN tunnel
Description:

Symptom:
Traceback in snp_fp_encrypt_internal.

Conditions:
Cisco ASA5580-40 running release 8.1.1. Running an ftp performance test across a VPN tunnel.

Workaround:
None.

Further Problem Description:

Status:
Other
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.1(1)
Known Fixed Releases:
Bug Id:
CSCsx73295
Title:
MOC clients can not register with OCS with ASA SIP INSPECT
Description:

Symptom:

MOC client can not register with OCS server if:
1. ASA is in between the client and OCS server
2. ASA is performing SIP INSPECT

Conditions:

The condition is only seen with the initial shipped version of the 8.1.0 release of ASA.

The condition is not seen with any other ASA version.

Workaround:

None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(0.208)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 8.1(2.17), 8.2(0.216), 8.2(1), 8.2(2.99), 8.2(4)
Bug Id:
CSCtb07060
Title:
ASA bootloops with 24 or more VLANs in multimode
Description:

Symptom:
When booting an ASA in multi-context mode with more than 24 VLAN interfaces configured, the ASA loads up to the ciscoasa> prompt. However, it does not respond to any input, and about 2 seconds later prints "Rebooting..." and drops back to ROMMON, or stays in a boot loop until you break into ROMMON.

Conditions:
ASA configured in multi-mode with 24 or more VLANs configured.

Workaround:
Break into ROMMON and change the config register to ignore the startup configuration:

rommon #1> confreg 0x41

After the device boots up, copy the startup configuration to the running configuration:

copy start run

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2, 8.2(0.1)
Known Fixed Releases:
8.0(4.43), 8.0(5), 8.1(2.34), 8.2(1.100), 8.2(1.102), 8.2(1.12), 8.2(4), 8.3(0.0)
Bug Id:
CSCtd53601
Title:
TELNET session not pass active context without standby ipv6 address
Description:


Symptom:

Through-the-box IPv6 connections do not work if only the active IPv6 address is configured in an
HA setup.

Conditions:

A data interface with only the active IPv6 address configured, with the ASA running in HA mode.

Workaround:

Configure standby IPV6 address on the data interface as well.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1.109), 8.2(2)
Known Fixed Releases:
100.3(0.29), 100.4(0.27), 100.5(5.1), 8.2(2.99), 8.2(4), 8.3(0.12), 8.3(1)
Bug Id:
CSCte46460
Title:
Post migration ACL allows traffic that was denied prior
Description:

Symptoms:
Post migration ACL allows traffic that was denied prior to the migration of the configuration.

** This was only experienced during internal testing in code that was never released to customers. It was fixed prior to first customer shipment (FCS).


Conditions:
Cisco ASA with no special configuration.

Workaround:
None


PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.3(0.18)
Known Fixed Releases:
100.5(5.2), 100.5(5.3), 8.3(0.21), 8.3(0.22), 8.3(0.24), 8.3(1), 8.3(1.100)
Bug Id:
CSCtn93052
Title:
WebVPN: Office WebApps don't work for SharePoint 2010 in IE
Description:

Symptom:
Office WebApps don't work for SharePoint 2010 in Internet Explorer
Conditions:
Try to open any document in Browser mode
Workaround:
Use Firefox

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2, 8.3(2)
Known Fixed Releases:
100.7(13.2), 100.7(14.1), 100.7(6.37), 100.7(9.23), 100.8(0.3), 100.8(10.3), 100.8(12.2), 100.8(2.1), 100.8(20.1), 100.8(8.2)
Bug Id:
CSCtd26388
Title:
Traceback in IKE daemon
Description:

Symptom:
Traceback in IKE daemon with DFP enabled
Conditions:
This crash occurred under low memory conditions with DFP enabled
Workaround:
No work around


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0
Known Fixed Releases:
100.3(0.23), 7.2(4.44), 8.0(5.2), 8.1(2.37), 8.2(1.107), 8.2(1.16), 8.2(4), 8.3(0.8)
Bug Id:
CSCth03806
Title:
traceback after snmp walk
Description:

Symptom:

The ASA may generate a traceback and reload after receiving an SNMP walk.

Conditions:

This issue only affects ASAs running software versions before 8.4(1) or 8.2(3).

Workaround:

Avoid sending SNMP walks to the ASA.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(2.117)
Known Fixed Releases:
100.7(0.22), 100.7(6.1), 8.2(2.124), 8.2(3), 8.4(0.99), 8.4(1)
Bug Id:
CSCtf99907
Title:
mcast: fix smp locking issues
Description:

Symptom:
various crashes in mcast code on 5580
Conditions:
Multicast and timing issues related to the CP mfib changing while the DP is forwarding a flow associated with the mfib entry.
Workaround:
none

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2, 8.2(1.191), 8.2(1.192), 8.2(2), 8.2(2.99)
Known Fixed Releases:
100.7(0.15), 100.7(0.17), 100.7(0.9), 8.2(2.102), 8.2(2.13), 8.3(1.3), 8.3(1.5), 8.4(0.99), 8.4(1)
Bug Id:
CSCtc05793
Title:
WebVPN: Using Mac 10.6 with Smart Tunnels crashes browser in 8.0.x
Description:

Symptom:

Mac OS X 10.6 using Smart Tunnels will crash the browser with 8.0 release code.

Conditions:

Mac OS X 10.6 with Safari or Firefox will crash the browser against an 8.0 ASA image while trying to use Smart Tunnels.





Workaround:

NA

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4.43)
Known Fixed Releases:
Bug Id:
CSCtf83508
Title:
ASA 8.2.1 traceback in thread name fover_parse
Description:

Symptom:
Console hangs.

Conditions:
Yet unknown.

Workaround:
None.

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
Bug Id:
CSCtb37219
Title:
Traceback in Dispatch Unit AIP-SSM Inline and nailed option on static
Description:

Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
7.0, 7.1, 7.2, 8.0(4.32)
Known Fixed Releases:
8.0(4.100), 8.0(4.44), 8.1(2.35), 8.2(1.10), 8.2(1.100), 8.2(1.102), 8.2(4), 8.3(0.0)
Bug Id:
CSCsv02535
Title:
Crash at eip 0x0817a861 <output_context+97 at dbgtrace/dbgtrace.c:1145>
Description:

Symptom:
While in an ssh session to the box, the box crashes.

Conditions:
Phone-proxy was configured and debug phone-proxy tftp was turned on.

Workaround:
Do not turn on debug phone-proxy.

Further Problem Description:
This problem was seen once and was not reproducible.

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4.6)
Known Fixed Releases:
Bug Id:
CSCsv66510
Title:
Smart Tunnel on Mac Leopard 10.5.x failing
Description:

Symptom:

There are inconsistencies with Smart Tunnels on 10.5.x Leopard versions. In some cases it works; for others, it does not. This is something we need to further investigate and correct.

Smart Tunnel with simple curl in a terminal window:
With Java 1.4.2, fails to start
With Java 5.0, starts but curl fails to connect to server

Same ASA accessed from Tiger delivers content fine

Conditions:

Workaround:

Use Tiger OS

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4), 8.0(4.7)
Known Fixed Releases:
100.3(0.2), 100.4(0.1), 8.0(4.24), 8.1(2.14), 8.2(0.205), 8.2(2.99), 8.2(4)
Bug Id:
CSCsy75720
Title:
asdm does not connect to secondary on failover
Description:

Symptom:
asdm cannot connect to active/standby units on failover

Conditions:

Active/Standby failover in multi-routed mode

Workaround:
none

Further Problem Description:

asdm cannot connect to active/standby units on failover from active to standby and vice-versa.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.1(2.162), 8.2(0.225), 8.2(1)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 8.0(4.33), 8.0(5), 8.1(2.24), 8.2(1.10), 8.2(2.99), 8.2(4)
Bug Id:
CSCtr43773
Title:
SCEP proxy misconfig allows cert auth bypass
Description:


Symptoms:
A misconfiguration of SCEP proxy on a tunnel-group can allow for
authentication bypass.

Conditions:
ASA is running version > 8.4. This is seen when using WebVPN with Anyconnect <3 or with clientless.

Workaround:
Configure
''authentication aaa certificate''
under the webvpn-attributes of the tunnel-group.

Further Problem Description:
The misconfiguration consists of configuring ONLY certificate authentication without also adding the aaa method, as mandated in the config guide.

Proper configuration should include the following under the webvpn-attributes of the tunnel-group
authentication aaa certificate
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2011-2550 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.21), 100.7(14.9), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(9.53), 100.8(0.17), 100.8(10.19), 100.8(12.22), 100.8(15.5)
Bug Id:
CSCtq35045
Title:
HA: Monitored interfaces fail to move out of waiting state
Description:

Symptom:

Standby ASA in failover may show interface status as waiting. You will not be able to ping the active interface IP from the standby firewall.

Conditions:

This is seen in multi context mode with the same interface shared across multiple contexts. The shared interface will be in a waiting state after a failover event and will never recover.

You may see spoof syslogs related to the failover IP addresses on this interface. Bug causes the standby ASA to think that it owns the active macs. So it treats packets that it generates destined to the active mac as spoof packets.

Workaround:

Upgrade to fixed code.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(13.11), 8.2(4), 8.2(5), 8.3(1.100), 8.4(1.101), 8.4(1.104)
Known Fixed Releases:
100.7(13.13), 100.7(14.1), 100.7(18.1), 100.7(6.42), 100.7(8.34), 100.7(9.38), 100.8(0.14), 100.8(0.31), 100.8(0.8), 100.8(10.9)
Bug Id:
CSCsu11412
Title:
Watchdog traceback in CTM under high data load/small packets
Description:

Symptom:
A traceback due to a watchdog failure may occur under high data load.

Conditions:
Sending high data load, small packets (66 bytes) over 500 connections bidirectionally via a 10 GbEnet port results in a
hardware watchdog failure.

Workaround:
None known at this time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.1(1.8), 8.1(101.9)
Known Fixed Releases:
8.1(2.19)
Bug Id:
CSCtc35051
Title:
ASA 5580 hangs with only 200 concurrent users due to 2048-bit keys
Description:

Symptom:
The ASA can hang for a few seconds while processing SSL handshakes if the number of clients is above 100 and the connection requests are concurrent.

Conditions:
This only happens if the RSA key used in the ASA certificate is >2048.

Workaround:

Use a 1024-bit key.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.3(0.19), 100.5(5.1), 8.2(1.105), 8.2(1.180), 8.2(2), 8.3(0.5), 8.3(1)
Bug Id:
CSCtg63818
Title:
Memory leak when using certs for SSL AAA
Description:

Symptom:

memory leak with

Conditions:

Using certificate authentication for SSL sessions.

Workaround:
none at this time

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.3(1.3)
Known Fixed Releases:
100.5(5.15), 100.7(0.15), 100.7(6.1), 8.2(2.104), 8.2(2.15), 8.3(1.100), 8.3(1.5), 8.4(0.99), 8.4(1)
Bug Id:
CSCtc90935
Title:
WebVPN Configuration: ASA 5505 crash during config restoration from ASDM
Description:

Symptom:
5505 may traceback when using restore configuration through ASDM.
Conditions:
When ASDM was sending the restore commands to restore the configuration, the
CPU usage went to 99% and after some time it crashed.
Workaround:
Workaround using ASDM -

Workaround for downgrade to 8.2.1 is either through the ASDM CLI tool (follow the
instructions below) or:
A) Configuration > Device Management > System Image/Configuration > Boot
Image/Configuration and only select the 8.2.1 boot image.
B) After this, reload using the Tools > System Reload panel. Wait for the ASA to come up
and then go to Tools > Restore Configurations and select the 8.2 backed-up files.

The workaround through CLI -

1) Downgrade image to 8.2.1
2) Restore the config
clear config all
copy flash:8_2_1_startup_cfg.sav running-config

What works -

8.2 image with 8.2 config restore works.
8.3 image with 8.3 config restore works.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1), 8.3(0.1)
Known Fixed Releases:
100.3(0.22), 100.4(0.24), 8.2(1.107), 8.2(2), 8.2(2.99), 8.2(4), 8.3(0.6), 8.3(1)
Bug Id:
CSCsy91157
Title:
Watchdog when inspecting malformed SIP traffic
Description:

Summary: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4.29)
Known Fixed Releases:
8.0(4.161), 8.0(4.38), 8.0(5), 8.1(2.165), 8.1(2.29), 8.2(1.10), 8.2(4), 8.3(0.0)
Bug Id:
CSCsy21727
Title:
Failover pair is not able to sync config and stuck in Sync Config state
Description:

Symptom:

Failover pair is not able to sync and is stuck in the Sync Config state.

Conditions:

Unable to sync after boot.

Workaround:

Increase the unit hold time.

Further Problem Description:

This problem only applies to 007.002(004)029, 008.000(004)027, and 008.001(002).018.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
7.2(4.28)
Known Fixed Releases:
7.2(4.30), 8.0(4.161), 8.0(4.220), 8.0(4.28), 8.1(2.162), 8.1(2.19), 8.2(1.10), 8.2(4)
Bug Id:
CSCsz01314
Title:
Traceback in ci/console after sh crypto ipsec sa
Description:

Symptom:
ASA crashes in ci/console with a vector page fault.

Conditions:

Many phase 2 SAs are present and both phase 1 and phase 2 have been rekeyed.

'show crypto ipsec sa' has been issued.

Workaround:

None; avoid issuing 'show crypto ipsec sa' under these conditions.

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
7.2(4), 7.2(4.26), 7.2(4.31)
Known Fixed Releases:
7.2(4.43), 8.0(4.100), 8.0(4.45), 8.1(2.35), 8.2(1.100), 8.2(1.102), 8.2(1.12), 8.2(4)
Bug Id:
CSCtc43396
Title:
Coredump from emweb/https when connecting phone VPN client
Description:

Symptom:

ASA coredump in emweb/https due to page fault

Conditions:

Attempt to connect the phone's VPN client to an ASA configured with webvpn svc

Workaround:

None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.3(0.13), 100.4(0.19), 8.2(1.103), 8.2(1.13), 8.2(2), 8.2(2.99), 8.2(4), 8.3(0.0)
Bug Id:
CSCsw93225
Title:
page fault reload Thread Name: Dispatch Unit, possible flow corruption
Description:

Symptom: ASA reloads and produces a crashinfo file indicating the Thread Name: Dispatch Unit.

Condition: ASA5550 running both 8.0.4.16 and 8.0.3.14. Other ASA platforms and versions are most likely affected too. The crash appears to be a memory corruption associated with an existing data flow and the investigation into the root cause is in the early stages. This release-note will be updated when more information is known.

Workaround: A potential workaround may be to disable all inspection engines OR disable the service-policies.

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(3.14), 8.0(4.16)
Known Fixed Releases:
Bug Id:
CSCth08903
Title:
WebVPN: "Invalid Canary" error for different options in OWA 2010
Description:

Symptom:
This defect is hard to reproduce. The "Invalid Canary" error can appear intermittently for different actions in the OWA "Options" section.
Conditions:
Detailed description given in the defect summary section.
Workaround:
Use the Firefox browser
or
Use the OWA Light client

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(7.0), 8.2(3)
Known Fixed Releases:
100.5(5.54), 100.7(0.71), 100.7(11.2), 100.7(6.15), 100.7(8.3), 8.2(4.1), 8.2(5), 8.3(2.13), 8.4(1.1), 8.4(1.99)
Bug Id:
CSCte15729
Title:
5580 traceback at CP process while running 600 calls on 2 trunks
Description:

Symptom:

ASA5580 crashes due to process CP Processing.

Conditions:

SIP traffic must be passing through the ASA.

Workaround:

None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.3(0.13)
Known Fixed Releases:
100.7(0.16), 8.2(2.104), 8.2(2.15), 8.3(0.19), 8.3(1), 8.3(1.100), 8.3(1.5), 8.4(0.99), 8.4(1)
Bug Id:
CSCtt17328
Title:
Nested Checkheaps traceback w/ domain-lookup & dynamic-filter blacklist
Description:

Symptom:

In some cases, the ASA may generate a nested traceback in the Checkheaps thread and reload.
This may occur when the ASA receives certain DNS responses to queries generated by the firewall.

Conditions:

The ASA must be configured as a DNS client and have a dynamic-filter static blacklist defined. For example:

dns domain-lookup inside
DNS server-group DefaultDNS
name-server
!
dynamic-filter blacklist
name

Workaround:

Disable DNS lookups on the ASA:

no dns domain-lookup inside
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(2), 8.4(2.10)
Known Fixed Releases:
100.7(13.37), 100.7(14.26), 100.7(17.5), 100.7(18.3), 100.7(6.44), 100.8(0.30), 100.8(0.32), 100.8(0.36), 100.8(0.46), 100.8(0.54)
Bug Id:
CSCuj33701
Title:
traceback ABORT(-87): strcpy_s: source string too long for dest
Description:

Symptom:
Device crashes at boot time with the following error:

ABORT(-87): strcpy_s: source string too long for dest

coreX: An internal error occurred. Specifically, a programming assertion was
violated. Copy the error message exactly as it appears, and get the
output of the show version command and the contents of the configuration
file. Then call your technical support representative.

assertion "0" failed: file "constraint.c", line 76

Conditions:
ASA software 8.4.7.3. An SSL client attempts to connect to the ASA during the early stages of boot with a cookie longer than 64 bytes.

Workaround:
Shut down the interfaces in the configuration. Reboot with the interfaces in this shutdown state, and then, after the logging system has been initialized, issue "no shutdown" on the interfaces.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(40.27)
Known Fixed Releases:
100.10(0.22), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.126), 100.8(38.47), 100.8(40.31), 100.8(45.5), 100.8(46.11), 100.8(51.1)
Bug Id:
CSCty75440
Title:
Traceback after checkheaps detecting a memory corruption after FO switch
Description:

Symptom:
ASA1000V crashed by checkheap after vMotion

Conditions:
The problem occurs after vMotion is done from particular ESXi hosts. Internal vCenter data from these particular hosts causes buffer overflow. It may take up to 15 minutes for the overflow to occur.

This does not require HA configuration.
This does not require traffic.

Workaround:
Boot the ASA1000V on another ESXi host. Once the ASA1000V is booted and has been running for 30 minutes, it can be migrated back to the host that seems to cause the problems.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(13.57), 100.8(38.38), 8.7(0.2), 8.7(1.6)
Known Fixed Releases:
100.7(13.118), 100.8(38.52), 100.8(45.6), 100.8(46.17), 100.8(51.1), 100.9(10.13), 8.7(1.9), 9.2(0.99), 9.2(1)
Bug Id:
CSCup28968
Title:
When ACL optimization is enabled, wrong rules get deleted
Description:

Symptom:
++ Access rules get deleted when a member is added to or deleted from an associated object-group.

Conditions:
++ ACL optimization is enabled.
++ An object-group is associated with the ACL.
++ The following error message is seen when adding a member to the object-group:

Adding obj to object-group (OBJECT_GROUP_NAME) failed; cause access-list error

Workaround:
++ If new addresses need to be added, create separate new objects and use them to create a new access-list entry.
or
++ Remove the "object-group-search access-control" command while the 'adding obj' error above is not being seen.

Further Problem Description:
When ACL optimization is enabled and a member of an object-group used in the source or destination field of an optimized ACL is added or deleted, all the associated access rules are deleted instead of only the member being added to or removed from the object-group.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.0, 9.1, 9.2
Known Fixed Releases:
100.11(0.25), 100.11(6.3), 100.12(0.13), 100.12(1.2), 100.12(11.22), 100.12(12.1), 100.12(13.7), 100.12(15.2), 100.12(16.4), 100.12(17.8)
Bug Id:
CSCuo00627
Title:
Saleen copper module port speed/duplex changes ineffective
Description:

Symptom:
CLI settings of speed or duplex on copper Ethernet expansion ports on plugin modules for 5525 and 5545 are ineffective. Autonegotiation is always enabled and all modes are always advertised, regardless of CLI settings.

Conditions:
Use the CLI to set speed/duplex of GigabitEthernet1/x and then examine the result via "show interface gi1/x".

Workaround:
Be sure that autonegotiation is always enabled on the link partner for the copper expansion ports.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.10(0.88), 100.10(2.14), 100.10(6.16), 100.10(7.3), 100.11(0.7), 100.11(3.1), 100.11(5.1), 100.11(6.1), 100.8(40.68), 100.8(56.50)
Bug Id:
CSCuf31607
Title:
Linux Kernel Invalid fs and gs Registry KVM Denial of Service Vulnerab
Description:

Symptom:
This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-3698

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-3698 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
100.11(0.47), 100.12(0.51), 100.12(22.1), 100.13(0.3), 100.13(12.5), 100.13(13.1), 100.13(14.3), 100.13(15.2), 100.13(16.1), 100.13(17.1)
Bug Id:
CSCuc58260
Title:
ICMP to management-access interface through VPN fails
Description:

Symptom:
Unable to ping from one ASA to another to establish a VPN session. Unable to ping the management-access interface through the VPN tunnel.

Conditions:
ASA with a site-to-site tunnel configured. Affects versions 8.2 and 8.4 of ASA code.

Workaround:
None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0.240), 8.2(5.34), 8.2(5.35), 8.4(4.100)
Known Fixed Releases:
100.7(13.104), 100.7(6.104), 100.8(0.242), 100.8(11.42), 100.8(27.20), 100.8(33.27), 100.8(34.1), 100.8(38.1), 100.8(39.1), 100.9(0.6)
Bug Id:
CSCuc92292
Title:
ASA may not establish EIGRP adjacency with router due to version issues
Description:

Symptom:

Due to the way the ASA reports its EIGRP version information to an adjacent neighbor, the ASA may not be able to exchange EIGRP routes with an IOS peer. The neighbor adjacency comes up, but no routes are installed in the routing table.

Conditions:

The ASA must be peering with an IOS device that does not have the fix for CSCtt17785.

Workaround:

Downgrade/upgrade the IOS device to a version with the fix for CSCtt17785.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(2), 9.0(1)
Known Fixed Releases:
100.7(13.109), 100.7(13.111), 100.7(6.105), 100.8(27.30), 100.8(34.1), 100.8(38.4), 100.8(50.11), 100.9(0.19), 100.9(4.1), 100.9(9.1)
Bug Id:
CSCuh84378
Title:
ASA: Last packet in PCAP capture file not readable
Description:

Symptom:
The ASA does not correctly terminate the end of a capture file in PCAP format. This causes the last packet in the buffer to not be visible.

Conditions:
This issue only affects capture buffers downloaded in PCAP format. The packet will still be visible in the ASCII version of the capture (i.e. 'show capture ').

Workaround:
Ensure that at least one extra packet is captured by the ASA before stopping/downloading the capture.
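To see what a capture cut short at its last record looks like to a parser, here is an added example in Python (not Cisco's code and not part of the bug record): it walks a classic pcap file record by record, returns every record that is fully present, and reports how many trailing bytes could not form a complete record, which is the symptom described above. The sample capture bytes are constructed inline; nothing about the ASA's file layout beyond the standard pcap format is assumed.

```python
import struct
import sys

PCAP_GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len

# Classic pcap magic numbers as read little-endian; the microsecond and
# nanosecond variants are both accepted.
_LE_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)
_BE_MAGICS = (0xD4C3B2A1, 0x4D3CB2A1)


def parse_pcap(data):
    """Parse a classic (non-pcapng) capture file held in memory.

    Returns (packets, dangling): packets is a list of (ts_sec, ts_usec,
    payload) tuples for every record whose 16-byte header and body are
    both fully present; dangling is the number of trailing bytes that do
    not form a complete record (0 for a well-formed file).  A file that
    ends mid-record therefore yields the recoverable packets plus a
    non-zero dangling count instead of raising.
    """
    if len(data) < PCAP_GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in _LE_MAGICS:
        endian = "<"
    elif magic in _BE_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)

    packets = []
    offset = PCAP_GLOBAL_HDR_LEN
    while offset < len(data):
        remaining = len(data) - offset
        if remaining < PCAP_RECORD_HDR_LEN:
            return packets, remaining          # record header itself is cut off
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + PCAP_RECORD_HDR_LEN])
        body_start = offset + PCAP_RECORD_HDR_LEN
        body_end = body_start + incl_len
        if body_end > len(data):
            return packets, remaining          # record body is cut off
        packets.append((ts_sec, ts_usec, data[body_start:body_end]))
        offset = body_end
    return packets, 0


def check_capture(data):
    """Summarise a capture: complete records and any dangling tail bytes."""
    packets, dangling = parse_pcap(data)
    return {"complete": len(packets), "dangling_bytes": dangling}


def build_pcap(records, endian="<", snaplen=1518, linktype=1):
    """Write a classic pcap file (linktype 1 = Ethernet) from
    (ts_sec, ts_usec, payload) tuples; used here only to build sample input."""
    out = bytearray(struct.pack(endian + "IHHiIII",
                                0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, payload in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec,
                           len(payload), len(payload))
        out += payload
    return bytes(out)


# Constructed sample frames (not from a real capture): three Ethernet-style
# payloads with fixed timestamps.
SAMPLE_PACKETS = [
    (1000, 1, bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28),
    (1000, 2, bytes.fromhex("0011223344556655443322110800") + b"\x45" + b"\x00" * 19),
    (1000, 3, b"\xaa" * 60),
]
GOOD_FILE = build_pcap(SAMPLE_PACKETS)
# Simulate the defect: the last record's body is cut short by 10 bytes.
TRUNCATED_FILE = GOOD_FILE[:-10]

if __name__ == "__main__":
    # Usage: python pcap_tail_check.py capture.pcap
    path = sys.argv[1]
    with open(path, "rb") as fh:
        print(path, check_capture(fh.read()))
```

A non-zero dangling_bytes count on a downloaded capture means the tail was cut off; the missing packet must then be read from the ASCII output of 'show capture' instead.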

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(6.3)
Known Fixed Releases:
100.11(0.38), 100.11(5.47), 100.11(6.10), 100.12(0.20), 100.12(1.15), 100.12(10.7), 100.12(12.5), 100.12(13.11), 100.12(15.5), 100.12(16.11)
Bug Id:
CSCtx81354
Title:
CPU hog in process names "tmatch compile thread" with VPN tunnels
Description:

Symptom:
The ASA's CPU may be held by the IKE VPN process for too long before yielding the CPU to other processes. If the data rate is high enough on the ASA, packets might be dropped.

The output of the CLI command 'show process cpu-hog' will show entries for 'tmatch compile thread':
Process: tmatch compile thread, NUMHOG: 4, MAXHOG: 48, LASTHOG: 23
LASTHOG At: 14:18:51 EST Feb 6 2012
PC: 0x0806a7e4 (suspend)
Call stack: 0x081bd575 0x081acdb7 0x081ad1fa 0x081ad1fa 0x081ad1fa 0x081b0c69 0x081b2b4e
0x081ad1fa 0x081ad1fa 0x081ad552 0x081b0c69 0x081b27ae 0x081b6fed 0x081c715b

Process: tmatch compile thread, NUMHOG: 12, MAXHOG: 76, LASTHOG: 33
LASTHOG At: 14:19:00 EST Feb 6 2012
PC: 0x0806a7e4 (suspend)
Call stack: 0x081bd575 0x081a849b 0x081aaa7a 0x081ab56c 0x081b4b9d 0x081ad1fa 0x081ad1fa
0x081b6fed 0x081c70f5 0x081c10cb 0x0806897c
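As an added example, not part of the bug record, the following Python parses the 'show process cpu-hog' output quoted above and aggregates it per process, so a threshold can be applied when checking whether the hogs on a given ASA exceed the values reported here. The third entry in the sample (Dispatch Unit) is constructed to make the per-process aggregation visible; MAXHOG is treated in whatever unit the ASA prints, since the record does not state one.

```python
import re
from collections import OrderedDict

# One summary line per hog entry, as printed by 'show process cpu-hog'.
HOG_RE = re.compile(
    r"^Process:\s*(?P<proc>.+?),\s*NUMHOG:\s*(?P<num>\d+),"
    r"\s*MAXHOG:\s*(?P<max>\d+),\s*LASTHOG:\s*(?P<last>\d+)\s*$")
LASTHOG_AT_RE = re.compile(r"^LASTHOG At:\s*(?P<when>.+?)\s*$")


def parse_cpu_hog(text):
    """Parse 'show process cpu-hog' output into a list of entry dicts.

    Each entry carries the process name, the NUMHOG/MAXHOG/LASTHOG counters
    and, when present, the 'LASTHOG At' timestamp that follows it.  The PC
    and call-stack lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HOG_RE.match(line)
        if m:
            entries.append({
                "process": m.group("proc"),
                "numhog": int(m.group("num")),
                "maxhog": int(m.group("max")),
                "lasthog": int(m.group("last")),
                "last_at": None,
            })
            continue
        m = LASTHOG_AT_RE.match(line)
        if m and entries and entries[-1]["last_at"] is None:
            entries[-1]["last_at"] = m.group("when")
    return entries


def summarize_cpu_hog(text):
    """Aggregate entries per process, preserving first-seen order.

    NUMHOG is a running count on the ASA (4, then 12 in the sample), so the
    largest value is kept; MAXHOG is the worst single hog, so the maximum
    across entries is kept; LASTHOG and last_at come from the latest entry.
    """
    summary = OrderedDict()
    for e in parse_cpu_hog(text):
        s = summary.setdefault(e["process"], {
            "entries": 0, "numhog": 0, "maxhog": 0, "lasthog": 0, "last_at": None})
        s["entries"] += 1
        s["numhog"] = max(s["numhog"], e["numhog"])
        s["maxhog"] = max(s["maxhog"], e["maxhog"])
        s["lasthog"] = e["lasthog"]
        if e["last_at"] is not None:
            s["last_at"] = e["last_at"]
    return summary


def hogs_over(text, maxhog_threshold):
    """Return [(process, maxhog)] for processes whose worst hog exceeds the
    threshold, worst first.  The threshold uses the MAXHOG column's unit."""
    over = [(p, s["maxhog"]) for p, s in summarize_cpu_hog(text).items()
            if s["maxhog"] > maxhog_threshold]
    return sorted(over, key=lambda ps: ps[1], reverse=True)


# The two entries quoted in the bug record, plus one constructed entry for a
# second thread so the per-process aggregation is visible.
SAMPLE_OUTPUT = """\
Process: tmatch compile thread, NUMHOG: 4, MAXHOG: 48, LASTHOG: 23
LASTHOG At: 14:18:51 EST Feb 6 2012
PC: 0x0806a7e4 (suspend)
Call stack: 0x081bd575 0x081acdb7 0x081ad1fa 0x081ad1fa 0x081ad1fa 0x081b0c69 0x081b2b4e
0x081ad1fa 0x081ad1fa 0x081ad552 0x081b0c69 0x081b27ae 0x081b6fed 0x081c715b

Process: tmatch compile thread, NUMHOG: 12, MAXHOG: 76, LASTHOG: 33
LASTHOG At: 14:19:00 EST Feb 6 2012
PC: 0x0806a7e4 (suspend)
Call stack: 0x081bd575 0x081a849b 0x081aaa7a 0x081ab56c 0x081b4b9d 0x081ad1fa 0x081ad1fa
0x081b6fed 0x081c70f5 0x081c10cb 0x0806897c

Process: Dispatch Unit, NUMHOG: 1, MAXHOG: 20, LASTHOG: 20
LASTHOG At: 14:19:05 EST Feb 6 2012
"""
```

Feed it the pasted output of 'show process cpu-hog' and compare hogs_over(output, 76) against what this record reports; anything beyond it on a VPN-terminating ASA is worth a TAC case rather than being attributed to this terminated bug.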

Conditions:
To encounter this problem, the ASA must be configured for VPN termination.

There have been no reports of problems associated with these hogs, so a code change will not be pursued.

Workaround:
None known.

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
Bug Id:
CSCua66053
Title:
Hostscan ASA token times out on slow connections
Description:

Symptom:
Remote access VPN connection attempt times out.

Conditions:
Slow link; HostScan configured and enabled.

Workaround:
Use a higher-speed link.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4, 9.0(4.17)
Known Fixed Releases:
100.7(13.102), 100.7(24.3), 100.7(6.100), 100.8(0.240), 100.8(11.39), 100.8(27.20), 100.8(33.24), 100.8(34.1), 100.8(38.1), 100.8(39.1)
Bug Id:
CSCuh20372
Title:
ASA adds 'extended' keyword to static manual nat configuration line
Description:

Symptom:
This problem was introduced in version 9.1(2)1. It does not affect version 9.1(2)

If a static manual NAT line is added to the configuration, the 'extended' keyword is also incorrectly added to the configuration line by the parser

Example:
ASA(config)#nat (any,any) source static dmz-pc dmz-pc destination static vpn-network vpn-network
ASA(config)#
ASA(config)#show run nat
nat (any,any) source static dmz-pc dmz-pc destination extended static vpn-network vpn-network
ASA(config)#

The configuration then can no longer be removed by putting a 'no' in front of the entire line:
ASA(config)#no nat (any,any) source static dmz-pc dmz-pc destination extended static vpn-network vpn-network
^
ERROR: % Invalid input detected at '^' marker.
ASA#

Additionally, after this problem is encountered after upgrading to 9.1(2)1, if the configuration is saved and the ASA is rebooted so that it boots up 9.1(2), the manual NAT commands with the 'extended' keyword will fail to be loaded into the configuration due to the syntax error.

Conditions:
ASA running 9.1(2)1 or later. 9.1(2) is not affected by this problem.

Manual NAT (aka Twice NAT) is affected by this problem, but auto-NAT (aka object-NAT) is not.

Workaround:
If possible, downgrade the ASA to version 9.1(2) and ensure that the manual NAT lines are present in the configuration. If necessary, re-add the manual NAT lines if they fail to be loaded when booting 9.1(2).

To remove the static manual NAT line, use the command 'no nat #' where # is the manual NAT line number with the extended keyword.
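Before downgrading to 9.1(2), the saved configuration can be checked for lines that will fail to load. The following Python is an added example, not Cisco's code: it finds manual NAT lines carrying the spurious 'extended' keyword, produces the corrected line, and derives the 'no nat #' removal command from the line's position among the manual NAT lines of the same section. That position-to-number mapping is an assumption; confirm the number against 'show nat' before issuing the command. The sample configuration is constructed from the object names in the bug record.

```python
import re

# A manual (twice) NAT line: 'nat (real,mapped) [after-auto] [line] source ...'.
# Object NAT lines ('nat (a,b) static ...' under an object) carry no 'source'
# keyword and are deliberately not matched.
MANUAL_NAT_RE = re.compile(
    r"^nat\s+\([^)]*\)\s+(?P<after>after-auto\s+)?(?:\d+\s+)?source\s+")
# The keyword the 9.1(2)1 parser injects; 9.1(2) rejects the line on load.
SPURIOUS_EXTENDED_RE = re.compile(r"\bdestination\s+extended\s+static\b")


def lint_manual_nat(config_text):
    """Scan a running/startup config for manual NAT lines carrying the
    spurious 'extended' keyword.

    Returns one finding per affected line with the corrected line and the
    'no nat <n>' command to remove it.  <n> is the line's 1-based position
    among the manual NAT lines of its section (section 1 for ordinary manual
    NAT, section 3 for 'after-auto' lines).  Assumption: this matches the
    numbering the ASA expects; verify against 'show nat' first.
    """
    findings = []
    position = {"before": 0, "after": 0}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = MANUAL_NAT_RE.match(line)
        if not m:
            continue
        section = "after" if m.group("after") else "before"
        position[section] += 1
        if not SPURIOUS_EXTENDED_RE.search(line):
            continue
        findings.append({
            "config_line": lineno,
            "nat_line": position[section],
            "section": 3 if section == "after" else 1,
            "original": line,
            "corrected": SPURIOUS_EXTENDED_RE.sub("destination static", line),
            "remove_cmd": "no nat %d" % position[section],
        })
    return findings


def corrected_config(config_text):
    """Return the config with the spurious keyword stripped from every manual
    NAT line, suitable for re-applying after the downgrade to 9.1(2)."""
    out = []
    for raw in config_text.splitlines():
        if MANUAL_NAT_RE.match(raw.strip()):
            raw = SPURIOUS_EXTENDED_RE.sub("destination static", raw)
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample config (not from a real device) using the object names
# from the bug record: one bad manual NAT line in section 1, one in section 3,
# one clean manual NAT line and one object NAT line that must be ignored.
SAMPLE_CONFIG = """\
object network dmz-pc
 host 10.1.1.5
object network vpn-network
 subnet 192.168.247.0 255.255.255.0
!
nat (any,any) source static dmz-pc dmz-pc destination extended static vpn-network vpn-network
nat (inside,outside) source dynamic any interface
nat (any,any) after-auto source static dmz-pc dmz-pc destination extended static vpn-network vpn-network
!
object network web-server
 nat (dmz,outside) static 203.0.113.10
"""
```

Run lint_manual_nat over 'show running-config nat' output taken on 9.1(2)1; each finding's remove_cmd is what to issue on the running unit, and corrected_config gives the lines to paste back once 9.1(2) is booted.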

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1(2.1)
Known Fixed Releases:
100.10(0.6), 100.8(27.83), 100.8(38.18), 100.8(40.7), 100.8(41.2), 100.8(60.16), 100.9(0.48), 100.9(10.1), 100.9(6.24), 100.9(7.26)
Bug Id:
CSCtw72728
Title:
AdvCrypt: AnyConnect can connect but can't pass data
Description:

Symptom:
AnyConnect can connect, but I can't pass data. The ASA syslog shows:
%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x885F9FE4, sequence number= 0xF5) from x.x.x.x (user= user-suiteb) to 10.136.0.247. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.136.0.247, its source as x.x.x.x, and its protocol as udp. The SA specifies its local proxy as 0.0.0.0/0.0.0.0/ip/0 and its remote_proxy as 192.168.247.2/255.255.255.255/ip/0.
On the ASA, if I issue "show vpn-sessiondb detail anyconnect" I see IKEv2: Encryption: AES-GCM-256 Hashing: none - IPsecOverNatT: Encryption: AES-GCM-256 Hashing: none
On the AnyConnect stats page it shows (just IPsec) "AEAD_AES_256_GCM".

Conditions:
ASA 100.08.20.8 or 8.4.3.1 build
CSCtw72728 was introduced by fix for CSCtt74695.

Workaround:
Back down to 100.08.20.7 or 8.4.3

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0.42), 100.8(20.8)
Known Fixed Releases:
100.7(13.45), 100.7(14.40), 100.7(17.9), 100.7(18.4), 100.7(6.53), 100.8(0.43), 100.8(0.55), 100.8(11.4), 100.8(11.7), 100.8(14.2)
Bug Id:
CSCts26909
Title:
CPU spikes to 100% and causes traceback when Syslog interface is down
Description:

Symptom:
CPU Spikes to 100% and Crash in ASA when interface connecting to syslog server is down

Conditions:
Interface connecting to syslog server is down

Workaround:
none

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(2.190), 8.6(1)
Known Fixed Releases:
100.7(13.40), 100.7(14.30), 100.7(17.5), 100.7(18.4), 100.7(6.48), 100.7(8.34), 100.8(0.35), 100.8(11.2), 100.8(15.11), 100.8(17.8)
Bug Id:
CSCtu77637
Title:
ASASM: ARP replies sent by ASA are not forwarded by 6500 line card
Description:

Symptom:

When a host or device tries to resolve the MAC address of an ASASM interface via ARP, the ASASM will receive the request and generate an ARP reply. However, the ARP reply is never forwarded by the 6500.

Conditions:

This issue occurs with the combination of an ASASM and certain 6500 line cards. These line cards require a minimum packet size of 48 bytes. However, if the ARP reply generated by the ASASM is smaller, the packet will be dropped.

This issue only affects ASASMs running 8.5.1.6 and earlier. 9.x versions of software are not affected.

Workaround:

Separate the ASASM and relevant line card(s) into separate chassis if the ASASM does not have the fix for this issue installed.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
15.0(1)XJR111.309
Known Fixed Releases:
100.7(8.34), 100.8(0.56), 100.8(11.7), 100.8(14.4), 100.8(24.28), 100.8(30.3), 100.8(31.3), 100.8(32.2), 8.5(1.242), 8.5(1.7)
Bug Id:
CSCuf31654
Title:
Linux Kernel GUID Partition Tables Handling Arbitrary Code Execution V
Description:

Symptom:
This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-1776

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-1776 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
100.12(10.47), 100.8(40.84), 9.0(4.25), 9.1(5.100), 9.1(5.20), 9.2(2.100), 99.1(2.27), 99.1(3.9)
Bug Id:
CSCuj50862
Title:
Unable to launch ASDM with no username/password or with enable password
Description:

Symptom:
After upgrading to 9.1.3, the user can no longer launch ASDM with no username/password or with the enable password alone (the factory default configuration). One or both of the following need to be configured on the ASA in order for an ASDM user to log in:
1. http authentication-certificate outside
2. aaa authentication http console LOCAL

ASDM versions 7.1.3 and below can still be launched through the ASDM Launcher, but not ASDM 7.1.4. From the browser, ASDM cannot be launched without proper authentication configured, regardless of the ASDM version.

Conditions:
ASA 9.1.3 with ASDM 7.1.4

Workaround:
Configure user authentication on the ASA by creating a user and configuring one or both of the following:

1. http authentication-certificate outside
2. aaa authentication http console LOCAL

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:
Bug Id:
CSCut61491
Title:
traceback in filebrowsing
Description:

Symptom:
ASA crashes when the issue occurs

Conditions:
file browsing via cifs

Workaround:
N/A

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCum63039
Title:
Assert in CTM Daemon
Description:

Symptom:
ASA crashes with:
Thread Name: CTM Daemon

Console logs also show:
assertion "0" failed: file "ctm_daemon.c"

Conditions:
- Large number of TLS sessions on the ASA.
- High rate of traffic being sent over the VPN tunnels.

Workaround:
None.

Further Problem Description:
NA.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.12(0.80), 9.1(4.108), 9.3(1.80)
Known Fixed Releases:
100.11(4.1), 100.12(0.83), 100.12(23.2), 100.12(6.26), 100.13(0.9), 100.13(11.15), 100.13(12.26), 100.13(15.10), 100.13(16.8), 100.13(17.4)
Bug Id:
CSCuo78285
Title:
Firewall may crash while clearing the configuration
Description:

Symptom: A firewall may crash and reload when trying to clear a portion or all of the configuration. This most likely manifests during a configuration sync from an Active firewall: the first step of a config sync is to clear the existing local configuration in preparation for the re-sync of policies from the Active firewall. The Standby firewall reloads, attempts to re-sync its configuration from the Active, and crashes again, starting a crash loop on the Standby firewall.

Conditions: In a failover pair this may affect the Standby firewall during config replication, or it may affect the Active firewall if interface configuration is being actively removed. From initial analysis it appears to be related to very large configurations with significant amounts of NAT configured.

Workaround: None at this time.

More Info:


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.11(3.11), 100.11(3.14), 9.1(5.10), 9.2(2)
Known Fixed Releases:
100.10(17.1), 100.10(2.21), 100.10(7.10), 100.11(0.9), 100.11(3.15), 100.11(5.13), 100.11(6.1), 100.8(40.74), 9.1(5.13), 9.2(1.108)
Bug Id:
CSCuq02741
Title:
ASA traceback on clearing FQDN entry used in ACL and object-group-search
Description:

Symptom:
The ASA might traceback and reload if a FQDN (DNS) object is cleared from the ASA's DNS cache, and the command 'object-group-search access-control' is removed from the configuration.

Conditions:
The ASA must be configured with the following features to be susceptible to this problem:
1) An ACL that uses a network object that contains a fqdn entry
2) The command 'object-group-search access-control' must be enabled in the configuration

Workaround:
Disable object-group-search

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1, 9.2
Known Fixed Releases:
Bug Id:
CSCue17876
Title:
Some java applets won't connect via smart tunnel on windows with jre1.7
Description:

Symptom:
When JRE 1.7 is used, Java applets do not pass traffic through smart tunnel on
Windows platforms.

Conditions:
Java applets, JRE 1.7, Windows platforms; other conditions unknown.

Workaround:
Use earlier JREs.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0, 8.4(4.1)
Known Fixed Releases:
100.7(13.111), 100.7(6.109), 100.8(27.34), 100.8(50.21), 100.9(0.23), 100.9(4.1), 100.9(7.1), 100.9(8.1), 100.9(9.1), 8.4(5.99)
Bug Id:
CSCty59567
Title:
Observing traceback @ ipigrp2_redist_metric_incompatible+88
Description:

Symptom:
ASA may generate traceback when clearing Dynamic Routing configuration and writing to memory
Conditions:
ASA running 8.2.2 and seen in 8.4.3
Problem occurs in the following situation:
- EIGRP process configured to redistribute routes from another routing protocol (OSPF, RIP)
- Other routing protocol is removed via "clear config router xyz"
- User deletes redistributed route via "no redistribute xyz ..."
- User attempts to write or show running configuration
Workaround:
Change the order of operations to issue the "no redistribute xyz..." command for EIGRP before removing the routing protocol.
- router eigrp nnn
- no redistribute xyz ...
- clear config router xyz

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(2), 8.4(3), 8.4(3.9)
Known Fixed Releases:
100.9(0.23), 100.9(4.1), 100.9(7.1), 100.9(8.1), 100.9(9.1), 8.2(5.39), 8.4(5.6), 8.7(1.4), 9.0(2.100), 9.0(2.3)
Bug Id:
CSCuf85524
Title:
Traceback when NULL pointer was passed to the l2p function
Description:

Symptom:
A crash occurs and the console at the time of the crash should say:

" Panic: DATAPATH-0-2764 - _mempool_dma_l2p: Invalid laddr 0x21a0 passed in. DMA pool 0 starts 0x___________ ends 0x_________ DMA pool 1 starts 0x__________ ends 0x__________ "
Conditions:
Establishing AnyConnect DTLS connections. Crash occurs after ~1000.
Workaround:
There are no workarounds.
More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.9(0.34), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(6.117), 100.8(27.83), 100.8(38.13), 100.8(40.3), 100.8(41.1), 100.8(60.7), 100.9(0.41), 100.9(6.17), 100.9(7.20)
Bug Id:
CSCuh44815
Title:
ASA Digital Certificate HTTP Authentication Bypass Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN
Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 10/8.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5511 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(4), 9.0(2.101), 9.1(1.2), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(13.115), 100.7(6.120), 100.8(27.85), 100.8(38.24), 100.8(40.13), 100.8(41.2), 100.8(60.31), 100.9(0.54), 100.9(10.2)
Bug Id:
CSCum70258
Title:
ASA crashes w/ syslog 702307 & syslogs sent over ipsec conn w/ load
Description:

Symptom:
ASA5585-SSP-20 running 9.1.4.1 or 8.4.7.9 crashes multiple times with Thread Name: DATAPATH

Conditions:
The ASA is configured to terminate VPN tunnels. Logging is enabled and syslog messages are sent through the tunnel.

Workaround:
In our testing we have found that disabling syslog ID 702307 prevents the issue from occurring. You can disable this log with the command 'no logging message 702307'.

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(7.9), 9.1(4.1)
Known Fixed Releases:
100.10(9.6), 100.8(38.124), 100.8(40.63), 100.8(56.31), 100.8(63.2), 100.8(64.5), 100.8(65.4), 100.8(66.5), 9.1(5.100), 9.2(0.99)
Bug Id:
CSCub80728
Title:
ASA Traceback in Thread Name: DATAPATH. Crash in Threat detection function
Description:

Symptom:
ASA Traceback in threadname: DATAPATH. Crash in threat_detection function

Conditions:
Random crash. No changes were done.

Workaround:
None

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
Bug Id:
CSCsm55947
Title:
Failover interface is not listed in "ifTable" MIB
Description:

Symptom:
The failover interface is missing from the snmpwalk of the ifTable.

Conditions:
Failover and SNMP are configured on the firewall.

Workaround:
None


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
7.2(1), 7.2(3.12), 7.2(4), 8.0(2)
Known Fixed Releases:
7.0(8.4), 7.1(2.79), 7.2(4.1), 8.0(103.9), 8.0(3.11), 8.1(1.2)
Bug Id:
CSCum77083
Title:
traceback in Thread Name: IKEv2 Daemon
Description:

Symptom:
ASA reloads with Thread Name: IKEv2 Daemon

Conditions:
ASA running 9.1 or later code and configured to terminate IKEv2 connections.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(38.104)
Known Fixed Releases:
100.10(9.5), 100.11(4.1), 100.8(38.114), 100.8(40.60), 100.8(56.20), 100.8(62.2), 100.8(64.1), 100.8(65.3), 100.8(66.3), 100.8(67.1)
Bug Id:
CSCty67816
Title:
Traceback in DATAPATH Thread Due to Page Fault: Address Not Mapped
Description:

Symptom:
Under certain rare circumstances, the ASA may traceback in the Datapath thread.

Conditions:
This is caused by a condition in which a connection stored in memory is not properly cleaned up. The incorrectly freed memory causes a traceback, which makes the ASA reload.

Workaround:
There are no known workarounds except for upgrading to a fixed version of code.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0.92)
Known Fixed Releases:
100.8(0.129), 100.8(11.20), 100.8(27.7), 100.8(33.4), 100.8(34.1), 100.9(0.1), 100.9(2.1), 9.0(0.99), 9.0(1), 9.1(1)
Bug Id:
CSCtx52081
Title:
Deadlock/Traceback in CTM Message Handler
Description:

Symptom:
A deadlock or traceback may be encountered in the CTM Message Handler

Conditions:
Large amount of IPSec based traffic when a crypto reset occurs. The crypto reset may occur due to a hardware crypto error, or via certain CLI commands. The deadlock/traceback will not necessarily occur every time as this issue is a race condition.

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0.52), 8.4(5.7)
Known Fixed Releases:
100.7(6.115), 100.8(0.59), 100.8(11.9), 100.8(14.6), 100.8(24.30), 100.8(30.4), 100.8(32.3), 100.9(0.1), 8.4(5.102), 8.4(5.8)
Bug Id:
CSCub66513
Title:
Spyker "show environment" hang for top slot in a Spyker dual fw setup
Description:

Symptom:
CLI sessions may hang on running "show environment" command. Home page of ASDM may display "lost connection to firewall".

Conditions:
First seen on ASA 5585 with 2 firewall slots running 8.4(4)9.

Workaround:
Reload the ASA.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(6), 8.4(4.9)
Known Fixed Releases:
100.7(6.102), 100.8(27.63), 100.8(50.28), 100.9(0.31), 100.9(4.1), 100.9(6.3), 100.9(7.6), 100.9(8.1), 100.9(9.1), 8.4(4.99)
Bug Id:
CSCuh69992
Title:
8.4(6)4: assertion "mah->mah_magic == MALLOC_ALIGNED_MAGIC" failed:
Description:

Symptom:
The ASA fails with the assertion "mah->mah_magic == MALLOC_ALIGNED_MAGIC" failed:

Conditions:
The exact conditions are unknown, but this problem seems to occur after disconnecting/reconnecting IKEv1 clients on a busy ASA.

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(6), 8.4(6.4)
Known Fixed Releases:
100.10(0.6), 100.7(6.120), 100.8(27.84), 100.8(38.22), 100.8(40.11), 100.8(41.2), 100.8(60.27), 100.9(0.54), 100.9(10.1), 100.9(6.29)
Bug Id:
CSCuj66766
Title:
TFTP Request for Unprovisioned Phone/Config Creates Race in sec_db
Description:

Symptom:
Due to a design limitation of the phone proxy feature of the Cisco Adaptive Security Appliance (ASA), it is possible for a race condition to
occur for entries in the phone proxy connection database. This could allow a malicious user to pass traffic from an untrusted phone through the ASA.

Conditions:
ASA configured for the phone proxy feature.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:C
CVE ID CVE-2014-0739 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0739

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:
Bug Id:
CSCuf68858
Title:
ASA: Page fault traceback in dbgtrace when running debug in SSH session
Description:

Symptom:

When running debugs from 2 different SSH sessions, the ASA may generate a traceback and reload in the dbgtrace thread when one of the SSH sessions closes.

Conditions:

This issue occurs when 2 SSH sessions have enabled debugs and one session disconnects while the debug is still running.

Workaround:

Disable debugs with the 'undebug all' command before closing the SSH session.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(5), 8.4(5.7)
Known Fixed Releases:
100.10(0.6), 100.7(6.117), 100.8(27.83), 100.8(40.3), 100.8(41.1), 100.8(60.7), 100.9(0.41), 100.9(6.17), 100.9(7.20), 8.4(6.1)
Bug Id:
CSCui63073
Title:
5580-20 crashes while running aggressive ipv4 webvpn tput/cap test.
Description:

Symptom:
The 5580-20 crashes when running the ASA 9.0.3 image under a very aggressive webvpn ipv4 tput/cap test.

Conditions:
This is the usual tput/cap test with a 40/sec session bring-up rate. This is 4 times faster than the normal 10/sec session bring-up rate.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.0(2), 9.0(3)
Known Fixed Releases:
100.10(0.13), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(27.94), 100.8(38.33), 100.8(41.2), 100.8(45.2), 100.8(46.1), 100.8(49.1)
Bug Id:
CSCuf27302
Title:
Radius Authorization fails with L2TP and eap-proxy
Description:

Symptom:
Radius Authorization request contains EAP-Message and Message-Authenticator attributes; however, those attributes are only used for authentication.

Depending on the AAA server implementation, this may cause all authorizations to be rejected (if server responds with Access-Reject), or all connections to be rejected (if server drops offending request).

Conditions:
L2TP with eap-proxy configured.
Radius server set as authorization server.

Workaround:
Do not use radius server as authorization server. EAP-proxy requires a Radius server to be used for authentication, so in most cases attributes can be obtained from the authentication server, and the authorization server isn't required.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0.216), 100.9(4.2), 8.4(4.1), 8.4(5), 9.0(1), 9.1(2)
Known Fixed Releases:
100.7(13.111), 100.7(6.114), 100.8(27.63), 100.8(60.3), 100.9(0.37), 100.9(4.5), 100.9(6.12), 100.9(7.9), 8.4(5.99), 8.4(6)
Bug Id:
CSCtz79578
Title:
Port-Channel Flaps at low traffic rate with single flow traffic
Description:

Symptom:
Port-Channel flaps continuously.

Conditions:
Observed on ASA 5585-SSP-60 under performance testing for single-flow traffic.

Workaround:
Change the channel-group mode to ON.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-2485 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
100.7(13.108), 100.7(6.104), 100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.6), 100.9(0.12), 100.9(4.1), 8.4(5.240)
Bug Id:
CSCuh61321
Title:
AC 3.1:ASA incorrectly handles alternate DTLS port,causes reconnect
Description:

Symptom:
ASA does not respond to DTLS requests when an alternative DTLS port is configured with the `dtls port ` command in the config-webvpn submode. So, a DTLS tunnel is not built. Therefore, anyconnect will reconnect after one minute.

Conditions:
ASA 9.0.2 and newer
Anyconnect 3.x
Alternate DTLS port configured

Workaround:
Temporary workaround:

1. Disable webvpn on the interface of the ASA.
2. Configure the non-default DTLS port
3. Enable webvpn back on the interface.

If you follow the steps above, the issue will come back once the ASA is reloaded.

A more permanent workaround would be to use the default DTLS port (443).

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.0(2)
Known Fixed Releases:
100.10(0.50), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.79), 100.8(40.50), 100.8(46.53), 100.8(51.13), 100.8(56.1), 100.8(56.10)
Bug Id:
CSCub14196
Title:
FIFO queue oversubscription drops packets to free RX Rings
Description:

Symptom:
When the ASA sees a certain traffic profile that oversubscribes a single RX Ring, this puts back pressure on the FIFO queue. When the FIFO
queue is full, traffic destined to RX Rings that still have capacity can be dropped. This creates a scenario in which exhaustion of a single RX Ring can cause
device-wide traffic failure.

Conditions:
For the 5585 series of ASA, oversubscription on the Internal-Data0/0 or Internal-Data0/1 interfaces can cause this situation.

Workaround:
The workaround is to rate limit the oversubscription traffic before it arrives on the ASA.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(4.1)
Known Fixed Releases:
100.7(13.96), 100.7(6.92), 100.8(0.228), 100.8(0.240), 100.8(11.35), 100.8(11.40), 100.8(27.19), 100.8(27.20), 100.8(33.19), 100.8(33.24)
Bug Id:
CSCtu16815
Title:
ASA runs low/out on memory after continuous SSL VPN use
Description:

Symptom:
"show blocks" output was like this:
stbu-sjc-vpn# sh blocks
SIZE MAX LOW CNT
0 1450 1427 1450
4 900 898 899
80 5000 4987 5000
256 4864 4828 4858
1550 21374 21331 21371
2048 6100 0 0
2560 7320 7319 7320
4096 100 97 100
8192 100 98 99
9344 100 99 100
16384 210 209 210
65536 16 16 16

The syslog message:

"System is low on free memory blocks of size 2048 (0 CNT out of
6358 MAX) "

Conditions:
ASA 8.4.2 stops accepting new SSL VPN connections.

Workaround:
none

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.7(14.11)
Known Fixed Releases:
100.7(13.43), 100.7(13.65), 100.7(14.37), 100.7(17.7), 100.7(18.4), 100.7(18.9), 100.7(19.8), 100.7(6.52), 100.7(6.62), 8.4(2.102)
Bug Id:
CSCuc14520
Title:
Doc: ASA 8.4 command reference needs to add safari proxy support info
Description:

Symptom:
This is a doc bug to add information about our support for Safari proxy settings on Macs.

Conditions:
n/a

Workaround:
n/a

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.3, 8.4
Known Fixed Releases:
Bug Id:
CSCuc65775
Title:
ASA CIFS UNC Input Validation Issue
Description:

Symptoms:
The Cisco Adaptive Security Appliance (ASA) is susceptible to an input validation issue which can result in a crash of the ASA.

Conditions:
ASA running an affected release of software.

Workaround:
None.

Further Problem Description:
The potential for the issue to occur is present when a user authenticated through WebVPN attempts to access a shared directory using the browse
network interface.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2012-6395 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4
Known Fixed Releases:
100.7(13.111), 100.7(6.109), 100.8(27.63), 100.8(50.32), 100.9(0.33), 100.9(4.2), 100.9(6.4), 100.9(7.9), 100.9(8.1), 8.2(5.43)
Bug Id:
CSCub50435
Title:
Proxy ARP Generated for Identity NAT Configuration in Transparent Mode
Description:

Symptom:

Adaptive Security Appliance (ASA) and ASA Services Module (ASASM) operating in transparent mode may proxy ARP for mapped addresses that are referenced in identity NAT configurations such as these:

object network INSIDE
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) static INSIDE

or

object network INSIDE
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static INSIDE INSIDE

As a result, incoming traffic from the mapped to the real interface may be blackholed until ARP packets are initiated from the protected host on the real interface.

Conditions:

Running 8.4 and later software with identity NAT configured in transparent firewall mode.

Workaround:

Use Twice NAT with the no-proxy-arp option:

object network INSIDE
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static INSIDE INSIDE no-proxy-arp

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(3), 9.0(0.100)
Known Fixed Releases:
100.10(0.6), 100.7(6.117), 100.8(27.83), 100.8(38.13), 100.8(40.4), 100.8(41.2), 100.8(60.7), 100.9(0.42), 100.9(6.17), 100.9(7.21)
Bug Id:
CSCuh25271
Title:
Upgrade fails w/ msg "No Cfg structure found in downloaded image file."
Description:

Symptom:
Upgrade fails with error message "No Cfg structure found in downloaded image file."

Conditions:
Upgrade from version without fix for CSCua99091 (e.g. 9.1.1) to image with fix for CSCud21312 (e.g. 9.1.2.2).

Workaround:
If the customer is running an image without the fix for CSCua99091 (e.g. 8.4.4, 9.1.1), then the customer needs to do an intermediate upgrade to a version that includes the fix for CSCua99091 (e.g. 8.4.6, 9.1.2) and then upgrade to the desired image (e.g. 9.1.2.2).

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(0), 8.4(0.1), 8.5(1), 8.6(0), 9.0(1), 9.1(1), 9.1(1.1), 9.1(2.1)
Known Fixed Releases:
Bug Id:
CSCts62187
Title:
Safari Browser crashes when accessing SmartTunnel link in Mac OS 10.7
Description:

Symptom:
Safari Browser crashes when accessing a SmartTunnel link on Mac OS 10.7.

Conditions:

Environment:
Safari 5.1(7534.48.3)
MAC OS Version 10.7 (11A2063)
ASA Version : 100.8.15.3
ASDM Version : 6.7.0.63


Steps to Reproduce:
1. Configure SmartTunnel Access to Any HTTP server or any Enterprise APP.
2. Login to the portal and start smarttunnel.
3. Access the created link.
4. After trusting the Certs you will see the below error.

"Safari Web Content Quit Unexpectedly While Using the 'narwhal.dylib' plug-in."

Workaround:

N/A

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0), 100.8(15.3), 8.4(3)
Known Fixed Releases:
100.7(13.56), 100.7(14.50), 100.7(18.9), 100.7(19.8), 100.7(6.62), 100.8(0.58), 100.8(0.60), 100.8(11.8), 100.8(11.9), 100.8(14.5)
Bug Id:
CSCtu07405
Title:
traceback on ASA with fn_EZVPN_sua script
Description:

Symptom:

Traceback on ASA

Conditions:

ASA object groups using both ipv4 and ipv6 ACLs with 'any' keyword for both ipv4 and ipv6 which prevents different hashes from being created.

Workaround:

Fixed in 9.x code.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(16.3), 100.8(2.24)
Known Fixed Releases:
Bug Id:
CSCum96401
Title:
Cisco ASA IKEv2 Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3384 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1(4.3)
Known Fixed Releases:
100.10(9.6), 100.7(6.129), 100.8(38.117), 100.8(40.61), 100.8(56.21), 100.8(62.2), 100.8(64.3), 100.8(65.3), 100.8(66.4), 100.8(67.1)
Bug Id:
CSCuc15670
Title:
Twice nat with destination any any does not work for dhcp traffic
Description:

Symptom:
DHCP traffic is affected when a 'destination any any' rule is configured.


Conditions:
With a configuration such as the one shown below:
nat (outside,dmz) source dynamic sub_any interface destination static sub_any sub_any
clients on the outside do not receive an IP address from the DHCP server.


Workaround:
Do not use the 'destination any any' in the source nat rule.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(4.8), 9.0(0.108)
Known Fixed Releases:
100.7(6.101), 100.8(0.240), 100.8(11.40), 100.8(27.20), 100.8(33.25), 100.8(34.1), 100.8(37.15), 100.8(38.1), 100.8(39.1), 100.9(0.6)
Bug Id:
CSCup81146
Title:
jumbo frame enabled will cause ASA5585-20 in boot loop from 9.3.0.101
Description:

Symptom:
jumbo frame enabled will cause ASA5585-20 in boot loop from 9.2.1

Conditions:
ASA5585-20 with jumbo frame support enabled and reload the ASA.

Workaround:
Disable the jumbo frame support

Further Problem Description:
N/A

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.3(0.102)
Known Fixed Releases:
100.11(0.38), 100.11(0.39), 100.11(5.47), 100.11(5.48), 100.11(6.10), 100.12(0.20), 100.12(0.22), 100.12(1.15), 100.12(1.24), 100.12(10.7)
Bug Id:
CSCtb17498
Title:
ASA traceback in 'Thread Name: ssh' when working with captures
Description:

Symptom:

ASA traceback in 'Thread Name: ssh' when working with captures

Conditions:

Captures configured on ASA.

Workaround:

None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.4(0.29), 100.4(0.33), 8.1(2.39), 8.1(2.40), 8.2(2.1), 8.2(4), 8.3(0.14), 8.3(0.20)
Bug Id:
CSCub53088
Title:
Arsenal:twice NAT with service type ftp not working.
Description:

Symptom:
With many-to-few static PAT, the first FTP data transfer is successful and the second one fails, but after 30 seconds it works again.

Conditions:
When the first data transfer ('ls' or any other data command) is done, the ASA tries to augment the static policy. When a new data request comes, the PAT xlate cannot match because the ports are different, so the ASA again tries to augment the parent policy, which yields the same address. Because it is a NAT pool, the address cannot be given back while it is in use, so the pool allocation fails.

Workaround:
Configure 1:1 static NAT instead of many-to-few.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0.208), 9.0(1), 9.2(1)
Known Fixed Releases:
100.11(0.47), 100.12(0.48), 100.12(6.7), 100.13(0.3), 100.13(11.2), 100.13(12.3), 100.13(13.1), 100.13(14.2), 100.13(15.1), 100.13(16.1)
Bug Id:
CSCul22215
Title:
Traceback when using IDFW ACLs with VPN crypto maps
Description:

Symptom:
ASA crashes

Conditions:
ACLs used by crypto map contain IDFW options (e.g., user, user-group, object-group-user).

Workaround:
Don't use ACLs that contain IDFW options with crypto maps.

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(40.43), 9.0(3.8), 9.1(2)
Known Fixed Releases:
100.10(0.56), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.85), 100.8(40.55), 100.8(51.16), 100.8(56.1), 100.8(56.10), 100.9(10.21)
Bug Id:
CSCun10916
Title:
Cisco ASA SCH Digital Certificate Validation Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.0/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2014-3394 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.10(9.6), 100.11(2.1), 100.11(4.1), 100.7(6.130), 100.8(38.126), 100.8(40.63), 100.8(56.31), 100.8(63.2), 100.8(64.5), 100.8(65.4)
Bug Id:
CSCtr71372
Title:
ASA5585-SSP-20 crashing on bootup with asa100810-20-smp-k8.bin
Description:

Symptom:
ASA may crash in Thread Name: Init Thread
Abort: Assert failure
Unit may go into a boot loop

Conditions:
This was first identified on an ASA5585 running 8.4.3.

Workaround:
Downgrade to 8.2.4 if possible.


Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0), 100.8(10.20)
Known Fixed Releases:
Bug Id:
CSCty47007
Title:
CSC: Secondary goes to pseudo standby state when failover is enabled
Description:

Symptom:
When failover is enabled, the secondary goes to pseudo standby state.

Conditions:
service module (CSC SSM 6.6.1125.0 or later) is used on ASA.

Workaround:
None

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0.81)
Known Fixed Releases:
100.7(13.71), 100.7(21.5), 100.7(6.75), 100.8(0.116), 100.8(11.18), 100.8(27.2), 100.8(33.2), 100.8(34.1), 100.8(36.1), 100.9(0.1)
Bug Id:
CSCus92650
Title:
Webvpn portal stops working with no data received/connection reset error
Description:

Symptom:
After a variable period of normal operation, the WebVPN service presents a "no data received / connection reset" error, and no new clientless SSL VPN session can be opened.

Conditions:
Free memory reaching around 33%.

Workaround:
Reloading the ASA restores the service.

Further Problem Description:
ASA 5540 running as a WebVPN/AnyConnect gateway with software version 8.4.7.23.
When free memory reaches around 33%, users start seeing problems with the portal and AnyConnect. If you try to access the portal using the browser you get the following error:

No data received.
Connection reset.

No SSL errors at the ASA.
No logged memory error.

I have noticed with Wireshark, the second time we had the issue, that we open the TCP connection, we negotiate SSL, we send the first packet carrying application data and then we get a FIN packet for the connection from the ASA.

Status:
Open
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(7.23)
Known Fixed Releases:
Bug Id:
CSCul84302
Title:
ASA may crash when trying to release a lock on a VPN tunnel
Description:

Symptom:
An ASA may crash and reload due to a race condition when processing VPN traffic. The crash appears to occur under high VPN load.

Conditions:

Workaround:

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
Bug Id:
CSCuj62146
Title:
RU : Traceback on Thread Name : Cluster show config
Description:

Symptom:
ASA devices in a cluster may reload when issuing the command "cluster show config"

Conditions:
This is a rare corner case issue and primarily affects the Master.

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(40.27), 100.8(46.3), 9.0, 9.1(3.101)
Known Fixed Releases:
100.10(0.36), 100.10(1.21), 100.10(2.2), 100.10(3.1), 100.10(9.1), 100.8(38.63), 100.8(40.40), 100.8(45.8), 100.8(46.28), 100.8(51.5)
Bug Id:
CSCum16088
Title:
ASA 1000V PNSC mode: DisassociateConfigPA, unassigning ASA stuck at 22%
Description:



Symptom:
ASA 1000V is disassociating from PNSC and is stuck in this state indefinitely

Conditions:
ASA 1000V is manually instantiated via vcenter, and being unassigned from PNSC

Workaround:
Reboot ASA that is stuck in disassociation state

Further Problem Description:




Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.7(1.8)
Known Fixed Releases:
Bug Id:
CSCuh21682
Title:
ASA traceback with less PAT with huge traffic
Description:

Symptom:
ASA crashes

Conditions:
Configure a small number of dynamic PAT addresses and send enough traffic to open more connections than those PAT addresses can handle.

Workaround:
None.

Increasing the number of PAT addresses only alleviates the problem; it does not remove the race.

Further Problem Description:
The pat_range bit array is used to track port allocation for dynamic PAT. This bit array was modified without acquiring a lock in a few places. When multiple cores modified it at the same instant under heavy load, the bit array became corrupted. Once corrupted, a search for a free port within the bit array took a significant amount of time, leading to the crash.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.0(2.9), 9.1(2.1)
Known Fixed Releases:
100.10(0.23), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.124), 100.8(38.47), 100.8(40.31), 100.8(45.5), 100.8(46.11), 100.8(51.1)
Bug Id:
CSCup98176
Title:
Jumbo frames are not supported on the ASA558560 due to wrong bigphys size
Description:

Symptom:
Jumbo frames are not supported on the ASA558560 due to a wrong bigphys size.

Conditions:
Enable jumbo frame support for the ASA platforms.

Workaround:
Do

no jumbo-frame reservation
jumbo-frame reservation
write memory
reload no confirm

Further Problem Description:
N/A

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1(5.16), 9.3(0.104)
Known Fixed Releases:
100.11(0.41), 100.11(5.51), 100.11(6.15), 100.12(0.28), 100.12(10.15), 100.12(15.10), 100.12(21.1), 100.12(6.1), 100.12(9.7), 100.8(40.91)
Bug Id:
CSCtt96526
Title:
SharePoint2010:Cannot create new document
Description:

Symptom:
Cannot create a new Word document in SharePoint 2010 on Windows 7 through WebVPN.
Conditions:
Pressing the 'New document' button on the ribbon panel of SharePoint 2010.
Workaround:
None for Windows 7, other than creating the document locally and uploading it to the server.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8, 100.8(15.8), 8.4(2), 8.4(3), 8.6(1.2)
Known Fixed Releases:
100.7(13.57), 100.7(13.61), 100.7(18.10), 100.7(18.13), 100.7(19.7), 100.7(19.8), 100.7(6.63), 100.7(6.65), 100.8(0.50), 100.8(0.55)
Bug Id:
CSCuh45559
Title:
ASA: Page fault traceback when changing ASP drop capture buffer size
Description:

Symptom:
When changing the buffer size on an ASP drop capture that has been stopped, the ASA may generate a traceback and reload.

Conditions:
This issue only occurs on stopped ASP drop captures. Captures that are actively running are not affected. Interface captures are also not affected.

Workaround:
Resume all captures before changing the buffer size. For example:

ciscoasa# show capture
capture drop type asp-drop [Capturing - 259 bytes]
ciscoasa# capture drop type asp-drop all
ciscoasa# capture drop buffer 1000000
capture drop type asp-drop all buffer 1000000 [Capturing - 1521 bytes]

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(6.3), 9.1(1)
Known Fixed Releases:
100.10(0.6), 100.7(6.120), 100.8(27.84), 100.8(38.23), 100.8(40.12), 100.8(41.2), 100.8(60.29), 100.9(0.54), 100.9(10.1), 100.9(6.29)
Bug Id:
CSCug34469
Title:
ASA OSPF LSA Injection Vulnerability
Description:

Summary
Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.

The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.

To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.

OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130801-lsaospf

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.8/5.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:P/E:H/RL:U/RC:C
CVE ID CVE-2013-0149 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(13.115), 100.7(6.118), 100.8(38.18), 100.8(40.6), 100.8(41.2), 100.8(46.17), 100.8(60.15), 100.9(0.46), 100.9(10.1)
Bug Id:
CSCtz53586
Title:
ASA: Crash when out of stack memory with call-home configured
Description:

Symptom:
An ASA may generate a traceback and reload when the firewall runs out of memory and Smart Call Home is configured. The traceback generated will contain references to one or more of the following lines:

Thread Name: pix_flash_config_thread
Abort: Assert failure
process_create: out of stack memory
Panic: pix_flash_config_thread
could not create sch_module_thread

Conditions:
This has been seen on all versions of ASA 8.2.5.x software. Other versions may also be affected.

Workaround:
The following workarounds can be used:

1. Reduce the memory utilization or configuration size
or
2. Remove all 'call-home' commands from the configuration

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.2(5.28)
Known Fixed Releases:
100.11(0.37), 100.11(5.46), 100.11(6.9), 100.12(0.19), 100.12(1.14), 100.12(10.5), 100.12(12.4), 100.12(13.11), 100.12(15.4), 100.12(16.10)
Bug Id:
CSCuo68855
Title:
BGP:router bgp missing in system context if admin is in transparent mode
Description:

On a multiple-context ASA, if the admin context is configured in transparent mode, the system execution space does not allow a BGP process to be created.

Symptom:
Router BGP command missing in system context.

Conditions:
If Admin context is configured in Transparent mode.

Workaround:
Configure admin context in routed mode

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(56.67)
Known Fixed Releases:
100.10(2.25), 100.10(7.13), 100.11(0.11), 100.11(3.15), 100.11(5.17), 100.11(6.1), 100.12(18.1), 9.2(2.100), 9.3(0.99), 9.3(1)
Bug Id:
CSCuh10076
Title:
Some interface TLVs are not sent in a bridge group in trans mode ASA
Description:

Symptom:
After adding IP addresses to a transparent context of an ASA, some to-the-box management features fail to use the new IP address. For example, the ASA may not allow SSH or other management connections to a transparent context if the IP address associated with the BVI interface was removed or not present while the ssh/telnet/http commands were present in the configuration.

Conditions:
This is seen in ASA release 9.1.2 in transparent mode, as well as in other builds.

Workaround:
If you are unable to manage the device using these IP addresses, simply remove and re-apply the ssh, telnet, or http commands as needed.

Further Problem Description:
You can verify that you are hitting this issue by checking the output of 'show asp table socket' on the affected firewall or context. If the firewall is configured for SSH management you should see a LISTEN line for TCP port 22 (':22'), and the Local Address should be the address of the BVI for the firewall/context. In the output below the Local Address is empty, which is the failing state:

ASA# show asp table socket
Protocol Socket State Local Address Foreign Address
TCP 0000b5f8 LISTEN :22 0.0.0.0:*

Telnet should show as ':23' and ASDM/HTTP should register as port 443 by default.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(60.11), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.10(0.9), 100.10(1.10), 100.8(27.84), 100.8(27.89), 100.8(38.22), 100.8(38.30), 100.8(40.11), 100.8(40.20), 100.8(41.2)
Bug Id:
CSCuc24547
Title:
TCP ts_val for an ACK packet sent by ASA for OOO packets is incorrect
Description:

Symptom:
When the ASA firewall proxies a TCP connection, it may create an invalid ACK packet in response to packet loss. The ACK has invalid TCP timestamp values resulting in the ACK being dropped.

Conditions:
This was seen with traffic being inspected and normalized by the ASA. Please refer to the bug details for fixed version information.

Workaround:
Disable the inspection that is running on the affected traffic flow. You may need to exclude this traffic from being inspected by the IPS/CX module in order to prevent this traffic from being normalized or proxied.

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0.237), 8.4(4.1)
Known Fixed Releases:
100.7(13.107), 100.7(6.104), 100.8(0.244), 100.8(11.48), 100.8(11.49), 100.8(27.20), 100.8(27.25), 100.8(33.28), 100.8(34.1), 100.8(38.3)
Bug Id:
CSCtu30581
Title:
ASA 5580 traceback when CSM attempts deployment
Description:

Symptom:
ASA 5580 crashes when CSM attempts deployment.

SSLVPN/CSD is not enabled on the ASA firewall, however, when CSM (Cisco Security Manager) attempts to make a configuration deployment for the ASA (which contains configuration for the Default Group-Policy), the ASA5580 crashes!

CSM version is 4.1 and the ASA is a 5580 on 8.4.2(11).
Attached is the traceback information I could collect from the console of the firewall during the crash.
Conditions:
Seen only when there is a functional interaction between CSM and the ASA 5580 firewall.

Workaround:
None.

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(2.11)
Known Fixed Releases:
100.7(13.46), 100.7(14.40), 100.7(17.10), 100.7(18.4), 100.7(6.53), 100.8(0.43), 100.8(11.4), 100.8(14.2), 100.8(15.17), 100.8(19.40)
Bug Id:
CSCts13848
Title:
ASA may traceback in dns_process
Description:

Symptom:
Cisco ASA may crash in dns_process

Conditions:
The crash is due to improper handling of DNS queries generated by the ASA. The condition for the crash is to have a DNS server configured on the ASA, for example:

dns server-group DefaultDNS
domain xxx

and the ASA triggering a DNS resolution request to the server.

Workaround:
Removing the DNS server command can workaround this issue
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2011-4651 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8, 8.4(2.10), 8.4(2.7), 8.4(2.8)
Known Fixed Releases:
100.7(13.37), 100.7(14.26), 100.7(17.5), 100.7(18.3), 100.7(6.44), 100.8(0.30), 100.8(0.31), 100.8(0.36), 100.8(0.46), 100.8(0.54)
Bug Id:
CSCtz28671
Title:
ASA crash in Thread Name: IKEv2 Daemon
Description:

Symptom:
ASA crash in Thread Name: IKEv2 Daemon

Conditions:
ASA running IKEv2 IPsec VPN

Workaround:
No workaround

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0.108), 100.8(0.116)
Known Fixed Releases:
100.8(0.127), 100.8(11.20), 100.8(27.7), 100.8(33.4), 100.8(34.1), 100.9(0.1), 100.9(2.1), 9.0(0.99), 9.0(1), 9.1(1)
Bug Id:
CSCuc36831
Title:
Traceback when removing group-policy
Description:

Symptom:
The ASA will crash and reboot when removing a group-policy if the parameter 'attributes' is specified.
The standby ASA might be the only one of a failover pair to crash and reboot.

Conditions:
This condition occurs when the command 'no group-policy attributes' is executed.

Workaround:
To avoid this crash, a group-policy can be removed by simply using the command 'clear config group-policy '.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(4.8), 9.0(0.123), 9.0(0.16)
Known Fixed Releases:
100.7(13.103), 100.7(6.104), 100.8(0.240), 100.8(11.40), 100.8(27.20), 100.8(33.25), 100.8(34.1), 100.8(37.16), 100.8(38.1), 100.8(39.1)
Bug Id:
CSCua98219
Title:
Traceback in ci/console during context creation - ssl configuration
Description:

Symptom:
Traceback occurs while trying to create a new context in multi-context mode.
If the ssl certificate-authentication configuration is present on any one of the contexts and the device is reloaded, the traceback is seen again.
Conditions:
Cisco ASA running release 8.4.5 in multi-context mode where one of the contexts has the ssl certificate-authentication command configured.
Workaround:
Remove the ssl certificate-authentication from all contexts.
More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0.200), 8.4(5.7)
Known Fixed Releases:
100.10(0.6), 100.7(6.118), 100.8(0.206), 100.8(11.32), 100.8(27.19), 100.8(27.83), 100.8(33.16), 100.8(34.1), 100.8(35.3), 100.8(36.1)
Bug Id:
CSCud20887
Title:
ASA reloads after issuing "show inventory" command
Description:

Symptom:

An Adaptive Security Appliance (ASA) 5505 or ASA Services Module (ASASM) reloads unexpectedly when issuing the show inventory command.

Conditions:

ASA5505 or ASASM running 8.6(1.5) and later, 9.0(1.1) and later, or 9.1(1.1) and later software.

Workaround:

None.

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(11.46), 9.0(1.113)
Known Fixed Releases:
100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.3), 100.9(0.11), 9.0(1.114), 9.0(2), 9.1(1.8), 9.2(0.99)
Bug Id:
CSCuj45332
Title:
ASA IDFW Susceptible to RADIUS CoA Replay Vulnerability
Description:

Symptom:
The Identity Firewall (IDFW) feature of the Cisco Adaptive Security Appliance (ASA) is susceptible to replayed RADIUS Change of Authorization (CoA) messages. This issue is due to insufficient input validation of received CoA messages.

Conditions:
Installation of an affected release of ASA software with IDFW configured.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C
CVE ID CVE-2014-0655 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0655

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.0(2)
Known Fixed Releases:
100.10(0.76), 100.10(2.7), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.11(2.1), 100.11(4.1), 100.7(6.129), 100.7(6.130), 100.8(38.111)
Bug Id:
CSCtt51614
Title:
ASA Multicontext: Traceback in Datapath while deleting a context
Description:

Symptom:

ASA Traceback when deleting an existing context.

Conditions:

Deleting an existing context with "no context " command

Workaround:
N/A

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(16.2)
Known Fixed Releases:
100.8(0.52), 100.8(11.6), 100.8(14.4), 100.8(15.22), 100.8(16.3), 100.8(19.63), 100.8(24.26), 100.8(30.2), 100.8(31.2), 100.8(32.1)
Bug Id:
CSCtr93804
Title:
DCERPC inspection for RCI message type broken
Description:

Symptoms:
DCERPC message type RCI may not pass through the Cisco ASA firewall.
Conditions:
ASA firewall doing DCERPC inspection.
Workaround:
None at this time.
Further Problem Description:
This defect is a regression in some versions of 8.4.2 ASA software.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(2.4)
Known Fixed Releases:
100.7(13.27), 100.7(14.14), 100.7(18.1), 100.7(6.44), 100.8(0.21), 100.8(10.29), 100.8(15.5), 100.8(19.4), 100.8(2.10), 100.8(20.1)
Bug Id:
CSCuc83828
Title:
ASA Logging command submits invalid characters as port zero
Description:

Symptom:
-Appending an arbitrary, non-numeric string to the logging command results in port 0.
-The command is accepted and logging is enabled on port 0.

Conditions:
-The logging command is entered with an arbitrary string appended where a port value is expected.

Workaround:
-Avoid configuring logging with a string value; supply a valid numeric port.
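
Below is an added example, written for this page and not Cisco code, of the check a command parser should apply to a port argument, beside a lenient atoi-style conversion that silently turns any non-numeric argument into 0. The lenient conversion is an assumption about the failure class behind the symptom above, not a claim about the ASA source; the sample arguments are constructed.

```python
"""Strict port-argument validation, contrasted with the lenient conversion
that produces 'port 0' from a non-numeric argument.

Added example for this page, not Cisco code. atoi_like() is an assumption
about the failure class (C atoi() semantics), written only to show how a
stray string can silently become port 0; parse_port() is the check a
command parser should apply before accepting the value."""
import re

PORT_MIN, PORT_MAX = 1, 65535


def atoi_like(text: str) -> int:
    """Lenient conversion modelled on C atoi(): leading digits are used,
    anything else yields 0. No error is ever raised, so a command such as
    'logging ... foo' would be accepted with port 0."""
    m = re.match(r"\s*[+-]?\d+", text)
    return int(m.group()) if m else 0


def parse_port(text: str) -> int:
    """Accept only a whole decimal token in 1..65535; reject everything else."""
    token = text.strip()
    if not re.fullmatch(r"\d{1,5}", token):
        raise ValueError(f"port must be 1-5 decimal digits, got {text!r}")
    port = int(token)
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError(f"port {port} outside {PORT_MIN}-{PORT_MAX}")
    return port


def compare(arguments):
    """For each argument return (lenient_result, strict_result_or_error)."""
    out = {}
    for arg in arguments:
        try:
            strict = parse_port(arg)
        except ValueError as exc:
            strict = f"rejected: {exc}"
        out[arg] = (atoi_like(arg), strict)
    return out


# Constructed inputs: valid ports, junk, junk with a numeric prefix, 0, out of range, empty.
SAMPLE_ARGUMENTS = ("514", "1514", "xyz", "514xyz", "0", "70000", "")

if __name__ == "__main__":
    for arg, (lenient, strict) in compare(SAMPLE_ARGUMENTS).items():
        print(f"{arg!r:10} lenient={lenient:<6} strict={strict}")
```

The point of the contrast is that the lenient path never fails: it is the caller's job to notice that 0 is not a usable port, and nothing forces it to. The strict parser refuses anything that is not exactly a decimal number in range, so a mistyped argument becomes a rejected command rather than a silently misconfigured syslog destination.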

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.4(4)
Known Fixed Releases:
100.7(13.107), 100.7(6.104), 100.8(11.46), 100.8(34.1), 100.8(38.3), 100.8(50.2), 100.9(0.6), 8.4(5.2), 8.4(5.99), 8.4(6)
Bug Id:
CSCul41718
Title:
traceback on master VPNLB ASA after switch port failure conditions
Description:

Symptom:
malloc assertion under heavy load with continuous reloading of certificates

Conditions:
load balancing Master crashed after some interface error

Workaround:
Sort the certificates in the ASA's config in the reverse order of

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.0(3.220), 9.1(3.111)
Known Fixed Releases:
100.10(0.46), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.74), 100.8(40.48), 100.8(46.47), 100.8(51.10), 100.9(10.18), 9.0(3.103)
Bug Id:
CSCsv03305
Title:
ASA/PIX: May crash in Thread Name: IP Thread
Description:

Symptom:

ASA/PIX may crash in Thread Name: IP Thread

Conditions:

This was first observed in an ASA failover pair running 8.0.4

Workaround:

None

Further Problem Description:

N/A

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
Bug Id:
CSCub23459
Title:
On upgrade to 8.4(4)3 Twice NAT statements may override routing table
Description:

Symptom:
Starting with version 8.4(4)3, manual NAT entries that do not specify the destination NAT parameters install a divert entry for the destination IP address. This means that they will match a packet even if the ASA's routing table is in conflict with the NAT statement.

Conditions:
Manual NAT entries must be configured on the ASA, and the destination translation must not be configured.

For example:
-----------
In version 8.4(4)2:
-----------
ASA(config)# nat (inside,outside) source static obj-10.10.12.0 obj-10.10.12.0

Behavior: This translation specifies how to translate the source subnet 10.10.12.0/24 when those hosts send packets destined to the outside interface. Traffic sourced from the inside subnet 10.10.12.0/24 and destined to a host on the DMZ interface does not match this (inside,outside) NAT rule and is forwarded to the DMZ interface according to the routing table.

-----------
In version 8.4(4)3 (same configuration as 8.4(4)2):
-----------
ASA(config)# nat (inside,outside) source static obj-10.10.12.0 obj-10.10.12.0

Behavior: Traffic that arrives on the inside interface from the 10.10.12.0/24 network destined to any host (even a host that lives off of the DMZ, DMZ2 or any other interface where a more specific route to the destination IP exists) will match this divert entry and be forwarded to the outside interface. Traffic from this subnet destined to the DMZ interface will fail.

Workaround:
Downgrading to a version prior to 8.4(4)3 will mitigate the problem, since the behavior change was introduced in 8.4(4)3

-----------
For static manual NAT entries:
-----------
nat (inside,outside) source static obj-10.10.12.0 obj-10.10.12.0

Add the 'route-lookup' keyword to the end of the command. This will cause the ASA to check the routing table to confirm that the egress interface of the translation matches the routing table before applying the translation.

nat (inside,outside) source static obj-10.10.12.0 obj-10.10.12.0 route-lookup

-----------
For dynamic manual NAT entries (below we have a dynamic PAT):
-----------
The 'route-lookup' keyword does not exist for manual dynamic NAT. These entries must be converted to auto-NAT (aka object-NAT) statements:

Before:

nat (inside,outside) source dynamic insideSubnet interface

After:
(first, remove the manual dynamic NAT statement)

object network insideSubnet
nat (inside,outside) dynamic interface
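
The following is an added model of the egress decision described in this bug, written for this page and not Cisco code. It reproduces the three cases above (8.4(4)2, 8.4(4)3 without and with 'route-lookup') over a constructed topology: the interface names, the 192.168.50.0/24 DMZ prefix and the sample host addresses are invented, and auto-NAT is represented by the same route-checking path as 'route-lookup'.

```python
"""Route-vs-NAT egress model for the 8.4(4)3 divert-entry change.

Illustrative model written for this page, not Cisco ASA code. It reproduces
the behaviour the bug text describes: a manual NAT rule with no destination
translation starts acting as a divert entry in 8.4(4)3, and the
'route-lookup' keyword makes the routing table win again. Interface names,
prefixes and addresses below are constructed sample data."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    interface: str


@dataclass(frozen=True)
class ManualNat:
    """nat (real_ifc,mapped_ifc) source static <net> <net> [route-lookup]"""
    real_ifc: str
    mapped_ifc: str
    source: Net
    route_lookup: bool = False


def route_egress(routes, dst: IPv4) -> str:
    """Longest-prefix match: the interface the routing table alone would choose."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best.interface


def egress_interface(routes, nat_rules, ingress: str, src: str, dst: str, release: str) -> str:
    """Predict the egress interface for a packet under the modelled release.

    release is "8.4(4)2" (pre-change) or "8.4(4)3" (divert entries installed)."""
    src_ip, dst_ip = IPv4(src), IPv4(dst)
    routed = route_egress(routes, dst_ip)
    for rule in nat_rules:
        if rule.real_ifc != ingress or src_ip not in rule.source:
            continue
        if release == "8.4(4)2":
            # Pre-change: no divert entry. The rule applies only when the
            # routing table already sends the packet out of the mapped interface.
            if routed == rule.mapped_ifc:
                return rule.mapped_ifc
            continue
        # 8.4(4)3 and later: the source match installs a divert entry toward
        # mapped_ifc, overriding the routing table ...
        if rule.route_lookup and routed != rule.mapped_ifc:
            continue  # ... unless 'route-lookup' is set and the routing table disagrees.
        return rule.mapped_ifc
    return routed


# Constructed sample topology: inside 10.10.12.0/24, a DMZ subnet behind 'dmz',
# default route out of 'outside'.
ROUTES = (
    Route(Net("0.0.0.0/0"), "outside"),
    Route(Net("10.10.12.0/24"), "inside"),
    Route(Net("192.168.50.0/24"), "dmz"),
)
# nat (inside,outside) source static obj-10.10.12.0 obj-10.10.12.0
IDENTITY_NAT = ManualNat("inside", "outside", Net("10.10.12.0/24"))
# The same rule with the 'route-lookup' keyword appended.
IDENTITY_NAT_RL = ManualNat("inside", "outside", Net("10.10.12.0/24"), route_lookup=True)


def compare(src="10.10.12.5", dmz_host="192.168.50.10", internet_host="203.0.113.9") -> dict:
    """Egress decisions for inside->DMZ and inside->Internet across the three cases."""
    cases = {
        "8.4(4)2": ([IDENTITY_NAT], "8.4(4)2"),
        "8.4(4)3": ([IDENTITY_NAT], "8.4(4)3"),
        "8.4(4)3 route-lookup": ([IDENTITY_NAT_RL], "8.4(4)3"),
    }
    return {
        name: {
            "to_dmz": egress_interface(ROUTES, rules, "inside", src, dmz_host, rel),
            "to_internet": egress_interface(ROUTES, rules, "inside", src, internet_host, rel),
        }
        for name, (rules, rel) in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:22s} inside->dmz: {result['to_dmz']:8s} inside->internet: {result['to_internet']}")
```

Running it shows the asymmetry the bug describes: Internet-bound traffic leaves via outside in every case, while DMZ-bound traffic is pulled to outside only in the 8.4(4)3 case without 'route-lookup'. When auditing an upgrade to 8.4(4)3 or later, every manual NAT statement that lacks a destination clause and lacks 'route-lookup' is a candidate for exactly this misrouting.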

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(35.3), 8.4(4.3)
Known Fixed Releases:
Bug Id:
CSCtu15722
Title:
Assertion in "timer_services.c", line 149 in XDMCP inspection
Description:

Symptom:
ASA crashes with an assertion in "timer_services.c", line 149.
Conditions:
The issue was found in script testing of XDMCP inspection.
Workaround:
None

Status:
Terminated
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.8(0.34), 100.8(2.24), 8.5(1)
Known Fixed Releases:
Bug Id:
CSCur42998
Title:
traceback @ hash_table_simple.c:192
Description:

Symptom:
ASA reloads with Thread Name: tmatch_compile_thread

Conditions:
ASA running 9.3.1 with heavy SIP inspection traffic.

Workaround:
Disable SIP inspection.

Further Problem Description:
NA

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
100.12(0), 100.13(11.14)
Known Fixed Releases:
100.11(0.54), 100.12(0.94), 100.12(0.97), 100.12(23.4), 100.12(24.2), 100.13(0.10), 100.13(11.17), 100.13(12.36), 100.13(15.20), 100.13(16.16)
Bug Id:
CSCuv21431
Title:
ASA WebVPN traceback on website thieme.de
Description:

Symptom:
ASA may traceback in WebVPN (or recover automatically if WebVPN recovery is configured).

Conditions:
ASA 9.3(3) in failover mode with webvpn enabled.

Workaround:
Downgrade to 9.3(1).

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.3(3.2)
Known Fixed Releases:
Bug Id:
CSCup22532
Title:
Multiple Vulnerabilities in OpenSSL - June 2014
Description:

Symptom:
The following Cisco products

Cisco Adaptive Security Appliance (ASA) Software v8.0 and later, including:
8.0.2 - 8.0.5.39,
8.1.1 - 8.1.2.56,
8.2.1 - 8.2.5.49,
8.3.1 - 8.3.2.40,
8.4.1 - 8.4.7.20,
8.5.1 - 8.5.1.20,
8.6.1 - 8.6.1.13,
8.7.1 - 8.7.1.11,
9.0.1 - 9.0.4.13,
9.1.1 - 9.1.5.7, and
9.2.1

include a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-0195 - DTLS invalid fragment vulnerability
CVE-2014-0224 - SSL/TLS MITM vulnerability

This bug has been opened to address the potential impact on this product.

Cisco has analyzed the following vulnerabilities and concluded that the previously listed products are not impacted:

CVE-2010-5298 - SSL_MODE_RELEASE_BUFFERS session injection or denial of service
CVE-2014-0076 - Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
CVE-2014-0198 - SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-3470 - Anonymous ECDH denial of service

Conditions:
The Cisco Adaptive Security Appliance (ASA) running software v9.2.1 is vulnerable to CVE-2014-0195 - DTLS invalid fragment vulnerability when SSLVPN is enabled and configured to use DTLS. Previous ASA software releases are NOT affected by this vulnerability.

The Cisco Adaptive Security Appliance (ASA) running software v8.0 and later is vulnerable to CVE-2014-0224 - SSL/TLS MITM vulnerability when using the following configurations:

* When SSLVPN is enabled and configured to allow clientless VPN tunnels, OR
* When TLS-proxy is configured (either stand-alone or in conjunction with the phone proxy feature), OR
* When the ASA is configured to join an Active Directory domain using the 'kcd-server' command.

When the ASA is acting as a server (listener) it is not vulnerable. However, since there are no tools available for testing the client side, the ASA must be assumed to be potentially vulnerable when acting as a client. For exploitation the ASA must be acting as a client, connecting to a server with the SSL vulnerability, and the MITM attacker must be on the network path between the ASA and the server.

Note that "WebVPN" and "SSLVPN" are synonymous.

Workaround:
CVE-2014-0195: This vulnerability impacts only DTLS connectivity on 9.2.1 and later.

1. Disable DTLS connectivity to the ASA by changing all of the WebVPN-enabled interfaces to include 'tls-only'.

asa(config)# webvpn
asa(config-webvpn)# enable outside tls-only
INFO: WebVPN is enabled on 'outside', DTLS is disabled on 'outside'.


CVE-2014-0224: This defect impacts SSL connectivity in certain circumstances.

1. Disable SSLVPN clientless connectivity by removing all 'vpn-tunnel-protocol' commands with 'ssl-clientless' from your group-policies.

asa(config)# group-policy my_policy attributes
asa(config-group-policy)# no vpn-tunnel-protocol ssl-clientless
asa(config-group-policy)# show run group-policy
group-policy my_policy internal
group-policy my_policy attributes
vpn-tunnel-protocol ssl-client

2. Disable TLS-proxy by removing any 'tls-proxy' commands and associated 'policy-map' commands. For instance, if you had an incoming and outgoing proxy, like:

tls-proxy my_proxy_out
server trust-point foreign_trust
client trust-point local_trust
client cipher-suite 3des-sha1 null-sha1 aes128-sha1 aes256-sha1 rc4-sha1
!
tls-proxy my_proxy_in
server trust-point local_trust
client trust-point foreign_trust
client ciphe
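
As an added check, not a Cisco tool and not part of the original bug text, the script below audits a 'show running-config' dump for the exposure conditions listed above: DTLS still enabled on a WebVPN interface (relevant to CVE-2014-0195 only on 9.2.1 and later), and any of the three CVE-2014-0224 client-side conditions (a group-policy allowing 'ssl-clientless', a 'tls-proxy', or a 'kcd-server'). The embedded sample configuration is constructed; its interface, group-policy, trustpoint and AAA server names are invented, and it assumes the standard one-space indentation of ASA sub-commands.

```python
"""Audit an ASA running-config for the OpenSSL June 2014 exposure conditions
(CVE-2014-0195: DTLS enabled on 9.2.1+; CVE-2014-0224: clientless SSL VPN,
tls-proxy, or kcd-server).

Added example for this page, not a Cisco tool. It parses the one-space
sub-command indentation of 'show running-config' output. SAMPLE_CONFIG is
constructed; all names in it are invented."""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
ASA Version 9.2(1)
!
hostname asa
!
group-policy staff_policy internal
group-policy staff_policy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
group-policy client_only internal
group-policy client_only attributes
 vpn-tunnel-protocol ikev2 ssl-client
!
tls-proxy phone_proxy_out
 server trust-point foreign_trust
 client trust-point local_trust
!
webvpn
 enable outside
 enable dmz tls-only
 kcd-server ADSERVERS username svc_kcd password ********
"""


def version_key(version: str) -> tuple:
    """'9.2(1)' -> (9, 2, 1); '8.4(7)20' -> (8, 4, 7, 20). Compares as tuples."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


@dataclass
class Exposure:
    version: str
    dtls_interfaces: list = field(default_factory=list)      # WebVPN 'enable <ifc>' without tls-only
    clientless_policies: list = field(default_factory=list)  # group-policies allowing ssl-clientless
    tls_proxies: list = field(default_factory=list)          # tls-proxy instances
    kcd_server: bool = False                                 # kcd-server configured

    def cve_2014_0195(self) -> bool:
        """DTLS exposure applies only from 9.2.1 on, per the bug's Conditions."""
        return version_key(self.version) >= (9, 2, 1) and bool(self.dtls_interfaces)

    def cve_2014_0224(self) -> bool:
        return bool(self.clientless_policies or self.tls_proxies or self.kcd_server)


def audit(config: str) -> Exposure:
    m = re.search(r"^ASA Version (\S+)", config, re.M)
    exp = Exposure(version=m.group(1) if m else "unknown")
    block = None  # ("webvpn", None) or ("group-policy", <name>) while inside a sub-command block
    for raw in config.splitlines():
        if not raw.startswith(" "):
            top = raw.strip()  # top-level command: opens or closes a block
            if top == "webvpn":
                block = ("webvpn", None)
            elif (gp := re.match(r"group-policy (\S+) attributes$", top)):
                block = ("group-policy", gp.group(1))
            else:
                if (tp := re.match(r"tls-proxy (\S+)$", top)):
                    exp.tls_proxies.append(tp.group(1))
                block = None
            continue
        sub = raw.strip()
        if block and block[0] == "webvpn":
            en = re.match(r"enable (\S+)( tls-only)?$", sub)
            if en and not en.group(2):
                exp.dtls_interfaces.append(en.group(1))  # DTLS is still on for this interface
            elif sub.startswith("kcd-server "):
                exp.kcd_server = True
        elif block and block[0] == "group-policy":
            vt = re.match(r"vpn-tunnel-protocol (.+)$", sub)
            if vt and "ssl-clientless" in vt.group(1).split():
                exp.clientless_policies.append(block[1])
    return exp


if __name__ == "__main__":
    e = audit(SAMPLE_CONFIG)
    print(f"ASA {e.version}")
    print(f"CVE-2014-0195 exposed: {e.cve_2014_0195()}  (DTLS on: {e.dtls_interfaces})")
    print(f"CVE-2014-0224 exposed: {e.cve_2014_0224()}  clientless={e.clientless_policies} "
          f"tls-proxy={e.tls_proxies} kcd-server={e.kcd_server}")
```

Each finding maps to one of the workaround steps above: an interface in dtls_interfaces needs 'enable <ifc> tls-only', a policy in clientless_policies needs 'ssl-clientless' removed from its vpn-tunnel-protocol, and tls_proxies or kcd_server being set means the ASA is acting as a TLS client somewhere and the fixed release is the real remedy.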

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.0, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2(1)
Known Fixed Releases:
100.11(0.18), 100.11(0.21), 100.11(5.25), 100.11(5.28), 100.11(6.1), 100.12(10.4), 100.12(12.1), 100.12(13.6), 100.12(15.2), 100.12(2.10)
Bug Id:
CSCug85087
Title:
ASA crashes in thread name "ssh" while running packet-tracer
Description:

Symptom:
ASA running 8.6(1)5 crashes in thread name "ssh" while running packet-tracer
Conditions:
N/A
Workaround:
There is no workaround at this time

Status:
Other
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
8.6(1.5)
Known Fixed Releases:
Bug Id:
CSCun31725
Title:
ASA using IKEv2 rejects multiple NAT_DETECTION_SOURCE_IP payloads
Description:

Symptom:
Acting as the IKEv2 responder, the ASA receives an initial IKEv2 packet that contains multiple NAT_DETECTION_SOURCE_IP payloads from the initiator. The ASA rejects the connection and prints "INVALID_SYNTAX".

Conditions:
-ASA acts as IKEv2 responder.
-ASA receives multiple payloads for "NAT_DETECTION_SOURCE_IP" from the initiator.

Workaround:
Use IKEv1

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
15-JUL-2015
Known Affected Releases:
9.1(2.8)
Known Fixed Releases:
100.10(9.6), 100.7(6.130), 100.8(38.126), 100.8(40.64), 100.8(56.32), 100.8(63.2), 100.8(64.6), 100.8(65.4), 100.8(66.7), 8.4(7.16)
Bug Id:
CSCug58801
Title:
ASA upgrade from 8.4 to 9.0 changes context's mode to router
Description:

Symptom:
An ASA failover pair running v8.4 in transparent mode and multiple-context mode attempts a zero-downtime upgrade to v9.0. After the standby upgrades to v9.0 and rejoins failover, the firewall operation mode on the standby changes to routed.
Conditions:
ASA failover pair running v8.4 in transparent mode and multiple-context mode attempting a zero-downtime upgrade to v9.0.
Workaround:
Upgrade the ASA failover pair from v8.4 to v9.0 by taking a downtime window and rebooting both ASAs simultaneously.

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
16-JUL-2015
Known Affected Releases:
9.0(1), 9.0(2)
Known Fixed Releases:
100.10(0.6), 100.8(27.83), 100.8(38.16), 100.8(40.6), 100.8(41.2), 100.8(60.10), 100.9(0.45), 100.9(10.1), 100.9(6.26), 100.9(7.23)
Bug Id:
CSCuh29295
Title:
block leak observed during ipsec l2l tests on EDVT testbed
Description:

Symptom:
VPN and SSH stop working on the ASA, and 1550-byte block depletion is seen on the ASA.

Conditions:
ASA acting as an L2L and remote-access VPN gateway.

Workaround:
Reload fixes the problem.

Status:
Fixed
Severity:
2 Severe
Last Modified:
16-JUL-2015
Known Affected Releases:
100.9(0.46), 9.0(2.8), 9.0(3), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.8(27.84), 100.8(38.20), 100.8(40.9), 100.8(41.2), 100.8(60.23), 100.9(0.52), 100.9(10.1), 100.9(6.28), 100.9(7.31)
Bug Id:
CSCuv34740
Title:
ASA Traceback in SNMP Notify Thread
Description:

Symptom:
ASA reloads and generates a traceback in Thread "SNMP Notify Thread"

Conditions:
SNMP syslog traps are enabled.

Workaround:
Disable SNMP syslog traps.

Further Problem Description:
This problem is believed to occur during a degraded memory condition since it is caused by a watchdog timeout while trying to allocate memory for the syslog trap.

Status:
Open
Severity:
2 Severe
Last Modified:
16-JUL-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Bug Id:
CSCut18717
Title:
ASA - Standby traceback in Thread Name: fover_parse
Description:

Symptom:
The standby ASA generates a traceback in thread name fover_parse during an upgrade from 8.6.1.12 to 9.0.4.29, after "Beginning configuration replication from mate" is logged.

Conditions:
ASA is in an Active/Standby failover pair.

Workaround:

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
16-JUL-2015
Known Affected Releases:
9.0(4.29)
Known Fixed Releases:
Bug Id:
CSCue88423
Title:
ASA traceback in datapath thread with netflow enabled
Description:

Symptom:
ASA may reload with a traceback in a datapath thread (such as DATAPATH-1-1241) with abort type "Assert failure". A line like the one below will be seen in the crashinfo output:

Panic: DATAPATH-1-1241 - Message #93 : spin_lock_fair_mode_enqueue: Lock (snp_nf_block_t) is held for a long time, owner: DATAPATH-2-1242, requestor: DATAPATH-1-1241

Conditions:
Netflow is configured and enabled on the ASA.

Workaround:
1. Disable NetFlow, or
2. Disable the flow-teardown filtering.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
16-JUL-2015
Known Affected Releases:
8.2(5.33), 8.4(4.11), 9.1(1), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.19), 100.8(40.8), 100.8(41.2), 100.8(60.20), 100.9(0.50), 100.9(10.1), 100.9(6.28)
Bug Id:
CSCur47804
Title:
ASA Crash in vpnfol_thread_msg thread
Description:

Symptom:
Prior to the crash, the following output can be seen on the console:
ABORT(-87): strcpy_s: source string too long for dest

core3: An internal error occurred. Specifically, a programming assertion was
violated. Copy the error message exactly as it appears, and get the
output of the show version command and the contents of the configuration
file. Then call your technical support representative.

assertion "0" failed: file "constraint.c", line 76

Conditions:
An SSL client attempting to connect to the ASA during the early stages of boot

Workaround:
Shut down the interfaces in the configuration. Reboot with the interfaces in this "shutdown" state, and then, after the logging system has been initialized, issue "no shutdown" on the interfaces.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
16-JUL-2015
Known Affected Releases:
9.2(1), 9.3(1)
Known Fixed Releases:
100.11(0.54), 100.12(0.94), 100.12(23.4), 100.12(24.2), 100.13(0.10), 100.13(11.17), 100.13(12.36), 100.13(15.20), 100.13(16.16), 100.13(17.6)
Bug Id:
CSCul02052
Title:
ASA fails to set forward address in OSPF route redistribution
Description:

Symptom:
Redistribution of connected routes does not work.

The output of the command "show ospf database nssa-external" shows the forward address set to 0.0.0.0 rather than the router ID of the firewall.

TEST-FE-ASA-UC1/uc1/pri/act# show ospf database nssa-external 10.116.11.32


OSPF Router with ID (10.116.11.4) (Process ID 100)


Type-7 AS External Link States (Area 10.116.11.0)

LS age: 82
Options: (No TOS-capability, Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 10.116.11.32 (External Network Number )
Advertising Router: 10.116.11.4
LS Seq Number: 8000070a
Checksum: 0xeb6a
Length: 36
Network Mask:255.255.255.248
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 0

Conditions:
++ ASA with OSPF enabled and part of an NSSA
++ Connected routes on the ASA are being redistributed.

Workaround:
Workaround 1: Clearing the OSPF process ensures that the forward address is set to the router ID.

Workaround 2: Reboot the device.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
16-JUL-2015
Known Affected Releases:
9.0(2)
Known Fixed Releases:
100.7(6.129), 100.8(38.120), 100.8(40.61), 100.8(64.2), 100.8(65.3), 100.8(66.4), 100.8(67.1), 8.4(7.12), 9.0(4.8), 9.1(5.1)
Bug Id:
CSCui40499
Title:
ICMP inspection closes TCP conns with "Flow closed by inspection"
Description:

Symptom:
This DDTS is a Duplicate of CSCuh13899

The ASA might tear down TCP connections with this syslog:

Jul 31 2013 10:45:27: %ASA-6-302014: Teardown TCP connection 163 for outside:10.1.100.4/62750(LOCAL\cisco) to dmz:14.36.103.220/5901 duration 0:00:05 bytes 1382784 Flow closed by inspection (cisco)

Conditions:

Workaround:

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
16-JUL-2015
Known Affected Releases:
8.4(5.7), 9.0(2.3), 9.1(1.5)
Known Fixed Releases:
Bug Id:
CSCtf99449
Title:
Traceback in thread name Dispatch Unit
Description:

Symptom:
The ASA reloads unexpectedly.

Conditions:
After the ASA returns to normal operation, check whether a crashinfo file was created. If so, the thread name will be "Dispatch Unit" and the next line will say "Abort Watchdog failure". This has so far only been seen in 8.2.2 and above.

Workaround:
The crash is related to the TCP proxy.
Workaround 1: turn off TCP-proxy related features.
Workaround 2: upgrade to the 8.2.2(12) image.

TCP-proxy related features:
All VoIP inspections such as H.323, SIP, Skinny and CTIQBE. Others are RTSP, SQL*Net, HTTP, SMTP, etc.

Status:
Fixed
Severity:
2 Severe
Last Modified:
16-JUL-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
100.5(5.40), 100.7(0.54), 100.7(5.18), 100.7(6.6), 100.7(8.1), 8.2(3.104), 8.2(3.5), 8.2(4), 8.3(2.5), 8.4(0.99)
Bug Id:
CSCue31900
Title:
Flapping the CCL or Data spanned port-channel causes intermittent crash
Description:

I have an ASA cluster in routed, multi-context, spanned Po mode. When flapping
either the CCL or spanned data etherchannel it can crash.

Workaround:
This issue is related to having open telnet sessions. A workaround is to use SSH.

Status:
Fixed
Severity:
2 Severe
Last Modified:
16-JUL-2015
Known Affected Releases:
9.0(1), 9.0(1.107)
Known Fixed Releases:
100.10(0.6), 100.8(27.86), 100.8(38.15), 100.8(40.4), 100.8(41.2), 100.8(60.7), 100.9(0.43), 100.9(6.19), 100.9(7.21), 9.0(2.100)
Bug Id:
CSCsq00631
Title:
Connected routes lost for an Interface
Description:

Symptom:
Connected route lost for an interface.

Conditions:
No special configuration is needed, but an interface state change can trigger this issue.
When the interface goes DOWN the connected route is deleted, which is expected.

When the interface comes UP the ASA needs to add the connected route back.
The ASA fails to add the route back, which is the bug.

Workaround:
On affected interfaces, remove and reconfigure the IP address.

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
16-JUL-2015
Known Affected Releases:
7.2(4)
Known Fixed Releases:
Bug Id:
CSCug51375
Title:
ASA SSL: Continues to accept SSLv3 during TLSv1 only mode
Description:

Symptom:
ASA negotiates connections over SSLv3 in spite of being configured to negotiate TLSv1 only.
ASA(config)# sh run ssl
ssl server-version tlsv1-only

Conditions:
Cisco ASA running release 8.2 and later.

If the 'ssl server-version' or 'ssl client-version' value is modified after boot, the changes may not be applied properly. This could lead to the default of SSLv3 being enabled.

Workaround:
There is no workaround.

More Info:
Upgrade to one of the Known Fixed Releases:
* 8.2.5.55 or later
* 8.4.7.26 or later
* 8.5.1.23 or later
* 8.6.1.16 or later
* 8.7.1.15 or later
* 9.0.4.26 or later
* 9.1.5.21 or later
* 9.2.3 or later
* 9.3.1.1 or later

Status:
Fixed
Severity:
2 Severe
Last Modified:
16-JUL-2015
Known Affected Releases:
9.1(1.105)
Known Fixed Releases:
100.10(0.6), 100.11(0.52), 100.12(0.79), 100.12(23.2), 100.12(30.8), 100.12(6.23), 100.13(0.11), 100.13(1.2), 100.13(11.18), 100.13(12.41)
Bug Id:
CSCuu55258
Title:
ASA 9.4: very slow RX speed for SFR module
Description:

Symptom:
Low transfer speed from SFR module, causing failure when applying SFR policy.

Conditions:
Running ASA 9.4

Workaround:
Use ASA 9.3 or 9.2 code.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
9.4, 9.4(1)
Known Fixed Releases:
Bug Id:
CSCue46275
Title:
Connections not timing out when the route changes on the ASA
Description:

Symptom:
Connections on the ASA are not timing out after a route change

Conditions:
The timeout floating-conn was set to 30 seconds.

Workaround:
Clear out the connections manually.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
8.2(5), 8.3(2), 8.4(5), 9.0(1), 9.1(1)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.20), 100.8(40.9), 100.8(41.2), 100.8(60.24), 100.9(0.52), 100.9(10.1), 100.9(6.28)
Bug Id:
CSCty32412
Title:
ASA: Anyconnect u-turn to ipsec tunnel fails
Description:

Symptom:

After an upgrade to 8.4.3.1 or later, AnyConnect traffic that U-turns (hairpins) into an IPsec LAN-to-LAN tunnel is dropped.
The show asp drop output shows the following reason:

Expired VPN context (vpn-context-expired)

No log message is generated for the drops.

The issue is seen on ASA 8.2.5.26 as well.

Conditions:

An AnyConnect client U-turns into an IPsec LAN-to-LAN tunnel.

Workaround:

Use the IPsec VPN client as a temporary workaround.

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
17-JUL-2015
Known Affected Releases:
8.2(5.26), 8.4(3.1), 8.4(3.6)
Known Fixed Releases:
100.7(13.73), 100.7(6.78), 100.8(0.126), 100.8(11.20), 100.8(27.7), 100.8(33.3), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.29)
Bug Id:
CSCuo58584
Title:
Cisco ASA fix for CSCun56954
Description:

Symptom:
This bug is tracking the necessary change on the ASA side to fix a vulnerability in the FirePOWER services.
For additional info refer to the Cisco Security Advisory: Cisco ASA FirePOWER Services and Cisco ASA CX Services Crafted Packets Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp

Conditions:
See Cisco Security Advisory

Workaround:
See Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
17-JUL-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
100.11(0.54), 100.12(0.98), 100.12(23.4), 100.12(24.3), 100.13(0.11), 100.13(1.3), 100.13(11.19), 100.13(12.40), 100.13(16.18), 100.13(18.7)
Bug Id:
CSCth26474
Title:
Inspection triggers block depletion resulting in traffic failure
Description:

Symptom:
Depletion of 1550 blocks causes a network outage and breaks management access.
The symptoms appear the same as CSCtd36422 and are seen on a customer system after an upgrade to 8.2.2.16, where CSCtd36422 should be resolved.

Conditions:
After some undetermined period of firewall operation, the free blocks decrease until they run out. Inspection has to be enabled.
Systems that suffered from CSCtd36422 have also seen this.

Workaround:
Not tested so far.
Hypothetically, disabling inspection could solve the problem, as it did with the parent bug mentioned above.

Status:
Fixed
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
8.2(2.16)
Known Fixed Releases:
100.5(5.42), 100.7(0.58), 100.7(5.22), 100.7(6.7), 100.7(8.1), 8.1(2.49), 8.2(3.105), 8.2(3.5), 8.2(4), 8.3(2.5)
Bug Id:
CSCut70248
Title:
ASA SIP inspection breaks Telepresence content share
Description:

Symptom:
Telepresence conferences are unable to share content when going through the ASA.

Conditions:
Telepresence endpoints are behind an ASA firewall configured with SIP inspection; when an endpoint tries to share content, users only see a black screen. Audio and video work without any issue.

Workaround:
This issue is only seen when the SBC is configured with two IP addresses, one for signaling and another for media. The only known workaround is to use the same IP address for both signaling and media.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
8.4(3.9)
Known Fixed Releases:
Bug Id:
CSCuq29136
Title:
Cisco ASA SSL VPN Info Disclosure and DoS Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.3/6.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3392 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
9.1(5.3)
Known Fixed Releases:
100.11(0.42), 100.12(0.31), 100.12(10.21), 100.12(15.8), 100.12(21.1), 100.12(6.2), 100.12(9.9), 100.7(6.134), 100.8(40.82), 8.2(5.51)
Bug Id:
CSCup74532
Title:
ASA failover standby device reboots due to delays in config replication
Description:

Symptom:
Standby appliance reboots during config replication

Conditions:
ASA in an Active/Standby failover pair.
A large configuration can exacerbate this issue.
This issue has been seen in 8.4(7)15, 8.4(7)22 and 9.1(4)5; other versions may be affected.

Workaround:
No workarounds are currently available.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
8.4(7), 9.1(4)
Known Fixed Releases:
100.11(0.40), 100.11(5.50), 100.11(6.14), 100.12(0.23), 100.12(1.24), 100.12(10.8), 100.12(15.5), 100.12(2.25), 100.12(6.1), 100.12(9.4)
Bug Id:
CSCui98316
Title:
ASA traceback in Thread Name: tmatch compile thread
Description:

Symptom:
ASA reloads unexpectedly with traceback in Thread Name: tmatch compile thread.

Conditions:
There is no known trigger.

Workaround:
There is no workaround at this time.

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
8.4(5.2)
Known Fixed Releases:
Bug Id:
CSCus89013
Title:
Multiple Child SAs created
Description:

Symptom:
Multiple Child SAs created

BXB-3-5520-ASA3(config)# show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:65, Status:UP-ACTIVE, IKE count:1, CHILD count:903

Tunnel-id Local Remote Status Role
162705863 80.1.1.1/500 70.1.1.1/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/5804 sec
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0x3c02014/0x23cc61ca
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0x755d4447/0x1f426716
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0xb196ff93/0x9fbacd9c
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0xba728d67/0x6e159e3d
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0xec951076/0x4d20bdd6
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0x80dc69fe/0x9a072e95
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0xc719b56e/0xf1e350a3
Child sa: local selector 90.1.1.11/0 - 90.1.1.11/65535
remote selector 60.1.1.11/0 - 60.1.1.11/65535
ESP spi in/out: 0x4ebdbb5d/0x89d5e9c2

Conditions:
Create a crypto map with two sequence numbers and then try to connect via the second sequence number. Make the first sequence number not match on both peers.

Workaround:
Connect via the crypto map's first sequence number.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Bug Id:
CSCuv14752
Title:
ASA Traceback Unicorn Proxy Thread
Description:

Symptom:
ASA Traceback with Unicorn Proxy Thread

Conditions:
ASA 9.3.3.220

Workaround:
NONE

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
9.3(3.220)
Known Fixed Releases:
Bug Id:
CSCuv27584
Title:
ASA crashes on Thread:IPSec message handler on pushing new tunnel config
Description:

Symptom:
ASA crashes and generates a crashinfo file.

Conditions:
Pushing a new tunnel configuration to an ASA running version 9.0(4).

Workaround:
NA

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
9.0(4)
Known Fixed Releases:
Bug Id:
CSCts64324
Title:
ASA may reload with traceback in threadname Dispatch unit
Description:

Symptom:

ASA may reload with traceback in thread name Dispatch Unit. This crash may be seen in conjunction with failover.

Conditions:

ASA running 8.4.2 with failover enabled.

Workaround:

None at this time.

Status:
Other
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
Bug Id:
CSCtq90158
Title:
ASA5585 (8.4.1.11) traceback in Thread Name: DATAPATH-7-1379
Description:

Symptom:
Standby ASA 5585 crashed in Thread Name: DATAPATH-7-1379
Page fault: Address not mapped

Logs show "LU allocate xlate failed" messages.

Conditions:
Cisco ASA 5585 running release 8.4.1.

Workaround:
None

Status:
Other
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
8.4(1.11)
Known Fixed Releases:
Bug Id:
CSCut49034
Title:
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
Description:

Symptom:
CPU on standby ASA spikes to 100%

Conditions:
A host connecting through clientless VPN with the RDP plugin opens an RDP session to a host connected through AnyConnect VPN.
Stateful failover configured on an active-standby failover pair.

Workaround:
None

Further Problem Description:
High CPU on the standby ASA unit is caused by a specific connection on the ASA from a host connecting through clientless VPN when stateful failover is enabled.
A host connecting through clientless VPN opens an RDP session to a host connected through AnyConnect VPN.

When this particular connection goes through the ASA, we find that the active ASA builds a single connection,
while the standby ASA builds numerous connections with the same source and destination ports.
Connection on the primary/active:
act/pri/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:00, bytes 4131029, flags UO
Connections on the secondary (close to 2500):
stby/sec/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:05, bytes 4131029, flags UO
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:06, bytes 4131029, flags UO

We see a lot of connection teardown on the standby for this connection.
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554151 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:02 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554254 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:01 bytes 252687 TCP Reset-O

We also see a lot of reset packets in the ASP drops on the standby ASA.
1: 19:00:25.358578 0000.0000.0000 0000.0000.0000 0x0800 Length: 54
66.241.60.197.62481 > 10.145.44.253.3389: R [tcp sum ok] 0:0(0) ack 0 win 0 (ttl 255, id 52738)
Drop-reason: (mp-svc-no-channel) SVC Module does not have a channel for reinjection
The interesting thing is that the source MAC and the destination MAC are both 0 in this ASP drop.

We see overruns on the failover interface of the standby unit.
stby/sec/alan3usv01# show int gig0/3
Interface GigabitEthernet0/3 "failover1", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: LAN/STATE Failover Interface
MAC address 5475.d091.518f, MTU 1500
IP address 10.99.101.114, subnet mask 255.255.255.248
432217782 packets input, 556229026142 bytes, 0 no buffer
Received 556 broadcasts, 0 runts, 0 giants
204523310 input errors, 0 CRC, 0 frame, 204523310 overrun, 0 ignored, 0 abort
We also see a large number of packets being transferred from the active to the standby ASA.

In the failover debugs (fover rx) we only find the following messages:
lu_rx: HA TRANS: receive message for client vpnfo, length 48
lu_rx: HA TRANS: receive message for client vpnfo, length 72
lu_rx: HA TRANS: receive message for client vpnfo, length 72

Decoding the CPU profile output from the standby ASA shows that the high CPU on the standby is due to LU updates.

Status:
Open
Severity:
2 Severe
Last Modified:
17-JUL-2015
Known Affected Releases:
9.1(2), 9.1(5.21)
Known Fixed Releases:
Bug Id:
CSCus84220
Title:
ASA crashes for the OSPFv2 packets from codenomicon
Description:

Symptom:
Cisco ASA crashes in thread name OSPF-3

Conditions:
OSPFv2 is configured and crafted packets are sent to the OSPF interface.

Workaround:
None

Further Problem Description:
A vulnerability in the OSPFv2 code of Cisco ASA Software could allow an unauthenticated, adjacent attacker to cause a reload of the affected system.

The vulnerability is due to improper handling of OSPFv2 packets. An attacker could exploit this vulnerability by sending crafted packets to the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2015-4239 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
18-JUL-2015
Known Affected Releases:
100.13(0.21), 9.3(2.243)
Known Fixed Releases:
100.12(0.116), 100.13(0.51), 100.13(21.8), 100.14(0.3), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.8), 100.14(26.3), 100.14(3.4)
Bug Id:
CSCus57241
Title:
ASA 9.3.2:DAP intermittently uses dflt policy for VPN RA sessions
Description:

Symptom:
After an upgrade from 9.2(2.4) to 9.3(2), VPN remote access connections intermittently match the DfltAccessPolicy instead of the appropriate policy. If the DfltAccessPolicy action is to terminate, the VPN RA sessions will not establish.

Conditions:
- DAP is configured
- ASA upgraded from 9.2(2.4) to 9.3(2)

Workaround:
- Set the default policy to permit (action=continue), if your security policy allows for this.
- Downgrade to a pre-9.3.2 ASA release, if at all possible.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
18-JUL-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.12(0.112), 100.13(0.23), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(10.2), 100.14(11.2), 100.14(12.1)
Bug Id:
CSCuv38705
Title:
ASA may crash in Thread Name: CP Crypto Result Processing
Description:

Symptom:
ASA may crash in Thread Name: CP Crypto Result Processing

Conditions:
It occurs when ASDM is accessed.

Workaround:

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
18-JUL-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases:
Bug Id:
CSCuc98398
Title:
ASA writes past end of file system then can't boot
Description:

Symptom:
After upgrading the ASA OS the device does not boot successfully, and will continually loop the unsuccessful boot sequence.

The following will be seen on the console of the ASA (The ASA and image file will vary):

-----------------------------------------------------------------------------------
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Boot configuration file contains 1 entry.


Loading disk0:/asa844-9-k8.bin... Booting...
Platform ASA5505

Loading...
IO memory blocks requested from bigphys 32bit: 9672

## APPLIANCE REBOOTS AUTOMATICALLY HERE ##
-----------------------------------------------------------------------------------

Conditions:
A Cisco ASA where the disk (Compact Flash) is already close to full or is fragmented from frequent use, a new version of the OS is saved on the disk (without removing any files), and the new file is made the boot file in the configuration.

Workaround:
Delete the bad file from flash, as well as any other images that are no longer in use, to free up more space on the flash. Then re-download the new file to flash.

- or -

1) Copy all the files off of the ASA's disk.
2) Format the disk.
3) Copy the files back onto the disk, starting with the OS image you wish the ASA to boot.

The second procedure (involving the reformat) is the preferred workaround, as it places the ASA image towards the beginning of the file system, making the chances of encountering this problem much lower.

Status:
Fixed
Severity:
2 Severe
Last Modified:
18-JUL-2015
Known Affected Releases:
100.7(6), 8.4(2.8), 8.4(4.1), 8.4(5), 8.4(6)
Known Fixed Releases:
100.7(13.111), 100.7(6.108), 100.8(27.63), 100.8(50.25), 100.9(0.27), 100.9(4.1), 100.9(7.1), 100.9(8.1), 100.9(9.1), 8.4(5.6)
Bug Id:
CSCui86820
Title:
ASA - Some redirected CWS tower traffic being sent to actual server
Description:

Symptom:
An ASA running ScanSafe inspection redirects HTTP traffic to the tower as part of the filtering; all communication to the site should pass through the tower. When the ASA receives a partial packet and is unable to reassemble it, the ASA ends up sending the request to the actual server instead of the ScanSafe tower, which can cause performance problems for the HTTP download.

Conditions:
- ASA running 9.x code with ScanSafe inspection enabled.
- Large HTTP downloads with possible packet loss on the Internet path.

Workaround:
None at this time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
18-JUL-2015
Known Affected Releases:
9.1(1), 9.1(1.8), 9.1(2), 9.1(3)
Known Fixed Releases:
100.10(0.19), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.43), 100.8(40.26), 100.8(41.2), 100.8(45.4), 100.8(46.5), 100.8(48.1)
Bug Id:
CSCun45787
Title:
Duplicated CHILD SAs in 1 IKEv2 SA, traffic dropped vpn-overlap-conflict
Description:

Symptom:
When the condition below matches, the ASA may end up creating multiple SPI sets for a single proxy-ID set, i.e. multiple IPsec SAs (Child SAs) are created for the same local and remote subnets/identities.

Note that this only occurs for the second or subsequent Child SA negotiations, not for the first Child SA created during IKE_AUTH.

When this occurs, the ASA drops the traffic over this SA with the "vpn-overlap-conflict" ASP drop reason (show asp drop).

Conditions:
ASA acting as an IKEv2 L2L endpoint with more than one IPsec SA negotiated.
The IKEv2 SA goes down and re-negotiates due to an external communication failure.

Workaround:
Clear the SA and make sure that the race condition does not occur.

Further Problem Description:
Note that this applies only when there are no duplicate crypto ACL entries (aka proxy identities); if duplicates exist, this scenario does not apply and is not supported.

Status:
Fixed
Severity:
2 Severe
Last Modified:
18-JUL-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
100.11(0.54), 100.12(0.98), 100.12(23.4), 100.12(24.3), 100.12(30.2), 100.13(0.11), 100.13(1.3), 100.13(11.19), 100.13(12.40), 100.13(16.18)
Bug Id:
CSCuo08511
Title:
ASA 9.0.4.1 traceback in webvpn datapath
Description:

Symptom:
ASA reloads unexpectedly at random times.

Conditions:
Crash in the WebVPN datapath.

Workaround:
NONE

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
19-JUL-2015
Known Affected Releases:
9.0(4.1)
Known Fixed Releases:
100.10(0.88), 100.10(2.13), 100.10(6.16), 100.10(7.3), 100.11(0.6), 100.11(5.1), 100.7(6.131), 100.8(40.68), 100.8(56.49), 100.8(64.15)
Bug Id:
CSCtt27599
Title:
Standby Firewall traceback citing nat_remove_policy_from_np+383
Description:

Symptom:

When a Standby ASA tries to sync its config from its Active mate, the ASA may generate a traceback in the fover_parse thread and reload.

Conditions:

All of the following conditions must be met:

1. The ASA must be configured in a failover pair
and
2. The ASA must be configured with a NAT rule that uses the 'any' keyword as one of its interfaces. For example:

object network hostA
host 192.168.1.10
nat (inside,any) static 10.0.0.10

Workaround:

Avoid using the 'any' keyword as an interface in the NAT command.

Status:
Fixed
Severity:
2 Severe
Last Modified:
19-JUL-2015
Known Affected Releases:
100.8(19.22), 8.4(2.16)
Known Fixed Releases:
100.7(13.38), 100.7(14.28), 100.7(17.5), 100.7(18.3), 100.7(6.46), 100.7(8.34), 100.8(0.34), 100.8(15.9), 100.8(17.6), 100.8(19.24)
Bug Id:
CSCuv25327
Title:
bgp ipv6 neighborship fails with ASA after hard reset on router
Description:

Symptom:
bgp ipv6 neighborship fails with ASA after hard reset on router

Conditions:
ASA with 9.5.1 or above has this issue.

Workaround:
Reset the BGP session on the ASA using the clear ip bgp * command.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
100.14(0.61)
Known Fixed Releases:
100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62), 100.15(3.16)
Bug Id:
CSCul47481
Title:
ASA WebVPN Login portal returns to login page after successful login
Description:

Symptom:
After a period of operation, users are unable to log in to the Clientless WebVPN portal. After logging in, the user is redirected back to the login page. The problem happens after authentication, so failed logins are still reported as failures. Reloading the ASA or failing over to the standby ASA resolves the issue for a period of time.

Conditions:
Clientless WebVPN on ASA.

Workaround:
The problem appears to happen after a period of operation following an upgrade to 8.4.7 (this issue has not been reported against the 8.4.5/9.0.3 releases). Reloading the ASA or failing over to the standby unit should resolve the issue for a period of time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases:
100.10(0.63), 100.10(2.4), 100.10(3.1), 100.10(9.1), 100.7(6.127), 100.8(38.95), 100.8(40.56), 100.9(10.23), 8.4(7.8), 9.0(4.2)
Bug Id:
CSCtt96550
Title:
x-late Pairing Denial of Service Vulnerability
Description:

Symptom:
A vulnerability exists in the xlate code of the Cisco ASA that may allow an unauthenticated remote attacker to trigger a reload of the affected system.
The vulnerability is due to improper deletion of one xlate while its pairing is still active. An attacker could exploit this race condition in order to trigger the vulnerability.


Conditions:
This race condition may be triggered by the following inspection engines:
H.323, Skinny, SIP, RTSP

Workaround:
If possible, disable the above inspections.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5412 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
20-JUL-2015
Known Affected Releases:
8.2(4.4), 8.2(5.15), 8.4(2)
Known Fixed Releases:
100.7(13.46), 100.7(14.41), 100.7(17.11), 100.7(18.4), 100.7(6.54), 100.7(8.34), 100.8(0.44), 100.8(0.49), 100.8(0.51), 100.8(0.52)
Bug Id:
CSCtx69498
Title:
Traceback when Converting ACL Remarks of 100 Characters
Description:

Symptom:

Adaptive Security Appliance running 8.4(2.18) and later software may continuously reload during the pre-8.3 software configuration conversion process if maximum length (100 characters) Access Control List (ACL) remarks are present.

Conditions:

Performing an upgrade with pre-8.3 configuration to 8.4(2.18) or later software with long ACL remarks.

Workaround:

Remove ACL remarks completely or reduce the length to less than 100 characters.

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
8.4(2.18)
Known Fixed Releases:
100.7(13.57), 100.7(18.9), 100.7(19.8), 100.7(6.62), 100.8(0.61), 100.8(11.9), 100.8(14.7), 100.8(24.31), 100.8(30.5), 100.8(32.3)
Bug Id:
CSCur99653
Title:
Codenomicon HTTP-server suite may cause crash
Description:

Symptom:
Codenomicon HTTP-server suite may cause crash

Conditions:
Codenomicon server testing

Workaround:
none

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
100.12(0.108), 100.13(1.10), 9.3(1.113)
Known Fixed Releases:
100.12(0.132), 100.13(0.82), 100.14(0.57), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Bug Id:
CSCtw68156
Title:
Memory leak by chunk_create_internal
Description:

Symptom:
Free memory keeps decreasing over time.

Conditions:
This has been seen on an ASA running 8.2.4.

Workaround:
Reload the ASA before free memory gets too close to 0%.

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
8.2(4)
Known Fixed Releases:
Bug Id:
CSCuv10938
Title:
'redistribute' cmds under 'router eigrp' removed on deleting any context
Description:

Symptom:
'redistribute' commands under 'router eigrp' are removed from unrelated contexts when deleting any context that has EIGRP configured with redistribution enabled. An error of the following format is seen on the ASA's console:

ERROR: unable to locate route-map

Conditions:
1. ASA is in multiple context mode.
2. More than one context on the ASA has EIGRP enabled with redistribution configured.
3. The issue is seen on deleting any of the contexts that meet the criteria in point 2 above using the command "no context ".

Workaround:
None apart from re-adding all those commands back manually.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
9.4(1.3)
Known Fixed Releases:
100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62), 100.15(3.16)
Bug Id:
CSCuu86195
Title:
conn-max counter is not decreased accordingly
Description:

Symptom:
Problem description:
- After the maximum number of TCP connections for a class-map is exceeded, the counter for the active connections ("current conns") starts to decrease into negative values.
- All new connections matching the configured policy are dropped even though the configured connection limit is not exceeded:
%ASA-3-201011: Connection limit exceeded -36/30 for input packet from 10.100.48.4/54675 to 172.29.41.10/8443 on interface in

Similar scenarios:
- Legitimate connections are dropped when the counter:
- "current conns" is decreased into negative values; e.g. -36/30
- "current conns" does not drop to zero (after all the connections are closed) and is stuck at a random value; e.g. 26/30 --> only 4 new connections are allowed
- "current conns" goes over the maximum value and does not drop to zero (after all the connections are closed); e.g. 32/30

Conditions:
Issue observed in ASA software versions 9.2.2 and 9.2.24 (tested versions), for TCP traffic only.

Workaround:
N/A

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
9.2(2), 9.2(2.4)
Known Fixed Releases:
100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Bug Id:
CSCuu97304
Title:
SSL connection failing to WebVPN portal
Description:

Symptom:
Access to the WebVPN portal is broken.

Conditions:
Trying to access the WebVPN portal via a browser.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
100.12(0.130), 100.14(0.39), 100.14(0.43), 100.14(0.46)
Known Fixed Releases:
100.12(0.132), 100.13(0.82), 100.14(0.56), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12), 100.15(4.15), 100.15(5.20)
Bug Id:
CSCuu73716
Title:
Traceback in Thread CP Processing
Description:

Symptom:
ASA crashes in thread name CP Processing.

Conditions:
ASA5585-SSP-60 running image version 932-smp-k8.bin.

Workaround:
None at this time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.12(0.134), 100.13(0.85), 100.14(0.66), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.63), 100.15(3.16), 100.15(4.20), 100.15(5.23)
Bug Id:
CSCut46019
Title:
MARCH 2015 OpenSSL Vulnerabilities
Description:


Symptom:

This product includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2015-0286, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288

This bug has been opened to address the potential impact on this product.


Conditions:

Exposure is not configuration dependent.

First Fixed Information:

8.2.5.58 (April 2015)
8.3.2.45 (April 2015)
8.4.7.29 (April 2015)
8.5.1.25 (April 2015)
8.6.1.18 (April 2015)
8.7.1.17 (April 2015)
9.0.4.34 (April 2015)
9.1.6.2 (24-Apr-2015)
9.2.3.5 (April 2015)
9.3.3.1 (8-May-2015)
9.4.1.1 (8-May-2015)

Published advisory is at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150320-openssl

Workaround:

Not available.


More Info:

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.1/6.9

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html



Status:
Fixed
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
8.2(5), 9.2(1), 9.3(2)
Known Fixed Releases:
100.11(0.58), 100.12(0.123), 100.13(0.73), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.28), 100.14(7.28), 100.15(0.10)
Bug Id:
CSCuv12564
Title:
Memory leak @regcomp_unicorn with APCF configured
Description:

Symptom:
WebVPN portal page access is denied because available memory has been exhausted by a memory leak.

Conditions:
APCF must be configured and executed very frequently.
One example is an APCF configuration that blocks the portal navigation toolbar.

Workaround:
Remove APCF from the configuration.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.12(0.132), 100.13(0.82), 100.14(0.61), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.26), 100.15(2.58), 100.15(3.13), 100.15(4.16)
Bug Id:
CSCut40270
Title:
ASA: Traceback in Thread Name DATAPATH
Description:

Symptom:
The ASA can unexpectedly reload and generate a traceback in Thread Name DATAPATH.

Conditions:
ASA running software version 9.2(3)3.

Workaround:
N/A

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
20-JUL-2015
Known Affected Releases:
9.2(3.3)
Known Fixed Releases:
Bug Id:
CSCus62884
Title:
ASA 9.1.5 does not always drop connections after receiving RST+ACK flag
Description:

Symptom:
The ASA does not always drop connections after receiving a packet with the RST+ACK flags set.

Conditions:
The problem occurs when the server receives a duplicate SYN from the client and replies to both SYNs.

Example

Server packets

client -> server SYN (seq=3922308568) ------> 1st SYN
client -> server SYN (seq=3922308568) --------> 2nd SYN
client <- server SYN+ACK (seq=3220609139 ACK=3922308569) ------> reply for 1st SYN
client <- server RST+ACK (seq=0 ACK=3922308569) ----------> reply for the 2nd SYN


Firewall packets

client -> server SYN (seq=3922308568)
client <- server SYN+ACK (seq=3220609139 ACK=3922308569) ------> reply for 1st SYN
client <- server RST+ACK (seq=0 ACK=3922308569) ----------> reply for the 2nd SYN, which the firewall never saw

In both the working and the non-working scenario, the firewall always sends only one SYN packet.

Workaround:
TCP state bypass

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.11(0.57), 100.12(0.115), 100.13(0.46), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.7), 100.14(26.2)
Bug Id:
CSCut49111
Title:
ASA traceback because of TD tcp-intercept feature
Description:

Symptom:
Multiple crashes have been observed on an ASA with threat-detection statistics tcp-intercept enabled.

Conditions:
When threat-detection statistics tcp-intercept is enabled.

Workaround:
Disabling threat-detection statistics for TCP intercept stops the crashes.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases:
100.11(0.58), 100.12(0.125), 100.13(0.73), 100.13(21.13), 100.14(0.12), 100.14(10.17), 100.14(5.15), 100.14(6.27), 100.14(7.26), 100.15(0.10)
Bug Id:
CSCtz98516
Title:
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
Description:

Symptom:
An ASA firewall may crash when being polled by SNMP in rare circumstances.

Conditions:
This has been seen primarily in the 8.4.x ASA code train. The first fix is in ASA interim code 8.4.4.2. To trigger the bug, the ASA must be queried via SNMP for a GETBULK of the xlate OID:

1.3.6.1.4.1.9.10.77.1.2.1

Workaround:
Stop polling the ASA firewall via SNMP until an upgrade to the fixed code can be performed, or modify the OIDs being polled by your SNMP monitoring station so that they do not include the affected OID.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
100.7(22.1)
Known Fixed Releases:
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(28.2), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Bug Id:
CSCuq47381
Title:
DMA memory leak in 256 byte fragments with nbns-server config
Description:

Symptom:
ASA may experience low DMA memory due to memory leak.

Conditions:
The 'nbns-server' command must be configured under the WebVPN tunnel group, and users must be accessing non-existent shares on a NetApp filer.

Workaround:
Remove the 'nbns-server' commands.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(4), 9.1(5.10)
Known Fixed Releases:
100.11(0.53), 100.12(0.83), 100.12(23.2), 100.12(6.26), 100.13(0.9), 100.13(11.15), 100.13(12.26), 100.13(15.10), 100.13(16.8), 100.13(17.4)
Bug Id:
CSCuu31751
Title:
ASA OSPF database does not reflect changes
Description:

Symptom:
Shutting down an interface on R3 is not reflected in the routing table on R#1, because the ASA's OSPF database does not reflect the change, although the routing table on the ASA is updated correctly. The same issue is seen only in 9.2 or 9.3, not in 9.1.

R#1 <-ospf area 2--> ASA <--ospf area 0---> R#3

sh route ospf
O 10.20.20.0 255.255.255.0
[110/11] via 192.168.1.97, 00:32:33, backbone

ASA# sh ospf database 10.30.30.0
Summary Net Link States (Area 1)

Link ID ADV Router Age Seq# Checksum
10.30.30.0 1.1.1.1 1939 0x80000001 0xa245

Summary Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum
10.30.30.0 1.1.1.1 1939 0x80000001 0xa245

R1#sh ip route 10.30.30.0
Routing entry for 10.30.30.0/24
Known via "ospf 10", distance 110, metric 12, type inter area
Last update from 192.168.1.50 on GigabitEthernet0/0/0, 00:29:13 ago
Routing Descriptor Blocks:
* 192.168.1.50, from 1.1.1.1, 00:29:13 ago, via GigabitEthernet0/0/0
Route metric is 12, traffic share count is 1

Conditions:
Only seen on 9.2.x or 9.3.x (tested on 9.2(3), 9.2(3)4 and 9.3(3)); it works fine on 9.1 (tested 9.1(5)21 and 9.1(6)1).

Workaround:
clear ospf x process

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
108.2(0.7)
Known Fixed Releases:
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9)
Bug Id:
CSCur68845
Title:
Linux Kernel Networking recvmsg Memory Leak Local Information Disclosu
Description:

Symptoms:

This product includes third-party software that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2013-6405

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:N/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-6405 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCus71190
Title:
LDAP over SSL fails when using TLS1.2 on ASA
Description:

Symptom:
Cannot authenticate/authorize users via AAA when using Secure LDAP (LDAP over SSL) with TLSv1.2.

Conditions:
LDAP over SSL when the LDAP server supports TLS 1.2.

Workaround:
NONE

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
100.12(13.13), 100.13(0.16), 9.3(2)
Known Fixed Releases:
100.11(0.56), 100.12(0.112), 100.13(0.34), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4)
Bug Id:
CSCut11895
Title:
Failover assembly remained in active-active state permanently
Description:

Symptom:
Both the primary and secondary ASA assume the active role simultaneously until a manual reload is performed.

Conditions:
The problem was encountered while applying a test load of 750 VPN sessions using TLS 1.2 with ECDHE-ECDSA-AES256-SHA384.
Another test scenario was when the primary ASA was power-cycled.

Workaround:
Disable and enable failover again on the secondary unit or reload secondary unit.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
100.13(0.32), 9.4(0.113)
Known Fixed Releases:
100.11(0.57), 100.12(0.116), 100.13(0.51), 100.13(21.9), 100.14(0.4), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.9), 100.14(26.4)
Bug Id:
CSCus32005
Title:
ASA - Traceback in thread name SSH while applying BGP show commands
Description:

Symptom:
ASA traceback in thread name SSH while performing BGP show commands.

Conditions:
ASA running 9.2.2.4.

Workaround:
None known.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.2(2.4)
Known Fixed Releases:
100.11(0.57), 100.12(0.118), 100.13(0.56), 100.13(21.10), 100.14(0.5), 100.14(1.4), 100.14(10.8), 100.14(11.8), 100.14(2.12), 100.14(26.4)
Bug Id:
CSCuq62925
Title:
ASA: standby traceback during replication of specific privilege command
Description:

Symptom:
ASA: the standby unit crashes during replication of a specific privilege command.

Conditions:
ASA in A/S failover mode with 'privilege cmd level 1 mode exec command debug' configured on active unit.

Workaround:
Remove the problematic command.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.2(1), 9.2(2)
Known Fixed Releases:
100.11(0.54), 100.12(0.100), 100.12(24.4), 100.12(30.2), 100.13(0.12), 100.13(1.8), 100.13(11.21), 100.13(16.21), 100.13(19.6), 100.13(20.3)
Bug Id:
CSCuf31726
Title:
uLinux Kernel agp_generic_remove_memory() Local Privilege Escalation Vu
Description:

Symptom:
This product includes third-party software that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2011-2022

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-2022 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
100.11(0.50), 100.12(0.70), 100.12(6.20), 100.13(0.6), 100.13(11.11), 100.13(12.16), 100.13(15.7), 100.13(16.2), 100.13(17.2), 100.13(18.1)
Bug Id:
CSCus30833
Title:
ASA: Page fault traceback in SXP CORE thread
Description:

Symptom:
An ASA configured for CTS may generate a traceback and reload. The traceback will contain the following strings:

Thread Name: SXP CORE
Page fault: Unknown

Conditions:
The ASA must be configured to receive and process SXP packets from one or more devices. For example:

cts sxp enable
cts sxp connection peer 192.168.110.100 password none mode peer speaker

Workaround:
There is no known workaround at this time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.11(0.55), 100.12(0.111), 100.13(0.15), 100.13(1.38), 100.13(19.9), 100.13(21.6), 100.13(23.5), 100.13(24.4), 100.8(40.94), 9.2(3.101)
Bug Id:
CSCuq99821
Title:
ASA/ASASM drops SIP invite packets with From field containing "" and \
Description:

Symptom:
An ASASM running version 9.1.4.6 with SIP inspection turned on silently drops SIP INVITEs that have a value similar to the following in the From field:

"\"210*******\"" ;tag=SD7osu201-gK0d0f565b

Conditions:
ASA/ASASM running 9.1.4.6 with SIP inspection turned on.

Workaround:
Disable SIP inspection.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(4.6)
Known Fixed Releases:
100.11(0.58), 100.12(0.122), 100.13(0.67), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.41), 100.14(5.13)
Bug Id:
CSCur20322
Title:
ASA 9.2.1 - DATAPATH Traceback in L2 cluster environment
Description:

Symptom:
An ASA in an L2 cluster environment generates a DATAPATH traceback. The unit comes back up but will not join the cluster, resulting in an RPC_SYSTEMERROR failure. Manually joining the cluster causes an immediate crash after entering "enable".

Conditions:
ASA running 9.2.1 code in multiple-context mode.
ASA in an L2 cluster environment.

Workaround:
No workaround at this time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.11), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Bug Id:
CSCut45114
Title:
2048-byte block leak if DNS server replies with "No such name"
Description:

Symptom:
The ASA may become unresponsive due to excessive loss of 2048-byte memory blocks.

Conditions:
Many DNS lookups for nonexistent hostnames are performed from the ASA, so that the DNS server replies "No such name".

Workaround:
A reboot is required to recover the lost memory blocks.

Further Problem Description:
To monitor block utilization, use the CLI command "show blocks".

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.3(2.101)
Known Fixed Releases:
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.10), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Bug Id:
CSCur68873
Title:
Linux Kernel Reliable Datagram Sockets Denial of Service Vulnerability
Description:

Symptoms:

This product includes third-party software that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2013-7339

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.7:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-7339 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCus91636
Title:
Adding subnet(s) to the object group for NAT causes high CPU
Description:

Symptom:
The CPU spikes on an ASA when an object is added to an object group that is used in a NAT command.

Conditions:
ASA 5585 running 8.4 and later code with a very large number of object groups configured and passing heavy traffic.

Workaround:
None known yet.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases:
100.11(0.56), 100.12(0.114), 100.13(0.40), 100.13(20.12), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.5), 100.14(11.5), 100.14(2.5)
Bug Id:
CSCur38451
Title:
ASA DSCP marking applies to all SSL traffic
Description:

Symptom:
All traffic to an AnyConnect client is marked with DSCP values other than 0x00.

Conditions:
At least one inspected flow going through that tunnel has sent at least one packet with a DSCP marking through the AnyConnect SSL tunnel.

Workaround:
N/A

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
100.11(0.53), 100.12(0.84), 100.12(23.2), 100.12(6.26), 100.13(0.9), 100.13(11.16), 100.13(12.27), 100.13(15.11), 100.13(16.8), 100.13(17.4)
Bug Id:
CSCut48009
Title:
Traceback in thread CP Processing
Description:

Symptom:
ASA crashes in the CP Processing thread.

Conditions:
-- Skinny inspection enabled.
-- Skinny traffic contains StopMediaTransmission messages that are carried in the same packet as a StartMediaTransmission, StartMediaTransmissionACK, or StartMediaAnnouncement message.
-- Depending on how many of the above messages are seen, the issue can take some time to occur (the more messages seen, the faster the issue can occur).

Workaround:
Disable Skinny inspection.

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(5.19)
Known Fixed Releases:
100.11(0.58), 100.12(0.122), 100.13(0.67), 100.13(21.13), 100.14(0.9), 100.14(10.13), 100.14(26.10), 100.14(5.14), 100.14(6.12), 100.14(7.14)
Bug Id:
CSCul02601
Title:
Cisco ASA SNMP Denial of Service Vulnerability
Description:

Symptoms:
Cisco ASA crashes in Thread Name: Checkheaps during SNMP polling.

Conditions:
SNMP configured.

Workaround:
None

Further Problem Description:

A vulnerability in the SNMP code of Cisco ASA Software could allow an authenticated, remote attacker to cause a reload of the affected system.

The vulnerability is due to improper handling of SNMP packets. An attacker could exploit this vulnerability by sending a high rate of traffic through the device while performing SNMP operations continuously.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2015-4238 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
8.4(7), 8.6(1.2)
Known Fixed Releases:
100.11(0.56), 100.12(0.112), 100.13(0.33), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4)
Bug Id:
CSCuc80080
Title:
DNS Inspection Denial of Service Vulnerability
Description:

Symptom:
Cisco ASA Software is affected by the following vulnerabilities:

IKE Version 1 Denial of Service Vulnerability
Crafted URL Denial of Service Vulnerability
Denial of Service During Validation of Crafted Certificates
DNS Inspection Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities may result in a reload of an affected device, leading to a denial of service (DoS) condition.


Conditions:
See PSIRT Security Advisory.

Workaround:
See PSIRT Security Advisory.

Further Problem Description:
See PSIRT Security Advisory.

PSIRT Evaluation:

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by some of the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-fwsm

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.0(1), 9.1(0.2)
Known Fixed Releases:
100.8(0.245), 100.8(11.45), 100.8(27.20), 100.8(34.1), 100.8(38.3), 100.8(39.2), 100.9(0.6), 9.0(1.100), 9.0(1.2), 9.0(2)
Bug Id:
CSCut92194
Title:
ASA traceback in Thread Name: CP Processing
Description:

Symptom:
ASA running version 9.3.2 is crashing intermittently on Thread Name: CP Processing.

Conditions:
ASA is configured for Websense URL filtering.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.19), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.10)
Bug Id:
CSCur25542
Title:
Traceback: pki-crl: Thread Name: Crypto CA with traffic through VPN L2L
Description:

Symptom:
The customer reports that the ASA crashes whenever traffic is sent through a VPN L2L tunnel that uses certificates for authentication.

Conditions:
IPSEC L2L VPN tunnel with certificates.

Hardware: ASA5505
Software: 8.4(7)

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases:
100.11(0.52), 100.12(0.78), 100.12(23.2), 100.12(6.22), 100.13(0.8), 100.13(11.14), 100.13(12.22), 100.13(15.9), 100.13(16.5), 100.13(17.3)
Bug Id:
CSCus11465
Title:
ASA teardown connection after receiving same direction fins
Description:

Symptom:
ASA version 9.2.2.4 or 9.3.1 tears down a TCP connection after receiving two FIN/ACK segments in the same direction.

Conditions:
ASA version 9.2.2.4 or 9.3.1
Two FIN/ACK segments received in the same direction

Workaround:
Use TCP state bypass.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.2(2), 9.3(1)
Known Fixed Releases:
100.11(0.55), 100.12(0.111), 100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1)
Bug Id:
CSCuq91793
Title:
ASA: RST packet forwarded with non-zero ACK number (and ACK flag clear)
Description:

Symptom:
ASA forwards RST packet with non-zero ACK number and ACK flag cleared.
If there is another ASA along the path of this connection, it will drop this RST packet and not clear the connection.
In very specific circumstances (when host initiates another connection and reuses the same ports), the new connection won't be established and the host will receive PSH ACK packet in response to SYN packet.

Conditions:
Two ASAs in the path of a connection; RST packet sent immediately after standard connection termination.

Workaround:
Reduce half-closed timeout: 'timeout half-closed 0:0:30'

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
100.11(0.54), 100.12(0.94), 100.12(23.4), 100.12(24.2), 100.13(0.10), 100.13(11.18), 100.13(12.37), 100.13(15.21), 100.13(16.16), 100.13(17.6)
Bug Id:
CSCuu32905
Title:
ASA WebVPN: Javascript fails to execute when accessing internal portal
Description:

Symptom:
On an ASA running WebVPN, when a user clicks on the internal portal page, the browser's JavaScript console logs the error "function expected" in cte.js.

Conditions:
Issue was seen and replicated on ASA 9.1(5.21) and 9.1(6).

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
100.8(40.67), 9.1(6)
Known Fixed Releases:
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.26), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15)
Bug Id:
CSCut56198
Title:
Clustering: Traceback in DATAPATH with transparent FW
Description:

Symptom:
ASA traceback occurred on one of the slave units in a 4 node cluster in the DATAPATH thread. Stack trace indicates that the ASA was doing a transparent firewall operation.

Conditions:
Cisco ASA running release 9.2.1.213 and configured as a cluster slave with multi-context configuration which included mixed-mode contexts.

Workaround:
None

Further Problem Description:
Please see Eng-note.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.2(1.213), 9.3(2.108)
Known Fixed Releases:
100.11(0.57), 100.11(0.58), 100.12(0.120), 100.12(0.121), 100.13(0.61), 100.13(21.12), 100.13(21.13), 100.13(28.2), 100.14(0.7), 100.14(0.8)
Bug Id:
CSCuu45813
Title:
ASA Name Constraints dirName improperly verified
Description:

Symptom:
When performing the SCEP enrollment to the CA that contains Name Constraints x509 extension with a dirName constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases:
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13), 100.15(1.15)
Bug Id:
CSCus47259
Title:
Cisco ASA XAUTH Bypass Vulnerability
Description:

Symptoms:
Due to a vulnerability in the IKEv1 code, it is possible to bypass XAUTH authentication by sending crafted IKE messages.

Conditions:
This applies only to deployments configured with Remote VPN and IKEv1.
Knowledge of the PSK or a valid certificate is needed to perform the attack.

This vulnerability affects only the following trains:
- 7.x
- 8.0
- 8.1
- 8.2 prior to 8.2.2.13

This issue has been fixed as part of another bug: CSCtg28821

Workaround:
none

Further Problem Description:

A vulnerability in the IKE version 1 code of Cisco ASA Software could allow an authenticated, remote attacker to bypass x-auth authentication and successfully log in via IPsec remote VPN.

The vulnerability is due to an improper implementation of the x-auth logic. An attacker could exploit this vulnerability by sending crafted IKEv1 packets to the affected system. The attacker would need to know the tunnel group pre-shared key or have a valid certificate in order to exploit this vulnerability. This vulnerability affects only Cisco ASA Software configured for IKEv1 IPsec remote access and IKEv1 IPsec LAN-to-LAN. An exploit could allow the attacker to bypass the authentication and gain access to the network via remote VPN.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2015-0760 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
8.0(2)
Known Fixed Releases:
100.11(0.58), 100.12(0.123), 100.13(0.68), 100.13(21.13), 100.14(0.10), 100.14(10.13), 100.14(26.11), 100.14(5.14), 100.14(6.14), 100.14(7.14)
Bug Id:
CSCur16308
Title:
DHCP Relay reloads after changing server interface
Description:

Symptom:
DHCP Relay stops working.
Or
ASA generates traceback in thread ssh, telnet, accept/http, Unicorn Admin Handler or ci/console

Conditions:
1. DHCP Relay enabled on ASA.
2. DHCP Relay server's interface was changed by the command:
dhcprelay server X.X.X.X

Workaround:
Remove the "dhcprelay server X.X.X.X" command before configuring it with a different interface name.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
8.4(7), 9.0(1), 9.1(5), 9.2(2.4)
Known Fixed Releases:
100.11(0.52), 100.12(0.78), 100.12(23.2), 100.12(6.22), 100.13(0.8), 100.13(11.14), 100.13(12.22), 100.13(15.9), 100.13(16.5), 100.13(17.3)
Bug Id:
CSCtu39738
Title:
ASA 5585 reloads with traceback in Thread Name: NIC status poll
Description:

Symptom:

ASA 5585 may go into a boot loop with traceback in Thread Name: NIC status poll

Before the box enters the traceback you will see several messages on the console that look like this:

INFO: MIGRATION - Saving the startup configuration to file

INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_4_0_startup_cfg
.sav'
*** Output from config line 4, "ASA Version 8.2(4) "
.....Failed to change interface status: cannot get channel
*** Output from config line 442, "interface GigabitEtherne..."
Failed to change interface status: cannot get channel
*** Output from config line 443, " shutdown"
Failed to change interface status: cannot get channel
*** Output from config line 448, "interface GigabitEtherne..."
Failed to change interface status: cannot get channel
*** Output from config line 449, " shutdown"
.Failed to change interface status: cannot get channel
*** Output from config line 454, "interface GigabitEtherne..."
Failed to change interface status: cannot get channel
*** Output from config line 455, " shutdown"
Failed to change interface status: cannot get channel



Conditions:

ASA 5585 only. Running 8.4.2 with an IPS SSP installed in slot 1

Workaround:

Remove the IPS SSP from the chassis and the boot loop should end. The trigger for this behavior is related to using the switch on the PSU to power cycle the box. If you have an IPS blade in the chassis and you power cycle the 5585 via the switch on the PSU you may see this behavior.

Call TAC to get your IPS SSP replaced.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
21-JUL-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
Bug Id:
CSCur45455
Title:
ASA crashes in DHCPv6 Relay agent functionality
Description:

Symptoms:
ASA may crash in thread name DHCPv6 Relay

Conditions:
This can be triggered by a malformed DHCPv6 packet when DHCPv6 relay is configured.
To verify whether this feature is configured, use the show run ipv6 dhcprelay command and confirm that the feature is enabled on at least one interface.
The following example shows the DHCPv6 relay feature enabled on the outside interface:

asa#show run ipv6 dhcprelay
ipv6 dhcprelay enable outside

Workaround:

Further Problem Description:
A vulnerability in the DHCP relay function of Cisco ASA Software could allow an unauthenticated, adjacent attacker to cause a reload of the affected system.

The vulnerability is due to insufficient validation of crafted DHCP packets. Only Cisco ASA devices configured as a DHCPv6 relay are affected by this vulnerability. An attacker could exploit this vulnerability by sending crafted DHCPv6 packets through the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.7/4.7:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2015-0578 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0578

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.11(0.54), 100.12(0.103), 100.12(24.5), 100.12(30.2), 100.13(0.12), 100.13(1.13), 100.13(11.23), 100.13(16.22), 100.13(19.6), 100.13(20.3)
Bug Id:
CSCur65317
Title:
NAT pool address distribution fails with NAT transactional-commit enabled
Description:

Symptom:
NAT pool address distribution fails with NAT transactional-commit enabled.

Conditions:
ASA cluster with the ASP transactional-commit commands enabled.

Workaround:
Disable the ASP transactional-commit configuration commands on the ASA unit.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
100.13(11.17)
Known Fixed Releases:
100.11(0.55), 100.12(0.107), 100.13(0.13), 100.13(1.22), 100.13(16.26), 100.13(19.7), 100.13(20.3), 100.13(21.3), 100.13(23.1), 100.8(40.94)
Bug Id:
CSCut01856
Title:
ASA dropping traffic with TCP syslog configured in multicontext mode
Description:

Symptom:
ASA drops traffic in multiple-context mode when the TCP syslog server is unreachable.

Conditions:
-ASA in multiple context mode
-TCP syslog server configured on one of the contexts.
-"no logging permit host-down" configured on a context.

Workaround:
Removing and re-adding the affected context makes the issue go away.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.2(2.8)
Known Fixed Releases:
100.11(0.58), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Bug Id:
CSCur49086
Title:
Traceback due to fiber_create failure in unicorn remove session dir
Description:

Symptom:
Crash on fiber_create failure while removing the session directory.

Conditions:
Certificate-authentication stress test with a mass logoff (vpn-sessiondb logoff all).

Workaround:
none

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
100.12(0), 100.8(40), 9.1(5)
Known Fixed Releases:
100.11(0.54), 100.12(0.99), 100.12(23.4), 100.12(24.4), 100.12(30.2), 100.13(0.11), 100.13(1.5), 100.13(11.19), 100.13(12.42), 100.13(16.18)
Bug Id:
CSCuq57307
Title:
ASA 8.4 Memory leak due to duplicate entries in ASP table
Description:

Symptom:
The ASA may experience a memory leak each time a VPN tunnel is built and torn down.

Conditions:
The ASA must be configured with a QoS policy that matches on per-flow destination addresses for a particular tunnel-group. For example:

class-map vpn-class
match flow ip destination-address <<<<<<<<<<<<<
match tunnel-group 10.38.110.250
!
policy-map outside-policy
class vpn-class
police output 30000000

Workaround:
Temporarily disable the QoS policy

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases:
100.11(0.57), 100.11(0.58), 100.12(0.116), 100.12(0.121), 100.13(0.52), 100.13(0.63), 100.13(21.13), 100.13(21.9), 100.13(28.2), 100.14(0.4)
Bug Id:
CSCuv27197
Title:
ASA SSLVPN RDP Plugin session freezes under heavy load with activex
Description:

Symptom:
RDP session freezes when a video is played over the session.

Conditions:
9.4.1
Plugins tested:
RDP1 2014
RDP2 2009
win7

Process-intensive applications in the RDP session, such as a high-definition video played either locally on the RDP machine or via YouTube.

The problem can be reproduced more consistently with ActiveX.

We have also observed the TCP window filling up and TCP ZeroWindow in the packet capture taken between the RDP server and the ASA.

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCuu39636
Title:
Cert Auth fails with 'max simultaneous-login restriction' error
Description:

Symptom:
VPN Clients connections with Certificate Authentication fail with the following error:

[IKEv1]Group = , IP = X.X.X.X, Session terminated due to 'X' max simultaneous-login restriction.

Conditions:
VPN Clients with Certificate Authentication

ASA running 9.1.6 or later

Workaround:
Use PSK and X-Auth for authentication
Downgrade to a non-affected version

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(6), 9.4(1)
Known Fixed Releases:
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13), 100.15(1.15)
Bug Id:
CSCus64082
Title:
ASA fails to sync objects with name ANY after upgrade from 8.4 to 9.x
Description:

Symptom:
Standby ASA fails to sync objects with name ANY used in ACE after the zero downtime upgrade from 8.4.x/8.6.x to 9.x.

The below errors are seen on the console during the configuration replication:
ERROR: specified object does not exist
ERROR: object () does not exist.

Due to missing configuration the standby ASA may enter into a boot loop.

Conditions:
ASA configured with object name ANY and that object is used in an access-list.

object network ANY
subnet 0.0.0.0 0.0.0.0

access-list outside-in extended permit tcp object ANY host

Workaround:
1. Use any other object name apart from 'ANY'
2. Rather than using object name 'ANY' use keyword 'any' in ACL configuration
3. Upgrade both the ASAs at the same time

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(2), 9.1(5)
Known Fixed Releases:
100.11(0.56), 100.8(40.95), 9.0(4.31), 9.1(6.2), 9.2(3.101), 9.2(4)
Bug Id:
CSCut44082
Title:
EIGRP configuration not being correctly replicated between failover ASAs
Description:

Symptom:
We have found that the 'no passive-interface (interface-name)' and the 'distribute-list (distr-list-name) out interface (interface-name)' commands are not being correctly replicated between a pair of ASA firewalls configured in failover.

Conditions:
This issue occurs only when the active FW is replicating the configuration to the standby unit in the following two scenarios:

1.- When issuing the 'write standby' in the active FW.

OR

2.- When, after the standby unit reboots, the active unit automatically replicates the configuration to it.

(ASA-1/pri/act# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate)

NOTE: In the recreation lab only the distribute-list disappears, but in the production environment one of the 'no passive-interface' commands disappears too.

Workaround:
While running ASA codes 9.2(2)4, 9.2(3) and 9.3(2):

1.- Avoid using the 'write standby' command in the active ASA; use 'write memory' or 'copy running-config startup-config' instead.

2.- If for whatever reason the standby unit is being rebooted, then you will need to manually add the EIGRP missing configuration lines in the active unit in order to allow the standby unit to receive the whole needed EIGRP configuration.

I already confirmed that this EIGRP replication issue does not happen when running codes 8.6(1), 9.1(1) and 9.1(5), so downgrading to these ASA codes is another workaround.

Further Problem Description:
Here is the detailed EIGRP configuration used for our testing:

ASA-1/pri/act(config)# router eigrp 7
ASA-1/pri/act(config-router)# no auto-summary
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# network 10.1.4.0 255.255.254.0
ASA-1/pri/act(config-router)# network 10.1.50.16 255.255.255.248
ASA-1/pri/act(config-router)# network 10.1.94.0 255.255.254.0
ASA-1/pri/act(config-router)# network 10.1.97.0 255.255.255.128
ASA-1/pri/act(config-router)# network 10.6.254.128 255.255.255.128
ASA-1/pri/act(config-router)# network 198.209.254.0 255.255.255.0
ASA-1/pri/act(config-router)# network 198.209.255.0 255.255.255.0
ASA-1/pri/act(config-router)# passive-interface default
ASA-1/pri/act(config-router)# no passive-interface outside
ASA-1/pri/act(config-router)# no passive-interface inside
ASA-1/pri/act(config-router)# no passive-interface dmvpndmz
ASA-1/pri/act(config-router)# no passive-interface stldcdmz

ASA-1/pri/act# sh run router
router eigrp 7
distribute-list NO-PUB-ROUTES-OUT out interface inside
distribute-list NO-PUB-ROUTES-OUT out interface dmvpndmz
distribute-list NO-PUB-ROUTES-OUT out interface stldcdmz
network 10.1.4.0 255.255.254.0
network 10.1.94.0 255.255.254.0
network 10.1.97.0 255.255.255.128
network 198.209.254.0 255.255.255.0
network 198.209.255.0 255.255.255.0
network 10.1.50.16 255.255.255.248
network 10.6.254.128 255.255.255.128
passive-interface default
no passive-interface inside
no passive-interface dmvpndmz
no passive-interface stldcdmz
no passive-interface outside

ASA-1/pri/act# sh run all router
router eigrp 7
no auto-summary
distance eigrp 90 170
distribute-list NO-PUB-ROUTES-OUT out interface inside
distribute-list NO-PUB-ROUTES-OUT out interface dmvpndmz
distribute-list NO-PUB-ROUTES-OUT out interface stl

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.2(2.4), 9.2(3), 9.3(2)
Known Fixed Releases:
100.11(0.58), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Bug Id:
CSCus57142
Title:
ASA traceback in threadname Checkheaps when it hits dhcpv6 packet
Description:

Symptom:
ASA traceback in thread name Checkheaps when it receives a DHCPv6 packet.

Conditions:
ASA loaded with 9.1.3 and under Codenomicon testing.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases:
100.11(0.57), 100.12(0.119), 100.8(40.96), 9.1(6.5), 9.2(3.101), 9.2(4)
Bug Id:
CSCus06652
Title:
ASA5580-20 8.4.7.23: Traceback in Thread Name: ssh
Description:

Symptom:
Both Active and Standby ASA units traceback in Thread Name: ssh when adding an extended ACL.

Conditions:
This was found on an Active/Standby pair of ASA5580-20 running v8.4(7)23

Workaround:
Make sure that a class configured to match an ACL has at least one element in it.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
8.4(7.23), 9.1(5.19)
Known Fixed Releases:
100.11(0.55), 100.12(0.111), 100.13(0.15), 100.13(1.35), 100.13(19.9), 100.13(20.5), 100.13(21.5), 100.13(23.4), 100.13(24.3), 100.7(6.138)
Bug Id:
CSCus95290
Title:
Cisco ASA VPN XML Parser Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA Failover Command Injection Vulnerability
Cisco ASA DNS Memory Exhaustion Vulnerability
Cisco ASA VPN XML Parser Denial of Service Vulnerability

Successful exploitation of the Cisco ASA Failover Command Injection Vulnerability would allow an attacker to submit failover commands to the failover units, which may result in an attacker taking full control of the systems.

Successful exploitation of the Cisco ASA DNS Memory Exhaustion Vulnerability may result in system instability and dropped traffic.

Successful exploitation of the Cisco ASA VPN XML Parser Denial of Service Vulnerability may result in a crash of the WebVPN process, which may lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system.


Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for the Cisco ASA Failover Command Injection Vulnerability and Cisco ASA DNS Memory Exhaustion Vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa

Note: The resolution of the vulnerability in the Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability, cisco-sa-20150408-cxfp, released on the 8th of April may require an upgrade of the Cisco ASA Software release. Cisco ASA customers should review cisco-sa-20150408-cxfp before deciding which Cisco ASA Software release to upgrade to.

The Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVE ID CVE-2015-0677 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.0(4.20)
Known Fixed Releases:
100.11(0.56), 100.12(0.113), 100.13(0.35), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4)
Bug Id:
CSCur20461
Title:
ASA Threat detection adds Shun entry for attacker based on routing table
Description:

Symptom:
ASA threat detection is unable to shun an attacker even though the shun entry exists.

Conditions:
1) Threat detection scanning threat is configured with shun functionality (threat-detection scanning-threat shun)
2) The ingress interface of the triggering traffic is different from the interface selected by the route lookup of the trigger source IP

Workaround:
none

Further Problem Description:
When threat detection scanning threat is configured with shun functionality (threat-detection scanning-threat shun), the ASA shuns the attacker IP address based on its routing table.

The ASA first checks the routing table and installs the shun on the interface it would use to forward traffic to the attacker, not on the interface on which the attack was seen.

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
8.4(7), 9.1(5)
Known Fixed Releases:
100.11(0.53), 100.11(0.54), 100.12(0.103), 100.12(24.6), 100.13(0.12), 100.13(1.14), 100.13(11.23), 100.13(16.23), 100.13(19.6), 100.13(20.3)
Bug Id:
CSCut86523
Title:
ASA: Silently Drops packets with SFR Module installed.
Description:

Symptom:
Traffic through ASA with SFR module Redirection enabled is dropped

Conditions:
Destination MAC address of the Packet begins with the following.
00:23
00:20
00:0d

Workaround:
Change the destination MAC address of the packet to begin with something other than 00:23, 00:20, or 00:0d.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.3(2.2)
Known Fixed Releases:
100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20), 100.15(0.9)
Bug Id:
CSCus78450
Title:
Certificate Validation Failure after upgrade post 9.1.5(12)
Description:

Symptom:
--Certificate Validation Failure message on user PC after upgrading the ASA to any version in 9.1.5(x) post 9.1.5(12)
--The debug crypto ca 255 shows the following message:
CRYPTO_PKI: Certificate validation: Failed, status: 530CRYPTO_PKI: PKI Verify Cetificate Check Cert Revocation unknown error 530
CRYPTO_PKI: PKI Verify Certificate error. No trust point found

Conditions:
ASA running any version above 9.1.5(12) using server-side certificate authentication with ID certificate issued by a third party CA.

Workaround:
--Remove all the configured trustpoints and re-build them by importing the chain.
--Use a self-signed certificate

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(5.16)
Known Fixed Releases:
100.11(0.58), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.21)
Bug Id:
CSCun26772
Title:
Invalid user names are logged in syslogs
Description:

Symptom:
The ASA logs the invalid user name when a user attempts to authenticate with an incorrect user ID.

Conditions:
AAA and logging enabled

Workaround:

Further Problem Description:

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.2(0.2)
Known Fixed Releases:
100.10(9.6), 100.11(2.1), 100.8(38.125), 100.8(40.63), 100.8(56.31), 100.8(65.4), 9.0(4.25), 9.1(5.15), 9.2(0.99), 9.2(1)
Bug Id:
CSCut29842
Title:
Linux Kernel Memory Fault Privilege Escalation Vulnerability
Description:

Symptoms:

This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-9322

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-9322 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.3(2.200), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCut30741
Title:
ASA redirection to Scansafe tower fails with log id "775002" in syslog
Description:

Symptom:
ASA redirection to Scansafe tower fails with log id "775002" in syslog even when the platform limit for connections was not reached.

Conditions:
Was noticed in version 9.0(2) but could affect any release.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.0(2)
Known Fixed Releases:
100.11(0.57), 100.12(0.116), 100.13(0.52), 100.13(21.9), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.9), 100.14(26.4)
Bug Id:
CSCuq50366
Title:
Traceback may occur on bring up of multiple SSL sessions w/DHE
Description:

Symptom:
On rare occasions it is possible that a traceback may occur when bringing up multiple SSL sessions with DHE.

Conditions:

Workaround:
Use a different cipher than DHE or upgrade to a version with the fix for this issue.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
100.12(10.28), 100.12(10.32), 100.12(2.14), 9.1(5.19), 9.1(5.21), 9.2(2.4)
Known Fixed Releases:
100.11(0.55), 100.12(10.33), 100.12(21.2), 100.12(9.14), 100.8(40.94), 9.1(5.101), 9.2(3.1), 9.2(4), 9.3(2.1)
Bug Id:
CSCuf31835
Title:
Linux Kernel KVM Local Denial of Service Vulnerability
Description:

Symptom:
This product includes third-party software that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2010-0309

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-0309 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
100.11(0.51), 100.8(40.87), 9.2(3.101), 9.2(4)
Bug Id:
CSCus63993
Title:
ASA - Traceback in thread name: CERT API
Description:

Symptom:
ASA traceback with thread name CERT API when trying to connect to ASA with AnyConnect Client.

Conditions:
NA

Workaround:
NA

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.2(2.4), 9.2(3)
Known Fixed Releases:
100.11(0.56), 100.12(0.115), 100.13(0.44), 100.13(20.12), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.7)
Bug Id:
CSCut10078
Title:
Standby ASA does not apply OSPF route after config replication
Description:

Symptom:
Standby unit was not following the OSPF routes that were replicated from the Active unit and installed in its routing table. For example, when trying to ping 10.202.7.135 from the Standby unit the ASA claimed it had no route to the host:

Conditions:
OSPF configured on active/standby ASA 5555 pair running 9.1.5.21

Workaround:
A 'write standby' from the Active unit to force a bulk sync fixes the problem, though the routing table doesn't seem to change. I was able to reproduce the problem several times.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases:
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12), 100.14(2.25)
Bug Id:
CSCut12513
Title:
ASA allows citrix ICA connection without authentication
Description:

Symptom:
Cisco ASA Clientless SSL VPN integration with Citrix includes downloading a .ica file from the Citrix server and serving it to the client.
The .ica file includes a session token used to connect to the Citrix server.

This file is stored on the client PC and deleted by the Citrix client once the session with Citrix is terminated.

If this file is copied to a different machine, it is possible to reuse it to connect to the Citrix server via the Clientless SSL VPN
feature without authentication, as long as the session of the user that initially authenticated to the Clientless SSL VPN Portal is still
active.

Conditions:
The file needs to be copied from the initial PC, and the authenticated user session must still be active.

Workaround:
none


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
21-JUL-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15), 100.14(26.6)
Bug Id:
CSCuu89777
Title:
ASA: Traceback in Thread Name: IP Thread
Description:

Symptom:
ASA device traceback with Thread Name: IP Thread

Conditions:
The interface must have PPPoE configured and receive PPPoE-encapsulated traffic destined to a host on the other side of the firewall.

Workaround:
Do not use PPPoE on ASA interfaces.

Further Problem Description:
A PPPoE data packet arrived on a PPPoE interface on the ASA and was sent to the control path for decapsulation.

That packet could internally carry a UDP/TCP packet. After decapsulation it is sent out on the other side of the ASA interface to the destination.

After the packet was sent on the wire, the ASA crashed while freeing the packet block, as an invalid block pointer was passed down the function calls.

Status:
Terminated
Severity:
2 Severe
Last Modified:
22-JUL-2015
Known Affected Releases:
9.2(3.4)
Known Fixed Releases:
Bug Id:
CSCuv42720
Title:
Egress ACL with ICMP Types Misbehaving.
Description:

Symptom:
Configuring an ACL on the outbound port of a device may cause some traffic to be dropped even though the ACL policy permits the dropped packet(s).

Conditions:
The following policy applied to the outbound port will drop packets with Types 2-129.

ASA5506X# show run access-list
access-list unh-out extended permit icmp6 any6 any6 unreachable 0
access-list unh-out extended permit icmp6 any6 any6 unreachable 1
access-list unh-out extended permit icmp6 any6 any6 unreachable 2
access-list unh-out extended permit icmp6 any6 any6 unreachable 3
access-list unh-out extended permit icmp6 any6 any6 unreachable 4
access-list unh-out extended permit icmp6 any6 any6 unreachable 5
access-list unh-out extended permit icmp6 any6 any6 unreachable 6
access-list unh-out extended permit icmp6 any6 any6 packet-too-big 0
access-list unh-out extended permit icmp6 any6 any6 time-exceeded 0
access-list unh-out extended permit icmp6 any6 any6 time-exceeded 1
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 0
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 1
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 2
access-list unh-out extended permit icmp6 any6 any6 echo 0

%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 2, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 3, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 3, code 1) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 1) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 2) by access-group "unh-out" [0x0, 0x0]

ASA5506X# show access-list unh-out
access-list unh-out; 14 elements; name hash: 0x91e2c362
access-list unh-out line 1 extended permit icmp6 any6 any6 unreachable 0 (hitcnt=0) 0x4e0ab796
access-list unh-out line 2 extended permit icmp6 any6 any6 unreachable 1 (hitcnt=20) 0xa549de20
access-list unh-out line 3 extended permit icmp6 any6 any6 unreachable 2 (hitcnt=0) 0x3e3005b5
access-list unh-out line 4 extended permit icmp6 any6 any6 unreachable 3 (hitcnt=0) 0x60363c63
access-list unh-out line 5 extended permit icmp6 any6 any6 unreachable 4 (hitcnt=0) 0xeb98c4e3
access-list unh-out line 6 extended permit icmp6 any6 any6 unreachable 5 (hitcnt=0) 0x4b9b65f1
access-list unh-out line 7 extended permit icmp6 any6 any6 unreachable 6 (hitcnt=0) 0x53e45a3f
access-list unh-out line 8 extended permit icmp6 any6 any6 packet-too-big 0 (hitcnt=0) 0x9b62e1db
access-list unh-out line 9 extended permit icmp6 any6 any6 time-exceeded 0 (hitcnt=0) 0x5362e1e1
access-list unh-out line 10 extended permit icmp6 any6 any6 time-exceeded 1 (hitcnt=0) 0xf7a7cc36
access-list unh-out line 11 extended permit icmp6 any6 any6 parameter-problem 0 (hitcnt=0) 0x453e9232
access-list unh-out line 12 extended permit icmp6 any6 any6 parameter-problem 1 (hitcnt=0) 0x780a5e2e
access-list unh-out line 13 extended permit icmp6 any6 any6 parameter-problem 2 (hitcnt=0) 0x4a0104ef
access-list unh-out line 14 extended permit icmp6 any6 any6 echo 0 (hitcnt=0) 0xf50e5b9d
ASA5506X#
ASA5506X# show runn access-group
access-group unh-out out interface priv

Workaround:
None

Further Problem Description:
N/A

Status:
Open
Severity:
2 Severe
Last Modified:
22-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCuf31803
Title:
Linux Kernel nfs_wait_on_request() Local Denial of Service Vulnerabili
Description:

Symptom:
This product includes third-party software that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2010-1087

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-1087 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-JUL-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases:
Bug Id:
CSCtf66003
Title:
ASA 8.6 Traceback: CP Midpath Processing
Description:

Symptom:
ASA 8.6 may generate a traceback in CP Midpath Processing when a large number of AnyConnect client sessions are present and passing data.

Conditions:
A large number of AnyConnect client sessions passing data are present.

Workaround:
NA

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
22-JUL-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
Bug Id:
CSCtt36737
Title:
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Description:

Summary
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability, and Clientless SSL
VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-3415 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-JUL-2015
Known Affected Releases:
8.4(2.1), 8.6(1)
Known Fixed Releases:
100.7(13.43), 100.7(13.65), 100.7(14.37), 100.7(17.7), 100.7(18.4), 100.7(18.9), 100.7(19.8), 100.7(6.52), 100.7(6.62), 8.4(2.102)
Bug Id:
CSCtq92619
Title:
ASA IPsec doesn't start Quick Mode for some SA with IKEv1 SA up
Description:

Symptom:
ASA may fail to initiate a Phase 2 SA when interesting traffic arrives at the ASA.

Conditions:
ASA 8.4.1.10 static LAN-to-LAN connection that has been up for about 3 weeks.
Phase 1 SA is still established
Phase 2 SA for another line in the same crypto map entry is up and works fine.

Workaround:
- Reload the ASA.
- Remove the crypto map entry and re-enter it.
- Upgrade to a version that includes the fix for CSCty16864, which is caused by the same underlying issue.

Status:
Other
Severity:
2 Severe
Last Modified:
22-JUL-2015
Known Affected Releases:
8.4(1.10), 8.4(2)
Known Fixed Releases:
Bug Id:
CSCur23709
Title:
ASA : evaluation of SSLv3 POODLE vulnerability
Description:

Symptom:
The Cisco ASA (Adaptive Security Appliance) includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-3566

Conditions:
The default SSL configuration on all ASA software trains enables SSLv3. Due to bug CSCug51375, the ASA is unable to disable SSLv3 on most ASA versions.

To see the SSL configuration:

show run all ssl

Default configuration of the ASA:

ssl client-version any
ssl server-version any

The following non-default configuration values also enable SSLv3:

ssl client-version sslv3-only
ssl client-version sslv3
ssl server-version sslv3-only
ssl server-version sslv3

Some of the previously listed options are not available on older ASA software releases.

Workaround:
There are no workarounds.

Further Problem Description:
This bug is for SSL server-side and is fixed in the following (and later) posted ASA releases:

9.3.1.1
9.2.3
9.1.5.21
9.0.4.26
8.4.7.26
8.2.5.55

It will also be available in the April 2015 timeframe on the following ASA software releases:

8.3.2.43
8.5.1.23
8.6.1.16
8.7.1.15

For the client-side (Clientless Smart Tunnel Component), please check CSCur42776.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-JUL-2015
Known Affected Releases:
8.2(1), 8.3(1), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.0(1), 9.1(1), 99.1
Known Fixed Releases:
100.11(0.52), 100.12(0.79), 100.12(23.2), 100.12(30.8), 100.12(6.23), 100.13(0.11), 100.13(1.2), 100.13(1.3), 100.13(11.18), 100.13(11.23)
Bug Id:
CSCue18975
Title:
IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN
Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5507 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Symptom:

Conditions:

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-JUL-2015
Known Affected Releases:
100.8(50.20), 100.9(7.14), 100.9(7.15), 9.1(1.4)
Known Fixed Releases:
100.8(27.63), 100.8(50.35), 100.9(0.35), 100.9(4.5), 100.9(6.10), 100.9(7.19), 100.9(8.1), 9.0(2.100), 9.0(2.2), 9.0(3)
Bug Id:
CSCug39080
Title:
HA sync configuration stuck -"Unable to sync configuration from Active"
Description:

Symptom:
HA sync configuration stuck -"Unable to sync configuration from Active"

Conditions:
Reloading the standby or reconfiguring failover on the standby does not resolve the issue.

Workaround:
Reload the active unit.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-JUL-2015
Known Affected Releases:
9.0(1)
Known Fixed Releases:
100.10(0.6), 100.8(27.84), 100.8(38.22), 100.8(40.11), 100.8(41.2), 100.8(60.27), 100.9(0.54), 100.9(10.1), 100.9(6.29), 100.9(7.37)
Bug Id:
CSCuh75443
Title:
Assertion in "ctm_daemon.c", line 764
Description:

Symptom:
Assertion in "ctm_daemon.c", line 764

Conditions:
High DTLS session establishment rates

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-JUL-2015
Known Affected Releases:
100.8(40.10), 100.8(46.3), 9.0(3.5), 9.1(2.4)
Known Fixed Releases:
100.10(0.26), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.47), 100.8(40.31), 100.8(45.5), 100.8(46.11), 100.8(51.1), 100.9(10.12)
Bug Id:
CSCut52679
Title:
Cisco ASA OSPFv2 Denial of Service Vulnerability
Description:

Symptoms:
ASA crash in thread name OSPF-3 Router

Conditions:
OSPF is enabled on the interface

Workaround:
none

Further Problem Description:
A vulnerability in the OSPFv2 code of Cisco ASA Software could allow an unauthenticated, adjacent attacker to cause a reload of the affected system.

The vulnerability is due to improper handling of OSPFv2 packets. An attacker could exploit this vulnerability by sending crafted packets to the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2015-4241 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
22-JUL-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.15), 100.14(5.15), 100.14(6.20), 100.14(7.19), 100.15(0.9)
Bug Id:
CSCut67965
Title:
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached
Description:

Symptom:
ASA running 9.4.1 stops accepting IKEv2 connections.

Conditions:
ASA5545 running 9.4.1 with certificate authentication for Windows Mobile phones. The ASA may print the PKI debug message "CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached".

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
23-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.28), 100.14(10.23), 100.14(5.17), 100.14(7.33), 100.15(0.13), 100.15(1.15), 100.15(2.47)
Bug Id:
CSCur07369
Title:
SXP Version Mismatch Between ASA & N7K with clustering
Description:

Symptom:
An SXP connection cannot be established when an ASA cluster interacts with an SXP peer running the SXP version 1 protocol.

Conditions:
(1) the ASA is running a cluster with 2 or more units, (2) the SXP peer is running the SXP version 1 protocol, and (3) the SXP peer's hash directs the SXPv1 request to a slave unit of the ASA cluster instead of the master unit.

Workaround:
- Upgrade the SXP peer to run SXP version 2 or above, or
- Change the IP address used for establishing the SXP connection so that the hash algorithm directs the SXPv1 request from the SXP peer to the master unit of the ASA cluster instead of a slave unit.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases:
Bug Id:
CSCum70178
Title:
Datapath:Observing Deadlock in different DATAPATH threads
Description:

Symptom:
Cisco ASA working as a Failover Standby Unit periodically reloads in thread name datapath.

The crash message could be like the following:

Deadlock in thread DATAPATH-9-2588, from:
Traceback from thread DATAPATH-9-2588:

The test scenario was multiple FTP clients from Outside to a single FTP server on Inside, with a 1K conn/sec rate.

Conditions:
Cisco ASA 8.4 when configured as standby in a failover pair.
The reason the problem is more evident on the Standby could be that, as there isn't much work to do,
it is possible for multiple cores to work on flow time-out at the same time.

As part of detaching a flow from host->h_tcp_eflow, emb-flow-count is being decremented,
but this is being done for paired_flow->host while holding the flow->host lock.

This can lead to a deadlock in the following scenario:
Core-1:
The Forward_flow->host_A host-lock was acquired in snp_host_detach_flow, which invokes snp_flow_dec_host_tcp_eflow_counters;
an attempt is then made to acquire the Reverse_flow->host_B host-lock in snp_flow_dec_host_tcp_eflow_counters.

Core-2:
The Forward_flow->host_A host-lock was acquired in snp_host_detach_flow, which invokes snp_flow_dec_host_tcp_eflow_counters;
an attempt is then made to acquire the Reverse_flow->host_B host-lock in snp_flow_dec_host_tcp_eflow_counters.


Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
100.8(38.102), 8.4(7.9), 9.1, 9.1(4.5), 9.1(5)
Known Fixed Releases:
100.10(9.6), 100.7(6.131), 100.8(38.126), 100.8(40.68), 100.8(56.32), 100.8(63.2), 100.8(64.6), 100.8(65.4), 100.8(66.7), 8.2(5.50)
Bug Id:
CSCuu57547
Title:
ASA SIP inspected traffic matches wrong NAT rule
Description:

Symptom:
ASA SIP inspected traffic matches the wrong NAT rule.

As a result, SIP-related streams such as BFCP traffic (source port UDP 5070) are diverted to the wrong egress interface.

Conditions:

Workaround:
Disable SIP inspection

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.0(1), 9.1(5), 9.1(6.4), 9.2(3.4), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCuu63656
Title:
ASA not generating PIM register packet for directly connected sources
Description:

Symptom:
Topology
------------
Sender ---> ASA(DR) ----> RP -----> Receiver

Running 9.2.1 or later on the ASA, with the Sender directly connected to the ASA (DR):
Sender is behind the ASA
RP is in front of the ASA
ASA is not sending the PIM Register packet to the RP

Conditions:
Running 9.2.1 or later.

Workaround:
Downgrade to 9.1.5 code.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.2(1), 9.3(2), 9.4
Known Fixed Releases:
100.12(0.130), 100.13(0.80), 100.14(0.45), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12)
Bug Id:
CSCuv32615
Title:
ASA: LDAP over SSL Authentication failure with TLS1.2
Description:

Symptom:
LDAP over SSL authentication fails with the LDAP debugs below.
Session Start
New request Session, context 0x00007fffddc694c0, reqType = Authentication
Fiber started
Creating LDAP context with uri=ldaps://10.1.1.219:636
Connect to LDAP server: ldaps://10.1.1.219:636, status = Failed
Unable to read rootDSE. Can't contact LDAP server.
Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
Session End

The following drop reasons can be seen increasing under "show asp drop":
ssl-record-decrypt-error
np-socket-close

The "show counters" output also shows an increasing SSL error counter:
ASA5500-21# sho count | in SSL
SSLERR DECRYPT_FAIL_OR_BAD_RECORD_MAC 1 Summary

Conditions:
LDAP over SSL is used for client authentication on an ASA running version 9.3(2)1 or above, and TLSv1.2 is used.

Workaround:
Downgrade to 9.3(2).

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.3(2.1), 9.4(1)
Known Fixed Releases:
Bug Id:
CSCuv42394
Title:
ASA Traceback while testing SR628878741 (Part of CSCun12838)
Description:

Symptom:
When we tested SR628878741 of CFD CSCun12838, I noticed the traceback on the Active ASA when it was subjected to a forced crash; though it recovers from the traceback, it ends up with a huge delay in recovery. It further crashes the script.

Conditions:
When the FO pair is loaded with image 916 and the customer config, the traceback is observed with and without traffic.
The type of traffic tested here is TCP (HTTP and FTP). The FO pair was subjected to reload and graceful restart, which went fine. However, when crashed, a core dump was generated.

The same behaviour was observed when tested under the 941 image.

The following are attached:
1) Customer configs (system,ctx1 and ctx2)
2) Log files
3) Traceback decode.

Logs:
941 ==> http://earms-trade.cisco.com/tradeui/resultsviewer.faces?ats=/users/pusnaik/ats5.3.0&client=web&host=sae-lnx-001&archive=pusnaik/archive/15-07/fn_Asa916Nat.2015Jul17_07:01:53.zip

916 ==> http://earms-trade.cisco.com/tradeui/resultsviewer.faces?ats=/users/pusnaik/ats5.3.0&client=web&host=sae-lnx-001&archive=pusnaik/archive/15-07/fn_Asa916Nat.2015Jul17_03:28:29.zip

Workaround:
It may work if we allow a huge delay for the traceback recovery. Even when tested with a 10 minute sleep, it didn't work here.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.1(6.3), 9.4(1.40)
Known Fixed Releases:
Bug Id:
CSCur30359
Title:
ASA:Traceback in Thread Name: emweb/https
Description:

Symptom:
Traceback in Thread Name: emweb/https

Conditions:
ASA reloaded during regular operation

Workaround:
None

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.0(2.10)
Known Fixed Releases:
Bug Id:
CSCuu85497
Title:
ASA Webvpn traceback followed by an unexpected reload
Description:

Symptom:
ASA stops responding to ASDM/WebVPN/AnyConnect and users see a blank page when they connect. After a while the whole box crashes without generating a crashinfo.

Conditions:
The issue has been seen after an upgrade to 9.2.3.4

Workaround:
Reload the ASA.

Further Problem Description:
The issue starts with users reporting that they are unable to use clientless or AnyConnect VPN. At the same time there is no ASDM access to the device. Later the customer notices that they lose all access to the ASA (including ICMP and telnet). We found later that this is because the ASA crashes without generating a crashinfo (a silent crash).

Recorded crash events for WebVPN:
ASA Crash Recovery Dump: Timestamp 2015-05-07 10:11:32
ASA Crash Recovery Dump: Timestamp 2015-05-07 10:11:34

Status:
Terminated
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.2(3.4)
Known Fixed Releases:
Bug Id:
CSCuj88114
Title:
WebVPN Java rewriter issue: Java Plugins fail after upgrade to Java 7u45
Description:

Symptom:
ASA WebVPN Java Plugins fail to load after upgrade to Java 7 Update 45 with the following General Exception error - 'com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: https:///+CSCO+xxxxxxxxxxxxxxxxxxxxxxx++/vnc/VncViewer.jar'

Conditions:
Windows or Mac OS X machines using Java 7 Update 45. Also affects JRE builds 1.6.0.51 and 65.

Workaround:
1) Disable the option 'Keep temporary files on my computer' in the Java Control Panel -> General -> Settings. This works for both Mac OS X and Windows.

2) Downgrade Java to version 7 Update 40 or below.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
8.4, 8.4(2), 8.4(5), 9.1, 9.1(2), 9.1(3)
Known Fixed Releases:
100.10(0.38), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.125), 100.8(38.63), 100.8(40.41), 100.8(45.8), 100.8(46.28)
Bug Id:
CSCuv34202
Title:
ASA5545 9.1.6.6 Flowcontrol not working. No pause frames sent
Description:

Symptom:
ASA5545 9.1.6.6 is not sending XON pause frames

Conditions:
High volume of inbound traffic triggering interface overruns

Workaround:
There is no known workaround

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.1(6.6)
Known Fixed Releases:
Bug Id:
CSCuv20449
Title:
Traceback in Thread Name: ssh when using capture or continuous ping
Description:

Symptom:
ASA Traceback in Thread Name: ssh

Conditions:
Running real time captures via SSH session to ASA.

Workaround:
Do not run real time captures under heavy load conditions via ssh

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.1(6.1), 9.1(6.4)
Known Fixed Releases:
Bug Id:
CSCtg76404
Title:
Traceback in Thread Name: Checkheaps due to logging
Description:

Symptom:
An ASA may crash citing Checkheaps as the crashing thread.

Conditions:
This has been seen in ASA version 8.2.2 and presumably other builds as well. The crash appears to be related to the presence of 'logging flash-bufferwrap'.

Workaround:
At this point, disabling 'logging flash-bufferwrap' may prevent the crash.

Status:
Fixed
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
8.2(2), 8.2(3), 8.3(2)
Known Fixed Releases:
100.7(13.24), 100.7(14.13), 100.7(17.5), 100.7(18.1), 100.7(6.44), 100.7(8.34), 100.7(9.57), 100.8(0.19), 100.8(10.25), 100.8(12.26)
Bug Id:
CSCuj39727
Title:
Unable to modify existing rules/network groups after few days up time
Description:

Symptom:
ASA will stop accepting new commands or changes after some time. ASDM will stop responding, telnet and SSH sessions will hang, and the console will stop accepting input or presenting a prompt.

Conditions:
ASA running 9.1.2

Workaround:
The condition can be cleared with a reload.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases:
100.10(0.30), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.55), 100.8(40.36), 100.8(45.7), 100.8(46.28), 100.8(52.2), 100.9(10.13)
Bug Id:
CSCuv05813
Title:
ASA does not honor custom-defined TCP MSS
Description:

Symptom:
Admin changes the ASA TCP MSS via the command <>. However, the ASA still continues to negotiate TCP using the default MSS of 1460.

Conditions:
-Configure a non-default MSS, such as "sysopt connection tcpmss 1000"
-Send a TCP SYN to the ASA
-The ASA will reply with the default MSS of 1460, not the custom value of 1000
-This problem has been seen on ASA 9.1.5.21, and 9.1.6.6

Workaround:
None.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.1(6.6)
Known Fixed Releases:
Bug Id:
CSCuu87823
Title:
ASAv traceback in DATAPATH when used for WebVPN
Description:

Symptom:
ASAv traceback in DATAPATH when used for WebVPN

Conditions:
ASAv running release 9.4.1 and configured for WebVPN

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
23-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCuq10239
Title:
Windows 8 with new JRE, IE is not gaining access to smart tunnel
Description:

Symptom:
IE on Windows 8 with Java start does not gain access to the smart tunnel

Conditions:
The user starts the smart tunnel with Java, and UAC is turned on

Workaround:
Turn UAC off, or use ActiveX to start the smart tunnel

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases:
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.24), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15)
Bug Id:
CSCuu27334
Title:
ASA: Traceback with Thread Name - AAA
Description:

Symptom:
ASA device traceback with Thread Name: AAA

Conditions:
ASA device running version 9.1(4)

Workaround:
Upgrade to 9.1.6.4 or later.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.18), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Bug Id:
CSCuu63223
Title:
ASA 9.3(1) shared license server stops distributing licenses randomly
Description:

Symptom:
ASA SSLVPN shared license server stops distributing licenses at random intervals. Output of "show shared license" shows wrong values for Available and Utilized licenses.

Shared license utilization:
AnyConnect Premium:
Total for network : 1000
Available : 287789076
Utilized : -287788076
This device:
Platform limit : 1004
Current usage : -287788376
High usage : 150

Conditions:
Issue seen in ASA 9.3(1) acting as a license server.

Workaround:
None. Reload fixes the issue.

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases:
Bug Id:
CSCuh19234
Title:
Traceback after upgrade from pre-8.3 to 8.4(6), 9.1(2) or 9.0(3)
Description:

Symptom:
Crash happens during upgrade migration from pre-8.3 to 8.4(6), 9.1(2) or 9.0(3), causing a boot loop.

Conditions:
ASA with version pre-8.3

Workaround:
Manual migration of the config

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
24-JUL-2015
Known Affected Releases:
8.4(6), 9.0(3), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.19), 100.8(40.8), 100.8(41.2), 100.8(60.21), 100.9(0.51), 100.9(10.1), 100.9(6.28)
Bug Id:
CSCut88287
Title:
ASA Traceback in vpnfol_thread_msg
Description:

Symptom:
ASA device Traceback in vpnfol_thread_msg

Conditions:
ASA device running in Active/Standby HA Pair.

Workaround:
NONE

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
100.12(0.130), 100.13(0.79), 100.14(0.42), 100.14(16.1), 100.14(5.20), 100.14(7.39), 100.15(0.16), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Bug Id:
CSCuv39775
Title:
ASA cluster-Incorrect "current conns" counter in service-policy
Description:

Symptom:
Incorrect "currents conns" counter on service-policy ASA cluster.
Does not match up with the current connection "show connection count" on the unit, will lead to traffic drops in the service-policy once the limit is hit in the service-policy.

Conditions:
1) ASA in a cluster setup.
2) Applies to both single or multiple mode.
3) Typical config :
class connection_limit
set connection conn-max 500000 embryonic-conn-max 2000 per-client-max 200 per-client-embryonic-max 50

Workaround:
None.

Further Problem Description:
CLSTR1-Primary/ASAFW# cluster exec show service-policy | i conns
CLSTR1-Primary(LOCAL):************************************************
current embryonic conns 3, current conns 5732, drop 0

CLSTR1-Secondary:*******************************************************
current embryonic conns 1, current conns 88720, drop 0 <<<<
CLSTR1-Primary/ASAFW# cluster exec show conn count
CLSTR1-Primary(LOCAL):************************************************
5823 in use, 36602 most used
Cluster stub connections: 3300 in use, 30142491 most used

CLSTR1-Secondary:*******************************************************
3270 in use, 120262 most used <<<<<<<<<<<<<<
Cluster stub connections: 5794 in use, 5288523 most used

Status:
Open
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.1(2), 9.2(2.4), 9.3(3.2)
Known Fixed Releases:
Bug Id:
CSCut71095
Title:
ASA WebVPN clientless cookie authentication bypass
Description:

Symptom:
In some instances, the ASA WebVPN clientless session ID is included in the URL. Session IDs should only be stored in cookies and transmitted over secure channels.

Conditions:
-- WebVPN

Workaround:
none

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.1, 9.4(1)
Known Fixed Releases:
100.12(0.130), 100.13(0.80), 100.14(0.44), 100.14(16.1), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Bug Id:
CSCus15721
Title:
ASA: ICMP loop when cluster member rejoins the cluster.
Description:

Symptom:
On an ASA cluster connected to a Nexus 7k, an ICMP loop can be observed, triggered by a cluster member rejoining the cluster.

Conditions:
+cluster running with interfaces in individual mode
+continuous ping to the ASAs data interfaces
+same-security-permit intra-interface

Workaround:
+clear the icmp connection on the ASA
+to prevent the loop disable same-security-permit intra-interface

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
100.11(0.55), 100.12(0.111), 100.13(0.19), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.1), 100.14(12.1), 100.14(5.1), 100.15(0.1)
Bug Id:
CSCti05769
Title:
Migration of max_conn/em_limit to MPF is completely wrong in 8.3
Description:

Symptom:
Migration to Modular Policy Framework may yield an incorrect configuration. This may result in loss of TCP Intercept protection against SYN floods coming from the outside as MPF limits are configured in the incorrect direction. Protection against server overloading may also be lost because the migrated configuration incorrectly limits the number of outbound established connections from the server to the outside.

Conditions:

Workaround:
The configuration created by the migration process must be removed, and the limits must be set manually via MPF in the proper direction.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Bug Id:
CSCuv01177
Title:
ASA: traceback in IDFW AD agent
Description:

Symptom:
ASA5585 in failover pair may traceback in IDFW process.

Conditions:
ASA running IDFW features.

Workaround:
Disable IDFW.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases:
100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Bug Id:
CSCuv45756
Title:
ASA may traceback when displaying packet capture with trace option
Description:

Symptom:
ASA traceback.

Conditions:
ASA running 9.4(1) displaying captures with trace detail option.

Workaround:
Avoid using trace detail option in captures.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCug88962
Title:
Hitless upgrade fails with error "Number of interfaces...not consistent"
Description:

Symptom:
A hitless upgrade of a failover pair of ASAs from a version prior to 8.4(6), 9.0(2) and 9.1(1)3 to a version at or after 8.4(6), 9.0(2) and 9.1(1)3 might fail. When the standby boots up with the new version, failover synchronization might fail and the following error might be printed to the console:

"Number of interfaces on Active and Standby are not consistent.If the problem persists, you should disable and re-enable failover on the Standby."

Conditions:
To encounter the problem, all of the following conditions must be met:

1) The ASAs must be in a failover setup
2) A hitless upgrade must be attempted. This involves loading the new code version onto the disk of the standby ASA, then rebooting it so that it boots up running the new version, and syncs with the active ASA.
3) The active ASA running the old code must be running a version of code prior to 8.4(6), 9.0(2), or 9.1(1)3
4) The standby ASA must be rebooted and running a version of code 8.4(6) or 8.4(6)1, 9.0(2) or 9.1(2) or later

Workaround:
Since the synchronization of the ASAs fails due to this bug, a hitless upgrade might not work. The workaround is to configure both ASAs to boot up with the new version of code, and reload both ASAs (first the standby ASA, then 30 seconds later the Active ASA). Both units will boot up ok, and then since both units are running the same version of code they will synchronize correctly.

Further Problem Description:
In the above situation, i.e. after the standby was reloaded and the error message "Number of interfaces on Active and Standby are not consistent.If the problem persists, you should disable and re-enable failover on the Standby." shows up on the device console, if a failover is performed to make the standby unit take the active role, there could be issues with MAC address switchover between the ASA devices: the new active unit may not use the previous active device's MAC address, or the new standby unit may not use the previous standby's MAC address.

This would result in traffic flows failing through the ASA failover pair.

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
8.4(6.1)
Known Fixed Releases:
100.7(6.118), 100.8(27.83), 100.8(38.18), 100.8(40.6), 100.8(41.2), 100.8(60.15), 100.9(0.46), 100.9(10.1), 100.9(6.28), 100.9(7.24)
Bug Id:
CSCuv07106
Title:
ASA Traceback in ssh whilst adding new line to extended ACL
Description:

Symptom:
ASA traceback in ssh whilst adding an extended ACL

Conditions:
Making a change to an ACL that is part of a class-map which is then applied under a policy-map

Workaround:
1. Remove any ethertype ACL, if one is configured, e.g.:
no access-list bpdu-deny ethertype deny bpdu

2. Modify or add the new ACE to the ACL associated with the class-map.

3. Reapply the removed ethertype ACL with its relevant configuration.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
8.4(7.22), 8.4(7.27), 8.4(7.28)
Known Fixed Releases:
100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Bug Id:
CSCus92856
Title:
ASA traceback in DATAPATH Thread due to Double Block Free
Description:

Symptom:
ASA reloads and generates crashinfo in Thread DATAPATH.
The issue is specific to a cluster with multi-context mode and interface sharing. It was exposed by fragmentation occurring on a shared interface.

Conditions:
Clustering is enabled on ASA

Workaround:
Avoid using loopback/shared interface

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.11(0.58), 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.24), 100.14(7.23), 100.15(0.9)
Bug Id:
CSCur09141
Title:
RRI static routing changes not updated in routing table
Description:

Symptom:
Clearing the crypto config for a S2S tunnel does not remove the static reverse route from the routing table. A stuck route can be seen in the routing table.

Conditions:
RRI being used with static crypto map for a S2S tunnel. The crypto map config is removed using the clear config command.

Workaround:
None.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.12(0.131), 100.13(0.81), 100.14(0.48), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.53), 100.15(3.9)
Bug Id:
CSCuu56912
Title:
ASA change non-default port to 443 for https traffic redirected to CWS
Description:

Symptom:
ASA changes the non-default port to 443 for HTTPS traffic redirected to CWS.

When the user types the URL https://X.X.X.X:YYYY into a web browser, debug scansafe generates
...
Complete Connect Method (513)
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443
...

For traffic captured on the outside interface towards the CWS tower, the Wireshark 'Follow TCP Stream' view displays
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443

Conditions:
ASA is configured to redirect non-default port for https traffic to CWS.

Workaround:
NONE

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.0, 9.1, 9.4
Known Fixed Releases:
100.12(0.129), 100.13(0.79), 100.14(0.39), 100.14(16.1), 100.14(5.19), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8), 100.15(4.12)
Bug Id:
CSCuu78835
Title:
Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5
Description:

Symptom:
On the latest Atlassian Confluence version 6.4.5, the following issues occur when using it over clientless SSL:

1. For a new "create content" page, only the title of the page can be added, the body of the page is not editable.
2. When trying to add a comment, the body of the comment is missing, so nothing can be added.

Conditions:
Using Atlassian version 6.4.5 for Confluence

Workaround:
Use older versions of Atlassian Confluence

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
100.8(40.67), 9.2(2), 9.3(2), 9.4(1)
Known Fixed Releases:
100.12(0.132), 100.13(0.82), 100.14(0.57), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Bug Id:
CSCuu77207
Title:
ASA - URL filter - crash on thread name uauth_urlb clean
Description:

Symptom:
ASAs running URL filtering (Websense) and traffic redirection to the SFR module may experience a crash in the thread named uauth_urlb clean.

Conditions:
- Seen on 9.4.1 ASA code
- URL filtering configured and being used
- Higher amounts of traffic (500+ mbps)
- Traffic redirection to the SFr module

Workaround:
Possible temporary workarounds:

- Disable traffic redirection to the SFR module
- Disable URL filtering (websense)

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCuq76847
Title:
ASA:Page fault traceback ACL FQDN Object-group
Description:

Symptom:
An ASA generated a traceback while updating an FQDN object group.

Conditions:
An ASA must reference FQDN ACLs

Workaround:
No known workaround at this time

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
100.12(10.30), 9.1(2.3), 9.2(1), 9.2(2.4)
Known Fixed Releases:
100.11(0.47), 100.12(0.51), 100.12(22.1), 100.12(6.7), 100.13(0.3), 100.13(12.5), 100.13(13.1), 100.13(14.3), 100.13(15.2), 100.13(16.1)
Bug Id:
CSCuj30119
Title:
ASA Version 8.4(6)6 traceback in Thread Name: DATAPATH-2-1144
Description:

Symptom:
ASA traceback in Thread Name: DATAPATH-2-1144.

Conditions:
ASA is running version 8.4(6)6 in a VPN environment.

Workaround:
None

Further Problem Description:
None

Status:
Terminated
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
8.4(6.6)
Known Fixed Releases:
Bug Id:
CSCtn56501
Title:
ASA may generate crypto archive with IPSec Ring timeout crash type
Description:

Symptom:
Crashes seen on ASA crypto engine:

Syslog messages 402125-402127 indicating crypto chip crash and soft-reset, on multiple occasions, which leads to a situation where:

1. Packets that should be serviced by the crypto engine [SSH, IPSec] are dropped
2. Crypto Archive files are generated:
#show flash:/crypto_archive
1 590756 Oct 11 2012 19:06:28 crypto_archive/crypto_eng0_arch_1.bin
2 590756 Oct 11 2012 19:07:04 crypto_archive/crypto_eng0_arch_2.bin
3. Syslog such as:

ASA-4-402125 CRYPTO: The ASA hardware accelerator Ipsec ring timed out (Desc= 0xC83DC7D8, CtrlStat= 0xB000, ResultP= 0xC5AEE8B0, ResultVal= 11, Cmd= 0x30, CmdSize= 0, Param= 0x0, Dlen=232, DataP= 0xC5AEE7D4, CtxtP= 0xC635A570, SWReset= 7)

ASA-4-402126 CRYPTO: The ASA created Crypto Archive File < disk0:/crypto_archive/crypto_eng0_arch_1.bin > as a Soft Reset was necessary. Please forward this archived information to Cisco.

Conditions:
ASA with Crypto Services enabled [IPSec, SSH]

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
8.2, 8.2(5)
Known Fixed Releases:
100.7(13.43), 100.7(14.36), 100.7(17.7), 100.7(18.4), 100.7(6.51), 100.8(0.40), 100.8(11.4), 100.8(15.17), 100.8(19.35), 100.8(2.30)
Bug Id:
CSCui20346
Title:
ASA: Watchdog traceback in DATAPATH thread
Description:

Symptom:
In rare situations, an ASA may generate a traceback and reload in the DATAPATH thread.

Conditions:
This issue has been seen in version 9.1(2). Other versions may also be affected.

Workaround:
There is no known workaround at this time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.1(2), 9.1(3)
Known Fixed Releases:
100.10(0.24), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.47), 100.8(40.29), 100.8(45.5), 100.8(46.11), 100.8(48.1), 100.8(51.1)
Bug Id:
CSCud90534
Title:
ASA traceback with Checkheaps thread
Description:

Symptom:
ASA may crash with Checkheaps thread due to memory corruption:
"CHECKHEAPS HAS DETECTED A MEMORY CORRUPTION Message
Reason: Heap memory corrupted"

Conditions:
To-the-box SSL connections (HTTPS management, WebVPN, etc.) can corrupt the emweb/https thread stack.

Workaround:
Avoid to-the-box https connections.

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.0(1), 9.0(2)
Known Fixed Releases:
100.8(27.34), 100.8(50.21), 100.9(0.23), 100.9(4.1), 100.9(7.1), 100.9(8.1), 100.9(9.1), 9.0(2.100), 9.0(2.7), 9.0(3)
Bug Id:
CSCua76973
Title:
ASA: Some NAT configuration removed on failover upgrade to 8.4(4)
Description:

Symptom:
On upgrading to ASA 8.4(4) or higher, some NAT configuration may be removed from the configuration with an error similar to the one below:

ERROR: 192.168.1.0-192.168.1.255 overlaps with inside standby interface address
ERROR: NAT Policy is not downloaded

This issue also occurs when upgrading to 8.6.1.6 or higher.

Conditions:
To trigger this, the ASA needs to be upgraded to 8.4(4) or higher (or 8.6.1.6 or higher) with the following conditions met in its configuration:

a) ASA needs to have a standby address configured on its interface. For example:
interface eth0/0
nameif inside
security-level 100
ip add 192.168.1.1 255.255.255.0 standby 192.168.1.2

b) ASAs running 8.3 or higher (but lower than 8.4(4)) should be configured with a NAT rule whose source mapped address range includes the mapped interface's subnet. For example:

object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
!
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.10.10.0 obj-10.10.10.0 no-proxy-arp

Note that the mapped interface is "any", which includes the "inside" interface, and the source mapped address range specified by obj-192.168.1.0 includes the "inside" interface standby address 192.168.1.2.

OR

c) ASAs running version 8.2 or lower should be configured with a NAT exemption rule with an access-list entry whose source address range includes the interface on which this rule is applied. For example:

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

Note that the access-list entry has a source range 192.168.1.0/24 which includes the "inside" interface standby address 192.168.1.2.

Workaround:
a) For ASAs running 8.2 or lower, upgrade to a version prior to 8.4(4) and apply one of the below workarounds before moving to 8.4(4).
b) For ASAs running version 8.3 or higher (before 8.4(4)), ensure all such NAT rules in the configuration have the mapped interface(s) listed as specific as possible in place of "any" before upgrading to 8.4(4). For example, if the subnet 10.10.10.0/24 is reachable through the "outside" interface, the NAT command can be changed to:
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.10.10.0 obj-10.10.10.0 no-proxy-arp

OR

c) If the above workaround cannot be applied (for example, if the subnet 10.10.10.0/24 is reachable through the "inside" interface itself), then remove the standby IP address from the interface, apply the NAT command and then re-apply the standby IP address. In the above example, this is achieved as follows:
ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# exit
ciscoasa(config)# nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.10.10.0 obj-10.10.10.0
ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

Note that removing and re-applying the IP address may result in a network outage.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
8.4(4)
Known Fixed Releases:
100.7(13.91), 100.7(6.88), 8.4(4.4), 8.4(4.99), 8.4(5)
Bug Id:
CSCui76124
Title:
Unable to telnet to ASA due to telnet limit reached
Description:

Symptom:
Unable to telnet to the ASA due to the limit of 5 simultaneous sessions reached.

This situation can be verified with the output of 'show resource usage', which will show output like the following:
Resource Current Peak Limit Denied Context
Telnet 5 5 5 0 System

Conditions:
Telnet is used to manage the ASA

Workaround:
Reload or failover the ASA to mitigate the problem.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.0(3), 9.1(1)
Known Fixed Releases:
100.10(0.14), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.33), 100.8(40.22), 100.8(41.2), 100.8(45.2), 100.8(46.1), 100.8(49.1)
Bug Id:
CSCul36176
Title:
Cisco ASA VPN Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, including but not limited to cross-site scripting (XSS), credential theft, or redirection of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3383 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
100.10(0.42), 100.8(38.72), 100.8(40.45), 9.1(4.3), 9.1(5)
Known Fixed Releases:
100.10(0.46), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.74), 100.8(40.48), 100.8(46.47), 100.8(51.10), 100.9(10.18), 9.1(5.1)
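
Every entry on this page closes with Known Affected / Known Fixed Releases in Cisco's release notation (9.1(5.1), 100.10(0.46), 7.2). The following Python is an added example, not Cisco's tooling or code from this page: it normalises those strings so a running release can be compared against the lists, using the CSCul36176 lists above as sample data. Assumptions: the 9.1(6)5 form seen elsewhere on this page is read as interim 5 of 9.1(6); the dotted 9.4.1.1 form is read the same way as 9.4(1.1); 100.x entries are treated as engineering builds that are only comparable within their branch; the function names are this example's own.

```python
import re
from typing import Iterable, Optional, Tuple

Release = Tuple[int, int, int, int]

# Sample lists copied from the Known Affected/Fixed Releases of CSCul36176 above.
AFFECTED = ["100.10(0.42)", "100.8(38.72)", "100.8(40.45)", "9.1(4.3)", "9.1(5)"]
FIXED = ["100.10(0.46)", "100.10(2.3)", "100.10(3.1)", "100.10(9.1)", "100.8(38.74)",
         "100.8(40.48)", "100.8(46.47)", "100.8(51.10)", "100.9(10.18)", "9.1(5.1)"]

# Assumption: 100.x(...) entries are engineering/interim builds, not shipping trains;
# their third number identifies a branch, so they are only compared within that branch.
ENGINEERING_MAJOR = 100

# Accepts 9.1(5), 9.1(5.1), 9.1(6)5 (assumed to mean interim 5 of 9.1(6)), 7.2, 100.10(0.46).
_PAREN_FORM = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)(?:\.(\d+))?\))?(\d+)?$")


def parse_release(text: str) -> Release:
    """Normalise an ASA release string to (major, minor, maintenance, interim)."""
    s = text.strip()
    m = _PAREN_FORM.match(s)
    if m:
        major, minor, maint, interim_in_parens, interim_after = m.groups()
        interim = interim_in_parens if interim_in_parens is not None else interim_after
        return (int(major), int(minor), int(maint or 0), int(interim or 0))
    parts = s.split(".")  # dotted form such as 9.4.1.1, as written in CSCuu88437
    if 2 <= len(parts) <= 4 and all(p.isdigit() for p in parts):
        nums = [int(p) for p in parts] + [0] * (4 - len(parts))
        return (nums[0], nums[1], nums[2], nums[3])
    raise ValueError(f"unrecognised ASA release string: {text!r}")


def _branch_key(rel: Release) -> Tuple[int, ...]:
    """Shipping releases compare within major.minor; engineering builds within major.minor(branch)."""
    return rel[:3] if rel[0] >= ENGINEERING_MAJOR else rel[:2]


def first_fix_for(running: str, fixed: Iterable[str]) -> Optional[str]:
    """Lowest listed fixed release in the same train (or engineering branch), if any."""
    r = parse_release(running)
    candidates = sorted(
        (parse_release(f), f) for f in fixed if _branch_key(parse_release(f)) == _branch_key(r)
    )
    return candidates[0][1] if candidates else None


def status(running: str, affected: Iterable[str], fixed: Iterable[str]) -> str:
    """Classify a running release as 'affected', 'fixed' or 'unknown'.

    Exact matches win. For shipping trains, a release at or above the lowest fix in its
    train is treated as fixed. Everything else is 'unknown': these are *known* lists,
    not exhaustive ones, so absence from both is not evidence of safety.
    """
    r = parse_release(running)
    if r in {parse_release(a) for a in affected}:
        return "affected"
    fixed_set = {parse_release(f) for f in fixed}
    if r in fixed_set:
        return "fixed"
    if r[0] >= ENGINEERING_MAJOR:
        return "unknown"  # interim build numbers are not ordered across branches
    train_fixes = sorted(f for f in fixed_set if f[:2] == r[:2])
    if train_fixes and r >= train_fixes[0]:
        return "fixed"
    return "unknown"


if __name__ == "__main__":
    for rel in ("9.1(5)", "9.1(5.1)", "9.1(6)", "9.0(4)", "100.8(40.45)"):
        print(rel, status(rel, AFFECTED, FIXED), first_fix_for(rel, FIXED))
```

'unknown' is deliberately not 'safe': a release absent from both lists should be checked against the linked advisory rather than assumed clean.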
Bug Id:
CSCsw70786
Title:
SACK is dropped when TCP inspection engines are used
Description:

Symptom:
ASA/PIX drops TCP segments that carry the SACK option when TCP inspection engines are enabled.

Conditions:
TCP inspection engines are enabled and TCP segments passing through the ASA/PIX have the SACK option set.

Workaround:
Turn off the TCP inspection engines.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
7.0(7), 7.1(0), 7.2, 7.2(4), 8.0(2), 8.0(4), 8.1(2)
Known Fixed Releases:
100.3(0.2), 100.4(0.2), 7.2(4.32), 8.0(4.30), 8.0(5), 8.1(2.21), 8.2(1.10), 8.2(4)
Bug Id:
CSCty54953
Title:
ASA Continuously rebooting due to failed identification test
Description:

Symptom:
The ASA 5585 reloads because of a failed identification test during boot. This can cause the ASA 5585 to get stuck in a continuous boot loop.

Conditions:
This issue is seen right after the ASA 5585 boots up. It is caused by a memory corruption problem that is very difficult to reproduce and is seen extremely rarely. The root cause affects the ASA 5585 platform only; other ASA platforms are not impacted.

Workaround:
A power cycle of the ASA might resolve the issue and allow the ASA to boot normally.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
100.8(0.69), 100.8(0.85), 8.2(5.41)
Known Fixed Releases:
100.7(13.66), 100.7(20.4), 100.7(21.3), 100.7(6.71), 100.8(0.105), 100.8(11.16), 100.8(27.2), 100.8(33.2), 100.8(36.1), 100.9(0.1)
Bug Id:
CSCtq30320
Title:
ASA should allow AC connections without a package configured
Description:

Symptom:
The ASA does not allow AnyConnect client connections from mobile clients unless at least one AnyConnect package is installed on the ASA. Mobile users get the error "Anyconnect is not enabled on VPN server".

Conditions:
No AnyConnect pkg file configured on the ASA
AnyConnect connection made from mobile clients (iOS, Android)

Workaround:
Configure at least one pkg in the ASA configuration, as follows:

webvpn
anyconnect image disk0:/anyconnect-win-3.1.08009-k9.pkg 1

Status:
Fixed
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
100.8(0)
Known Fixed Releases:
100.8(0.149), 100.8(11.23), 100.8(27.19), 100.8(33.7), 100.8(34.1), 100.9(0.1), 100.9(2.1), 9.0(0.99), 9.0(1), 9.1(1)
Bug Id:
CSCus27687
Title:
ASA crashed in "Thread Name: DATAPATH-15-2550"
Description:

Symptom:
ASA traceback in Thread Name: DATAPATH due to a double block free

Conditions:

Workaround:

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
24-JUL-2015
Known Affected Releases:
9.1(5.19)
Known Fixed Releases:
Bug Id:
CSCuv48048
Title:
ASA not generating PIM register packet for directly connected sources
Description:

Symptom:
Topology
------------
Sender ---> ASA(DR) ----> RP -----> Receiver

The ASA is running 9.2.1 or later and the Sender is directly connected to the ASA (the DR)
The Sender is behind the ASA
The RP is in front of the ASA
The ASA does not send a PIM Register packet to the RP

Conditions:
Running 9.2.1 or later

Workaround:
Downgrade to 9.1.5

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
25-JUL-2015
Known Affected Releases:
9.4(1.3)
Known Fixed Releases:
Bug Id:
CSCug76721
Title:
ipsecvpn-datapath: assert crash with Thread Name: IPsec message handler
Description:

Symptom:
In rare cases, with a specific configuration, the ASA crashes after a reload in roughly 1 of 10 attempts.

Conditions:
ASA configured for site-to-site VPN.

Workaround:
None found

More Info:

Status:
Terminated
Severity:
2 Severe
Last Modified:
25-JUL-2015
Known Affected Releases:
9.1(1.8)
Known Fixed Releases:
Bug Id:
CSCuu84085
Title:
DHCP-DHCP Proxy thread Crash shortly after failover and reload
Description:

Symptom:
Crash as soon as the standby unit takes over as the active unit.

Conditions:
DHCP configured on ASA running 9.1(6)5 or 9.1(6)6.

Workaround:
Downgrade to 9.1(6)4

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
25-JUL-2015
Known Affected Releases:
100.14(0.16), 100.14(0.30), 100.14(0.42)
Known Fixed Releases:
100.12(0.131), 100.13(0.81), 100.14(0.49), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54), 100.15(3.9)
Bug Id:
CSCuu88437
Title:
ASA5506-X:copy file operations fail with jumbo-frame-reservation config
Description:

Symptom:
Copy file operations fail with an error when running these images (9.4.1.1, 9.4.1.2) on an ASA 5506-X with "jumbo-frame reservation" enabled in the configuration. The error displayed is:

"Error writing disk0:/ (Cannot allocate memory)"

It doesn't matter which file you operate on (an ASDM or an LFBFF image), or whether you are copying from ftp/tftp to disk0 or simply copying disk0:/file to disk0:/file1.
I used the asdm-732.bin image for this operation:
"copy disk0:/asdm-732.bin disk0:/asdm1", which errors out with the above error.

Conditions:
Copy file operations to disk0 on an ASA 5506-X.

Workaround:
Remove the "jumbo-frame reservation" CLI config and reboot; copy operations then succeed. Re-enable the CLI after the copy operations are complete.

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
25-JUL-2015
Known Affected Releases:
100.14(0.47)
Known Fixed Releases:
100.13(0.81), 100.14(0.48), 100.14(0.49), 100.14(0.66), 100.14(16.1), 100.14(5.23), 100.14(5.26), 100.14(7.42), 100.15(0.17), 100.15(1.22)
Bug Id:
CSCut85724
Title:
ASA 5506 : Encrypted keys replaced with characters 'x' post reload
Description:

Symptom:
Keys and passwords that are normally obfuscated with asterisks (*****) might be replaced by the literal string "*****" after a reload.

Conditions:
Observed on an ASA 5506 running 9.4(1).

Workaround:
None

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCun24142
Title:
Dynamic Routes missing on standby ASA in Stateful HA
Description:

Symptom:
1) Some dynamic (EIGRP) routes are missing on the standby
2) The standby ASA is not reachable from some subnets, whereas the active ASA is reachable from the same subnets

Conditions:
1) Active/Standby stateful failover configured
2) Dynamic routing enabled on the ASA
3) Large number of routes and connections on the ASA (probably)

Workaround:
1) Replicate the dynamic routes one by one (by adding them incrementally on the EIGRP neighbor of the ASA)
2) Add static routes on the ASA for the missing EIGRP routes

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
26-JUL-2015
Known Affected Releases:
8.4(7.3)
Known Fixed Releases:
Bug Id:
CSCur06331
Title:
ASA Traceback with spin_lock in DATAPATH
Description:

Symptom:
Hardware : ASA5585-SSP-60
Software : 9.1(4)5
Problem Description : ASA Traceback with spin_lock in DATAPATH

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
26-JUL-2015
Known Affected Releases:
9.1(4.5)
Known Fixed Releases:
Bug Id:
CSCur68866
Title:
QEMU virtqueue_map_sg() Function Input Validation Buffer Overflow Vuln
Description:

Symptom:
This product includes third-party software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2013-4535

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-4535 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
26-JUL-2015
Known Affected Releases:
9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
100.12(0.136), 100.13(0.90)
Bug Id:
CSCtr63728
Title:
SIP Inspection Media Update Denial of Service Vulnerability
Description:

Symptom:
Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.


Conditions:
See PSIRT Security Advisory.


Workaround:
See PSIRT Security Advisory.

Further Problem Description:
See PSIRT Security Advisory.

PSIRT Evaluation:

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities listed above.
A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
8.2(5), 8.4(2)
Known Fixed Releases:
100.7(13.33), 100.7(14.23), 100.7(18.2), 100.7(6.44), 100.7(8.34), 100.8(0.28), 100.8(10.40), 100.8(15.7), 100.8(19.16), 100.8(2.16)
Bug Id:
CSCut86775
Title:
ASA SSLVPN traceback due to memory corruption
Description:

Symptom:
ASA with WebVPN portal crashes

Conditions:
Not yet fully known

Workaround:
None

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
9.3(2), 9.3(2.2)
Known Fixed Releases:
Bug Id:
CSCus70074
Title:
ASA Traceback in Thread Name:DATAPATH-7-2590
Description:

Symptom:
ASA Traceback in Thread Name:DATAPATH-7-2590

Conditions:
ASA running version 9.3(1)

Workaround:
None

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases:
Bug Id:
CSCum56399
Title:
Cisco ASA GTP Inspection Engine Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, including but not limited to cross-site scripting (XSS), credential theft, or redirection of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3386 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases:
100.10(9.6), 100.7(6.129), 100.8(38.119), 100.8(40.61), 100.8(56.23), 100.8(62.2), 100.8(64.3), 100.8(65.3), 100.8(66.4), 100.8(67.1)
Bug Id:
CSCui77398
Title:
Cisco ASA Crafted ICMP Packet Denial of Service Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability
Crafted ICMP Packet Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability, and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Successful exploitation of the Crafted ICMP Packet Denial of Service Vulnerability may result in valid connections passing through or directed to the affected system being torn down, or cause a reload of the system, leading to a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.5/7.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:OF/RC:C
CVE ID has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
8.4(7), 9.0(3), 9.0(3.2), 9.1(2.101), 9.1(2.7), 9.1(3.249)
Known Fixed Releases:
100.10(0.14), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(13.118), 100.7(6.122), 100.8(38.33), 100.8(40.22), 100.8(41.2), 100.8(45.2)
Bug Id:
CSCus46895
Title:
WebVPN Rewriter: "parse" method returns curly brace instead of semicolon
Description:

Symptom:
- Some functionality does not work
- Requests are passed unmangled (not rewritten)

Conditions:
JavaScript code with a complex expression in which a new segment is followed by a closing curly bracket, e.g.:

if(0){ var tmpArray = new Array(); }
function (){ eval(g); }

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
100.13(24.3), 100.8(40), 9.3(3), 9.3(3.1), 9.3(3.220)
Known Fixed Releases:
100.11(0.57), 100.12(0.118), 100.13(0.57), 100.13(21.10), 100.14(0.5), 100.14(1.4), 100.14(10.8), 100.14(11.8), 100.14(2.12), 100.14(26.5)
Bug Id:
CSCup36829
Title:
Cisco ASA SSL VPN Portal Customization Integrity Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, including but not limited to cross-site scripting (XSS), credential theft, or redirection of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.3/7.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:C/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2014-3393 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
27-JUL-2015
Known Affected Releases:
8.1(2.7), 9.1(5.231)
Known Fixed Releases:
100.11(0.28), 100.11(5.40), 100.11(6.4), 100.12(0.14), 100.12(1.5), 100.12(12.2), 100.12(13.8), 100.12(15.2), 100.12(16.6), 100.12(17.10)
Bug Id:
CSCuh13899
Title:
ASA protocol inspection connection table fill up DOS Vulnerability
Description:

Symptom:
Some connections may not be removed even after the idle timeout is reached.

Conditions:
Non-inspected flows and flows inspected in the control plane (CP) are affected.
Flows inspected in the data path (DP), such as icmp, icmp-error, simple-dns (udp), simple-http, ip-thru, waas, srtp, ip-options and ipv6, are not affected.

Workaround:
1. Clear the connections using the command "clear conn".
2. Disable the specific protocol inspection where possible and open the higher port ranges in the ACL.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2013-3463 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3463

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
8.3(2), 8.4(5.7), 8.4(6), 9.0(2.3), 9.1(1.5), 9.1(2.1)
Known Fixed Releases:
100.10(0.6), 100.7(13.118), 100.7(6.121), 100.8(27.85), 100.8(38.28), 100.8(40.16), 100.8(41.2), 100.8(60.34), 100.9(10.4), 100.9(6.32)
Bug Id:
CSCuu28858
Title:
ASA sends PIM join to both upstream neighbors
Description:

Symptom:
The ASA sends a PIM join to multiple upstream neighbors when equal-cost routes exist for the upstream traffic.

Conditions:
ASA configured with equal-cost routes upstream.

Workaround:
Configure a static route,
or
configure dynamic routing so that one route is preferred over the other.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
9.0(4)
Known Fixed Releases:
Bug Id:
CSCuu28909
Title:
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel
Description:

Symptom:
In an ASA cluster a packet loop may be seen on the cluster control link (CCL). The loop forms when an ICMP error packet should be sent through a site-to-site VPN tunnel; such a packet may loop and cause elevated CPU utilization on the ASA.

Conditions:
+ASA cluster
+Site-to-site VPN tunnel configured
+ICMP error packets destined to the VPN tunnel

Workaround:
+Deny ICMP errors using an access-list on the data interfaces

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
9.1(6.1), 9.4(1)
Known Fixed Releases:
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9)
Bug Id:
CSCub08310
Title:
ASA "write standby" fails with "Failed to initialize interface" error
Description:

Symptom:
The "write standby" command may fail to synchronize the configuration from the active ASA to the standby ASA. If "debug fover fail" is enabled, the following error messages may be printed on the standby unit:

Beginning configuration replication from mate.
ERROR: open(np/port/ec/40/10/23/24/25/26/-1/-1/-1/-1/-1/-1/-1/-1/-1/-1/-1/-1) failed.
ERROR: open(Po11) failed.
ERROR: Failed to initialize interface inside
ERROR: Add interface failed.

This causes all "nameif" commands to be lost from the context configuration, and the standby configuration becomes unsynchronized with the active:

Number of interfaces on Active and Standby are not consistent.
If the problem persists, you should disable and re-enable failover
on the Standby.

Conditions:
ASA 8.4(3.9). Exact conditions are not yet known.

Workaround:
Do not use "write standby".

Status:
Terminated
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
8.4(3.9)
Known Fixed Releases:
Bug Id:
CSCuu04160
Title:
snmpwalk causes slow memory leak on ASA
Description:

Symptom:
Free memory on the ASA declines slowly over time (memory leak).

Conditions:
ASA configured to allow SNMP polling.
An NMS is performing SNMP walks against the ASA.

Workaround:
Disable SNMP on the ASA, or stop SNMP-walking the ASA.
Reboot the ASA to reclaim the leaked memory.

Further Problem Description:
This may also cause a CPU hog in qos_metric_daemon after some time.

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
100.13(30.7), 9.4(1)
Known Fixed Releases:
100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.25), 100.14(7.23), 100.15(0.9), 100.15(1.3), 100.15(2.28)
Bug Id:
CSCze96017
Title:
Active ftp-data is blocked by Firepower on Chivas Beta on 5512
Description:

Symptom:
The system incorrectly processes data channels matching applied access control, intrusion, and network discovery policies.

Conditions:
Configure an ASA FirePOWER module running Version 5.0 or later with network address translation (NAT).

Workaround:
1. Create a policy to allow ftp-data traffic from Server to Client
or
2. Use passive FTP

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases:
100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12), 100.15(5.20)
Bug Id:
CSCur07061
Title:
Traceback on standby ASA during hitless upgrade
Description:

Regression caused by a fix in CSCuq37448

Symptom: ASA system traceback was observed in the data path.

Conditions: Cisco ASA running release 9.1.5.16.
Workaround: NA

More Info: This issue was seen in one case when doing a system test with ASAv during a hitless upgrade. In another case, the trace indicated it might be related to using the capture feature on an ASA-SM. However, the issue is not related to failover or packet capture.
In the bug fix of CSCuq37448, we added code for detecting and handling IPsec HA packets. That fix failed to handle certain corner cases and could subsequently cause a traceback. The fix removes the special handling.



Status:
Fixed
Severity:
2 Severe
Last Modified:
27-JUL-2015
Known Affected Releases:
100.12(0.56), 100.13(11.7)
Known Fixed Releases:
100.11(0.50), 100.11(0.57), 100.12(0.118), 100.12(0.70), 100.12(6.20), 100.13(0.58), 100.13(0.6), 100.13(11.10), 100.13(12.16), 100.13(15.7)
Bug Id:
CSCuv49446
Title:
ASA traceback on Standby device in thread DATAPATH
Description:

Symptom:
ASA traceback on Standby device in thread DATAPATH

Standby ASA crashes during failover synchronization.
There are cases where the ASA crashed multiple times and then stabilized.

Conditions:

Workaround:

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
9.3(3)
Known Fixed Releases:
Bug Id:
CSCuu39615
Title:
eglibc 2.18 is missing upstream fix #15073
Description:

Symptom:
ASA could crash due to heap corruption

Conditions:
Heavy memory allocation

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
9.3(2), 9.3(2.2)
Known Fixed Releases:
100.12(0.127), 100.13(0.77), 100.13(21.16), 100.14(0.30), 100.14(16.1), 100.14(5.19), 100.14(7.38), 100.15(0.13), 100.15(1.18), 100.15(2.54)
Bug Id:
CSCuv06421
Title:
ASA cluster-wide commands fail with RPC error
Description:

Symptom:
Cluster-wide commands on an ASA cluster might fail with an RPC related error such as "ERROR: Failed to retrieve cluster-wide statistics because of RPC failure."

This has been seen to coincide with 9344-byte block depletion:

------------------ show blocks ------------------
  SIZE    MAX    LOW    CNT
     0   8700   8692   8700
     4   1700   1699   1699
    80   9000   8498   8992
   256   8192   7697   8167
  1550  30000  29554  29971
  2048   8100   8093   8100
  2560   8192   8185   8192
  4096    100     89    100
  8192    100     90    100
  9344  20000      0     85 <<<<<<<<<<<
 16384    300    299    300
 65536     16     15     16

Conditions:
ASA running in a clustering setup.

Workaround:
None.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
9.1(6.181)
Known Fixed Releases:
Bug Id:
CSCuv43330
Title:
ASA:- Traceback in CTM Daemon on ASA device
Description:

Symptom:
ASA device traceback in CTM Daemon

Conditions:
The ASA device generates a traceback in the CTM Daemon, and a crashinfo file might not be generated on the device.

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCuq77655
Title:
Cisco ASA DNS Memory Exhaustion Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA Failover Command Injection Vulnerability
Cisco ASA DNS Memory Exhaustion Vulnerability
Cisco ASA VPN XML Parser Denial of Service Vulnerability

Successful exploitation of the Cisco ASA Failover Command Injection Vulnerability would allow an attacker to submit failover commands to the failover units, which may result in an attacker taking full control of the systems.

Successful exploitation of the Cisco ASA DNS Memory Exhaustion Vulnerability may result in system instability and dropped traffic.

Successful exploitation of the Cisco ASA VPN XML Parser Denial of Service Vulnerability may result in a crash of the WebVPN process, which may lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system.


Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for the Cisco ASA Failover Command Injection Vulnerability and Cisco ASA DNS Memory Exhaustion Vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa

Note: The resolution of the vulnerability in the Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability, cisco-sa-20150408-cxfp, released on the 8th of April may require an upgrade of the Cisco ASA Software release. Cisco ASA customers should review cisco-sa-20150408-cxfp before deciding which Cisco ASA Software release to upgrade to.

The Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2015-0676 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases:
100.11(0.48), 100.12(0.52), 100.12(22.1), 100.12(6.8), 100.13(0.3), 100.13(12.6), 100.13(13.1), 100.13(14.3), 100.13(15.2), 100.13(16.1)
Bug Id:
CSCum82840
Title:
ASA: Traceback in pix_flash_config_thread when upgrading with names
Description:

Symptom:
Under rare conditions, an ASA may get stuck in a reboot loop when upgrading the software version. A traceback in the pix_flash_config_thread will be generated.

Conditions:
This issue happens when the ASA is being migrated from a pre-8.4 software version to any 8.4 version of software. The startup-config must contain a name, an ACE that references that name, and two object-groups with similar names. For example:

names
name 10.1.0.0 MY_NAME description MY_NAME
object-group network MY_NAME_1
description Created during name migration
object-group network MY_NAME
description Created during name migration
access-list 100 extended permit ip MY_NAME 255.255.0.0 any inactive

Workaround:
Before upgrading to 8.4, remove one or more of the lines to prevent the issue.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
8.4(6.5)
Known Fixed Releases:
100.10(2.7), 100.10(7.1), 100.10(9.1), 100.7(6.128), 100.8(40.58), 100.8(56.15), 8.4(7.10), 9.0(4.8), 9.1(4.115), 9.1(4.4)
Bug Id:
CSCtx03464
Title:
Standby ASA traceback in DATAPATH-0-1400 or Dispatch Unit
Description:

Symptom:
Under certain conditions, the standby ASA in a failover pair may generate a traceback and reload in the DATAPATH-0-1400 or Dispatch Unit thread.

Conditions:

The ASA must be part of a failover pair. Only the Standby unit is affected.

This was first seen on ASA code 8.2(5.20) on both single and multi-core platforms.

Workaround:
Downgrading to 8.2(5) seems to stabilize the pair.

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
100.8(31.1), 8.2(5.20), 8.4(3.1)
Known Fixed Releases:
100.7(13.54), 100.7(13.65), 100.7(14.48), 100.7(18.6), 100.7(18.9), 100.7(19.8), 100.7(6.60), 100.7(6.62), 100.8(0.56), 100.8(11.7)
Bug Id:
CSCtr65014
Title:
vpn-filter removed incorrectly from ASP table blocks L2L traffic
Description:

Symptom:
Users can ping from the ASA's local LAN across a lan-to-lan tunnel to a remote host but not from the same remote host to the same local host.
Traffic is encrypted and decrypted successfully on the IPsec SAs, but after inbound traffic is decrypted it is dropped by the ASA ASP rule 'acl-drop'. Verify this with an asp-type capture using the trace option and/or packet-tracer.
The vpn-filter that the L2L tunnel is associated with has only its outbound rules installed; the inbound rules were deleted incorrectly. Verify with 'show asp table filter access-list'.

Conditions:
A vpn-filter is applied to a group-policy, and multiple tunnels use that vpn-filter.

Workaround:
Clear all tunnels that are landing on that group-policy using the command: 'vpn-sessiondb logoff ipaddress x.x.x.x'

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
8.2(5), 8.3(2), 8.3(2.13)
Known Fixed Releases:
100.7(13.77), 100.7(6.79), 100.8(0.140), 100.8(11.22), 100.8(27.7), 100.8(33.6), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.30)
Bug Id:
CSCuv10258
Title:
ASA5505 permanent base license, temp secplus, failover, vlan count issue
Description:

Symptom:
'show version' displays a 3 VLAN license instead of 20 when a base license and a time-based Security Plus license are combined on the ASA 5505 platform after failover is enabled.

Conditions:
All three of the following conditions together:
1. Permanent base license
2. Timebased Security Plus License
3. Failover is enabled

Workaround:
No known workaround

Further Problem Description:
The problem exhibits itself after a reboot. It looks like a variant of CSCtf91862.

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases:
100.12(0.134), 100.13(0.86), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.34), 100.15(2.73), 100.15(3.17), 100.15(4.23)
Bug Id:
CSCuv30184
Title:
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread
Description:

Symptom:
Accessing a URL with the JVM function for the AddThis widget results in the widget not being shown and can cause a traceback in Thread Name: Unicorn Proxy Thread.

Conditions:
A user navigates to a web page with an embedded AddThis widget.

Workaround:
Use SmartTunnel

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
100.8, 9.3(3.2), 9.3(3.220)
Known Fixed Releases:
100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.3), 100.14(5.26), 100.15(0.20), 100.15(1.34), 100.15(2.73), 100.15(3.17), 100.15(4.23)
Bug Id:
CSCuo58411
Title:
ASA IKEv2 "Duplicate entry in tunnel manager" (post 9.1.5)
Description:

Symptom:
-ASA stops passing IKEv2 packets for certain identities.
-ASA prints "Duplicate entry in tunnel manager", while "debug menu ike-common 1" shows stale IKEv2 entries.
-"debug menu ike-common 1" reveals IKEv2 identities that are very old (stale)

Conditions:
-ASA is running 9.1.5 or later
-ASA is configured for IKEv2 L2L

Update: The problem can be observed also on 9.0.x train.

Workaround:
Issue "debug menu ike-common 10" to remove the stale IKEv2 entries (this will delete all current IKEv2 connections)

Further Problem Description:

Status:
Fixed
Severity:
1 Catastrophic
Last Modified:
28-JUL-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.11(0.21), 100.11(6.1), 100.12(12.1), 100.12(13.6), 100.12(15.2), 100.12(2.10), 100.12(8.11), 100.8(40.78), 9.1(5.13), 9.2(2.1)
Bug Id:
CSCup47885
Title:
ASA: Page fault traceback in DATAPATH when DNS inspection is enabled
Description:

Symptom:
An ASA may generate a traceback and reload in the DATAPATH thread while processing DNS traffic when DNS inspection is enabled.

Conditions:
The ASA must be running 9.1.5.7 or higher.
This issue triggers on DNS reverse lookups when DNS inspection is enabled.

When a reverse lookup on an IP address receives a PTR reply containing a large number of records, the traceback occurs.
This issue is not seen without reverse lookups.

Workaround:
There is no known workaround at this time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
9.1(5.7), 9.2(2)
Known Fixed Releases:
100.11(0.37), 100.11(5.46), 100.11(6.8), 100.12(0.19), 100.12(1.13), 100.12(10.4), 100.12(12.4), 100.12(13.11), 100.12(15.4), 100.12(16.9)
Bug Id:
CSCuu36639
Title:
ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout
Description:

Symptom:
Intermittently ESP packets are dropped on the ASA due to Crypto Accelerator issues.

Crypto Hardware accelerator on ASA crashes with the message
%ASA-4-402125: CRYPTO: The ASA Crypto hardware accelerator IPsec ring timed out

There is traffic loss over the tunnel when the crash happens and the below message is also seen.
%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Unknown Error, code= 0x7F) while executing the command Process IPSec Inbound Packet (0x30)

Conditions:
ASA 5506-X acting as IKEv1 or IKEv2 IPSec Termination point such as L2L VPN end-point.

Workaround:
NA

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
9.3(2.2), 9.3(3), 9.4(1)
Known Fixed Releases:
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Bug Id:
CSCul18059
Title:
Object Group Search may cause ACL to be matched incorrectly
Description:

Symptom:
If object-group search is enabled, an ACL line with an object-group that contains overlapping networks may not be matched appropriately, resulting in traffic being denied or permitted unexpectedly.

Conditions:
This issue only occurs if object-group search is enabled with the command 'object-group-search access-control'.

This has been seen on ASA code version 8.4(6) as well as ASA code version 8.4(7). It may exist on other versions as well. Please check the bug details for the fixed versions.

Workaround:
There are a few ways to avoid this issue:

1) Disable object-group-search with the command 'no object-group-search access-control'
2) Ensure that object groups used in ACLs do not contain overlapping networks in the same object-group.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
8.4(6), 8.4(7)
Known Fixed Releases:
100.10(0.42), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.126), 100.8(38.70), 100.8(40.46), 100.8(46.40), 100.8(51.8)
Bug Id:
CSCut68792
Title:
ASA - Increased CPU temperature after upgrade
Description:

Symptom:
In the 'show environment' output, the processor temperature is higher after the upgrade.

Conditions:

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCus07980
Title:
ASA: Traceback in Dispatch Unit possibly due to block corruption
Description:

Symptom:
ASA may traceback in Dispatch Unit due to a possible block or block header corruption.

Conditions:
Seen on an ASA running 8.4(7)23, although other versions may be affected as well.

Workaround:
None

Further Problem Description:

Status:
Other
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
8.4(7.23)
Known Fixed Releases:
Bug Id:
CSCuu18989
Title:
ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit
Description:

Symptom:
When a maximum simultaneous connection limit is set, the ASA might drop connections with the error message '%ASA-3-201011: Connection limit exceeded' even when the connection count is clearly not close to the configured maximum.

Conditions:
ASA 5585 running 9.4(1) code

Workaround:
none

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
100.12(0.132), 100.13(0.83), 100.14(0.62), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.28), 100.15(10.3), 100.15(2.59), 100.15(3.13)
Bug Id:
CSCuu16907
Title:
ASA: Watchdog traceback in DATAPATH
Description:

Symptom:
ASA Watchdog traceback after an upgrade in failover environment.

Conditions:
ASA in a failover pair environment, upgraded to 9.1(5)21.

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
28-JUL-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases:
Bug Id:
CSCuu95947
Title:
Traceback assert in Thread Name: tcp_thread
Description:

Symptom:
ASA Traceback under tcp_thread

Conditions:
ASA running 8.2.5.48

Workaround:
None

Further Problem Description:

Status:
Terminated
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
8.2(5.48)
Known Fixed Releases:
Bug Id:
CSCur40249
Title:
L2L Test w/ DFP, SFR and debug SFR results in ASA becoming unresponsive
Description:

Symptom: An ASA Firewall may exhibit elevated CPU utilization under very low traffic rates.

'show process cpu-usage non-zero' shows most of the CPU usage is in the datapath, as shown here:
uut19-5512# show processes cpu-usage non-zero
PC                 Thread             5Sec   1Min   5Min   Process
0x00000000019649eb 0x00007fffee11d560 0.0%   0.2%   0.3%   ssh
-                  -                  95.4%  34.9%  38.5%  DATAPATH-0-1451

Also, 'cpu hog granular-detection 1000 1' and 'show process cpu-hog' contain output similar to this:

Process: DATAPATH-0-1451, PROC_PC_TOTAL: 52, MAXHOG: 9284, LASTHOG: 2584
LASTHOG At: 23:41:21 UTC Apr 6 2015
PC: 0x0000000000000000 (suspend)

Process: DATAPATH-0-1451, NUMHOG: 51, MAXHOG: 9284, LASTHOG: 2584
LASTHOG At: 23:41:21 UTC Apr 6 2015
PC: 0x0000000000000000 (suspend)
Call stack: 0x00000000004381fa 0x000000000071cc3d 0x000000000171170d
0x000000000171aaac 0x000000371c808201

Interrupt based hog entry #1
Hog #1, traceback #1, at: 23:40:28 UTC Apr 6 2015, hog 9 ms
PC: 0x000000371c47a9b4
Call stack:
Hog #1, traceback #2, at: 23:40:28 UTC Apr 6 2015, hog 19 ms
PC: 0x000000371c47a9b0
Call stack:

Note there is no Call stack in the "Interrupt based hog entry", and the PC is in the 0x0000003700000000 range.


Conditions: Threat detection is enabled, or memory delayed-free-poisoner is enabled.

This issue affects 9.3.2.x code versions only. 9.3.3 contains the fix for this issue.

Workaround: Disable threat detection (it is enabled by default). This can be done by issuing the following commands in global configuration:
no threat-detection basic-threat
no threat-detection statistics

Also make sure the delayed-free-poisoner is not enabled (it is not enabled by default and should be enabled only under TAC supervision):
no memory delayed-free-poisoner enable

More Info:


Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
100.10(6.10), 100.12(0.77)
Known Fixed Releases:
100.12(0.104), 100.13(0.12), 100.13(1.19), 100.13(16.25), 100.13(19.7), 100.13(20.3), 100.13(21.3), 100.13(23.1), 9.3(2.99), 9.3(3)
Bug Id:
CSCuh08651
Title:
UDP ports 500/4500 not reserved from PAT on multicontext ASA for IKEv1
Description:

Symptom:
UDP ports 500 and 4500 are not being reserved when IKEv1 is enabled.

Conditions:
This happens only when the ASA is running in multi-context mode.

Workaround:
1) Issue "clear xlate gport 500" and "clear xlate gport 4500".
2) Adjust PAT configuration to use an IP address that differs from the VPN interface IP

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
9.0(2), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.8(27.84), 100.8(38.20), 100.8(40.9), 100.8(41.2), 100.8(60.23), 100.9(0.52), 100.9(10.1), 100.9(6.28), 100.9(7.31)
Bug Id:
CSCui40122
Title:
ASA Crash due to Block Double Free related to SSL VPN
Description:

Symptom:
An ASA may crash and reload unexpectedly. At the end of the crash, there is indication of errors citing "BLOCK DOUBLE FREE" indicating that a memory block was freed by another process after a prior process already freed that memory block.

Conditions:
This has been seen on multicore platforms (ASA 5500-X, ASA Services Module, and ASA 5580). It is directly related to SSL VPN traffic such as that used for AnyConnect as well as Clientless SSL VPN.

Workaround:
There is no current workaround at this time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
8.4(6.210), 8.4(6.212), 8.4(6.213), 8.4(6.214), 8.4(6.215), 8.4(6.216)
Bug Id:
CSCsd76584
Title:
PIX Drops RTSP play message
Description:

Symptom: PIX drops the RTSP play message originated by Motorola's handsets.

V3X Release sw: 25221LD_U_85.83.E1P
V1050 Release sw: R26LD_U_83.38.49I
V980 Release sw: R24_U_80.2F.63I - R24_U_80.2E.29.01P


Conditions: The message drop has been observed on a PIX running 7.0(4)5 with RTSP inspection and PAT.


Workaround: None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
7.0(4.5)
Known Fixed Releases:
Bug Id:
CSCuo26918
Title:
ASA traceback in Thread Name: IKE Receiver due to 'Address not mapped'
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3383 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Other
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Bug Id:
CSCut65365
Title:
Threat Detection Statistics causes a high rate of CPU hogs on DATAPATH
Description:

Symptom:
An ASA Firewall may exhibit elevated CPU utilization under very low traffic rates. Inspecting the output of 'show process cpu-usage' shows that the majority (90% or higher) is used by a process whose name includes DATAPATH.

In addition, looking at the output of 'show process cpu-hog' shows that the DATAPATH process identified above is experiencing a high rate of very short CPU hogs. For example:

Process: DATAPATH-0-1749, NUMHOG: 22115786, MAXHOG: 113, LASTHOG: 16
LASTHOG At: 10:12:41 CDT Mar 31 2015
PC: 0x0000000000000000 (suspend)
Call stack: 0x00000000004381fa 0x000000000071c19d 0x000000000171061d
0x00000000017199bc 0x000000363b608201


Process: DATAPATH-0-1749, PROC_PC_TOTAL: 390365697, MAXHOG: 129, LASTHOG: 12
LASTHOG At: 10:12:42 CDT Mar 31 2015
PC: 0x0000000000000000 (suspend)

Conditions:
This is seen on later versions of ASA code, and it seems to be primarily affecting code trains from 9.3.x and onwards with Threat Detection Statistics configured:

threat-detection statistics

Consult the bug notes for fixed-in build information.

Workaround:
In many instances, disabling threat detection statistics appears to resolve the high-cpu condition. This can be done by issuing the following command in global configuration:

no threat-detection statistics

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Other
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Bug Id:
CSCus56590
Title:
ASA - Traceback in Thread Name: fover_parse
Description:

Symptom:
The standby ASA enters a boot loop after attempting to replicate the configuration from the active member, generating a traceback in the thread named fover_parse.


The standby ASA finishes the bulk sync in failover but never sends the "sync config finished" message to the active unit; this is the point at which it reloads.

Conditions:
ASA with failover

Versions: 9.3.2 and 9.4.1

Workaround:
Go to version 9.3.1 or 9.3.2.104.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases:
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.11), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Bug Id:
CSCuh33570
Title:
ASA: Watchdog traceback in SSH thread
Description:

Symptom:
Under rare conditions, an ASA may generate a traceback and reload in the SSH thread.

Conditions:
The traceback occurs when an active SSH management session is disconnected during rekey. This rekey can be either data or time based.

Workaround:
There is no known workaround at this time.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases:
100.10(0.6), 100.8(27.84), 100.8(38.19), 100.8(40.8), 100.8(41.2), 100.8(60.21), 100.9(0.51), 100.9(10.1), 100.9(6.28), 100.9(7.29)
Bug Id:
CSCus27696
Title:
ASA:- SSH un-authenticated connections are not timing out
Description:

Symptom:
Unauthenticated SSH connections to the ASA device are not timing out.

Conditions:
ASA device running a version higher than 9.1.1.12 on the ASA 9.1.x code train only.

Workaround:
Downgrade to ASA 9.1.5.12 or earlier, or upgrade to ASA 9.2.x or 9.3.x.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
9.1(5.13)
Known Fixed Releases:
100.11(0.55), 100.12(0.111), 100.13(0.15), 100.13(1.35), 100.13(19.9), 100.13(20.5), 100.13(21.5), 100.13(23.4), 100.13(24.3), 100.8(40.94)
Bug Id:
CSCuu01586
Title:
ASA sends ARP when reverse DNS lookup request is sent for BVI subnet
Description:

Symptom:
When the ASA operates in transparent mode, it generates an ARP request for any IP address in a reverse DNS lookup that falls in the same subnet as the BVI.

This happens only when DNS inspection is enabled.

Conditions:
- Transparent firewall

- DNS inspect enabled

- Reverse DNS query for any IP in BVI subnet.

Workaround:
- Disable the DNS inspect

- Static ARP binding to avoid the ARP requests.

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Bug Id:
CSCuv12884
Title:
Unable to authenticate with remove aaa-server from different context
Description:

Symptom:
Authentication error in one context after the aaa-server configuration was removed from a different context.

Conditions:
- Several contexts are using the same LDAP server.

Workaround:
ASA reload

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
8.6(1), 9.1(5), 9.2(3)
Known Fixed Releases:
100.12(0.136), 100.13(0.89), 100.14(0.67), 100.15(0.21), 100.15(1.38), 100.15(10.4), 100.15(15.2), 100.15(2.70), 100.15(4.23), 100.15(5.27)
Bug Id:
CSCus62863
Title:
Kenton 5516: Interface dropping ARPs after flapping under traffic load
Description:

Symptom:
5506 drops packets under load.

Conditions:
5506 running 9.4.1 may experience interface flaps under load, resulting in packet loss.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
100.13(0.16), 9.4(0.53), 9.4(1)
Known Fixed Releases:
100.12(0.125), 100.13(0.74), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.36), 100.14(7.30), 100.15(0.11), 100.15(1.5)
Bug Id:
CSCuh69931
Title:
ASA 5512 - 9.1.2 Traceback in Thread Name: ssh
Description:

Symptom:
ASA SSHv2 rekey causes traceback.

Conditions:
ASA SSHv2 rekey occurs after data or time (55 minutes) trigger. If the connection is closing while this is ongoing, a traceback will occur.

Workaround:
none at this time.

More Info:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases:
100.8(27.84), 100.8(38.21), 100.8(40.10), 100.8(41.2), 100.8(60.26), 100.9(0.53), 100.9(10.1), 100.9(6.28), 100.9(7.33), 9.1(2.5)
Bug Id:
CSCsd81294
Title:
'crypto ca import' of SSL cert may traceback in Thread Name: accept/http
Description:

Importing a certificate exported for a 3K from an Entrust CA may cause a traceback in Thread Name: accept/http.

From ASDM:

Configuration/Device Administration/Certificate/Trustpoint/Import
Give any trustpoint name and any password (no password was provided with the attached certificate), then import from a file (cut and paste may work as well).

Workaround: None.

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
7.0, 7.1
Known Fixed Releases:
7.0(6.8), 7.1(2.28), 7.2(1.24), 7.2(2), 8.0(0.99)
Bug Id:
CSCuu84697
Title:
ASA Traceback in Thread Name ssh/client
Description:

Symptom:
ASA Traceback in Thread Name: ssh/client

Conditions:
There are two known crashes:
The first one is ASA using "copy scp://" CLI to communicate with an external SSH v1 server.
SSH v1 is not a supported protocol when using scp on the ASA.
The second one is when multiple simultaneous "copy scp://" commands are issued on the ASA. There is a timing factor here: the crash is seen only if two "copy scp://" commands are issued on the ASA at more or less the same time, which in practice requires an automated script.

Workaround:
For the first crash, make sure that the external SSH server is running SSH v2.
For the second crash, it can be avoided if the automated script does not start multiple concurrent "copy scp://" commands on the ASA at the same time.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
9.1(6), 9.1(6.1)
Known Fixed Releases:
100.12(0.134), 100.13(0.87), 100.14(0.66), 100.14(16.3), 100.14(5.26), 100.15(0.20), 100.15(1.34), 100.15(10.4), 100.15(2.73), 100.15(4.23)
Bug Id:
CSCty16864
Title:
ASA doesn't start quick mode negotiation - stuck tunnel manager entries
Description:

Symptom:
This bug is specific to IKEv1.

1) ASA 5505 as hardware VPN client in NEM fails to negotiate the NEM
tunnel when the mac-address bypass option is used.
As a result, the reverse route is also not created on the headend.

2) This bug has been duplicated by CSCtq92619, which is a more generic issue
with IPsec tunnels failing to come up under IKEv1 when multiple IPsec tunnels
are configured for a single peer. This bug resolves both issues based on the
root cause.

Use "debug menu ike-common 1" to find stale entries (large Entry ages).

Conditions:
Has been observed with 8.4(3)
Also, see CSCtq92619 for additional notes.
Initially found in scenario where:
5505 HW vpnclient in NEM + mac-bypass fails negotiating the NEM tunnel.

Workaround:
Use 8.2 code base if possible, or disable the vpnclient mac-address bypass.
Also, see CSCtq92619 for additional notes.

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
8.3(2), 8.4(1.10), 8.4(2), 8.4(3), 8.6(1)
Known Fixed Releases:
100.7(13.66), 100.7(20.4), 100.7(21.3), 100.7(6.71), 100.8(0.105), 100.8(11.16), 100.8(27.2), 100.8(33.2), 100.9(0.1), 100.9(2.1)
Bug Id:
CSCus08101
Title:
ASA: evaluation of Poodle Bites in TLSv1
Description:


Symptom:

Cisco ASA includes a version of TLS that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-8730

This vulnerability is hardware dependent.
ANY Cisco ASA Software releases running for Cisco ASAv and Cisco ASA1000v ARE NOT affected by this vulnerability.
ALL Cisco ASA Software releases running on Cisco ASA 5500 and 5500-X Series and Cisco ASA Service Module ARE affected by this issue.

The first fixed ASA software releases for this vulnerability are as follows
8.2 Train: 8.2.5.55
8.4 Train: 8.4.7.26
9.0 Train: 9.0.4.29
9.1 Train: 9.1.6
9.2 Train: 9.2.3.3
9.3 Train: 9.3.2.2


Conditions:

The Cisco ASA Software is affected by this vulnerability if a feature that uses TLS is enabled. The exposure is confined to that feature only.
Examples of features using TLS are the HTTP Secure server for management, Clientless and AnyConnect SSL VPN, TLS Proxy, Phone Proxy, etc.


Workaround:

There is no workaround that mitigates this issue


More Info:

Additional details about the vulnerability listed above can be found at http://cve.mitre.org/cve/cve.html

Cisco has published the following Security Notice and IntelliShield Alert:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8730
http://tools.cisco.com/security/center/viewAlert.x?alertId=36740

The Sourcefire Snort SID for this vulnerability is 32758.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2014-8730 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8730

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
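The list of first-fixed releases above is per train, and ASA release strings come in two spellings ("9.1(5.19)" in show version, "9.1.5.19" in advisories), so comparing an inventory against it by hand is error-prone. The following is an added example written for this page, not Cisco tooling: it normalises both spellings, looks up the train by major.minor, and applies the hardware caveat from the bug text (ASAv and ASA1000v are not affected). The FIRST_FIXED table is copied from the bug description; the inventory is constructed sample data.

```python
"""Added example: triage running ASA releases against the per-train
first-fixed releases listed in CSCus08101 for CVE-2014-8730.
Illustrative code for this page, not Cisco tooling.  FIRST_FIXED is
copied from the bug text; SAMPLE_INVENTORY is constructed."""
import re
from typing import Optional

# First fixed release per train, as listed in the bug description above.
FIRST_FIXED = {
    (8, 2): "8.2.5.55",
    (8, 4): "8.4.7.26",
    (9, 0): "9.0.4.29",
    (9, 1): "9.1.6",
    (9, 2): "9.2.3.3",
    (9, 3): "9.3.2.2",
}

# Platforms the bug text says are NOT affected (the issue is hardware dependent).
UNAFFECTED_PLATFORMS = {"ASAv", "ASA1000v"}


def parse_release(s: str) -> tuple:
    """Normalise ASA release strings such as '9.1(5.19)', '9.1(6)' or
    '9.0.4.29' into a 4-tuple of ints so they compare numerically.
    Missing trailing components are padded with 0 ('9.1.6' -> (9,1,6,0))."""
    nums = [int(x) for x in re.findall(r"\d+", s)]
    if len(nums) < 2:
        raise ValueError(f"unrecognised ASA release string: {s!r}")
    return tuple(nums + [0] * (4 - len(nums)))[:4]


def poodle_status(platform: str, release: str) -> Optional[bool]:
    """True  -> release carries the fix, or the platform is not affected
       False -> release is affected
       None  -> train not listed in the bug; check the advisory manually
    Interim 100.x builds are not handled; they never appear in the table."""
    if platform in UNAFFECTED_PLATFORMS:
        return True
    running = parse_release(release)
    fixed = FIRST_FIXED.get(running[:2])
    if fixed is None:
        return None
    return running >= parse_release(fixed)


# Constructed sample inventory (platform, release) for demonstration only.
SAMPLE_INVENTORY = [
    ("ASA5515-X", "9.1(5.19)"),
    ("ASA5525-X", "9.1(6)"),
    ("ASA5585-X", "9.2(3.4)"),
    ("ASAv", "9.2(1)"),
    ("ASA5506-X", "9.4(1)"),
]


def triage(inventory) -> dict:
    """Map 'platform release' -> poodle_status() for every inventory row."""
    return {f"{p} {r}": poodle_status(p, r) for p, r in inventory}


if __name__ == "__main__":
    labels = {True: "fixed/not affected", False: "AFFECTED", None: "unknown train"}
    for key, status in triage(SAMPLE_INVENTORY).items():
        print(f"{key:<24} {labels[status]}")
```

A None result is deliberate: the Known Affected list runs from 7.2 to 9.2, but the bug gives no first-fixed release for the 7.x, 8.0, 8.1 or 8.3 trains, so those (and anything newer than 9.3) must be checked against the Cisco Security Notice rather than assumed fixed.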



Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 9.0, 9.1, 9.2
Known Fixed Releases:
100.11(0.55), 100.12(0.110), 100.13(0.15), 100.13(1.34), 100.13(1.37), 100.13(19.9), 100.13(20.5), 100.13(21.5), 100.13(23.3), 100.13(24.3)
Bug Id:
CSCuj51075
Title:
Unable to launch ASDM with no username/password or with enable password
Description:

Symptom:
After upgrading to 9.1.3, the user can no longer launch ASDM with no username/password or with the enable password alone (the factory default configuration). One or both of the following must be configured on the ASA for an ASDM user to log in:
1. http authentication-certificate outside
2. aaa authentication http console LOCAL

ASDM versions 7.1.3 and below can still be launched through the ASDM Launcher, but not ASDM 7.1.4. From the browser, ASDM cannot be launched without proper authentication configured, regardless of the ASDM version.

Conditions:
ASA 9.1.3 with ASDM 7.1.4

Workaround:
1) Configure user authentication on the ASA by creating a user and configuring one or both of the following:

1. http authentication-certificate outside
2. aaa authentication http console LOCAL

2) Downgrade to ASA version 9.1.2

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
8.4(7), 9.1(2.7), 9.1(3)
Known Fixed Releases:
100.10(0.26), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.55), 100.8(40.33), 100.8(45.7), 100.8(46.28), 100.8(52.2), 100.9(10.12)
Bug Id:
CSCuu40697
Title:
Inline SGT- 94% tput performance degradation with tagging enabled on SSP
Description:

Symptom:
94% throughput degradation

Conditions:
Enable inline tagging

Workaround:
None

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
1.1(1.37), 99.1(2.160)
Known Fixed Releases:
Bug Id:
CSCus27650
Title:
TLS Proxy + Cut Through proxy not working correctly with TLS1.2
Description:

Symptom:
Cut Through Proxy and TLS Proxy may fail to function when using TLS1.2.

Conditions:

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
100.13(1.32), 9.3(2)
Known Fixed Releases:
100.12(0.130), 100.13(0.80), 100.14(0.43), 100.14(16.1), 100.14(5.20), 100.14(7.40), 100.15(0.16), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Bug Id:
CSCsd62875
Title:
Traceback in tmatch compile thread
Description:

Symptom:

ASA/PIX crash. Traceback shows crash in thread name: tmatch compile thread

Conditions:

Running version 7.1.1. Other conditions unknown at this time.

Workaround:

No known workaround.

Status:
Terminated
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
7.1(1)
Known Fixed Releases:
Bug Id:
CSCud37992
Title:
HTTP Deep Packet Inspection Denial of Service Vulnerability
Description:

Summary

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
SQL*Net Inspection Engine Denial of Service Vulnerability
Digital Certificate Authentication Bypass Vulnerability
Remote Access VPN Authentication Bypass Vulnerability
Digital Certificate HTTP Authentication Bypass Vulnerability
HTTP Deep Packet Inspection Denial of Service Vulnerability
DNS Inspection Denial of Service Vulnerability
AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service
Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability and Clientless SSL VPN
Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability,
and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow the attacker access to
the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could
result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by the
SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-5512 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Symptom:

Conditions:

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
8.4(4.1)
Known Fixed Releases:
100.10(0.6), 100.7(13.111), 100.7(13.116), 100.7(6.105), 100.7(6.121), 100.8(27.30), 100.8(27.85), 100.8(34.1), 100.8(38.28), 100.8(38.4)
Bug Id:
CSCuo68327
Title:
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/6.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVE ID CVE-2014-3388 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be fou

Status:
Fixed
Severity:
2 Severe
Last Modified:
29-JUL-2015
Known Affected Releases:
9.1(5.2), 9.1(5.6)
Known Fixed Releases:
100.10(17.2), 100.10(2.25), 100.10(7.13), 100.11(0.10), 100.11(5.17), 100.11(6.1), 100.12(18.1), 100.8(40.75), 9.0(4.12), 9.1(5.7)
Bug Id:
CSCuv49074
Title:
Cluster - High traffic & capture causes traceback in ThreadName Datapath
Description:

Symptom:
ASA crashes in Datapath ThreadName

Conditions:
Packet capture enabled on the ASA cluster
Unit rejoins the Cluster
High amount of traffic through the cluster

Workaround:
Clear the captures or the connections through the Cluster

Further Problem Description:
When a high amount of traffic is flowing through the ASA cluster and a unit tries to rejoin the cluster while cluster packet captures are enabled, the ASA may crash and generate a crashinfo.

Status:
Open
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
9.2(3.4)
Known Fixed Releases:
Bug Id:
CSCtx33347
Title:
Standby ASA traceback while trying to replicate xlates
Description:

Symptom:
The standby ASA may generate a traceback and reload while it is trying to
replicate the translation entries

Conditions:
Observed on ASA 5580 and 5585 platforms in failover environment


Workaround:
There is no known workaround at this time.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at
the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html



Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
8.4(2), 8.4(3)
Known Fixed Releases:
100.7(13.57), 100.7(13.87), 100.7(18.10), 100.7(19.8), 100.7(6.63), 100.7(6.85), 100.8(0.181), 100.8(0.63), 100.8(11.10), 100.8(11.28)
Bug Id:
CSCsd28581
Title:
Failover: Standby device may traceback in Thread Name: IKE Daemon
Description:

Symptom:

PIX or ASA running software release 7.0.4 in Active/Standby failover
configuration. The Standby device may traceback in Thread Name: IKE Daemon.

Conditions:

The Standby unit could traceback while processing Phase 1 rekey when
1. Certificate is used for group authentication.
2. XAUTH is not used.

Workaround:

Upgrade to PIX or ASA software release 7.0.4.11 or later.

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
7.0.4
Known Fixed Releases:
7.0(4.11), 7.0(5), 7.1(1.7), 7.1(2), 7.2(0.33), 7.2(1)
Bug Id:
CSCus14009
Title:
ASA WebVPN Citrix SSO: Chrome does not skip to login on external page
Description:

Symptom:
With the Chrome browser, we get stuck on the Client Detection page, and we need to get past this stage to actually land on the login page to perform SSO.
This is a well-known issue with Chrome; to get around it, we have already configured the Control ID "skipWzardLink" in the Prelogin Control ID section so we can skip over to the login page to perform the SSO. This is failing.

PS: The same setup works well on Chrome [and other browsers] if the Citrix page is configured as a bookmark.

Conditions:
ASA 9.1(5)19 acting as Clientless SSLVPN Server.
Here, we have the Citrix XenApp/XenDesktop server that the user will need to be logged into once logging into the Cisco SSLVPN Portal.
To avoid all the confusion with the bookmarks, etc [and since POST Parameter Substitution does not work with Home-Page], we are using the Citrix URL as the External Page.

Workaround:
Configure the Citrix Server as a bookmark instead of configuring it as the external page

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
9.1(5.19)
Known Fixed Releases:
100.8(40.94), 9.0(4.27), 9.1(5.104)
Bug Id:
CSCuu83280
Title:
Evaluation of OpenSSL June 2015
Description:



Symptom:

This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2015-4000, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, CVE-2015-1791, CVE-2014-8176

This bug has been opened to address the potential impact on this product.



Conditions:

Device configured to use SSL services (VPN, ASDM etc).

CVE-2015-1788 Malformed ECParameters causes infinite loop
Not affected in ASA versions before 9.4.1 where EC key support was added.

CVE-2015-1790 PKCS7 crash with missing EnvelopedContent
Not affected in any ASA versions. OpenSSL clients and servers are not affected.

Rest of the vulnerabilities affect ASA.




Workaround:

Not available.



Further Problem Description:


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the
time of evaluation are: 7.8/6.4

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
7.2(1), 8.2(1), 8.2(5), 9.0(1), 9.2(1), 9.3(2)
Known Fixed Releases:
100.12(0.131), 100.13(0.81), 100.13(0.82), 100.14(0.51), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.17), 100.15(0.18)
Bug Id:
CSCsd54293
Title:
ARP fails when PC moved from outside to inside of transparent FW
Description:

Symptom:
Under rare circumstances, when a PC is moved from the outside Ethernet segment
of a transparent firewall to the inside, ARP packets may fail to traverse the
security device, causing connectivity issues.

Conditions:
Cisco PIX/ASA running release 7.0.4. The firewall must be in transparent mode.

Workaround:
Enable a capture on the interface on which the new ARP request is seen.

For example, if the PC is moved from the outside to the inside of the firewall
use the capture command on the inside:

capture capin interface inside

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
7.0.4
Known Fixed Releases:
7.0(4.11), 7.1(2.1), 7.2(0.37), 7.2(0.39), 7.2(1), 8.0(0.1)
Bug Id:
CSCuv11566
Title:
ASA LDAP CRL query baseObject DN string is malformed
Description:

Symptom:
In the following example configuration, notice that the LDAP DN String for CRL query is:
CN=TAC CA KRK 10,o=VPN TAC,c=Pl

Instead the ASA sends:
CN=TAC CA KRK 10,o 20TAC,c,c=Pl

Since the LDAP Query is malformed, the CRL check will fail

Conditions:
ASA 9.3 and above configured to perform CRL validation of Peer certificates using LDAP.

Example:
crypto ca trustpoint Praveen
revocation-check crl
policy static
url 1 ldap://10.48.62.208:389/CN=TAC%20CA%20KRK%2010,o=VPN%20TAC,c=Pl

Workaround:
None. CRL check using HTTP continues to work

Further Problem Description:
This issue occurs when the LDAP query url contains white-spaces encoded as %20
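RFC 4516 says the DN portion of an ldap:// URL is percent-decoded as a whole before it is used as the baseObject, so "%20" must become a space and nothing else in the DN may change. The following is an added example written for this page (not Cisco code) that decodes the URL from the trustpoint configuration above the way the RFC requires and checks whether a DN observed on the wire is both well-formed and equal to the expected value. The URL and the two DN strings are the ones quoted in the bug; the RDN regex is a deliberately simple approximation of RFC 4514 syntax.

```python
"""Added example for CSCuv11566: decode the baseObject DN of an LDAP CRL
URL per RFC 4516 and sanity-check the DN that was actually sent.
Written for this page; not Cisco code.  CRL_URL, DN_EXPECTED and
DN_OBSERVED are the values quoted in the bug text."""
import re
from urllib.parse import urlsplit, unquote

# Simplified RDN shape: attribute type, '=', non-empty value.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def split_rdns(dn: str) -> list:
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    return re.split(r"(?<!\\),", dn)


def base_dn_from_ldap_url(url: str) -> str:
    """Return the decoded baseObject DN from an ldap:// or ldaps:// URL.
    RFC 4516: ldap://host:port/dn?attrs?scope?filter.  The dn is the path
    with the leading '/' removed, percent-decoded as one unit."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    return unquote(parts.path.lstrip("/"))


def dn_is_well_formed(dn: str) -> bool:
    """Every RDN must look like attr=value.  This catches the truncated
    ('o 20TAC') and duplicated ('c') components in the malformed query."""
    return all(RDN_RE.match(r.strip()) for r in split_rdns(dn))


def check_crl_query(url: str, dn_sent: str) -> dict:
    """Compare what the configured URL encodes against what was observed."""
    expected = base_dn_from_ldap_url(url)
    return {
        "expected": expected,
        "sent": dn_sent,
        "sent_well_formed": dn_is_well_formed(dn_sent),
        "matches": expected == dn_sent,
    }


# URL from the trustpoint configuration quoted in the bug.
CRL_URL = "ldap://10.48.62.208:389/CN=TAC%20CA%20KRK%2010,o=VPN%20TAC,c=Pl"
# DN strings quoted in the bug: what should be sent, and what the ASA sent.
DN_EXPECTED = "CN=TAC CA KRK 10,o=VPN TAC,c=Pl"
DN_OBSERVED = "CN=TAC CA KRK 10,o 20TAC,c,c=Pl"

if __name__ == "__main__":
    for sent in (DN_EXPECTED, DN_OBSERVED):
        print(check_crl_query(CRL_URL, sent))
```

When troubleshooting a failing CRL download, run the decoded DN through a standalone client (for example ldapsearch with -b and the same host and port) before suspecting the firewall; if the CA's directory answers that query, the fault is on the sending side, which is what the malformed string in this bug shows.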

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
9.3(3)
Known Fixed Releases:
100.13(0.91), 100.15(1.42), 100.15(10.4), 100.15(2.75), 100.15(3.20), 100.15(4.25), 99.1(2.203), 99.1(3.146)
Bug Id:
CSCut15570
Title:
Anyconnect SSL VPN certificate authentication fails on ASA
Description:

Symptom:
Anyconnect SSL VPN certificate authentication fails on ASA

Conditions:
-- certificate authentication
-- in debug crypto ca the following error is observed:

CERT-C: I pkixpath.c(1170) : Error #72

Workaround:

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.11(0.57), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.22)
Bug Id:
CSCuv42413
Title:
Dynamic Route Not Installed After Failover
Description:

Symptom:
Dynamically learned routes that are not directly connected to the ASA are not installed in the routing table after failover to the standby ASA.

Conditions:
- ASAs configured in failover pair
- ASA configured for dynamic routing using OSPF
- Network statements configured under the OSPF process for networks that are not directly connected

Workaround:
Removing the network statements under the OSPF process for non-directly connected networks prevents this issue.

The issue is also resolved by manually clearing the OSPF process on the ASA (using the command: clear ospf process) after failover.

Further Problem Description:
This issue was also observed using EIGRP as the dynamic routing protocol.

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
9.3(3)
Known Fixed Releases:
100.12(0.136), 100.13(0.90), 100.14(0.67), 100.15(0.21), 100.15(1.40), 100.15(10.4), 100.15(2.75), 100.15(4.24), 9.3(3.210), 99.1(2.201)
Bug Id:
CSCut95793
Title:
ASA: Anyconnect IPv6 Traceroute does not work as expected
Description:

Symptom:
Traceroute does not work as expected while connected with the AnyConnect VPN client to an ASA running software version 9.0(4)30. Traceroute completes but does not show intermediate hops; instead an asterisk "*" is shown for each intermediate hop.

Conditions:
Anyconnect 3.1.05170
ASA 9.0.4(30), 9.1(4)

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
9.0(4.30)
Known Fixed Releases:
Bug Id:
CSCua92694
Title:
Traceback on Configuration Manipulation over Telnet/SSH Sessions
Description:

Symptom:
Adaptive Security Appliance (ASA) or Services Module (ASASM) unexpectedly reloads during configuration file manipulation in multiple-context mode.

Conditions:
Manipulating the ASA configuration in multiple-context mode over an SSH or Telnet session.

Workaround:
None

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
100.8(0.185), 100.8(0.217), 8.4(1), 8.4(6.243), 8.4(6.5), 9.0(0.10), 9.0(1), 9.0(2), 9.1(2)
Known Fixed Releases:
100.10(0.38), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.7(6.125), 100.8(38.68), 100.8(40.43), 100.8(46.37), 100.8(51.7)
Bug Id:
CSCuv05386
Title:
Clientless webvpn on ASA does not display asmx files
Description:

Symptom:
Clientless user selects a bookmark from the web portal. The page does not display correctly; a portion of the page is garbled or is missing text.

Conditions:
-Clientless user authenticates to the web portal, then selects a bookmark that points to an internal HTTP site.
-The user sees garbled or incomplete text returned from the ASA.

Workaround:
Smart Tunnel resolves the issue.
Using the stand alone AC client resolves the issue.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases:
100.12(0.136), 100.13(0.90), 100.15(1.42), 100.15(10.4), 100.15(2.75), 100.15(3.20), 100.15(4.25), 99.1(2.201), 99.1(3.145)
Bug Id:
CSCuv49675
Title:
ASA5506W-X Missing default-gateway On AP
Description:

Symptom:
Can't connect to http://192.168.1.2 to configure wireless access point in ASA5506W-X as described in the Quick Start Guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html

Conditions:
The default configuration of the AP in the ASA5506W-X is missing the default-gateway.

Workaround:
Run the following from the ASA:
session wlan console

configure terminal
ip default-gateway 192.168.10.1

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Bug Id:
CSCuv38654
Title:
rewriter returns 302 for a file download
Description:

Symptom:
Clientless rewriter erroneously returns a 302 response code

Conditions:
Downloading a file from a rewritten page

Workaround:
None known

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
9.4(1.4)
Known Fixed Releases:
100.13(0.91), 100.15(1.42), 100.15(10.4), 100.15(2.75), 100.15(3.20), 100.15(4.25), 9.4(1.5), 9.5(0.111), 99.1(2.203), 99.1(3.146)
Bug Id:
CSCsb77332
Title:
traceback in fover_parse on standby unit if config contains webtype acl
Description:

Symptom:
Standby device in a failover pair gets a traceback after config replication when the config contains a webvpn type access-list.

Conditions:
When the configuration contains a webvpn type access-list with logging enabled.

Workaround:
Remove the webvpn type access-list.

Further Problem Description:

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
7.0(3.14)
Known Fixed Releases:
7.0(3.16)
Bug Id:
CSCup37416
Title:
Stale VPN Context entries cause ASA to stop encrypting traffic
Description:

Symptom:
ASAs that had a working L2L VPN tunnel suddenly stop encrypting traffic.

Conditions:
ASA 5500 running 9.1 or later code with IKEv2 L2L tunnels configured with the default IKEv2 rekey configuration, which supports both time-based and data-based rekeys.

Workaround:
Disable data-based rekeying.

More Info:



Status:
Open
Severity:
1 Catastrophic
Last Modified:
30-JUL-2015
Known Affected Releases:
8.4(5), 9.1(2.8), 9.1(3), 9.1(5.12), 9.1(6), 9.2(3)
Known Fixed Releases:
Bug Id:
CSCuv43902
Title:
ASA: Watchdog Traceback with Thread Name:- SXP CORE
Description:

Symptom:
ASA device traceback in thread name:- SXP CORE

Conditions:
ASA device configured with the trust sec configuration.

Workaround:
No workaround as of now

Further Problem Description:

Status:
Open
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
9.3(3)
Known Fixed Releases:
Bug Id:
CSCus89286
Title:
ASA Traceback in SSL library due to DMA memory exhaustion
Description:

Symptom:
Cisco ASA may crash in DATAPATH thread when AnyConnect client connects or CSM connects via HTTPS. It's highly likely that ASDM can cause the same crash under certain conditions. The crash occurs in SSL library.

Conditions:
This issue was seen on version 9.3.3.2 after an upgrade from 9.1.6. Other versions can be affected as well.

The crash happens if the ASA runs out of DMA memory due to SSL activity and after some time the memory is freed. The DMA memory can be exhausted on low-end ASA models if many features are configured, such as two or more syslog servers, HTTP server for ASDM or WebVPN, DHCP server on several interfaces, etc. Refer to CSCub58958 for details.

Workaround:
Do not use WebVPN, CSM and ASDM.

Further Problem Description:
Console can contain:

Intercepted call of type abort

Thread Name: DATAPATH-0-1648
Abort: Unknown
...

Status:
Fixed
Severity:
2 Severe
Last Modified:
30-JUL-2015
Known Affected Releases:
9.3(3.2)
Known Fixed Releases:
100.13(0.38), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.5), 100.14(11.5), 100.14(2.5), 100.14(26.2), 100.14(3.2)

Find additional information in Bug Search index.

 

2013 Cisco and/or its affiliates. All rights reserved.

 

1 comment:

  1. Ici - Network Expertise Helps You Succeed: Cisco Notification Alert -Asa 5500 Series Ng Firewall-01-Aug-2015 16:53 Gmt >>>>> Download Now

    >>>>> Download Full

    Ici - Network Expertise Helps You Succeed: Cisco Notification Alert -Asa 5500 Series Ng Firewall-01-Aug-2015 16:53 Gmt >>>>> Download LINK

    >>>>> Download Now

    Ici - Network Expertise Helps You Succeed: Cisco Notification Alert -Asa 5500 Series Ng Firewall-01-Aug-2015 16:53 Gmt >>>>> Download Full

    >>>>> Download LINK S5
