Cisco Blog » The Platform

Tuesday, September 1, 2015

Cisco Notification Alert -ASA 5500 Series NG Firewall-01-Sep-2015 16:53 GMT

Security Advisories & Responses - ASA 5500-X Series Next-Generation Firewalls

Title:
OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products
Description:

On July 9, 2015, the OpenSSL Project released a security advisory detailing a vulnerability affecting applications that verify certificates, including SSL/Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) clients and SSL/TLS/DTLS servers using client authentication.

Multiple Cisco products incorporate a version of the OpenSSL package affected by this vulnerability that could allow an unauthenticated, remote attacker to cause certain checks on untrusted certificates to be bypassed, enabling the attacker to forge "trusted" certificates that could be used to conduct man-in-the-middle attacks.

This advisory will be updated as additional information becomes available.

Cisco will release free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl

Date:
29-AUG-2015

Find additional information in Cisco Security Advisories & Responses
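The advisory above says what the bug lets an attacker do (bypass the CA check and use a valid leaf certificate as an issuer) but not how. What follows is an added example, not OpenSSL's code and not Cisco's: a Python model of the bookkeeping error behind the July 2015 OpenSSL advisory (CVE-2015-1793). It replays the certificate layout that OpenSSL later shipped as its regression test for the issue (rootCA, interCA, subinterCA, a self-signed subinterCA with the same name and key, leaf with CA=FALSE, and "bad" signed by leaf). Everything else is a simplification: HMAC with a secret shared between signer and verifier stands in for real public-key signatures, chain building is the 1.0.x X509_verify_cert algorithm reduced to its name-matching and counting steps, and the fixed flag switches between the pre-fix and post-fix accounting of how many chain certificates count as "untrusted" and therefore get the CA check.

```python
# Added example (not OpenSSL code): model of the path-building bookkeeping
# error behind the July 2015 "alternative chains" advisory (CVE-2015-1793).
# HMAC over the to-be-signed fields stands in for public-key signatures.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes    # stand-in for the subject's public key (HMAC secret)
    ca: bool      # basicConstraints cA flag
    sig: bytes    # issuer's signature over the fields above


def _tbs(subject: str, issuer: str, key: bytes, ca: bool) -> bytes:
    return b"|".join([subject.encode(), issuer.encode(), key, str(ca).encode()])


def sign(subject, issuer_name, issuer_key, key, ca) -> Cert:
    """Issue a certificate. Signing never consults the issuer's own cA flag;
    enforcing it is the verifier's job, which is exactly what the bug defeated."""
    sig = hmac.new(issuer_key, _tbs(subject, issuer_name, key, ca), hashlib.sha256).digest()
    return Cert(subject, issuer_name, key, ca, sig)


def signed_by(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(issuer.key, _tbs(cert.subject, cert.issuer, cert.key, cert.ca),
                        hashlib.sha256).digest()
    return cert.issuer == issuer.subject and hmac.compare_digest(cert.sig, expected)


def _issuer_of(cert, pool):
    # Chain building matches by name, as X509_verify_cert does; signatures
    # are only checked once the chain is complete.
    return next((c for c in pool if c.subject == cert.issuer), None)


def verify(target, untrusted, trusted, fixed=True):
    """Build and check a chain the way OpenSSL 1.0.x X509_verify_cert does.
    Returns (ok, reason). fixed=False reproduces the pre-1.0.2d accounting."""
    chain = [target]
    while chain[-1].issuer != chain[-1].subject:        # 1. extend via untrusted certs
        nxt = _issuer_of(chain[-1], untrusted)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    num_untrusted = len(chain)   # OpenSSL's ctx->last_untrusted
    j = num_untrusted
    while True:
        while chain[-1].issuer != chain[-1].subject:    # 2. extend via the trust store
            nxt = _issuer_of(chain[-1], trusted)
            if nxt is None or nxt in chain:
                break
            chain.append(nxt)
        if chain[-1].issuer == chain[-1].subject:
            break                                       # reached a self-signed cert
        found = False                                   # 3. alternative chain search
        while j > 1:
            j -= 1
            if _issuer_of(chain[j - 1], trusted) is not None:
                while len(chain) > j:                   # drop everything above chain[j-1]
                    chain.pop()
                    if not fixed:
                        num_untrusted -= 1   # BUG: decremented for popped trust-store certs too
                if fixed:
                    num_untrusted = len(chain)          # the 1.0.2d fix
                found = True
                break
        if not found:
            return False, "unable to get issuer certificate"
    # 4. check_chain_extensions: every untrusted cert above the leaf must be a CA.
    #    Trust-store certs are taken as vetted, so the count decides what gets checked.
    for i in range(1, num_untrusted):
        if not chain[i].ca:
            return False, f"invalid CA certificate: {chain[i].subject}"
    # 5. internal_verify: each signature must check against its issuer's key
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert
        if not signed_by(cert, issuer):
            return False, f"signature failure: {cert.subject}"
    return True, "ok"


# Constructed topology (the one in OpenSSL's regression test for this CVE):
# rootCA -> interCA -> subinterCA -> leaf (CA=FALSE) -> bad, plus a self-signed
# subinterCA with the same name and key. interCA and the self-signed subinterCA
# are trusted; leaf and subinterCA are presented as untrusted; "bad" is verified.
K_ROOT, K_INTER, K_SUB, K_LEAF, K_BAD = (f"key-{n}".encode() for n in ("root", "inter", "sub", "leaf", "bad"))
rootCA = sign("rootCA", "rootCA", K_ROOT, K_ROOT, ca=True)
interCA = sign("interCA", "rootCA", K_ROOT, K_INTER, ca=True)
subinterCA = sign("subinterCA", "interCA", K_INTER, K_SUB, ca=True)
subinterCA_ss = sign("subinterCA", "subinterCA", K_SUB, K_SUB, ca=True)
leaf = sign("leaf", "subinterCA", K_SUB, K_LEAF, ca=False)
bad = sign("bad", "leaf", K_LEAF, K_BAD, ca=False)   # forged with the leaf's key

TRUSTED = [interCA, subinterCA_ss]
UNTRUSTED = [leaf, subinterCA]

if __name__ == "__main__":
    print("vulnerable:", verify(bad, UNTRUSTED, TRUSTED, fixed=False))
    print("fixed:     ", verify(bad, UNTRUSTED, TRUSTED, fixed=True))
```

The first attempt dead-ends at interCA (its root is not in the store), so the verifier backs up to leaf, finds the trusted self-signed subinterCA as its issuer, and discards the two certificates above leaf. One of those two came from the trust store and was never counted as untrusted, so decrementing the untrusted count per popped certificate leaves it one too low; the CA-flag loop then stops before it reaches leaf and the forged "bad" verifies. The fix recomputes the count from the chain that remains. The lesson for anyone writing a verifier is the same as the advisory's: the CA constraint must be enforced on every issuer in the final chain, whichever path the builder took to get there.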

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.1
Alert Type:
New File
File Name:
asa-restapi-121-lfbff-k8.SPA
File Description:

Rest API package for ASA

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
03-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1
Alert Type:
New File
File Name:
asa951-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
12-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
03-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1
Alert Type:
New File
File Name:
asa951-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
12-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.1
Alert Type:
New File
File Name:
asa-restapi-121-lfbff-k8.SPA
File Description:

Rest API package for ASA

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
03-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1
Alert Type:
New File
File Name:
asa951-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
12-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.1
Alert Type:
New File
File Name:
asa-restapi-121-lfbff-k8.SPA
File Description:

Rest API package for ASA

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1
Alert Type:
New File
File Name:
asa951-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
12-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
03-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.1
Alert Type:
New File
File Name:
asa-restapi-121-lfbff-k8.SPA
File Description:

Rest API package for ASA

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
03-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1
Alert Type:
New File
File Name:
asa951-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
12-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.1
Alert Type:
New File
File Name:
asa-restapi-121-lfbff-k8.SPA
File Description:

Rest API package for ASA

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
03-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1
Alert Type:
New File
File Name:
asa951-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
12-AUG-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.1
Alert Type:
New File
File Name:
asa-restapi-121-lfbff-k8.SPA
File Description:

Rest API package for ASA

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.1
Alert Type:
New File
File Name:
asdm-751.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
12-AUG-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-8-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
07-AUG-2015
Find additional information in Software Downloads index.

Known Bugs - ASA 5500-X Series Next-Generation Firewalls

Alert Type:
Updated *
Bug Id:
CSCuf31658
Title:
Linux Kernel nfs_readdata_release() and nfs_writedata_release() Functi
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-4325

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-4325 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
02-AUG-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases: *
100.11(0.61), 100.8(40.100)
Alert Type:
Updated *
Bug Id:
CSCtq58884
Title:
AC 3.0x - LDAP Secondary Auth successfully connects with blank password
Status:
Fixed
Severity:
1 Catastrophic
Description: *

Symptom:
Users successfully authenticate if the secondary authentication type is LDAP and the password is left blank, provided the primary credentials are correct.
Conditions:
The user connects to a profile with double authentication, the primary credentials are entered successfully, the secondary password is left blank, and LDAP is used for secondary authentication.
Workaround:
Do not use LDAP for secondary authentication.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.0/3.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-2054 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.15), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(9.40), 100.8(0.10), 100.8(0.31), 100.8(10.10), 100.8(12.8)
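The bug note above reports the symptom (a blank secondary password is accepted) but not the cause. The following is an added example, not Cisco code: it assumes the classic cause of this bug class, the LDAP "unauthenticated" bind of RFC 4513 section 5.1.2, in which a simple bind with a DN and an empty password succeeds with resultCode success but binds anonymously. The in-memory directory, DNs and passwords are constructed for the example; the server model implements the three bind cases from the RFC, and the two secondary-authentication functions show a check that trusts the bind result as-is beside one that is safe against the empty-password case.

```python
# Added example, not Cisco code. Models an LDAP server that accepts the
# RFC 4513 5.1.2 "unauthenticated" bind (DN + empty password => success, but
# anonymous) and shows a double-authentication check that is safe against it.
import hmac
from dataclasses import dataclass

# Constructed directory: DN -> password. Stands in for a real LDAP server so the
# example runs offline.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse",
    "uid=bob,ou=people,dc=example,dc=com": "battery staple",
}


@dataclass(frozen=True)
class BindResult:
    success: bool         # LDAP resultCode == success(0)
    authenticated: bool   # bound as the named DN rather than anonymously


def simple_bind(dn: str, password: str) -> BindResult:
    """Simple Bind with the three outcomes RFC 4513 section 5.1 describes."""
    if dn == "" and password == "":
        return BindResult(True, False)      # 5.1.1 anonymous bind
    if dn != "" and password == "":
        return BindResult(True, False)      # 5.1.2 unauthenticated bind: success, but anonymous
    stored = DIRECTORY.get(dn)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return BindResult(True, True)       # 5.1.3 name/password bind
    return BindResult(False, False)         # invalidCredentials(49)


def secondary_auth_vulnerable(dn: str, password: str) -> bool:
    """Trusts the bind result as reported: a blank password passes."""
    return simple_bind(dn, password).success


def secondary_auth_fixed(dn: str, password: str) -> bool:
    """Refuses blank credentials before binding, and only accepts a bind that
    actually authenticated the named DN."""
    if not dn or not password:
        return False
    result = simple_bind(dn, password)
    return result.success and result.authenticated


def double_auth(primary_ok: bool, dn: str, password: str, check=secondary_auth_fixed) -> bool:
    """Double authentication: the primary method must already have passed and
    the secondary LDAP check must pass as well."""
    return primary_ok and check(dn, password)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print("blank password, vulnerable check:", double_auth(True, alice, "", check=secondary_auth_vulnerable))
    print("blank password, fixed check:     ", double_auth(True, alice, ""))
    print("real password, fixed check:      ", double_auth(True, alice, "correct horse"))
```

RFC 4513 says servers SHOULD refuse unauthenticated binds with unwillingToPerform by default, but many deployed directories accept them, so the client-side guard (reject an empty password before ever sending the bind, and treat "success" as insufficient unless the bind was actually authenticated) is what makes the secondary factor meaningful.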
Alert Type:
Updated *
Bug Id:
CSCtn90643
Title:
Traceback while replicating xlates on standby
Status:
Fixed
Severity:
1 Catastrophic
Description: *

Symptom:
Standby ASA has problems replicating NAT pool xlates and then tracebacks.

Conditions:
Cisco ASA 5585 running release 8.4.1, with a large number of NAT translations and a heavy load of TCP and UDP data connections on the active unit.

Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-5420 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.1), 100.7(13.3), 100.7(14.1), 100.7(15.1), 100.7(15.3), 100.7(6.33), 100.7(6.38), 100.7(8.26), 100.7(8.34), 100.7(9.18)
Alert Type:
Updated *
Bug Id:
CSCub37882
Title:
Standby ASA allows L2 broadcast packets with asr-group command
Status:
Fixed
Severity:
1 Catastrophic
Description: *

Symptom:
Standby ASA allows a directed L3 broadcast packet to loop until its TTL expires when the asr-group command is configured.
Conditions:
First identified on an ASA running 8.4.4(1) in multiple-context Active/Active failover, where asr-group with the same group ID is enabled on both the inside and outside interfaces.
Workaround:
The following workarounds are possible (in order of preference):
1. Do not apply both the inside and outside interfaces to the same asr-group.
2. Configure an interface ACL to drop directed broadcast traffic.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:W/RC:C&version=2.0
CVE ID CVE-2012-3916 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(1), 8.2(5), 8.4(0.2), 8.4(4), 8.4(4.1)
Known Fixed Releases:
100.7(13.96), 100.7(6.92), 100.8(0.226), 100.8(11.35), 100.8(27.19), 100.8(33.18), 100.8(34.1), 100.8(36.4), 100.9(0.1), 8.2(5.32)
Alert Type:
Updated *
Bug Id:
CSCut48009
Title:
Traceback in thread CP Processing
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
ASA crashes in the CP Processing thread.

Conditions:
-- Skinny inspection enabled.
-- Skinny traffic contains StopMediaTransmission messages carried in the same packet as a StartMediaTransmission, StartMediaTransmissionACK, or StartMediaAnnouncement.
-- Depending on how many of the above messages are seen, the issue can take some time to occur (the more messages seen, the sooner it happens).

Workaround:
Disable Skinny inspection.

Further Problem Description:

Last Modified:
09-AUG-2015
Known Affected Releases:
9.1(5.19)
Known Fixed Releases: *
100.11(0.58), 100.12(0.122), 100.13(0.67), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.13), 100.14(26.10), 100.14(5.14), 100.14(6.12)
Alert Type:
Updated *
Bug Id:
CSCui51199
Title:
Cisco ASA Clientless SSL VPN Rewriter Denial of Service
Status:
Fixed
Severity:
1 Catastrophic
Description: *

Symptom:
ASA reloads with a traceback in Unicorn Proxy.

Conditions:
- WebVPN is enabled on more than one interface.
- The same-security-traffic permit intra-interface and management-access commands are configured.

This affects the 9.0 and 9.1 trains.

Workaround:
A webvpn filter can be used to block clientless users from accessing HTTPS on the inside interface. The following example was tested by QA.

Using this ACL (where 93.124.22.2 is the ASA's private IP address):

access-list deny_pub_priv webtype deny url https://93.124.22.2

And this in the group policy:

group-policy WebVPN1 attributes
 webvpn
  filter value deny_pub_priv

Browsing to that address now returns the message "access to this resource has been denied" and there is no crash.

The hit count in show access-list confirms that the ACL is matching:

access-list deny_pub_priv line 1 webtype deny url https://93.124.22.2 (hitcnt=3)

Further Problem Description:
A vulnerability in the Clientless SSL VPN feature of Cisco ASA Software could allow an authenticated, remote attacker to cause a reload of the affected system.

The vulnerability is due to a stack overflow while browsing internal resources via the Clientless SSL VPN portal when the same-security-traffic permit intra-interface and management-access commands are configured. An attacker could exploit this vulnerability by accessing a crafted URL through the SSL VPN portal. A successful exploit could allow the attacker to reload the affected system, creating a denial of service condition.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2013-5551 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5551

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
11-AUG-2015
Known Affected Releases:
9.0(2), 9.0(3), 9.1(2), 9.1(3)
Known Fixed Releases:
100.10(0.24), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.8(38.47), 100.8(40.32), 100.8(45.6), 100.8(46.11), 100.8(51.1), 100.9(10.12)
Alert Type:
Updated *
Bug Id:
CSCun45520
Title:
Cisco ASA DHCPv6 Denial of Service Vulnerability
Status:
Fixed
Severity:
1 Catastrophic
Description: *

Symptom:
ASA crash in Thread Name: DHCPv6 Relay when processing a DHCPv6 packet

Conditions:
DHCPv6 relay must be enabled. To verify whether this feature is enabled, use show run ipv6 dhcprelay and confirm that it is enabled on at least one interface:

ipv6 dhcprelay enable

DHCPv4 relay is not affected by this issue.

Workaround:
There is no workaround other than disabling the DHCPv6 relay feature.

Further Problem Description:
A vulnerability in the DHCP code of Cisco ASA Software could allow an unauthenticated, adjacent attacker to cause the reload of an affected system.

The vulnerability is due to insufficient validation of crafted or malformed DHCP version 6 (v6) packets. An attacker could exploit this vulnerability by sending a crafted DHCPv6 packet to the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2014-2182 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2182

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
11-AUG-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases:
100.10(0.95), 100.10(12.8), 100.10(17.1), 100.10(2.18), 100.10(6.0.40), 100.10(7.8), 100.11(0.7), 100.11(3.1), 100.11(4.3), 100.11(5.2)
Alert Type:
Updated *
Bug Id:
CSCuq41510
Title:
Cisco ASA VNMC Input Validation Vulnerability
Status:
Fixed
Severity:
1 Catastrophic
Description: *

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/6.2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:M/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-3390 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:

Last Modified:
11-AUG-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
100.11(0.44), 100.12(0.38), 100.12(10.37), 100.12(15.10), 100.12(21.3), 100.12(6.4), 9.2(2.7), 9.3(1.1), 9.3(1.99), 9.3(2)
Alert Type:
Updated *
Bug Id:
CSCuu84085
Title:
DHCP-DHCP Proxy thread traceback shortly after failover and reload
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
Crash as soon as the standby unit becomes primary

Conditions:
DHCP configured on ASA running 9.1(6)5 or 9.1(6)6.

Workaround:
Downgrade to 9.1(6)4

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.14(0.16), 100.14(0.30), 100.14(0.42)
Known Fixed Releases: *
100.12(0.131), 100.13(0.81), 100.14(0.49), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54), 100.15(3.9)
Alert Type:
Updated *
Bug Id:
CSCut67965
Title:
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
ASA running 9.4.1 stops accepting IKEv2 connections.

Conditions:
ASA5545 running 9.4.1 with certificate authentication for Windows Mobile phones. The ASA may print a pki debug message "CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached".

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.28), 100.14(10.23), 100.14(5.17), 100.14(7.33), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCut03981
Title:
ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Intermittently, some AnyConnect clients fail to establish the SSL session with the hub because the ASA fails to validate the client certificate; the error that shows up in the syslog is:

%ASA-7-725014: SSL lib error. Function: SSL3_GET_CERT_VERIFY Reason: bad rsa signature

The clients may end up establishing SSL sessions successfully after a couple of retries.

Conditions:
ASA on 9.3(2) acting as SSLVPN Server for AnyConnect Clients.
These clients authenticate using Certificates.

Workaround:
None. The issue is not observed in ASA 9.2(1)

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases: *
100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(3.37), 100.15(6.21), 100.15(8.12), 9.3(2.230), 9.4(1.105)
Alert Type:
Updated *
Bug Id:
CSCus84220
Title:
ASA crashes for the OSPFv2 packets from codenomicon
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:
Cisco ASA crashes in thread name OSPF-3

Conditions:
OSPFv2 is configured and crafted packets are sent to the OSPF interface.

Workaround:
none

Further Problem Description:
A vulnerability in the OSPFv2 code of Cisco ASA Software could allow an unauthenticated, adjacent attacker to cause the reload of the affected system.

The vulnerability is due to improper handling of OSPFv2 packets. An attacker could exploit this vulnerability by sending crafted packets to the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-4239 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.21), 9.3(2.243)
Known Fixed Releases: *
100.12(0.116), 100.13(0.51), 100.13(21.8), 100.14(0.3), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.8), 100.14(26.3), 100.14(3.4)
Alert Type:
Updated *
Bug Id:
CSCuu67411
Title:
Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After configuring "timeout floating-conn 0:01:00" (any value in the valid range 0:0:30-1193:0:0) on the ASA, TELNET and HTTP connections to the ASA are lost.

Conditions:
Issue seen on:
1. Saleen - 5512, 5525
2. Kenton - 5506
3. vASA

Workaround:
Set the "timeout floating-conn 0:00:00"

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.14(0.27), 100.14(0.30), 100.14(6.38)
Known Fixed Releases: *
100.14(0.42), 100.14(16.1), 100.14(5.20), 100.14(7.39), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12), 100.15(5.15)
Alert Type:
Updated *
Bug Id:
CSCuv10938
Title:
'redistribute' cmds under 'router eigrp' removed on deleting any context
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
'redistribute' commands under 'router eigrp' are removed from unrelated contexts when deleting any context with EIGRP configured and redistribution enabled. An error of the following format is seen on the ASA's console:

ERROR: unable to locate route-map

Conditions:
1. ASA is multiple context mode.
2. More than one context on the ASA has EIGRP enabled with redistribution configured.
3. Issue seen on deleting any of the contexts that meet the criteria in point 2 above using the command "no context ".

Workaround:
None apart from re-adding all those commands back manually.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62)
Alert Type:
Updated *
Bug Id:
CSCuv07106
Title:
ASA Traceback in ssh whilst adding new line to extended ACL
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in ssh whilst adding an extended ACL

Conditions:
Making a change to an ACL that is part of class-map which is then applied under policy-map

Workaround:
1. Remove any ethertype ACL, if one is configured.
e.g. no access-list bpdu-deny ethertype deny bpdu

2. Modify or add the new ACE in the ACL associated with the class-map.

3. Reapply the removed ethertype ACL with its relevant configuration.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(7.22), 8.4(7.27), 8.4(7.28)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCut28210
Title:
AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Unable to authenticate with the SDI authentication server (RSA Authentication Manager).
Ex. "no response from authentication server" with [Test] in the AAA Server Group on ASDM.

Conditions:
-Using RSA Authentication Manager 8.1 or 6.1 as AAA server with ASA 9.3(2)
-The issue does NOT appear on ASA 9.2(2)8 or ASA 9.3(1)

Workaround:
-Using ASA 9.2(2)8.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.117), 100.13(0.54), 100.13(21.10), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.10), 100.14(26.4), 100.14(3.4)
Alert Type:
Updated *
Bug Id:
CSCuu94945
Title:
ASA: Traceback while copying file using SCP on ASA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA device trace back while copying files using SCP

Conditions:
Copying files on the ASA device using SCP

Workaround:
Don't use SCP to transfer files on ASA

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.14(0.43)
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.14(0.46), 100.14(16.1), 100.14(5.23), 100.14(7.41), 100.15(0.17), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCut15570
Title:
Anyconnect SSL VPN certificate authentication fails on ASA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Anyconnect SSL VPN certificate authentication fails on ASA

Conditions:
-- certificate authentication
-- in debug crypto ca the following error is observed:

CERT-C: I pkixpath.c(1170) : Error #72

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11)
Alert Type:
Updated *
Bug Id:
CSCuu04160
Title:
snmpwalk causes slow memory leak on ASA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Free memory on the ASA declines slowly over time (memory leak).

Conditions:
ASA configured to allow SNMP polling.
NMS is snmp walking the ASA

Workaround:
Disable SNMP on the ASA
Stop SNMP walking the ASA
Reboot the ASA to clear up the memory leak

Further Problem Description:
This may also cause a cpu-hog in qos_metric_daemon after some time.

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(30.7), 9.4(1)
Known Fixed Releases: *
100.13(0.72), 100.13(21.13), 100.13(29.28), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.25), 100.14(7.23), 100.15(0.9), 100.15(1.3)
Alert Type:
Updated *
Bug Id:
CSCuu31751
Title:
ASA OSPF database not reflect changes
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Shutting down an interface on R3 is not reflected in the routing table on R#1 because the ASA OSPF database does not reflect the change, although the routing table on the ASA is updated correctly. The same issue is seen only in 9.2 or 9.3, not in 9.1.

R#1 <-ospf area 2--> ASA <--ospf area 0---> R#3

sh route ospf
O 10.20.20.0 255.255.255.0
[110/11] via 192.168.1.97, 00:32:33, backbone

ASA# sh ospf database 10.30.30.0
Summary Net Link States (Area 1)

Link ID ADV Router Age Seq# Checksum
10.30.30.0 1.1.1.1 1939 0x80000001 0xa245

Summary Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum
10.30.30.0 1.1.1.1 1939 0x80000001 0xa245

R1#sh ip route 10.30.30.0
Routing entry for 10.30.30.0/24
Known via "ospf 10", distance 110, metric 12, type inter area
Last update from 192.168.1.50 on GigabitEthernet0/0/0, 00:29:13 ago
Routing Descriptor Blocks:
* 192.168.1.50, from 1.1.1.1, 00:29:13 ago, via GigabitEthernet0/0/0
Route metric is 12, traffic share count is 1

Conditions:
Seen only on 9.2.x or 9.3.x (tested on 9.2(3), 9.2(3)4 and 9.3(3)); it works fine on 9.1 (tested 9.1(5)21 and 9.1(6)1).

Workaround:
clear ospf x process

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
108.2(0.7)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12)
Alert Type:
Updated *
Bug Id:
CSCus27650
Title:
TLS Proxy + Cut Through proxy not working correctly with TLS1.2
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cut Through Proxy and TLS Proxy may fail to function when using TLS1.2.

Conditions:

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(1.32), 9.3(2)
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.13(29.28), 100.14(0.43), 100.14(16.1), 100.14(5.20), 100.14(7.40), 100.15(0.16), 100.15(1.20), 100.15(2.53)
Alert Type:
New
Bug Id:
CSCuw02001
Title:
ASA 9.5.1 self-signed cert is applied instead of ssl trust-point defined
Status:
Open
Severity:
2 Severe
Description:

Symptom:
--- The ASA SSL certificate is not applied correctly; when accessing the ASA via HTTPS the self-signed certificate is presented

Conditions:
--- ASA 9.5.1;
--- identity + ca certificates are installed and applied via ssl trust-point command;
--- show ssl shows self-signed certs instead:
BSNS-ASA5515-11# sh ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group2 (1024-bit modulus)
SSL ECDH Group: group19 (256-bit EC)

SSL trust-points:
Self-signed (RSA 2048 bits RSA-SHA256) certificate available
Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Interface outside: EXAMPLE (RSA 1024 bits RSA-SHA1)
VPNLB interface outside: EXAMPLE (RSA 1024 bits RSA-SHA1)
Certificate authentication is not enabled

Workaround:
--- Downgrade, ASA 9.2.4 works fine.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.5(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu86195
Title:
conn-max counter is not decreased accordingly
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Problem description:
- after the maximum number of TCP connections for a class-map is exceeded, the counter for the active connections ("current conns") starts to decrease into negative values
- all new connections that match the configured policy are dropped even when the number of configured connections is not exceeded
%ASA-3-201011: Connection limit exceeded -36/30 for input packet from 10.100.48.4/54675 to 172.29.41.10/8443 on interface in

Similar scenarios:
- legitimate connections are dropped when the counter:
- "current conns" is decreased into negative values; Ex: -36/30
- "current conns" does not drop to zero (after all the connections are closed) and is stuck at a random value; Ex: 26/30 --> just 4 new connections are allowed
- "current conns" goes over the maximum value and does not drop to zero (after all the connections are closed); Ex: 32/30

Conditions:
Issue observed in ASA software versions 9.2.2 and 9.2.24 (tested versions), for TCP traffic only.

Workaround:
N/A

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(2), 9.2(2.4)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCuw02009
Title: *
ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
The ASA may not properly terminate SSH processes in some situations, which can cause the ASA to enter a state where it believes that all 5 sessions for a given context are already in use. This results in failed SSH management sessions to that context, as the ASA sends a RST packet to the client.

Conditions:
This problem can occur when network monitoring tools remotely connect to the ASA via SSH to gather output but do not properly close out the socket when the session is finished.

Workaround:
Currently, the only known workaround is to either remove and re-add the context config-url in the system context (to essentially restart the context) or reload the entire ASA device.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCut44082
Title:
EIGRP configuration not being correctly replicated between failover ASAs
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
We have found that the 'no passive-interface (interface-name)' and the 'distribute-list (distr-list-name) out interface (interface-name)' commands are not being correctly replicated between a pair of ASA firewalls configured in failover.

Conditions:
This issue occurs only when the active FW is replicating the configuration to the standby unit in the following two scenarios:

1.- When issuing the 'write standby' in the active FW.

OR

2.- When after rebooting the standby unit, the active unit automatically replicates the configuration to the standby unit.

(ASA-1/pri/act# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate)

NOTE: In the recreation lab only the distribution list disappears, but in the production environment one of the 'no passive-interface' commands disappears too.

Workaround:
While running ASA codes 9.2(2)4, 9.2(3) and 9.3(2):

1.- Avoid using the 'write standby' command in the active ASA and just use the 'write memory' or the 'copy running-config startup-config'.

2.- If for whatever reason the standby unit is rebooted, then you will need to manually add the missing EIGRP configuration lines in the active unit in order to allow the standby unit to receive the whole needed EIGRP configuration.

I already confirmed this EIGRP replication issue is not happening when running codes 8.6(1), 9.1(1) and 9.1(5), so downgrading to these ASA codes is another workaround.

Further Problem Description:
Here is the detailed EIGRP configuration for our testing:

ASA-1/pri/act(config)# router eigrp 7
ASA-1/pri/act(config-router)# no auto-summary
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# network 10.1.4.0 255.255.254.0
ASA-1/pri/act(config-router)# network 10.1.50.16 255.255.255.248
ASA-1/pri/act(config-router)# network 10.1.94.0 255.255.254.0
ASA-1/pri/act(config-router)# network 10.1.97.0 255.255.255.128
ASA-1/pri/act(config-router)# network 10.6.254.128 255.255.255.128
ASA-1/pri/act(config-router)# network 198.209.254.0 255.255.255.0
ASA-1/pri/act(config-router)# network 198.209.255.0 255.255.255.0
ASA-1/pri/act(config-router)# passive-interface default
ASA-1/pri/act(config-router)# no passive-interface outside
ASA-1/pri/act(config-router)# no passive-interface inside
ASA-1/pri/act(config-router)# no passive-interface dmvpndmz
ASA-1/pri/act(config-router)# no passive-interface stldcdmz

ASA-1/pri/act# sh run router
router eigrp 7
distribute-list NO-PUB-ROUTES-OUT out interface inside
distribute-list NO-PUB-ROUTES-OUT out interface dmvpndmz
distribute-list NO-PUB-ROUTES-OUT out interface stldcdmz
network 10.1.4.0 255.255.254.0
network 10.1.94.0 255.255.254.0
network 10.1.97.0 255.255.255.128
network 198.209.254.0 255.255.255.0
network 198.209.255.0 255.255.255.0
network 10.1.50.16 255.255.255.248
network 10.6.254.128 255.255.255.128
passive-interface default
no passive-interface inside
no passive-interface dmvpndmz
no passive-interface stldcdmz
no passive-interface outside

ASA-1/pri/act# sh run all router
router eigrp 7
no auto-summary
distance eigrp 90 170
distribute-list NO-PUB-ROUTES-OUT out interface inside
distribute-list NO-PUB-ROUTES-OUT out interface dmvpndmz
distribute-list NO-PUB-ROUTES-OUT out interface stl

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(2.4), 9.2(3), 9.3(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38)
Alert Type:
Updated *
Bug Id:
CSCut28217
Title:
Active ASA in failover setup reboots on its own
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Active ASA in failover setup reboots on its own.

Conditions:
Active ASA in failover setup reboots on its own.

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.11(0.58), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11)
Alert Type:
Updated *
Bug Id:
CSCuu84697
Title:
ASA Traceback in Thread Name ssh/client
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA Traceback in Thread Name: ssh/client

Conditions:
There are two known crashes:
The first one is ASA using "copy scp://" CLI to communicate with an external SSH v1 server.
SSH v1 is not a supported protocol when using scp on the ASA.
The second one is when multiple simultaneous "copy scp://" CLI are issued on the ASA. There is a timing factor here. The crash can only be seen if two "copy scp://" CLI are issued on the ASA more or less at the same time. This can only be done through an automated script.

Workaround:
For the first crash, make sure that the external SSH server is running SSH v2.
For the second crash, it can be avoided if the automated script used does not start multiple concurrent "copy scp://" CLI on the ASA at the same time.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(6), 9.1(6.1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.87), 100.14(0.66), 100.14(16.3), 100.14(5.26), 100.15(0.20), 100.15(1.34), 100.15(10.4), 100.15(2.73)
Alert Type:
Updated *
Bug Id:
CSCuu28909
Title:
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In an ASA cluster we may see a packet loop on the cluster control link. The loop is formed when an ICMP error packet should be going via a site-to-site VPN tunnel. Such a packet may go into a loop and cause elevated CPU utilization on the ASA.

Conditions:
+ASA cluster
+site to site VPN tunnel configured
+ICMP error packets destined to the VPN tunnel

Workaround:
+deny ICMP errors using an access-list on the data interfaces

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(6.1), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.17), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12)
Alert Type:
Updated *
Bug Id:
CSCus47259
Title:
Cisco ASA XAUTH Bypass Vulnerability
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:
Due to a vulnerability in the IKEv1 code it is possible to bypass XAUTH authentication by sending crafted IKE messages.

Conditions:
This applies only to deployments configured with Remote VPN and IKEv1.
The knowledge of the PSK or a valid certificate is needed to perform the attack.

This vulnerability affects only the following trains:
- 7.x
- 8.0
- 8.1
- 8.2 prior to 8.2.2.13

This issue has been fixed as part of another bug: CSCtg28821

Workaround:
none

Further Problem Description:

A vulnerability in the IKE version 1 code of Cisco ASA Software could allow an authenticated, remote attacker to bypass x-auth authentication and successfully log in via IPsec remote VPN.

The vulnerability is due to improper implementation of the logic of the x-auth code. An attacker could exploit this vulnerability by sending crafted IKEv1 packets to the affected system. The attacker would need to know the tunnel group pre-shared-key or have a valid certificate in order to exploit this vulnerability. This vulnerability affects only Cisco ASA Software configured for IKEv1 IPSec remote access and IKEv1 IPSec Lan-to-Lan. An exploit could allow the attacker to bypass the authentication and gain access to the network via remote VPN.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2015-0760 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
8.0(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.123), 100.13(0.68), 100.13(21.13), 100.13(29.28), 100.14(0.10), 100.14(10.13), 100.14(26.11), 100.14(5.14), 100.14(6.14)
Alert Type:
Updated *
Bug Id:
CSCuw01562
Title: *
ASA : Traceback with Thread Name- ssh_init with jumbo frame enabled
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
ASA device traceback with Thread Name:- ssh_init on a 5506 with jumbo frame enabled

Conditions:
No specific conditions have been found.

Workaround:
Disabling jumbo frames on the 5506 appears to be one resolution.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCut11895
Title:
Failover assembly remained in active-active state permanently
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Both the primary and secondary ASA assume the active role simultaneously until a manual reload is executed

Conditions:
The problem was encountered while applying a test load of 750 vpn sessions using tls1.2 with ECDHE-ECDSA-AES256-SHA384.
Another test scenario was when the Primary ASA was power-cycled.

Workaround:
Disable and enable failover again on the secondary unit or reload secondary unit.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.32), 9.4(0.113)
Known Fixed Releases: *
100.11(0.57), 100.12(0.116), 100.13(0.51), 100.13(21.9), 100.14(0.4), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.9), 100.14(26.4)
Alert Type:
Updated *
Bug Id:
CSCuv38654
Title:
rewriter returns 302 for a file download
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Clientless rewriter returns a 302 status code erroneously.

Conditions:
Downloading a file from a rewritten page

Workaround:
Unknown, none

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.4(1.4)
Known Fixed Releases: *
100.11(0.61), 100.12(0.137), 100.13(0.91), 100.13(29.28), 100.14(0.68), 100.14(16.4), 100.14(5.27), 100.15(0.22), 100.15(1.42), 100.15(10.4)
Alert Type:
Updated *
Bug Id:
CSCus91636
Title:
Adding subnet(s) to the object group for NAT causes high CPU
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The CPU spikes on an ASA when an object is added to an object group that is used in a NAT command.

Conditions:
ASA 5585 running 8.4 and above code with a huge number of object groups configured and passing heavy traffic.

Workaround:
None known yet.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.56), 100.12(0.114), 100.13(0.40), 100.13(20.12), 100.13(21.7), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.5), 100.14(11.5)
Alert Type:
Updated *
Bug Id:
CSCuu63656
Title:
ASA not generating PIM register packet for directly connected sources
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Topology
------------
Sender ---> ASA(DR) ----> RP -----> Receiver

The ASA runs 9.2.1 or later and the sender is directly connected to the ASA (the DR).
The sender is behind the ASA and the RP is in front of the ASA.
The ASA does not send the PIM Register packet to the RP.

Conditions:
running 9.2.1 or later

Workaround:
downgrade to code 9.1.5

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(1), 9.3(2), 9.4
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.14(0.45), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12)
Alert Type:
Updated *
Bug Id:
CSCuu46569
Title:
ASA CA certificate import fails with different types of Name Constraints
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When performing SCEP enrollment to a CA whose certificate contains a Name Constraints X.509 extension with a URI or DNS constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCuu18989
Title:
ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When a maximum simultaneous connection limit is set, the ASA might drop connections with the error message '%ASA-3-201011: Connection limit exceeded' even when it is clearly not close to the configured maximum.

Conditions:
ASA 5585 running 9.4(1) version code

Workaround:
none

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.83), 100.14(0.62), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.28), 100.15(10.3), 100.15(2.59)
Alert Type:
Updated *
Bug Id:
CSCut52679
Title:
Cisco ASA OSPFv2 Denial of Service Vulnerability
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:
ASA crash in thread name OSPF-3 Router

Conditions:
OSPF is enabled on the interface

Workaround:
none

Further Problem Description:
A vulnerability in the OSPFv2 code of Cisco ASA Software could allow an unauthenticated, adjacent attacker to cause the reload of the affected system.

The vulnerability is due to improper handling of OSPFv2 packets. An attacker could exploit this vulnerability by sending crafted packets to the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-4241 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.15), 100.14(5.15), 100.14(6.20), 100.14(7.19), 100.15(0.9)
Alert Type:
Updated *
Bug Id:
CSCus56590
Title:
ASA - Traceback in Thread Name: fover_parse
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The standby ASA enters a boot loop after attempting to replicate the configuration from the active member, generating a traceback in Thread Name: fover_parse.

The standby ASA finishes the bulk sync in failover but never sends the "sync config finished" message to the active unit; this is the point at which it reloads.

Conditions:
ASA with failover

Versions: 9.3.2 and 9.4.1

Workaround:
Use version 9.3.1 or 9.3.2.104

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2), 9.4(1), 9.4(1.170), 9.4(1.175)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.11), 100.13(29.28), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13)
Alert Type:
Updated *
Bug Id:
CSCus32005
Title:
ASA - Traceback in thread name SSH while applying BGP show commands
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in thread name SSH while running BGP show commands.

Conditions:
ASA running 9.2.2.4

Workaround:
not known

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(2.4)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.56), 100.13(21.10), 100.13(29.28), 100.14(0.5), 100.14(1.4), 100.14(10.8), 100.14(11.8), 100.14(2.12)
Alert Type:
Updated *
Bug Id:
CSCuu48626
Title:
ASA - access list address argument changed from host 0.0.0.0 to host ::
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA changes the configured access-list address argument from "host 0.0.0.0" to "host ::"

Conditions:
ASA version 9.3.2 and 9.3.3

Workaround:
The check can be bypassed by using an object in the ACL:
1. Create a network object for host 0/0
object network HOST-0
host 0.0.0.0
2. Use this network-object in an extended access-list:
access-list NAME extended permit ip object HOST-0 any

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2), 9.3(3)
Known Fixed Releases: *
100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCus78450
Title:
Certificate Validation Failure after upgrade post 9.1.5(12)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
--Certificate Validation Failure message on user PC after upgrading the ASA to any version in 9.1.5(x) post 9.1.5(12)
--The debug crypto ca 255 shows the following message:
CRYPTO_PKI: Certificate validation: Failed, status: 530CRYPTO_PKI: PKI Verify Cetificate Check Cert Revocation unknown error 530
CRYPTO_PKI: PKI Verify Certificate error. No trust point found

Conditions:
ASA running any version above 9.1.5(12) using server-side certificate authentication with ID certificate issued by a third party CA.

Workaround:
--Remove all the configured trustpoints and re-build them by importing the chain.
--Use a self-signed certificate

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5.16)
Known Fixed Releases: *
100.11(0.58), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11)
Alert Type:
Updated *
Bug Id:
CSCuu83280
Title:
Evaluation of OpenSSL June 2015
Status:
Fixed
Severity:
2 Severe
Description: *



Symptom:

This product includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2015-4000, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, CVE-2015-1791, CVE-2014-8176

This bug has been opened to address the potential impact on this product.



Conditions:

Device configured to use SSL services (VPN, ASDM, etc.).

CVE-2015-1788 Malformed ECParameters causes infinite loop
Not affected in ASA versions before 9.4.1, where EC key support was added.

CVE-2015-1790 PKCS7 crash with missing EnvelopedContent
Not affected in any ASA version. OpenSSL clients and servers are not affected.

The remaining vulnerabilities affect the ASA.




Workaround:

Not available.



Further Problem Description:


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.8/6.4

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
7.2(1), 8.2(1), 8.2(5), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.0(1), 99.1
Known Fixed Releases: *
100.12(0.131), 100.13(0.81), 100.13(0.82), 100.14(0.51), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.17), 100.15(0.18)
Alert Type:
Updated *
Bug Id:
CSCuu39615
Title:
eglibc 2.18 is missing upstream fix #15073
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA could crash due to heap corruption

Conditions:
Heavy memory allocation

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2), 9.3(2.2)
Known Fixed Releases: *
100.12(0.127), 100.13(0.77), 100.13(21.16), 100.13(29.28), 100.14(0.30), 100.14(16.1), 100.14(5.19), 100.14(7.38), 100.15(0.13), 100.15(1.18)
Alert Type:
Updated *
Bug Id:
CSCut92194
Title:
ASA traceback in Thread Name: CP Processing
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA running version 9.3.2 is crashing intermittently on Thread Name: CP Processing.

Conditions:
ASA is configured for Websense url filtering.

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.19), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12)
Alert Type:
Updated *
Bug Id:
CSCus23416
Title:
ASA traceback in DATAPATH-1-2414 after software upgrade
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crash in DATAPATH-1-2414 after software upgrade

Conditions:
huge ACL size

Workaround:
none

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
9.0(4.13)
Known Fixed Releases: *
100.11(0.56), 100.12(0.112), 100.13(0.26), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.3), 100.14(11.3)
Alert Type:
Updated *
Bug Id:
CSCug91577
Title:
ASA 9.1.1.7 crash Thread Name: Unicorn Proxy Thread
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
A vulnerability in the WebVPN functionality of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, remote attacker to cause an affected device to crash.

The vulnerability is due to a fault in the Proxy Bypass Content Rewriter implementation. An attacker could exploit this vulnerability by performing an HTTP request that triggers content rewriting. Depending on the configuration, a successful exploit could allow the attacker to cause the appliance to crash or trigger an error recovery event.

When the ASA crashes, the crash is in Thread Name: Unicorn Proxy Thread.

Conditions:
Using webvpn with content rewrite configuration

Workaround:
If WebVPN error recovery is enabled, the ASA does not crash but logs a WebVPN recovery event instead. Workaround configuration:

webvpn
no error-recovery disable

Further Problem Description:
This vulnerability does not affect 8.x software versions.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.5:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&&version=2.0

CVE ID CVE-2013-5557 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html




Last Modified:
20-AUG-2015
Known Affected Releases:
9.1(1.7)
Known Fixed Releases:
100.10(0.6), 100.8(27.84), 100.8(38.18), 100.8(40.8), 100.8(41.2), 100.8(60.18), 100.9(0.48), 100.9(10.1), 100.9(6.28), 100.9(7.26)
Alert Type:
Updated *
Bug Id:
CSCuv66248
Title:
ASA Traceback in DATAPATH under high connection rate
Status:
Terminated
Severity:
2 Severe
Description:

Symptom:
1) ASA console session hangs
2) high CPU on the ASA followed by a reload with Traceback in DATAPATH Thread
3) the ASA might go into a reboot loop

Conditions:
The reload happens whenever there is a configuration change on the ASA just after it has booted up or while it is joining the failover pair. The ASA also has a large number of access rules (NAT/ACL) together with a high rate of connections.

Workaround:
1) Wait for the ASA to complete any pending rule compilations and then make incremental configuration changes.

OR

2) Configure "asp rule-engine transactional-commit access-group" and "asp rule-engine transactional-commit nat", followed by a manual reboot; this appears to stabilize the ASA.

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases: *
9.1(5.21), 9.2(1), 9.3(2), 9.4(1.100), 9.4(1.101), 9.4(1.5)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuq97035
Title:
WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Citrix 5/6 application doesn't launch with IE10

Conditions:
Windows 7 SP1, IE10, Citrix ICA client 14.1.0 32-bit

Workaround:
Use IE11 or FF 28+

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases:
100.11(0.61), 100.12(0.134), 100.13(0.87), 100.14(0.67), 100.15(0.20), 100.15(1.35), 100.15(10.4), 100.15(2.66), 100.15(4.23), 100.15(5.27)
Alert Type:
New
Bug Id:
CSCuv87744
Title:
traceback in Thread Name: fover_parse
Status:
Other
Severity:
2 Severe
Description:

Symptom:
ASA reloads in Thread Name: fover_parse

Conditions:
ASA running 9.4.1.5 code.

Workaround:
None

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
9.4(1.5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur09141
Title:
RRI static routing changes not updated in routing table
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Clearing the crypto configuration for a S2S tunnel does not remove the static reverse route from the routing table; the stale route remains in the routing table.

Conditions:
RRI being used with static crypto map for a S2S tunnel. The crypto map config is removed using the clear config command.

Workaround:
None.

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.12(0.131), 100.13(0.81), 100.14(0.48), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.53), 100.15(3.9)
Alert Type:
Updated *
Bug Id:
CSCuv70576
Title:
ASA: 1550 block depletion due to L2L VPN traffic
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
1550-byte block depletion on the ASA due to L2L VPN traffic

Conditions:
ASA device configured with L2L VPN configuration

Workaround:
NONE

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
9.1(6.6)
Known Fixed Releases: *
100.12(0.140), 100.13(0.95), 100.14(0.70), 100.15(1.60), 100.15(16.1), 100.15(3.32), 100.15(6.19), 100.15(6.20), 100.15(8.11), 9.4(1.104)
Alert Type:
Updated *
Bug Id:
CSCus08239
Title:
ASDM Upload file may crash ASA,OCTEON_CRYPTO: SG buffers exceeds limit
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashes on thread name DATAPATH-0-1570

Conditions:
Seen in 9.4.1 and 9.4.1.1

Workaround:
None

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
100.12(0.106), 9.4(1.3)
Known Fixed Releases: *
100.12(0.138), 100.13(0.94), 100.14(0.69), 100.15(0.23), 100.15(1.54), 100.15(15.15), 100.15(16.1), 100.15(2.85), 100.15(3.29), 100.15(6.19)
Alert Type:
Updated *
Bug Id:
CSCuu27334
Title:
ASA: Traceback with Thread Name - AAA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in Thread Name: AAA

Conditions:
ASA device running ASA 9.1(4) version

Workaround:
Upgrade to 9.1.6.4 or later.

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
9.1(4)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.18), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCuv43902
Title:
ASA: Watchdog Traceback with Thread Name:- SXP CORE
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in Thread Name: SXP CORE

Conditions:
ASA configured with a TrustSec configuration.

Workaround:
No workaround as of now

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
9.3(3)
Known Fixed Releases: *
100.12(0.138), 100.13(0.94), 100.14(0.69), 100.15(0.23), 100.15(1.53), 100.15(15.14), 100.15(16.1), 100.15(2.83), 100.15(3.30), 100.15(6.19)
Alert Type:
Updated *
Bug Id:
CSCuv45756
Title:
ASA may traceback when displaying packet capture with trace option
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback.

Conditions:
ASA running 9.4(1) displaying captures with trace detail option.

Workaround:
Avoid using trace detail option in captures.

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.12(0.140), 100.13(0.94), 100.14(0.70), 100.15(0.23), 100.15(1.56), 100.15(16.1), 100.15(2.86), 100.15(3.31), 100.15(6.19), 100.15(6.20)
Alert Type:
Updated *
Bug Id:
CSCuu77207
Title:
ASA - URL filter - crash on thread name uauth_urlb clean
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASAs running URL filtering (Websense) with traffic redirection to the SFR module may crash in the thread named uauth_urlb clean.

Conditions:
- Seen on 9.4.1 ASA code
- URL filtering configured and being used
- Higher amounts of traffic (500+ mbps)
- Traffic redirection to the SFR module

Workaround:
Possible temporary workarounds:

- Disable traffic redirection to the SFR module
- Disable URL filtering (Websense)

Further Problem Description:

Last Modified:
22-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.95), 100.14(0.71), 100.15(1.68), 100.15(16.2), 100.15(3.37), 100.15(6.21), 100.15(8.12), 99.1(2.222), 99.1(3.156)
Alert Type:
Updated *
Bug Id:
CSCur07369
Title:
SXP Version Mismatch Between ASA & N7K with clustering
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
SXP connection cannot be established when ASA cluster is interacting with a SXP peer running SXP version 1 protocol.

Conditions:
(1) The ASA is running a cluster with 2 or more units, (2) the SXP peer is running SXP version 1 protocol, and (3) the SXP peer's hash directs the SXPv1 request to a slave unit of the ASA cluster instead of the master unit.

Workaround:
- Upgrade SXP peer to run SXP version 2 or above, or
- Change the IP address used for establishing SXP connection so that the hash algorithm may direct the SXPv1 request from the SXP peer to the master unit of the ASA cluster instead of the slave unit.

Further Problem Description:

Last Modified:
25-AUG-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.12(0.143), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(3.37), 100.15(6.21), 100.15(8.12), 9.4(1.106), 99.1(2.223)
Alert Type:
Updated *
Bug Id:
CSCtl74435
Title:
VPN ports not removed from PAT pool
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
New VPN connections will fail if the VPN port is allocated from PAT pool on the same interface. We should not allow the VPN port to be used in the PAT pool.

Conditions:
Problem observed on 8.3.1.
PAT configured for same interface that terminates the VPN.
Problem is intermittent. VPN will work fine until this xlate using the VPN is created.
Clearing this xlate will restore VPN connectivity.

For example:

###PAT configuration uses outside interface for translations
object network obj_any
nat (inside,outside) dynamic interface

###Crypto map terminates on outside interface of ASA on port 10000
crypto map interface outside
crypto isakmp ipsec-over-tcp port 10000

##Show xlate during the problem shows port 10000 translation in use for an inside host (VPN will not be able to connect on TCP 10000):
show xlate | include 10000
TCP PAT from inside:/12345 to outside:/10000 flags ri idle 0:10:04 timeout 0:00:30


Workaround:
Issue "clear xlate" to clear the translation that is using the VPN port
Adjust PAT configuration to use an IP address that differs from the VPN interface IP

Last Modified:
25-AUG-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases: *
100.7(13.1), 100.7(14.1), 100.7(15.1), 100.7(6.30), 100.7(8.23), 100.7(9.12), 100.8(0.2), 100.8(10.1), 100.8(12.1), 8.2(4.103)
Alert Type:
Updated *
Bug Id:
CSCut49034
Title:
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
CPU on standby ASA spikes to 100%

Conditions:
A host connected through clientless VPN with the RDP plugin opens an RDP session to a host connected through AnyConnect VPN.
Stateful failover configured on an active-standby failover pair.

Workaround:
None

Further Problem Description:
High CPU on the standby ASA unit is caused by a specific connection through the ASA from a host connected via clientless VPN, when stateful failover is enabled.
The host (connected through clientless VPN) opens an RDP session to a host connected through AnyConnect VPN.

When this particular connection goes through the ASA, the active ASA builds a single connection, while the standby ASA builds numerous connections with the same source and destination ports.
Connection on the primary/active:
act/pri/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:00, bytes 4131029, flags UO
Connections on the secondary (close to 2500):
stby/sec/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:05, bytes 4131029, flags UO
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:06, bytes 4131029, flags UO

We see a large number of connection teardowns on the standby for this connection.
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554151 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:02 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554254 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:01 bytes 252687 TCP Reset-O

We also see a lot of reset packets in asp drops in the standby ASA.
1: 19:00:25.358578 0000.0000.0000 0000.0000.0000 0x0800 Length: 54
66.241.60.197.62481 > 10.145.44.253.3389: R [tcp sum ok] 0:0(0) ack 0 win 0 (ttl 255, id 52738)
Drop-reason: (mp-svc-no-channel) SVC Module does not have a channel for reinjection
Notably, the source MAC and the destination MAC are both 0 in this ASP drop.

We see overruns on the failover interface of the standby unit.
stby/sec/alan3usv01# show int gig0/3
Interface GigabitEthernet0/3 "failover1", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: LAN/STATE Failover Interface
MAC address 5475.d091.518f, MTU 1500
IP address 10.99.101.114, subnet mask 255.255.255.248
432217782 packets input, 556229026142 bytes, 0 no buffer
Received 556 broadcasts, 0 runts, 0 giants
204523310 input errors, 0 CRC, 0 frame, 204523310 overrun, 0 ignored, 0 abort
A large number of packets is being transferred from the active to the standby ASA.

In the fover rx failover debugs, only the following messages appear:
lu_rx: HA TRANS: receive message for client vpnfo, length 48
lu_rx: HA TRANS: receive message for client vpnfo, length 72
lu_rx: HA TRANS: receive message for client vpnfo, length 72

Decoding the CPU profile output from the standby ASA shows that the high CPU on the standby is due to LU updates.

Last Modified:
25-AUG-2015
Known Affected Releases:
9.1(2), 9.1(5.21)
Known Fixed Releases: *
100.12(0.142), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(3.37), 100.15(6.21), 100.15(8.12), 9.4(1.106)
Alert Type:
Updated *
Bug Id:
CSCut46019
Title:
MARCH 2015 OpenSSL Vulnerabilities
Status:
Fixed
Severity:
2 Severe
Description:


Symptom:

This product includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2015-0286, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288

This bug has been opened to address the potential impact on this product.


Conditions:

Exposure is not configuration dependent.

First Fixed Information:

8.2.5.58 (April 2015)
8.3.2.45 (April 2015)
8.4.7.29 (April 2015)
8.5.1.25 (April 2015)
8.6.1.18 (April 2015)
8.7.1.17 (April 2015)
9.0.4.34 (April 2015)
9.1.6.2 (24-Apr-2015)
9.2.3.5 (April 2015)
9.3.3.1 (8-May-2015)
9.4.1.1 (8-May-2015)

Published advisory is at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150320-openssl

Workaround:

Not available.


More Info:

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.1/6.9

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html



Last Modified:
26-AUG-2015
Known Affected Releases: *
8.2(5), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 9.3(2)
Known Fixed Releases:
100.11(0.58), 100.12(0.123), 100.13(0.73), 100.13(21.13), 100.13(29.28), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.28), 100.14(7.28)
Alert Type:
New
Bug Id:
CSCuv93774
Title:
ASA: Traceback in netfs_thread_init
Status:
Other
Severity:
2 Severe
Description:

Symptom:
ASA traceback in Thread Name: netfs_thread_init

Conditions:
ASA configured with a WebVPN configuration

Workaround:
None at this time

Further Problem Description:

Last Modified:
26-AUG-2015
Known Affected Releases:
9.3(3)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv96011
Title:
OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards
Status:
Open
Severity:
2 Severe
Description:

Symptom:
OSPF over IKEv2 L2L tunnel is broken on ASA in 9.2(1) onwards. Routes are installed into OSPF database successfully, but they are absent in the main routing table.

Conditions:
-IKEv2 L2L configured to propagate routes over OSPF on ASA running 9.2.1 or above.

Workaround:
-Downgrade the ASA to 9.1(5), if an option.
-Use IKEv1 tunnel

Further Problem Description:
None

Last Modified:
27-AUG-2015
Known Affected Releases:
9.2(1), 9.3(3), 9.4(1), 9.5(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuu45858
Title:
ASA Traceback in cp_syslog
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crash in Datapath thread

Conditions:
ASA running on 9.4.1, with syslogs configured.

Workaround:
N/A

Further Problem Description:

Last Modified:
27-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.26), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15), 100.15(2.47)
Alert Type:
New
Bug Id:
CSCuv87150
Title:
ASA crash in Thread Name: fover_parse (ak47/ramfs)
Status:
Open
Severity:
2 Severe
Description:

Symptom:
ASA 5525 running version 9.5(1) crashing in Thread Name: fover_parse (ramfs)

Conditions:
ASA is in failover pair.

Workaround:
No workaround

Further Problem Description:

Last Modified:
27-AUG-2015
Known Affected Releases:
9.4(1.5), 9.5(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv61100
Title:
Traceback in ramfs
Status:
Other
Severity:
2 Severe
Description:

Symptom:
ASAv-specific: running AnyConnect and WebVPN sessions causes a traceback in ramfs

Conditions:

Workaround:
none

Last Modified:
27-AUG-2015
Known Affected Releases:
9.4(1.170)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuh45824
Title:
ASA should not allow traffic forwarding to CX on multiple interfaces
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
The ASA allows traffic forwarding to the CX module to be configured on multiple interfaces at a time. This is incorrect behavior: the ASA should allow traffic forwarding to CX to be configured on only one interface at a time.

Conditions:
When ASA is in transparent mode with CX module

Workaround:
No

Further Problem Description:

Last Modified:
27-AUG-2015
Known Affected Releases:
9.1(2.1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv95437
Title:
MGCP conn appears on different ifs
Status:
Open
Severity:
2 Severe
Description:

Symptom:
MGCP connection appears on different interfaces

Conditions:
ASA running 9.4.1 with MGCP connection

Workaround:
None

Further Problem Description:

Last Modified:
27-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv87760
Title:
Unicorn proxy thread traceback with RAMFS processing
Status:
Open
Severity:
2 Severe
Description:

Symptom:
Traceback in Unicorn Proxy Thread while using WebVPN.

Conditions:
Cisco ASA running release 9.3.3.223 with WebVPN enabled.

Workaround:
None.

Further Problem Description:

Last Modified:
27-AUG-2015
Known Affected Releases:
9.3(3), 9.3(3.223)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu06081
Title:
ASAv licensing enforcement should not be CLI parser based
Status:
Open
Severity: *
2 Severe
Description:

Symptom:
ASAv doesn't accept CLI commands without proper license in place.

Conditions:
NA

Workaround:

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv91730
Title:
Request allow packets to pass when snort is down for ASA configurations
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traffic doesn't pass on ASA platforms when snort is down.

Conditions:
ASA running 9.3 or later code with a service-policy enabled that sends traffic to the Sourcefire module. When policy changes are applied to Snort on the Sourcefire module, packets may be dropped by the ASA.

Workaround:
NA

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases:
9.5(1)
Known Fixed Releases:
9.2(4.210)
Alert Type:
New
Bug Id:
CSCuv94338
Title:
ASA traceback in Thread Name: CP Crypto Result Processing.
Status:
Open
Severity:
2 Severe
Description:

Symptom:
ASA crashing in Thread Name: CP Crypto Result Processing.

Conditions:
N/A

Workaround:
No workaround

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
9.2(3.4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtg74172
Title:
Can get around dynamic-filter by using caps in domain name
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The Cisco ASA BTF (Botnet Traffic Filter) feature should not be case sensitive. A user can get around the BTF feature by using capital letters in domain names.

Conditions:
Configuring white and black lists for BTF

Workaround:

Not known

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
8.2(2.12)
Known Fixed Releases: *
100.12(0.145), 100.13(0.97), 100.15(1.77), 100.15(3.45), 9.4(1.107), 99.1(2.229)
Alert Type:
Updated *
Bug Id:
CSCuv79552
Title:
ASA:Standby crash during config replication with customization export
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Standby ASA crashes while exporting WebVPN customization and replicating configuration from the active device simultaneously.

Conditions:
This only occurs in the following sequence of events:
1. On the standby ASA, execute "export webvpn customization dfltCustomization stdout" from the CLI (for any customization) but do not let the command finish, i.e. leave it waiting at the --more-- prompt.
2. Execute "write standby" on the active device.
3. While the configuration is being replicated, hit any key on the standby CLI to continue the "export" command. This will cause the standby ASA to crash.

Workaround:
Do not execute any command on the standby CLI until the configuration is fully replicated.

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
8.4(7.15), 9.1(6)
Known Fixed Releases: *
100.12(0.144), 100.13(0.96), 100.14(0.71), 100.15(0.24), 100.15(1.77), 100.15(3.45), 9.4(1.107), 99.1(2.229)
Alert Type:
Updated *
Bug Id:
CSCut46789
Title:
Crash at steady state with HTTP traffic
Status: *
Other
Severity: *
2 Severe
Description:

Symptom:
An ASA may crash in very rare situations when running a capture on an interface.

Conditions:
The initial investigation indicates that it is related to capturing packets with the built-in capture functionality.

Workaround:
None at this time.

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu87823
Title:
ASAv traceback in DATAPATH when used for WebVPN
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASAv traceback in DATAPATH when used for WebVPN

Conditions:
ASAv running release 9.4.1 and configured for WebVPN

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.143), 100.13(0.95), 100.13(29.28), 100.14(0.71), 100.14(16.5), 100.14(5.30), 100.15(0.24), 100.15(1.68), 100.15(3.37)
Alert Type:
Updated *
Bug Id:
CSCuu39636
Title:
Cert Auth fails with 'max simultaneous-login restriction' error
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
VPN client connections with certificate authentication fail with the following error:

[IKEv1]Group = , IP = X.X.X.X, Session terminated due to 'X' max simultaneous-login restriction.

Conditions:
VPN clients with certificate authentication

ASA running 9.1.6 or later

Workaround:
Use PSK and X-Auth for authentication
Downgrade to a non-affected version

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(6), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCus95290
Title:
Cisco ASA VPN XML Parser Denial of Service Vulnerability
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA Failover Command Injection Vulnerability
Cisco ASA DNS Memory Exhaustion Vulnerability
Cisco ASA VPN XML Parser Denial of Service Vulnerability

Successful exploitation of the Cisco ASA Failover Command Injection Vulnerability would allow an attacker to submit failover commands to the failover units, which may result in an attacker taking full control of the systems.

Successful exploitation of the Cisco ASA DNS Memory Exhaustion Vulnerability may result in system instability and dropped traffic.

Successful exploitation of the Cisco ASA VPN XML Parser Denial of Service Vulnerability may result in a crash of the WebVPN process, which may lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system.


Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for the Cisco ASA Failover Command Injection Vulnerability and Cisco ASA DNS Memory Exhaustion Vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa

Note: The resolution of the vulnerability in the Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability, cisco-sa-20150408-cxfp, released on the 8th of April may require an upgrade of the Cisco ASA Software release. Cisco ASA customers should review cisco-sa-20150408-cxfp before deciding which Cisco ASA Software release to upgrade to.

The Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-0677 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
9.0(4.20)
Known Fixed Releases: *
100.11(0.56), 100.12(0.113), 100.13(0.35), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4)
Alert Type:
Updated *
Bug Id:
CSCus92856
Title:
ASA traceback in DATAPATH Thread due to Double Block Free
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA reloads and generates crashinfo in Thread DATAPATH.
The issue is specific to a cluster with multi-context and interface sharing. It was exposed by fragmentation happening on the shared interface.

Conditions:
Clustering is enabled on ASA

Workaround:
Avoid using loopback/shared interface

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.13(29.28), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.24), 100.14(7.23)
Alert Type:
Updated *
Bug Id:
CSCut49111
Title:
ASA traceback because of TD tcp-intercept feature
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Multiple crashes have been observed on an ASA with threat-detection statistics tcp-intercept enabled.

Conditions:
When threat-detection statistics tcp-intercept is enabled

Workaround:
Disabling TD for tcp-intercept statistics stops the crash.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.11(0.58), 100.12(0.125), 100.13(0.73), 100.13(21.13), 100.13(29.28), 100.14(0.12), 100.14(10.17), 100.14(5.15), 100.14(6.27), 100.14(7.26)
Alert Type:
Updated *
Bug Id:
CSCut88287
Title:
ASA Traceback in vpnfol_thread_msg
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA device Traceback in vpnfol_thread_msg

Conditions:
ASA device running in Active/Standby HA Pair.

Workaround:
NONE

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.12(0.130), 100.13(0.79), 100.13(29.28), 100.14(0.42), 100.14(16.1), 100.14(5.20), 100.14(7.39), 100.15(0.16), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCus91407
Title:
Network Object NAT is not working when config-register == 0x41
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
NAT rule configured under the network object is not processed

Conditions:
config-register configured to 0x41

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(7), 9.0(4), 9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.116), 100.13(0.51), 100.13(21.8), 100.14(0.3), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.8), 100.14(26.3)
Alert Type:
Updated *
Bug Id:
CSCuu88437
Title:
ASA5506-X:copy file operations fail with jumbo-frame-reservation config
Status:
Other
Severity:
2 Severe
Description:

Symptom:
Copy file operations fail with an error when running these images (9.4.1.1, 9.4.1.2) on an ASA-5506-X when the config is enabled for "jumbo-frame reservation". The error displayed is as below:

"Error writing disk0:/ (Cannot allocate memory)"

It doesn't matter what file you operate on, an ASDM or an LFBFF image, or whether you are copying from ftp/tftp to disk0 or simply copying a file on disk0://file to disk0://file1.
I used the asdm-732.bin image for this operation:
"copy disk0:/asdm-732.bin disk0:/asdm1", which errors out with the above error.

Conditions:
Copy file operations to disk0 on an ASA5506-X.

Workaround:
Remove the "jumbo-frame reservation" CLI config and reboot; copy operations then succeed. Re-enable the CLI after the copy operations are complete.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.14(0.47)
Known Fixed Releases: *
100.13(0.81), 100.14(0.48), 100.14(0.49), 100.14(0.66), 100.14(16.1), 100.14(16.3), 100.14(5.23), 100.14(5.26), 100.14(7.42), 100.15(0.17)
Alert Type:
Updated *
Bug Id:
CSCus11465
Title:
ASA teardown connection after receiving same direction fins
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA version 9.2.2.4 or 9.3.1 will tear down a TCP connection after receiving FIN/ACK, FIN/ACK in the same direction.

Conditions:
ASA version 9.2.2.4 or 9.3.1
Receiving FIN/ACK, FIN/ACK in the same direction

Workaround:
Use TCP bypass.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(2), 9.3(1)
Known Fixed Releases: *
100.11(0.55), 100.12(0.111), 100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1)
Alert Type:
Updated *
Bug Id:
CSCus24519
Title:
ASA Cluster: Default OSPF route gone on Master unit
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In a cluster deployment where a default route is obtained via OSPF, under certain conditions the default route(s) disappear from the routing table of the Master unit. The default routes do not disappear from the OSPF DB.

Conditions:
- Cluster with Spanned EtherChannel
- Default route obtained dynamically
- Multiple context mode
- Manually changing roles from Slave to Master
- After cluster failover

Workaround:
Manually clear the OSPF process on the Master unit
Temporarily use a static default route

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(2.8)
Known Fixed Releases: *
100.11(0.55), 100.12(0.111), 100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1)
Alert Type:
Updated *
Bug Id:
CSCuv12564
Title:
Memory leak @regcomp_unicorn with APCF configured
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
WebVPN portal page access is denied because of low available memory caused by a memory leak.

Conditions:
APCF is configured and executed very frequently.
One example is configuring APCF to block the portal navigation toolbar.

Workaround:
Remove APCF from the configuration.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.61), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.26), 100.15(2.58), 100.15(3.13)
Alert Type:
Updated *
Bug Id:
CSCut44075
Title:
Traceback in snp_cluster_get_buffer
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback in snp_cluster_get_buffer

Conditions:
Single or two node cluster

Workaround:
none

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.0, 9.3(2.101), 9.4(0.117)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCut45114
Title:
2048-byte block leak if DNS server replies with "No such name"
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may become unresponsive due to excessive loss of 2048-byte memory blocks.

Conditions:
Many DNS lookups for bad hostnames are done from the ASA, so that the DNS server replies "no such name".

Workaround:
A reboot is required to recover the lost memory blocks.

Further Problem Description:
To monitor block utilization, use the CLI command "show blocks".

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2.101)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.10), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Alert Type:
Updated *
Bug Id:
CSCus89139
Title:
Exception on asdm_handler stream line: </threat-detection>
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Threat detection stats graphs on ASDM in ASA cluster setup show "Lost Connection to Firewall" message.

Conditions:
The following errors are observed in the Java Console debugs:

813 [Poller] ERROR com.cisco.dmcommon.util.DMCommonEnv - (Poller) Exception on asdm_handler stream line:
2015-02-11 11:05:52,718 [ERROR] Exception : Error on line 62: An invalid XML character (Unicode: 0x5) was found in the element content of the document.

Workaround:
Disable threat detection statistics under Device Management until you can upgrade to the ASA code where this defect is fixed.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.30)
Known Fixed Releases: *
100.13(0.36), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4), 100.14(2.5), 100.14(26.2)
Alert Type:
Updated *
Bug Id:
CSCut12513
Title:
ASA allows citrix ICA connection without authentication
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cisco ASA Clientless SSL VPN integration with Citrix includes downloading a .ica file from the Citrix server and serving it to the client.
The .ica file includes a session token to connect to the Citrix server.

This file is stored on the client PC and deleted by the Citrix client once the session with Citrix is terminated.

If this file is copied to a different machine, it is possible to reuse it to connect to the Citrix server via the Clientless SSL VPN feature without requiring authentication, as long as the session of the user that initially authenticated to the Clientless SSL VPN Portal is still active.

Conditions:
The file needs to be copied from the initial PC, and the authenticated user session should still be active.

Workaround:
none


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:


Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.13(29.28), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15)
Alert Type:
Updated *
Bug Id:
CSCze96017
Title:
Active ftp-data is blocked by Firepower on Chivas Beta on 5512
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The system incorrectly processes data channels matching applied access control, intrusion, and network discovery policies.

Conditions:
Configure an ASA FirePOWER module running Version 5.0 or later with network address translation (NAT).

Workaround:
1. Create a policy to allow ftp-data traffic from Server to Client
or
2. Use passive FTP

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12), 100.15(5.20)
Alert Type:
Updated *
Bug Id:
CSCuu32905
Title:
ASA WebVPN: Javascript fails to execute when accessing internal portal
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
On an ASA running WebVPN, when a user clicks on the internal portal page, the Java console logs the error "function expected" in cte.js.

Conditions:
Issue was seen and replicated on ASA 9.1(5.21) and 9.1(6).

Workaround:
None.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.8(40.67), 9.1(6)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.26), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCuq27342
Title:
Traceback and reload triggered by failover configuration
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When configuring a failover interface using the command "failover lan interface " on an ASA5585, the ASA might crash with a traceback and reload. The crash would occur right after the software responds and executes the code for setting up the failover interface. If a crash occurs during normal system operation, then it is not due to this bug.

Conditions:
Configure a failover interface using the "failover lan interface " command. The chances of a crash are statistically very low, but may increase if traffic into the CPU from network interfaces is high. In lab testing it was only reproducible on a single 5585 instance, using ASDM with an HTTP interface to the device to send over the configuration commands. In theory, though, it could occur through console CLI configuration as well.

Workaround:
The problem is only triggered when configuring a failover interface with the command given above. Once the failover interface configuration is complete, if no crash has occurred then the problem will not present itself.

Further Problem Description:
If a coredump is captured, then it can be compared to information in this DDTS to determine with high likelihood whether or not it was due to failover interface configuration.

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(3), 9.1(4.5), 9.2(2.8)
Known Fixed Releases: *
100.11(0.56), 100.11(0.57), 100.12(0.113), 100.12(0.115), 100.13(0.34), 100.13(0.49), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.13(21.8)
Alert Type:
Updated *
Bug Id:
CSCuu53928
Title:
ASA does not set forward address or P-bit in OSPF redistribution in NSSA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA can advertise OSPF routes to a peer with the P-bit disabled and with a null forward address when in a Not-So-Stubby Area. This can cause the peer device to be unable to translate this LSA and forward it on to the rest of the topology.

OSPF Router with ID (10.0.0.50) (Process ID 1)
Type-7 AS External Link States (Area 100)

LS age: 23
Options: (No TOS-capability, No Type 7/5 translation, DC) <---
LS Type: AS External Link
Link State ID: 192.168.0.0 (External Network Number )
Advertising Router: 10.0.0.50
LS Seq Number: 80000001
Checksum: 0x791e
Length: 36
Network Mask:255.255.0.0
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0 <---
External Route Tag:

This condition occurs if the route that is advertised is directly connected, and that link comes up before the link that contains the OSPF neighborship.

Conditions:
- ASA in an OSPF Not So Stubby Area
- Redistributing Connected Routes
- Observed in single and multiple context
- Observed in failover mode or standalone mode

Workaround:
- Clear OSPF Process on ASA with command "clear ospf process"
- Bounce link of connected route that is being advertised incorrectly

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(1), 9.4(1)
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.13(29.28), 100.14(0.44), 100.14(16.1), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCus53692
Title:
ASA traceback in Thread Name: fover_parse
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may generate a traceback during failover synchronization in thread name fover_parse.

Conditions:
This issue has been seen on ASA 5500-X running 9.1(3); other versions may also be affected. A WCCP ACL is configured with a user, user group, or fully qualified domain name object, which is not supported.

Workaround:
Remove the ACL with user, user group, or fully qualified domain name objects from the WCCP configuration.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases: *
100.11(0.57), 100.12(0.116), 100.13(0.51), 100.13(21.8), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.8)
Alert Type:
Updated *
Bug Id:
CSCuu45812
Title:
ASA traceback with Thread Name idfw_proc
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback with Thread Name idfw_proc

Conditions:

Workaround:
no workaround available currently

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54)
Alert Type:
Updated *
Bug Id:
CSCuv01177
Title:
ASA: traceback in IDFW AD agent
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA5585 in failover pair may traceback in IDFW process.

Conditions:
ASA running IDFW features.

Workaround:
Disable IDFW.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCut71095
Title:
ASA WebVPN clientless cookie authentication bypass
Status:
Open
Severity:
2 Severe
Description:

Symptom:
In some instances, the ASA WebVPN clientless session ID is included in the URL. Session IDs should only be stored in cookies and transmitted over secure channels.

Conditions:
-- WebVPN

Workaround:
none

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1, 9.4(1)
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.13(29.28), 100.14(0.44), 100.14(16.1), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.54)
Alert Type:
Updated *
Bug Id:
CSCut75983
Title:
ASA Traceback in PPP
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in ppp_timer_thread.

Conditions:
ASA under heavy traffic; the ASA is already dropping VPN tunnels (over-subscription of the ASA).

Workaround:
none

Further Problem Description:
ASA reloaded on its own.

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCuv30184
Title:
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When accessing a URL that includes the AddThis widget's JVM function, the widget is not shown and the ASA can generate a traceback in Thread Name Unicorn Proxy Thread.

Conditions:
A user navigates to a web page with an embedded AddThis widget.

Workaround:
Use SmartTunnel

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases: *
100.8, 9.3(3), 9.3(3.2), 9.3(3.220)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.85), 100.13(29.28), 100.14(0.66), 100.14(16.3), 100.14(5.26), 100.15(0.20), 100.15(1.34), 100.15(2.73)
Alert Type:
Updated *
Bug Id:
CSCus89286
Title:
ASA Traceback in SSL library due to DMA memory exhaustion
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cisco ASA may crash in DATAPATH thread when AnyConnect client connects or CSM connects via HTTPS. It's highly likely that ASDM can cause the same crash under certain conditions. The crash occurs in SSL library.

Conditions:
This issue was seen in 9.3.3.2 version after upgrade from 9.1.6. Other versions can be affected as well.

The crash happens if the ASA runs out of DMA memory due to SSL activity and after some time the memory is freed. The DMA memory can be exhausted on low-end ASA models if many features are configured, such as two or more syslog servers, HTTP server for ASDM or WebVPN, DHCP server on several interfaces, etc. Refer to CSCub58958 for details.

Workaround:
Do not use WebVPN, CSM and ASDM.

Further Problem Description:
Console can contain:

Intercepted call of type abort

Thread Name: DATAPATH-0-1648
Abort: Unknown
...

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(3.2)
Known Fixed Releases: *
100.13(0.38), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.5), 100.14(11.5), 100.14(2.5), 100.14(26.2), 100.14(3.2)
Alert Type:
Updated *
Bug Id:
CSCtz98516
Title:
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA firewall may crash when being polled by SNMP in rare circumstances.

Conditions:
This has been seen primarily in the 8.4.x ASA code train. The first fix is in ASA interim code 8.4.4.2. To trigger the bug, the ASA must be queried via SNMP for a GETBULK of the xlate OID:

1.3.6.1.4.1.9.10.77.1.2.1

Workaround:
Stop polling the ASA firewall via SNMP until an upgrade to the fixed code can be performed, or modify the OIDs being polled by your SNMP monitoring station to exclude the affected OIDs.

Last Modified:
31-AUG-2015
Known Affected Releases:
100.7(22.1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(28.2), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Alert Type:
Updated *
Bug Id:
CSCti05769
Title:
Migration of max_conn/em_limit to MPF is completely wrong in 8.3
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Migration to Modular Policy Framework may yield an incorrect configuration. This may result in loss of TCP Intercept protection against SYN floods coming from the outside, as MPF limits are configured in the incorrect direction. Protection against server overloading may also be lost because the migrated configuration incorrectly limits the number of outbound established connections from the server to the outside.

Conditions:

Workaround:
The configuration created by the migration process must be removed, and limits must be set manually via MPF in the proper direction.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
31-AUG-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
New
Bug Id:
CSCuv75940
Title:
ASA5580 Traceback in CP Processing on upgrade from 9.1.5.21 to 9.1.6.6
Status:
Terminated
Severity:
2 Severe
Description:

Symptom:
ASA5580 Traceback in CP Processing thread after upgrade from 9.1.5.21 to 9.1.6.6.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(6.6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus57241
Title:
ASA 9.3.2:DAP intermittently uses dflt policy for VPN RA sessions
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After upgrade from 9.2(2.4) to 9.3(2), VPN remote access connections intermittently match the DfltAccessPolicy instead of the appropriate policy. If the DfltAccessPolicy policy's action is to terminate, the VPN RA sessions will not establish.

Conditions:
- DAP is configured
- ASA upgraded from 9.2(2.4) to 9.3(2)

Workaround:
- Allow (action=continue) in the default policy, if your security policy allows for this.
- Downgrade to an ASA pre-9.3.2 release, if at all possible.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.112), 100.13(0.23), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(10.2), 100.14(11.2), 100.14(12.1)
Alert Type:
Updated *
Bug Id:
CSCuu45813
Title:
ASA Name Constraints dirName improperly verified
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When performing SCEP enrollment to a CA that contains the Name Constraints X.509 extension with a dirName constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCur07061
Title:
Traceback on standby ASA during hitless upgrade
Status:
Fixed
Severity:
2 Severe
Description:

Regression caused by a fix in CSCuq37448.

Symptom: ASA system traceback was observed in the data path.

Conditions: Cisco ASA running release 9.1.5.16.

Workaround: NA

More Info: This issue was seen in one case when doing a system test with ASAv during a hitless upgrade. In another case the trace indicated it might be related to using the capture feature on an ASA-SM. However, the issue is not related to failover or packet capture.
In the bug fix of CSCuq37448, we added code for detecting and handling IPsec HA packets. That fix failed to handle certain corner cases and could subsequently cause a traceback. The fix removes the special handling.



Last Modified:
31-AUG-2015
Known Affected Releases:
100.12(0.56), 100.13(11.7)
Known Fixed Releases: *
100.11(0.50), 100.11(0.57), 100.12(0.118), 100.12(0.70), 100.12(6.20), 100.13(0.58), 100.13(0.6), 100.13(11.10), 100.13(12.16), 100.13(15.7)
Alert Type:
Updated *
Bug Id:
CSCut30741
Title:
ASA redirection to Scansafe tower fails with log id "775002" in syslog
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA redirection to Scansafe tower fails with log id "775002" in syslog even when the platform limit for connections was not reached.

Conditions:
Noticed in version 9.0(2), but could affect any release.

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.0(2)
Known Fixed Releases: *
100.11(0.57), 100.12(0.116), 100.13(0.52), 100.13(21.9), 100.13(29.28), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.9)
Alert Type:
Updated *
Bug Id:
CSCus79129
Title:
ASAv crashes when CiscoTAC-1 profile pointed to Transport Gateway w/ dbg
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashes when debug call-home detail is enabled.

Conditions:
Normal Smart Call Home operation with debug call-home detail active.

Workaround:
Do not enable debug call-home detail.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.112), 100.13(0.33), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4), 100.14(2.5)
Alert Type:
Updated *
Bug Id:
CSCuv10258
Title:
ASA5505 permanent base license, temp secplus, failover, vlan count issue
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
show version displays a 3 VLAN license instead of 20 when a permanent base license and a time-based Security Plus license are combined on the ASA5505 platform after failover is enabled.

Conditions:
Three combined conditions:
1. Permanent base license
2. Timebased Security Plus License
3. Failover is enabled

Workaround:
No known workaround

Further Problem Description:
The problem exhibits itself after a reboot. It looks like a variant of CSCtf91862.

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.86), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.34), 100.15(2.73), 100.15(3.17)
Alert Type:
Updated *
Bug Id:
CSCuv25327
Title:
bgp ipv6 neighborship fails with ASA after hard reset on router
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
bgp ipv6 neighborship fails with ASA after hard reset on router

Conditions:
ASA with 9.5.1 or above has this issue.

Workaround:
Reset the connection on the ASA using the clear ip bgp * command.

Further Problem Description:

Last Modified:
02-AUG-2015
Known Affected Releases:
100.14(0.61)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62)
Alert Type:
Updated *
Bug Id:
CSCuv61791
Title:
CWS redirection on ASA may corrupt sequence numbers with https traffic
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
The ASA, when redirecting HTTPS traffic to a Cloud Web Security tower, may incorrectly modify the sequence numbers associated with HTTP traffic, resulting in connectivity problems and/or poor performance in rare situations.

Conditions:
This appears to occur only when the client retransmits the HTTPS Client Hello. This may occur if the CWS tower is delayed in reaching the end SSL server.

Workaround:
None at this time.

Further Problem Description:

Last Modified:
04-AUG-2015
Known Affected Releases:
9.1(6.7), 9.4(1.3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCth81601
Title:
ASA tracebacks in Thread Name: Dispatch Unit
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
ASA tracebacks in Thread Name: Dispatch Unit

Conditions:
AIP-SSM module is used for traffic inspection.

Workaround:
Disable traffic inspection via AIP-SSM.

Last Modified:
05-AUG-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases: *
100.7(0.71), 100.7(11.2), 100.7(6.16), 100.7(8.3), 8.2(4.2), 8.2(5), 8.3(2.13), 8.4(1.1), 8.4(1.99), 8.4(2)
Alert Type:
Updated *
Bug Id:
CSCuq32286
Title:
ASA - Standby unit Traceback in thread name DATAPATH
Status: *
Terminated
Severity:
2 Severe
Description:

Symptom:
ASA traceback in Thread Name: DATAPATH, due to recursive locks in CTM rings and VPN context (VPN tunnel).

Conditions:
ASA is running 8.4(6)6

Workaround:
Not known

Further Problem Description:

Last Modified:
05-AUG-2015
Known Affected Releases:
8.4(6.6)
Known Fixed Releases: *
8.4(6.190)
Alert Type:
Updated *
Bug Id:
CSCth02276
Title:
FTP Inspection - Passing Non-RFC FTP command with ABOR Masking
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

A vulnerability exists in the Cisco ASA FTP inspection engine where an unauthenticated attacker could bypass security checks by sending non-RFC-compliant FTP commands.


Conditions:
Cisco ASA configured for FTP inspection.

Workaround:
Not available.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2011-0929 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.23), 100.7(8.14), 100.7(9.4), 7.2(5.3), 8.0(5.24), 8.1(2.49)
Alert Type:
Updated *
Bug Id:
CSCto83156
Title:
ASA Sequence of ACL changes when changing host IP of object network
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Changing the IP of the object network causes the access-list to change the sequence of the ACE to a lower sequence number.

Conditions:
ASA 8.4.1
ASA 8.3.2

Access-list with object network and remarks in the ACL

Workaround:
Manually change the sequence of the access-list back to the previous one:
E.g:
Access-list line permit tcp host A host B

or do not use remarks

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-1641 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3(2), 8.4(1)
Known Fixed Releases:
100.7(13.9), 100.7(14.1), 100.7(18.1), 100.7(6.40), 100.7(8.34), 100.7(9.33), 100.8(0.14), 100.8(0.6), 100.8(10.6), 100.8(12.15)
Alert Type:
Updated *
Bug Id:
CSCts89962
Title:
SSH memory leak in ssh2_authenticate()
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
Malformed SSH version 2 packets may cause a memory leak on a Cisco ASA configured for SSH.

Conditions:

This issue is observed on a Cisco ASA configured for SSH version 2 after it has received malformed SSHv2 packets. Successful exploitation may cause system degradation or a partial denial of service condition on an affected device.

Workaround:
The only workaround is to disable SSH version 2. Additionally, administrators can restrict SSH access to only trusted hosts by using the "ssh" command. To add SSH access to the ASA, use the ssh command in global configuration mode. To disable SSH access to the ASA, use the no form of this command. This command supports IPv4 and IPv6 addresses. The "ssh ip_address" command specifies hosts or networks that are authorized to initiate an SSH connection to the ASA. You can have multiple "ssh" commands in the configuration. The "no" form of the command removes a specific SSH command from the configuration. Use the "clear configure ssh" command to remove all SSH commands.

More information about SSH configuration can be found at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1561244


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:U/RC:C&version=2.0

CVE ID CVE-2011-3314 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.41), 100.7(14.35), 100.7(17.5), 100.7(18.4), 100.7(6.49), 100.8(0.36), 100.8(11.2), 100.8(15.11), 100.8(19.29), 100.8(2.26)
Alert Type:
Updated *
Bug Id:
CSCth14248
Title:
ASA not sending all logging messages via TCP logging
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

If TCP syslogging is configured on the ASA, not all messages are sent to the syslog server.

Conditions:
The issue is seen during heavy TCP syslogging.

Workaround:
Use UDP syslogging instead of TCP syslogging.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 5.0/4.5:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:W/RC:C&version=2.0

CVE ID CVE-2011-0356 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
100.7(13.15), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(8.34), 100.7(9.43), 100.8(0.11), 100.8(0.31), 100.8(10.11)
Alert Type:
Updated *
Bug Id:
CSCtz63143
Title:
ASA sip inspect - duplicate pre-allocate secondary pinholes created
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
ASA is creating many duplicate pre-allocated secondary pinholes. The show local output is being filled with duplicate pinhole entries:

UDP outside 192.168.10.2:5070 inside 192.168.11.5:0, idle 0:00:00, bytes 0, flags ti
UDP outside 192.168.10.2:5070 inside 192.168.11.5:0, idle 0:00:00, bytes 0, flags ti
UDP outside 192.168.10.2:5070 inside 192.168.11.5:0, idle 0:00:00, bytes 0, flags ti

In some cases this may cause the CPU utilization to suddenly increase.

Conditions:
- ASA running with SIP inspection.
- SIP traffic that does not establish the secondary connection.

Workaround:
None at this time.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-2472 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(3)
Known Fixed Releases:
100.7(13.79), 100.7(21.7), 100.7(6.80), 100.8(0.146), 100.8(11.23), 100.8(27.19), 100.8(33.7), 100.8(34.1), 100.9(0.1), 100.9(2.1)
Alert Type:
Updated *
Bug Id:
CSCtq06046
Title:
SunRPC inspection large port overwrite
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. It does this by querying the port mapper process, usually rpcbind, on the well-known port 111.

SunRPC inspection may be bypassed when certain sequences of SunRPC packets are sent.

Conditions:
Device configured for SunRPC inspection. To display the information about the Sun RPC service table configuration, enter the show running-config
sunrpc-server command. The following is sample output from the show running-config sunrpc-server command:

hostname(config)# show running-config sunrpc-server
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol UDP port 111
timeout 0:30:00
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100005 protocol UDP port 111
timeout 0:30:00

To display the pinholes open for Sun RPC services, enter the show sunrpc-server active command. The following is sample output from show
sunrpc-server active command:

hostname# show sunrpc-server active

LOCAL FOREIGN SERVICE TIMEOUT
-----------------------------------------------
1 209.165.200.5/0 192.168.100.2/2049 100003 0:30:00
2 209.165.200.5/0 192.168.100.2/2049 100003 0:30:00
3 209.165.200.5/0 192.168.100.2/647 100005 0:30:00
4 209.165.200.5/0 192.168.100.2/650 100005 0:30:00

Workaround:
No workarounds are available other than disabling SunRPC inspection if not needed.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2011-2572 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.25), 100.7(14.13), 100.7(18.1), 100.7(6.44), 100.7(9.58), 100.8(0.19), 100.8(0.32), 100.8(10.25), 100.8(12.26), 100.8(15.5)
Alert Type:
Updated *
Bug Id:
CSCty33946
Title:
ASA5580 traceback after upgrade to 8.4.3.2
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
The Cisco Adaptive Security Appliance 5580 may experience a crash in thread name 'datapath'.

Conditions:
ASA5580 running image 8.4.3.2 and configured for WebVPN

Workaround:
None

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
6.3/5.2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-4624 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(2), 8.4(3), 8.4(3.12), 8.4(3.2), 8.4(3.8)
Known Fixed Releases:
100.7(13.84), 100.7(21.9), 100.7(6.83), 100.8(0.169), 100.8(11.26), 100.8(27.19), 100.8(33.10), 100.8(34.1), 100.8(35.1), 100.9(0.1)
Alert Type:
Updated *
Bug Id:
CSCtx98905
Title:
ASA traceback with Thread Name: dhcp_daemon
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

ASA is crashing multiple times a day. The same crash was seen on both the primary and secondary asa. The crash is on thread: dhcp_daemon.

Conditions:

ASA is doing dhcp relay with setroute option.

Workaround:

1) Disable setroute
2) Configure the route option on the DHCP server (the ASA will overwrite it via setroute)
3) Disable DHCP relay and use the internal DHCP server

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2012-5732 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(5), 8.5(1.7)
Known Fixed Releases:
100.7(13.79), 100.7(21.7), 100.7(6.80), 100.8(0.148), 100.8(11.23), 100.8(27.19), 100.8(33.7), 100.8(34.1), 100.9(0.1), 100.9(2.1)
Alert Type:
Updated *
Bug Id:
CSCtx33347
Title:
Standby ASA traceback while trying to replicate xlates
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
The standby ASA may generate a traceback and reload while it is trying to
replicate the translation entries

Conditions:
Observed on ASA 5580 and 5585 platforms in failover environment


Workaround:
There is no known workaround at this time.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at
the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html




Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(2), 8.4(3)
Known Fixed Releases:
100.7(13.57), 100.7(13.87), 100.7(18.10), 100.7(19.8), 100.7(6.63), 100.7(6.85), 100.8(0.181), 100.8(0.63), 100.8(11.10), 100.8(11.28)
Alert Type:
Updated *
Bug Id:
CSCud16590
Title:
ASA may traceback in thread emweb/https
Status:
Fixed
Severity:
2 Severe
Description: *

Summary

Cisco ASA Software is affected by the following vulnerabilities:

IKE Version 1 Denial of Service Vulnerability
Crafted URL Denial of Service Vulnerability
Denial of Service During Validation of Crafted Certificates
DNS Inspection Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers may be affected by some of
the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco
FWSM. This advisory is available at

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-fwsm

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.4:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2013-1150 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases:
100.7(13.108), 100.7(6.104), 100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.3), 100.9(0.6), 7.2(5.9), 8.0(5.29)
Alert Type:
Updated *
Bug Id:
CSCth60553
Title:
CLI History Access
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
CTRL-r allows you to look at CLI history. If you enter ctrl-r and then enter a substring of some command in its history, it will pop up the
entire command containing that substring. After the 'disable' command, history isn't flushed, so an unprivileged user can get at history from the
last privileged user.

Conditions:
Cisco ASA with default configuration.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2011-1639 has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
100.7(13.31), 100.7(14.21), 100.7(18.2), 100.7(6.44), 100.8(0.24), 100.8(10.34), 100.8(12.31), 100.8(15.5), 100.8(19.13), 100.8(2.14)
Alert Type:
Updated *
Bug Id:
CSCth34278
Title:
Clientless WebVPN Memory Leak Causes Blank Page after Authentication
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:


ASA memory usage increments slowly over weeks leading up to the problem; at the time of the problem, typical memory usage is 50MB more than after a reload.

Conditions:

Webvpn must be enabled and in use. The memory leak does not affect AnyConnect
VPN sessions.

Workaround:

None. Reloading the ASA may clear up the memory allocation.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-2474 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at
the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(2.12), 8.2(3), 8.3
Known Fixed Releases:
100.7(13.17), 100.7(14.4), 100.7(16.1), 100.7(17.5), 100.7(18.1), 100.7(6.43), 100.7(9.48), 100.8(0.14), 100.8(15.5), 100.8(19.1)
Alert Type:
Updated *
Bug Id:
CSCtl04756
Title:
IM Namelist Add Buffer Issue
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
This bug is to enhance the Cisco ASA IM inspection by fixing an issue that incorrectly calculates the length of the source buffer in IM
inspection code.

Conditions:
Cisco ASA with IM inspection enabled.

Workaround:
None


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/5.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(6.21), 100.7(8.12), 100.7(9.3), 7.2(5.2), 8.0(5.23), 8.1(2.49), 8.2(4.3)
Alert Type:
Updated *
Bug Id:
CSCua83032
Title:
Some parts of the WebVPN login susceptible to HTTP Response Splitting
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
ASA is vulnerable to HTTP response splitting in certain URLs. HTTP response splitting is the ability for an attacker to modify the headers of an HTTP response due to a lack of input validation on requests that are sent to the application server.

Details on HTTP response splitting defects:

http://en.wikipedia.org/wiki/HTTP_response_splitting
http://www.owasp.org/index.php/HTTP_Response_Splitting

Conditions:
This is default behavior for the ASA if Clientless webvpn is enabled.


Workaround:
There are no workarounds for this issue.

Further Problem Description:
The following Cisco Applied Mitigation Bulletin, titled "Understanding Cross-Site Scripting (XSS) Threat Vectors", provides several best practices and information that can be used to mitigate these types of issues:

http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2011-3285 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(5), 9.0(0.4)
Known Fixed Releases:
100.7(6.88), 100.8(0.203), 100.8(11.31), 100.8(27.19), 100.8(34.1), 100.8(35.3), 100.8(36.1), 100.9(0.1), 100.9(3.2), 8.2(5.32)
Alert Type:
Updated *
Bug Id:
CSCuc65775
Title:
ASA CIFS UNC Input Validation Issue
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
The Cisco Adaptive Security Appliance (ASA) is susceptible to an input validation issue which can result in a crash of the ASA.

Conditions:
ASA running an affected release of software.

Workaround:
None.

Further Problem Description:
The potential for the issue to occur is present when a user authenticated through WebVPN attempts to access a shared directory using the browse
network interface.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-6395 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4
Known Fixed Releases:
100.7(13.111), 100.7(6.109), 100.8(27.63), 100.8(50.32), 100.9(0.33), 100.9(4.2), 100.9(6.4), 100.9(7.9), 100.9(8.1), 8.2(5.43)
Alert Type:
Updated *
Bug Id:
CSCso58622
Title:
IPv6: IP services are reachable from the "far side of the box"
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

Users can connect to and interact with the firewall via an interface that they are not logically connected to.

Conditions:

PIX or ASA device running 7.x or higher code. Using IPv6 routing and IPv6 enabled services (SSH, Telnet, HTTP, ICMP).

Workaround:

Restrict access to services by IPv6 subnet (i.e., no "::/0" type config).

Further Problem Description:

Cisco firewall products are designed to be "through the box" type appliances. IPv6 should behave the same way IPv4 does. You should only be interacting with the box via the interface that you are logically connected to.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2009-4913 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.0(3)
Known Fixed Releases:
8.0(103.17), 8.0(103.18), 8.0(3.14), 8.1(1.4)
Alert Type:
Updated *
Bug Id:
CSCts58501
Title:
SSH Incorrect length check in ssh_application_processing()
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
Certain SSH version 2 packets may cause a memory leak on a Cisco ASA configured for SSH. Authentication is needed in order to exploit this
vulnerability.

Conditions:

This issue is observed on a Cisco ASA configured for SSH version 2 after it has received malformed SSHv2 packets. Successful exploitation may cause system degradation or a denial of service condition on an affected device.

Workaround:
The only workaround is to disable SSH version 2. Additionally, administrators can restrict SSH access to only trusted hosts by using the "ssh" command. To add SSH access to the ASA, use the ssh command in global configuration mode. To disable SSH access to the ASA, use the no form of this command. This command supports IPv4 and IPv6 addresses. The "ssh ip_address" command specifies hosts or networks that are authorized to initiate an SSH connection to the ASA. You can have multiple "ssh" commands in the configuration. The "no" form of the command removes a specific SSH command from the configuration. Use the "clear configure ssh" command to remove all SSH commands.

More information about SSH configuration can be found at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1561244

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2011-3311 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.41), 100.7(14.35), 100.7(17.5), 100.7(18.4), 100.7(6.49), 100.8(0.36), 100.8(11.2), 100.8(15.11), 100.8(19.29), 100.8(2.26)
Alert Type:
Updated *
Bug Id:
CSCtk12352
Title:
Possible to browse flash memory when CA is enabled
Status:
Fixed
Severity:
2 Severe
Description: *

Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* Routing Information Protocol (RIP) Denial of Service Vulnerability
* Unauthorized File System Access Vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these
vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml

Note: The Cisco Firewall Services Module (FWSM) is affected
by one of these vulnerabilities. A separate Cisco Security
Advisory has been published to disclose the vulnerability
that affects the Cisco FWSM. That advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 7.8/7.4:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:C/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3(2)
Known Fixed Releases:
100.7(0.72), 100.7(11.2), 100.7(13.1), 100.7(6.19), 100.7(8.4), 8.0(5.23), 8.1(2.49), 8.2(4.1), 8.2(5), 8.3(2.13)
Alert Type:
Updated *
Bug Id:
CSCtj04707
Title:
Possible packet buffer exhaustion when operating in transparent mode
Status:
Fixed
Severity:
2 Severe
Description: *

Summary
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* Routing Information Protocol (RIP) Denial of Service Vulnerability
* Unauthorized File System Access Vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110223-asa

Note: The Cisco Firewall Services Module (FWSM) is affected
by one of these vulnerabilities. A separate Cisco Security
Advisory has been published to disclose the vulnerability
that affects the Cisco FWSM. That advisory is available at
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110223-fwsm

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 7.8/6.4:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2011-0393 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(2.152), 8.2(3.240)
Known Fixed Releases:
100.5(5.43), 100.7(0.60), 100.7(5.23), 100.7(6.9), 100.7(8.1), 7.0(8.12), 7.2(5.2), 8.1(2.49), 8.2(3.109), 8.2(3.6)
Alert Type:
Updated *
Bug Id:
CSCts13848
Title:
ASA may traceback in dns_process
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Cisco ASA may crash in dns_process

Conditions:
The crash is due to improper handling of DNS queries generated by the ASA.
The condition for the crash is a DNS server configured on the ASA, e.g.:
dns server-group DefaultDNS
domain xxx

and the ASA triggering a DNS resolution request to that server.

Workaround:
Removing the DNS server command works around this issue.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-4651 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
100.8, 8.4(2.10), 8.4(2.7), 8.4(2.8)
Known Fixed Releases:
100.7(13.37), 100.7(14.26), 100.7(17.5), 100.7(18.3), 100.7(6.44), 100.8(0.30), 100.8(0.31), 100.8(0.36), 100.8(0.46), 100.8(0.54)
Alert Type:
Updated *
Bug Id:
CSCua87170
Title:
Interface oversubscription on active causes standby to disable failover
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Interface oversubscription on active causes standby to disable failover
Conditions:
A huge amount of traffic may exhaust interface blocks, which in turn may cause the firewall to drop failover messages and go to the disabled HA state.
Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-3914 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1), 8.4(3), 8.4(4.2)
Known Fixed Releases:
100.7(13.101), 100.7(6.99), 100.8(0.239), 100.8(11.39), 100.8(27.20), 100.8(33.24), 100.8(34.1), 100.8(38.1), 100.8(39.1), 100.9(0.4)
Alert Type:
Updated *
Bug Id:
CSCtf20547
Title:
Cmd authorization fails for certain commands on fallback to LOCAL db
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

Certain commands like 'show running-config' and 'show interface' can be executed by users with a lower privilege level when fallback has occurred.

Conditions:

1. Fallback to LOCAL is configured.
2. All ASA commands are assigned their default privilege levels in the LOCAL db.
3. Users with a privilege level lower than 15 log in to privileged-exec mode and execute 'show running-config' or 'show interface', and some config commands.

Workaround:

none.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 6.0/5.0:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:H/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2011-0358 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.0
Known Fixed Releases:
100.5(5.57), 100.7(0.71), 100.7(11.2), 100.7(13.1), 100.7(6.17), 100.7(8.3), 7.0(8.12), 7.2(5.2), 8.0(5.23), 8.1(2.49)
Alert Type:
Updated *
Bug Id:
CSCub75522
Title:
ASA TFW sends broadcast arp traffic to all interfaces in the context
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
An Adaptive Security Appliance (ASA) allows certain traffic to traverse all the interfaces in a context.
Conditions:
Multiple context ASA
ASA in Transparent Mode
First found in ASA code 8.4.3(11) but may affect previous versions.
Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/2.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(3.11)
Known Fixed Releases:
100.7(13.99), 100.7(24.2), 100.7(6.96), 100.8(0.237), 100.8(11.39), 100.8(27.20), 100.8(33.23), 100.8(34.1), 100.8(38.1), 100.8(39.1)
Alert Type:
Updated *
Bug Id:
CSCte91042
Title:
SMTP Inspect Security Issue
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Cisco ASA has a potential issue with its SMTP inspection engine, where an unauthenticated attacker may
bypass certain policies of the SMTP inspection.

Conditions:
Cisco ASA with default configuration.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 4.3/3.4:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C&version=2.0

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2
Known Fixed Releases:
100.4(0.47), 100.5(5.8), 100.7(2.1), 7.2(4.100), 7.2(5), 8.2(2.99), 8.2(4), 8.3(1.100), 8.4(1)
Alert Type:
Updated *
Bug Id:
CSCtl04699
Title:
HTTP Header Bypass
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
The ASA has a set of rules or maps that can be configured to match on particular headers and those headers' attributes.
If a header has a space or tab between the header name and ':', the inspection does not take effect for that header.

Conditions:
Cisco ASA with default configuration.

Workaround:
None
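As an added example (not Cisco's code and not the ASA inspection engine), the following Go program shows the parser differential this symptom describes: a naive literal "host:" match misses a header written as "Host : value", while a forgiving endpoint still treats it as Host; a strict parser that rejects whitespace before the colon, as RFC 7230 requires, closes the gap. The header lines are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Header is one parsed HTTP header field.
type Header struct {
	Name  string
	Value string
}

// ErrMalformedHeader flags a field line that RFC 7230 section 3.2.4 says a
// receiver must reject: whitespace between the field-name and the colon.
var ErrMalformedHeader = errors.New("whitespace between header name and colon")

// parseStrict splits one field line and rejects the malformed form instead of
// silently mis-classifying it. Name is canonicalised to lower case so that a
// policy match on "host" is not defeated by "HOST" or "Host".
func parseStrict(line string) (Header, error) {
	i := strings.IndexByte(line, ':')
	if i < 0 {
		return Header{}, errors.New("no colon in header line")
	}
	name := line[:i]
	if name == "" || strings.TrimRight(name, " \t") != name {
		return Header{}, ErrMalformedHeader
	}
	return Header{Name: strings.ToLower(name), Value: strings.TrimSpace(line[i+1:])}, nil
}

// parseLenient mimics a forgiving endpoint that strips the whitespace and
// accepts the line. Constructed to show the differential; it is not any
// product's real parser.
func parseLenient(line string) (Header, bool) {
	i := strings.IndexByte(line, ':')
	if i < 0 {
		return Header{}, false
	}
	name := strings.ToLower(strings.TrimRight(line[:i], " \t"))
	return Header{Name: name, Value: strings.TrimSpace(line[i+1:])}, true
}

// naiveMatch is the kind of check the bug describes: a policy that looks for
// the literal "host:" prefix and therefore never fires on "Host :".
func naiveMatch(line, wanted string) bool {
	return strings.HasPrefix(strings.ToLower(line), strings.ToLower(wanted)+":")
}

// Verdict records how the three strategies treat one header line.
type Verdict struct {
	NaiveSawHost   bool   // did the naive "host:" matcher fire?
	LenientName    string // what a forgiving endpoint believes the field is
	StrictRejected bool   // did the strict parser refuse the line?
}

// classify runs all three strategies over a single header line.
func classify(line string) Verdict {
	v := Verdict{NaiveSawHost: naiveMatch(line, "Host")}
	if h, ok := parseLenient(line); ok {
		v.LenientName = h.Name
	}
	if _, err := parseStrict(line); err != nil {
		v.StrictRejected = true
	}
	return v
}

func main() {
	// Constructed sample lines; the second and third have the shape the report describes.
	for _, line := range []string{"Host: example.test", "Host : example.test", "Host\t: example.test"} {
		fmt.Printf("%-22q -> %+v\n", line, classify(line))
	}
}
```

The inspection bypass is the gap between the first and second columns; the third column is the fix, because a rejected line never reaches the endpoint with a different meaning than the inspector assigned it.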

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.8/5.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(14.1), 100.7(6.22), 100.7(8.12), 100.7(9.3), 7.2(5.2), 8.0(5.23), 8.1(2.49)
Alert Type:
Updated *
Bug Id:
CSCtl04737
Title:
Buffer Issue in MSN IM Inspection Code
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
The ASA MSN IM Inspection code contains a potential code deficiency. This was found during internal code inspection.

Conditions:
Cisco ASA with MSN IM Inspection enabled.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/5.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3
Known Fixed Releases:
100.7(0.75), 100.7(11.2), 100.7(13.1), 100.7(6.21), 100.7(8.12), 100.7(9.3), 7.2(5.2), 8.0(5.23), 8.1(2.49), 8.2(4.3)
Alert Type:
Updated *
Bug Id:
CSCsz21934
Title:
ASA AAA should treat RA username as case-insensitive
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Session management in ASA does case-sensitive string comparisons. If the AAA server treats
usernames as case-insensitive (e.g., RADIUS/ACS), then users can log on multiple times with the
same username and different capitalization, regardless of the vpn-simultaneous-logins setting.

Conditions:
ASA using external AAA server that treats username as case-insensitive.

Workaround:

Use an AAA server that differentiates between the same username with different capitalizations.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 4.0/3.8:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2011-2554 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
100.8(0.52), 100.8(0.55), 100.8(11.6), 100.8(11.7), 100.8(14.4), 100.8(15.21), 100.8(15.22), 100.8(19.63), 100.8(24.23), 100.8(24.26)
Alert Type:
Updated *
Bug Id:
CSCtk13473
Title:
URL Filtering incorrectly uses "host:" substring in non Host HTTP header
Status:
Fixed
Severity:
2 Severe
Description: *

SYMPTOM:

URL Filtering may not correctly parse the HOST parameter from the HTTP GET, resulting in incorrect URL classification.

CONDITIONS:

This is seen on version 8.3.3.7 and 8.0.5 and presumably earlier
versions of ASA code as well.

WORKAROUND:

None at this time.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 5.0/4.8:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2012-2481 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3(2.7)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtn74649
Title:
BTF DNS-Snooping TTL maxes out at 24 hours, less than actual TTL
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

The ASA Botnet filtering system relies on a DNS-to-IP binding stored in the DNS snooping table.
The table should contain entries that exist as long as the TTL listed in the DNS response they were
generated from. Currently the TTL maximum for the DNS-snooping database is limited to 24
hours, while DNS TTLs can be as high as 2^31 seconds.

Conditions:
This is present in all current builds that support botnet filtering.

Workaround:
None at this time.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score.
The Base and Temporal CVSS scores as of the time of evaluation are 5.0/4.1:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C&version=2.0

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(4), 8.3
Known Fixed Releases:
100.7(13.2), 100.7(14.1), 100.7(15.2), 100.7(6.36), 100.7(8.34), 100.7(9.23), 100.8(0.2), 100.8(10.2), 100.8(12.2), 100.8(2.1)
Alert Type:
Updated *
Bug Id:
CSCtw45576
Title:
TCP sequence space check ignored in some cases
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
In some cases, the Cisco ASA is allowing 'spoofed' packets on an already established TCP flow
even when the sequence number is way outside of the sequence space (window).
Conditions:
The packets must match an existing 5-tuple. Only the TCP sequence check can be partially bypassed by using this vulnerability.
Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
4.3/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2011-4648 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(1), 8.4(2), 8.4(2.18)
Known Fixed Releases:
100.7(13.50), 100.7(13.65), 100.7(14.46), 100.7(17.12), 100.7(18.4), 100.7(18.9), 100.7(19.8), 100.7(6.58), 100.7(6.62), 100.8(0.50)
Alert Type:
Updated *
Bug Id:
CSCtr79885
Title:
ASA with VoIP memory leak 1% per day on binsize 56
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Free memory decreases 1% per day

Conditions:
ASA 8.2 handling VoIP
Binsize 56 taking the memory

Workaround:
Proactively reboot the ASA when used memory reaches 80-85%.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2012-5033 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
100.7(13.73), 100.7(6.78), 100.8(0.126), 100.8(11.20), 100.8(27.7), 100.8(33.3), 100.8(34.1), 100.9(0.1), 100.9(2.1), 8.2(5.30)
Alert Type:
Updated *
Bug Id:
CSCtu16462
Title:
Nessus security scanner scan causes webvpn error recovery
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
ASA webvpn component crashes when you run a Nessus security scanner scan
against it.

Conditions:
ASA is running webvpn and the scanner is Nessus security scanner.

Workaround:
None.

Further Problem Description:
Note: Only the WebVPN process is backtracing. The ASA remains stable and
continues forwarding traffic. All WebVPN components (portal, AnyConnect)
will be affected by this issue.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:U/RC:C&version=2.0
CVE ID CVE-2011-4655 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCth02291
Title:
FTP Inspection Command Tailgating
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

A vulnerability exists in the Cisco ASA FTP inspection engine where an unauthenticated attacker could
bypass security checks by sending certain FTP commands.


Conditions:
Cisco ASA configured for FTP inspection.

Workaround:
Not available.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 4.9/4:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2011-0930 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
100.5(5.35), 100.7(0.47), 100.7(8.1), 7.2(5.2), 8.1(2.48), 8.2(3.100), 8.2(3.240), 8.2(3.3), 8.2(4), 8.3(2.2)
Alert Type:
Updated *
Bug Id:
CSCur68866
Title:
QEMU virtqueue_map_sg() Function Input Validation Buffer Overflow Vuln
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
This product includes third-party software that is affected by the
vulnerability identified by the following Common Vulnerabilities and
Exposures (CVE) ID:

CVE-2013-4535

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-4535 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases: *
100.12(0.136), 100.13(0.90), 100.14(0.68), 100.15(0.21), 100.15(1.43), 100.15(15.4), 100.15(2.75), 100.15(3.26), 100.15(4.25), 100.15(8.9)
Alert Type:
Updated *
Bug Id:
CSCti24271
Title:
Unable to ssh to the ASA (8.2.2)
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
Unable to connect via SSH to a Cisco ASA running software version 8.2.2 on any interface.
"show resource usage resource ssh" shows peak limit reached with no active sessions.
"Denied" counter increments for each attempted ssh connection.

Conditions:
Cisco ASA running 8.2.2 and configured for SSH access.

Workaround:
The only available workaround is to reload the affected ASA.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C&version=2.0

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCti26874
Title:
Control-plane feature not working for https traffic to-the-box
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

Control-plane feature won't restrict webvpn traffic (tcp port 443) to-the-box.

Conditions:

If we want to restrict access to webvpn portal based on IP address, we create access-lists
matching https traffic going to-the-box. By using these access-lists and control-plane feature
under access-group, we should be able to restrict access.

# access-group in interface control-plane

Workaround:

Apply access-list on next-hop router from webvpn enabled interface.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 5/4.4:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C&version=2.0

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.0(3.39), 8.0(4), 8.2(2), 8.3(1)
Known Fixed Releases:
100.5(5.56), 100.7(0.71), 100.7(11.2), 100.7(13.1), 100.7(6.17), 100.7(8.3), 8.2(4.5), 8.2(5), 8.3(2.12), 8.4(1.4)
Alert Type:
Updated *
Bug Id:
CSCtw50291
Title:
TCP intercept initiated for traffic that is denied by access-list
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
A port scanner run against hosts behind the ASA may report some ports as open
although they are blocked by the firewall access-list.
This is due to a defect in the TCP intercept component of the ASA, which
erroneously starts sending SYN cookies to the scanner source for ports
closed by the access-list.

Note that no packet from the scanner actually bypasses the access
list and reaches the target.

Conditions:
none

Workaround:
none
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2011-4494 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus62884
Title:
ASA 9.1.5 does not always drop connections after receiving RST+ACK flag
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA does not always drop connections after receiving RST+ACK flag

Conditions:
The problem occurs when the server receives duplicate SYN packets from the client and replies to both.

Example

Server packets

client -> server SYN (seq=3922308568) ------> 1st SYN
client -> server SYN (seq=3922308568) --------> 2nd SYN
client <- server SYN+ACK (seq=3220609139 ACK=3922308569) ------> reply for 1st SYN
client <- server RST+ACK (seq=0 ACK=3922308569) ----------> reply for the 2nd SYN


Firewall packets

client -> server SYN (seq=3922308568)
client <- server SYN+ACK (seq=3220609139 ACK=3922308569) ------> reply for 1st SYN
client <- server RST+ACK (seq=0 ACK=3922308569) ----------> reply for the 2nd SYN, which the firewall never saw

In the working and not working scenario the Firewall always sends one SYN packet.

Workaround:
TCP State Bypass

Further Problem Description:

Last Modified:
09-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.46), 100.13(21.7), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.7)
Alert Type:
Updated *
Bug Id:
CSCuu97304
Title:
SSL connection failing to WebVPN portal
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
access to webvpn portal broken

Conditions:
try to access the webvpn portal via a browser

Workaround:
None

Further Problem Description:

Last Modified:
09-AUG-2015
Known Affected Releases:
100.12(0.130), 100.14(0.39), 100.14(0.43), 100.14(0.46)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.13(29.28), 100.14(0.56), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12), 100.15(4.15)
Alert Type:
Updated *
Bug Id:
CSCuq57307
Title:
ASA 8.4 Memory leak due to duplicate entries in ASP table
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may experience a memory leak each time a VPN tunnel is built and torn down.

Conditions:
The ASA must be configured with a QoS policy that matches on per-flow destination addresses for a particular tunnel-group. For example:

class-map vpn-class
match flow ip destination-address <<<<<<<<<<<<<
match tunnel-group 10.38.110.250
!
policy-map outside-policy
class vpn-class
police output 30000000

Workaround:
Temporarily disable the QoS policy

Further Problem Description:

Last Modified:
09-AUG-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases: *
100.11(0.57), 100.11(0.58), 100.12(0.116), 100.12(0.121), 100.13(0.52), 100.13(0.63), 100.13(21.13), 100.13(21.9), 100.13(28.2), 100.13(29.28)
Alert Type:
Updated *
Bug Id:
CSCut01856
Title:
ASA dropping traffic with TCP syslog configured in multicontext mode
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA dropping traffic in multiple-context mode with TCP syslog server unreachable.

Conditions:
-ASA in multiple context mode
-TCP syslog server configured on one of the contexts.
-"no logging permit host-down" configured on a context.

Workaround:
Removing and re-adding the affected context makes the issue go away.

Further Problem Description:

Last Modified:
09-AUG-2015
Known Affected Releases:
9.2(2.8)
Known Fixed Releases: *
100.11(0.58), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38)
Alert Type:
Updated *
Bug Id:
CSCuu66218
Title:
ASA is not correctly handling errors on AES-GCM ICV
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
A vulnerability in the AES-GCM code of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to modify the contents of an encrypted IPSec or IKEv2 packet, and for those modifications not to be detected.

The vulnerability is due to an error on the firmware of the Cavium Networks cryptographic module. Due to this vulnerability, the ICV is not checked. An attacker could exploit this vulnerability by intercepting encrypted packets in transit and modifying their contents. Such packets would be decrypted by the ASA and then forwarded to their destination, without the modification being detected.

Please note that this vulnerability does NOT allow an attacker to decrypt the packets in transit, nor obtain information about the session keys being used for the security association.

This vulnerability does NOT impact SSL/TLS traffic originated or destined to the ASA.

Conditions:
An IKEv2 or an IPSec policy using any of the following algorithms for data encryption: aes-gcm, aes-gcm-192, aes-gcm-256.

This vulnerability only applies to the following ASA models: ASA5506-X (all hardware models), ASA5508-X, and ASA5516-X.

Workaround:
There is no workaround for customers whose security policy requires the use of AES-GCM.

For customers that can use an alternative encryption algorithm, IKE or IPsec policies using AES-GCM can be changed to use AES instead.
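An added Go example (not Cisco's or Cavium's code) of why the ICV check matters: the correct receive path uses AES-GCM Open and rejects a packet whose ciphertext was altered in transit, while a model of the defective path, which applies the keystream and ignores the tag, forwards the altered plaintext without noticing. The key, nonce and payload are constructed sample values; the CTR reconstruction relies on GCM's standard counter layout for 12-byte nonces.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const gcmNonceSize = 12
const gcmTagSize = 16

// sealGCM encrypts plaintext with AES-GCM; the result is ciphertext followed by
// the 16-byte tag (the ICV in IPsec terms).
func sealGCM(key, nonce, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, aad), nil
}

// openChecked is the correct receive path: the ICV is verified first, and any
// modification of ciphertext, tag or AAD makes Open fail.
func openChecked(key, nonce, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, sealed, aad)
}

// openUnchecked models the defect the bug describes: the keystream is applied
// and the ICV is never consulted. GCM encrypts with AES-CTR whose first counter
// block is nonce||0x00000002 (nonce||0x00000001 is reserved for the tag mask),
// so the unverified decryption can be reproduced with plain CTR mode.
func openUnchecked(key, nonce, sealed []byte) ([]byte, error) {
	if len(nonce) != gcmNonceSize || len(sealed) < gcmTagSize {
		return nil, errors.New("unsupported nonce size or truncated packet")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	copy(iv, nonce)
	binary.BigEndian.PutUint32(iv[gcmNonceSize:], 2)
	ct := sealed[:len(sealed)-gcmTagSize] // the tag is dropped without being checked
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

// TamperResult records how each receive path treats a packet with one flipped bit.
type TamperResult struct {
	CheckedRejected bool   // correct path: Open returned an error
	UncheckedOutput []byte // defective path: what would be decrypted and forwarded
}

// Demonstrate seals a packet, flips the low bit of ciphertext byte flipAt and
// runs both receive paths over the modified packet.
func Demonstrate(key, nonce, plaintext, aad []byte, flipAt int) (TamperResult, error) {
	var res TamperResult
	sealed, err := sealGCM(key, nonce, plaintext, aad)
	if err != nil {
		return res, err
	}
	if flipAt < 0 || flipAt >= len(sealed)-gcmTagSize {
		return res, errors.New("flipAt must index a ciphertext byte")
	}
	sealed[flipAt] ^= 0x01
	_, err = openChecked(key, nonce, sealed, aad)
	res.CheckedRejected = err != nil
	res.UncheckedOutput, err = openUnchecked(key, nonce, sealed)
	return res, err
}

func main() {
	// Constructed sample values; a fixed key/nonce pair must never be reused for real traffic.
	key := []byte("0123456789abcdef0123456789abcdef") // 32-byte AES-256 key
	nonce := []byte("unique-nonce")                   // 12-byte GCM nonce
	plaintext := []byte("PAY 100 TO ALICE")
	aad := []byte("spi=0x1234")
	res, err := Demonstrate(key, nonce, plaintext, aad, 4)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ICV checked, packet rejected: %v\n", res.CheckedRejected)
	fmt.Printf("ICV ignored, forwarded as:   %q\n", res.UncheckedOutput)
}
```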

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2015-4550 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
09-AUG-2015
Known Affected Releases:
9.3(3), 9.4(1.1)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 9.3(3.2), 9.4(1.2)
Alert Type:
Updated *
Bug Id:
CSCuq10239
Title:
Windows 8 with new JRE, IE is not gaining access to smart tunnel
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
IE on Windows 8 that starts smart tunnel with Java does not gain access to the smart tunnel.

Conditions:
The user starts smart tunnel with Java and UAC is turned on.

Workaround:
Turn UAC off or use ActiveX to start smart tunnel.

Further Problem Description:

Last Modified:
09-AUG-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.24), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCuq99821
Title:
ASA/ASASM drops SIP invite packets with From field containing "" and \
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASASM running version 9.1.4.6 with SIP inspection turned on silently drops SIP INVITEs whose From field contains a value similar to:

"\"210*******\"" ;tag=SD7osu201-gK0d0f565b

Conditions:
ASA/ASASM running 9.1.4.6 with SIP inspection turned on.

Workaround:
disable SIP inspection.

Further Problem Description:

Last Modified:
09-AUG-2015
Known Affected Releases:
9.1(4.6)
Known Fixed Releases: *
100.11(0.58), 100.12(0.122), 100.13(0.67), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.41)
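The From value in the symptom above is a display-name carried as an RFC 3261 quoted-string, in which `\"` is a quoted-pair (an escaped literal quote) rather than the end of the string. Any inspection engine or proxy that looks for the second `"` to terminate the display-name mis-parses such a header. The parser below is an added example, not ASA code and not from this notification; the two sample From values are constructed for the example (only the tag from the symptom is reused), and `naive_display` is included solely to show the quote-unaware mistake beside the correct handling.

```python
"""SIP From/To header parsing with RFC 3261 quoted-string escapes."""


def _skip_ws(s, i):
    while i < len(s) and s[i] in " \t":
        i += 1
    return i


def _read_quoted(s, i):
    """Read a quoted-string starting at s[i] == '"'; return (text, next_index).
    A backslash introduces a quoted-pair, so \" is a literal quote and does
    not terminate the display-name."""
    i += 1
    out = []
    while i < len(s):
        ch = s[i]
        if ch == "\\":
            if i + 1 >= len(s):
                raise ValueError("dangling backslash in quoted-string")
            out.append(s[i + 1])
            i += 2
        elif ch == '"':
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated quoted-string")


def parse_from_header(value):
    """Return (display_name, uri, header_params) for a From/To header value."""
    i = _skip_ws(value, 0)
    display = None
    if i < len(value) and value[i] == '"':
        display, i = _read_quoted(value, i)
        i = _skip_ws(value, i)
    lt = value.find("<", i)
    if lt >= 0:
        gt = value.find(">", lt)
        if gt < 0:
            raise ValueError("unterminated name-addr")
        if display is None:
            display = value[i:lt].strip() or None  # unquoted token display-name
        elif value[i:lt].strip():
            raise ValueError("junk between quoted display-name and <")
        uri = value[lt + 1:gt]          # URI parameters stay inside the brackets
        rest = value[gt + 1:]
    else:
        if display is not None:
            raise ValueError("quoted display-name requires name-addr form")
        semi = value.find(";", i)        # addr-spec form: params after ';' are header params
        uri = (value[i:semi] if semi >= 0 else value[i:]).strip()
        rest = value[semi:] if semi >= 0 else ""
    params = {}
    for p in rest.split(";"):
        p = p.strip()
        if p:
            name, _, val = p.partition("=")
            params[name.lower()] = val
    return display, uri, params


def naive_display(value):
    """The quote-unaware mistake: take everything up to the next '"' as the
    display-name, so an escaped quote truncates it to a single backslash."""
    if not value.startswith('"'):
        return None
    end = value.find('"', 1)
    return value[1:end] if end > 0 else None


# Constructed sample header values (not captured traffic).
FROM_ESCAPED = '"\\"2105551234\\"" <sip:2105551234@192.0.2.10>;tag=SD7osu201-gK0d0f565b'
FROM_PLAIN = "Alice <sip:alice@example.com;transport=tcp>;tag=1928301774"
FROM_ADDR_SPEC = "sip:bob@example.com;tag=abc"
```

`parse_from_header(FROM_ESCAPED)` yields the display-name `"2105551234"` (with its literal quotes), the URI and the tag, whereas `naive_display(FROM_ESCAPED)` returns a lone backslash; an inspector built on the second approach would see a malformed header where a conforming endpoint sees a valid one.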
Alert Type:
Updated *
Bug Id:
CSCut10078
Title:
Standby ASA does not apply OSPF route after config replication
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Standby unit was not following the OSPF routes that were replicated from the Active unit and installed in its routing table. For example, when trying to ping 10.202.7.135 from the Standby unit the ASA claimed it had no route to the host:

Conditions:
OSPF configured on active/standby ASA 5555 pair running 9.1.5.21

Workaround:
A 'write standby' from the Active unit to force a bulk sync fixes the problem, though the routing table doesn't seem to change. I was able to reproduce the problem several times.

Further Problem Description:

Last Modified:
09-AUG-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12)
Alert Type:
Updated *
Bug Id:
CSCuv19917
Title:
Traceback assert in calendar_queue.h
Status: *
Terminated
Severity: *
2 Severe
Description:

Symptom:
Traceback assert in calendar_queue.h

Conditions:
Cisco ASA running release 9.1.6.181 in a 4 node cluster.

Workaround:
None.

Further Problem Description:

Last Modified:
11-AUG-2015
Known Affected Releases:
9.1(6.181)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCun11074
Title:
Cisco ASA SunRPC Inspection Denial of Service Vulnerability
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-3387 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
11-AUG-2015
Known Affected Releases:
8.2(5), 8.4(1)
Known Fixed Releases:
100.10(9.6), 100.7(6.134), 100.8(38.121), 100.8(40.62), 100.8(56.27), 100.8(62.2), 100.8(64.3), 100.8(65.3), 100.8(66.4), 7.2(5.14)
Alert Type:
Updated *
Bug Id:
CSCui45606
Title:
ASA traceback upon resetting conn due to filter and inspect overlap
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
A vulnerability in the inspection and filter features of the Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the affected system to reload.

Conditions:
Unsupported configuration with overlapping filter and inspect rules, with the ASA configured to send resets for the dropped traffic.

The vulnerability is due to an internal traffic loop that can be triggered when a received packet matches both a filter and an inspection rule because of a configuration with overlapping traffic-matching criteria; such a configuration is not supported. An attacker could exploit this vulnerability by sending a packet that is matched by the incorrect configuration. When resetting the connection, the ASA enters a loop and the stack overflows. An exploit could allow the attacker to crash the affected system, resulting in a denial of service (DoS) condition.

Workaround:
Remove the misconfiguration, or use 'no service reset{outbound|inbound|outside}' as needed to prevent the RST from being generated.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2013-5567 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5567

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
11-AUG-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases:
100.10(0.14), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.122), 100.8(38.34), 100.8(40.22), 100.8(41.2), 100.8(45.2), 100.8(46.3)
Alert Type:
Updated *
Bug Id:
CSCuu72066
Title:
Traceback in snp_inject_new_pkt+36 at np/soft-np
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
Traceback is observed in Thread Name: DATAPATH-16-2555 snp_inject_new_pkt

Conditions:
When the ASA interface that receives threat-detection traffic is removed.

Workaround:
Do not remove the interface on which threat-detection traffic is being sent.

Further Problem Description:

Last Modified:
11-AUG-2015
Known Affected Releases:
100.15(1.13), 9.1(6), 9.1(6.6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCun69561
Title:
ASA Crafted Radius DoS Vulnerability
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
ASA crash in thread name radius_rcv_auth

Conditions:
The ASA receives a RADIUS packet with a crafted attribute value during a RADIUS exchange. Knowledge of the shared secret is needed in order to exploit the vulnerability.

Workaround:
none

Further Problem Description:
A vulnerability in the RADIUS code of Cisco ASA Software could allow an authenticated, remote attacker to cause the affected system to reload.

The vulnerability is due to insufficient validation of RADIUS packets, including crafted attributes. An attacker could exploit this vulnerability by sending crafted RADIUS packets to the affected system. The attacker needs to know the RADIUS shared secret and inject the crafted packet while a RADIUS exchange is in progress.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-3264 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3264

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
11-AUG-2015
Known Affected Releases:
9.0(1), 9.1(1), 9.2(0.3)
Known Fixed Releases:
100.10(0.87), 100.10(2.13), 100.10(6.16), 100.10(7.3), 100.11(2.1), 100.11(5.1), 100.8(38.133), 100.8(40.68), 100.8(56.47), 100.8(64.14)
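The bug above turns on two things a RADIUS implementation must get right: the per-attribute Length fields in a received packet (the "insufficient validation" the description refers to), and the Response Authenticator that binds a reply to the shared secret (which is why the attacker needs that secret). The code below is an added example of both checks written against RFC 2865, not Cisco code and not taken from this notification; the packets, Request Authenticator and shared secret are constructed for the example.

```python
"""Defensive RADIUS (RFC 2865) packet parsing plus Response Authenticator check."""
import hashlib
import hmac
import struct

HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator
ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18
MAX_PACKET = 4096


def parse_attributes(payload):
    """Walk the attribute list, rejecting the crafted lengths a trusting parser
    would read past: Length < 2 (no progress) or a Length overrunning the packet."""
    attrs, i = [], 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        if alen < 2:
            raise ValueError("attribute %d has illegal length %d" % (atype, alen))
        if i + alen > len(payload):
            raise ValueError("attribute %d length %d overruns the packet" % (atype, alen))
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def parse_packet(data):
    """Return (code, identifier, authenticator, attributes) or raise ValueError."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(data)
    if length < HEADER.size or length > MAX_PACKET or length > len(data):
        raise ValueError("bad Length field %d" % length)
    # Bytes beyond Length are padding per RFC 2865 and are ignored.
    return code, ident, auth, parse_attributes(data[HEADER.size:length])


def is_well_formed(data):
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False


def _encode_attributes(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def _response_authenticator(code, ident, length, request_auth, body, secret):
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: build a reply whose authenticator commits to the secret."""
    body = _encode_attributes(attrs)
    length = HEADER.size + len(body)
    auth = _response_authenticator(code, ident, length, request_auth, body, secret)
    return HEADER.pack(code, ident, length, auth) + body


def verify_response(data, request_auth, secret):
    """Client side: True only if the reply's authenticator was computed with
    `secret` over the Request Authenticator we sent. A reply injected by someone
    who does not know the secret fails here and must be discarded unparsed."""
    code, ident, auth, _ = parse_packet(data)
    length = struct.unpack_from("!H", data, 2)[0]
    expected = _response_authenticator(code, ident, length, request_auth, data[HEADER.size:length], secret)
    return hmac.compare_digest(expected, auth)


# Constructed sample data (not from the notification).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real client sends 16 random bytes
GOOD_REPLY = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, [(REPLY_MESSAGE, b"Welcome")], SECRET)
FORGED_REPLY = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, [(REPLY_MESSAGE, b"Welcome")], b"wrong-secret")
# Attribute with Length 0: a naive loop never advances.
CRAFTED_ZERO_LEN = HEADER.pack(ACCESS_ACCEPT, 7, 22, REQUEST_AUTH) + bytes([REPLY_MESSAGE, 0])
# Attribute claiming 64 bytes when only 5 remain: a naive parser reads past the buffer.
CRAFTED_OVERRUN = HEADER.pack(ACCESS_ACCEPT, 7, 25, REQUEST_AUTH) + bytes([REPLY_MESSAGE, 64]) + b"Wel"
```

Order matters: `verify_response` checks the packet's framing and the authenticator before any attribute value is interpreted, so a crafted attribute from a sender without the secret is never acted on, and one from a sender with the secret is still rejected if its Length is inconsistent with the packet.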
Alert Type:
Updated *
Bug Id:
CSCul02601
Title:
Cisco ASA SNMP Denial of Service Vulnerability
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
Cisco ASA crashes in Thread Name: Checkheaps during SNMP polling

Conditions:
SNMP configured

Workaround:
none

Further Problem Description:

A vulnerability in the SNMP code of Cisco ASA Software could allow an authenticated, remote attacker to cause the affected system to reload.

The vulnerability is due to improper handling of SNMP packets. An attacker could exploit this vulnerability by sending a high rate of traffic through the device while continuously performing SNMP operations.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-4238 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
11-AUG-2015
Known Affected Releases:
8.4(7), 8.6(1.2)
Known Fixed Releases:
100.11(0.56), 100.12(0.112), 100.13(0.33), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4)
Alert Type:
Updated *
Bug Id:
CSCuo68327
Title:
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/6.2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-3388 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
11-AUG-2015
Known Affected Releases:
9.1(5.2), 9.1(5.6)
Known Fixed Releases:
100.10(17.2), 100.10(2.25), 100.10(7.13), 100.11(0.10), 100.11(5.17), 100.11(6.1), 100.12(18.1), 100.8(40.75), 9.0(4.12), 9.1(5.7)
Alert Type:
Updated *
Bug Id:
CSCum96401
Title:
Cisco ASA IKEv2 Denial of Service Vulnerability
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-3384 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
11-AUG-2015
Known Affected Releases:
9.1(4.3)
Known Fixed Releases:
100.10(9.6), 100.7(6.129), 100.8(38.117), 100.8(40.61), 100.8(56.21), 100.8(62.2), 100.8(64.3), 100.8(65.3), 100.8(66.4), 100.8(67.1)
Alert Type:
Updated *
Bug Id:
CSCun10916
Title:
Cisco ASA SCH Digital Certificate Validation Vulnerability
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA High Performance Monitor Denial of Service Vulnerability
Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
Cisco ASA VPN Failover Command Injection Vulnerability
Cisco ASA VNMC Command Input Validation Vulnerability
Cisco ASA Local Path Inclusion Vulnerability
Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco ASA IKEv2 Denial of Service Vulnerability, Cisco ASA High Performance Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Successful exploitation of the Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability may result in the disclosure of internal information or, in some cases, a reload of the affected system.

Successful exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability may result in a compromise of the Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to cross-site scripting (XSS), stealing of credentials, or redirects of users to malicious web pages.

Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability may result in a digital certificate validation bypass, which could allow the attacker to bypass digital certificate authentication and gain access inside the network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.0/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-3394 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
11-AUG-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.10(9.6), 100.11(2.1), 100.11(4.1), 100.7(6.130), 100.8(38.126), 100.8(40.63), 100.8(56.31), 100.8(63.2), 100.8(64.5), 100.8(65.4)
Alert Type:
Updated *
Bug Id:
CSCuv49675
Title:
ASA5506W-X Missing default-gateway On AP
Status: *
Other
Severity:
2 Severe
Description:

Symptom:
Can't connect to http://192.168.1.2 to configure wireless access point in ASA5506W-X as described in the Quick Start Guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html

Conditions:
The default configuration of the AP in the ASA5506W-X is missing the default-gateway.

Workaround:
Run the following from the ASA:
session wlan console

configure terminal
ip default-gateway 192.168.10.1

Further Problem Description:

Last Modified:
13-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv39775
Title:
ASA cluster-Incorrect "current conns" counter in service-policy
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Incorrect "current conns" counter in the service-policy on an ASA cluster.
It does not match the current connection count from "show conn count" on the unit, which leads to traffic drops in the service-policy once the configured limit is hit.

Conditions:
1) ASA in a cluster setup.
2) Applies to both single or multiple mode.
3) Typical config :
class connection_limit
set connection conn-max 500000 embryonic-conn-max 2000 per-client-max 200 per-client-embryonic-max 50

Workaround:
None.

Further Problem Description:
CLSTR1-Primary/ASAFW# cluster exec show service-policy | i conns
CLSTR1-Primary(LOCAL):************************************************
current embryonic conns 3, current conns 5732, drop 0

CLSTR1-Secondary:*******************************************************
current embryonic conns 1, current conns 88720, drop 0 <<<<
CLSTR1-Primary/ASAFW# cluster exec show conn count
CLSTR1-Primary(LOCAL):************************************************
5823 in use, 36602 most used
Cluster stub connections: 3300 in use, 30142491 most used

CLSTR1-Secondary:*******************************************************
3270 in use, 120262 most used <<<<<<<<<<<<<<
Cluster stub connections: 5794 in use, 5288523 most used

Last Modified:
18-AUG-2015
Known Affected Releases:
9.1(2), 9.2(2.4), 9.3(3.2)
Known Fixed Releases: *
100.11(0.61), 100.12(0.137), 100.13(0.94), 100.14(0.69), 100.15(0.23), 100.15(1.49), 100.15(15.11), 100.15(16.1), 100.15(2.80), 100.15(3.25)
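The drift in the output above (a service-policy counter of 88720 on the Secondary against 3270 real connections) is easy to catch in monitoring if both outputs are collected per unit. The check below is an added example, not Cisco code and not part of this notification; it parses the two `cluster exec` outputs reproduced above, embedded here as sample input, and reports any unit whose service-policy "current conns" exceeds its own "show conn count" by more than a tolerance factor. The 1.5x default tolerance is an assumption chosen for the example.

```python
"""Flag ASA cluster units whose service-policy connection counter has drifted
from the unit's real connection count."""
import re

# 'CLSTR1-Primary(LOCAL):*****' or 'CLSTR1-Secondary:*****' opens a unit's block.
UNIT_HDR = re.compile(r"^(\S+?)(?:\(LOCAL\))?:\*+$")
POLICY = re.compile(r"current conns (\d+)")
CONNS = re.compile(r"^(\d+) in use, (\d+) most used")


def _by_unit(output):
    """Split 'cluster exec' output into {unit_name: [lines]}."""
    blocks, unit = {}, None
    for line in output.splitlines():
        line = line.strip()
        m = UNIT_HDR.match(line)
        if m:
            unit = m.group(1)
            blocks[unit] = []
        elif unit is not None:
            blocks[unit].append(line)
    return blocks


def policy_conns(output):
    """{unit: service-policy 'current conns'} from 'show service-policy | i conns'."""
    result = {}
    for unit, lines in _by_unit(output).items():
        for line in lines:
            m = POLICY.search(line)
            if m:
                result[unit] = int(m.group(1))
    return result


def conn_counts(output):
    """{unit: connections in use} from 'show conn count'. The first matching
    line is the unit's own count; the 'Cluster stub connections' line does not
    match because it does not start with a digit."""
    result = {}
    for unit, lines in _by_unit(output).items():
        for line in lines:
            m = CONNS.match(line)
            if m:
                result[unit] = int(m.group(1))
                break
    return result


def counter_drift(policy_output, conn_output, tolerance=1.5):
    """Units whose policy counter exceeds real connections by more than `tolerance`x,
    as {unit: (policy_counter, real_in_use)}."""
    pol, real = policy_conns(policy_output), conn_counts(conn_output)
    return {u: (pol[u], real[u]) for u in pol if u in real and pol[u] > real[u] * tolerance}


# Sample input: the two outputs shown in the bug record above.
POLICY_OUTPUT = """\
CLSTR1-Primary/ASAFW# cluster exec show service-policy | i conns
CLSTR1-Primary(LOCAL):************************************************
current embryonic conns 3, current conns 5732, drop 0

CLSTR1-Secondary:*******************************************************
current embryonic conns 1, current conns 88720, drop 0
"""
CONN_OUTPUT = """\
CLSTR1-Primary/ASAFW# cluster exec show conn count
CLSTR1-Primary(LOCAL):************************************************
5823 in use, 36602 most used
Cluster stub connections: 3300 in use, 30142491 most used

CLSTR1-Secondary:*******************************************************
3270 in use, 120262 most used
Cluster stub connections: 5794 in use, 5288523 most used
"""

if __name__ == "__main__":
    print(counter_drift(POLICY_OUTPUT, CONN_OUTPUT))  # {'CLSTR1-Secondary': (88720, 3270)}
```

Because the drop only starts once the drifted counter reaches the configured conn-max, comparing the two counters on every poll gives warning before the limit is hit rather than after traffic is already being dropped.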
Alert Type:
New
Bug Id:
CSCuv80223
Title:
ASA Rest-API fails to start with command authorization enabled
Status:
Open
Severity:
2 Severe
Description:

Symptom:
The REST-API shows as enabled, but API calls fail with an internal error.

Conditions:
ASA configured with REST-API agent and command authorization also enabled.

Workaround:
Partial workaround: disable command authorization before enabling the REST-API agent.
1. If the REST-API agent is already enabled, disable it: no rest-api agent
2. Disable command authorization: no aaa authorization command server LOCAL (server is the aaa-server group)
3. Enable the REST-API agent: rest-api agent
4. After 1 minute, enable command authorization again: aaa authorization command server LOCAL

This needs to be repeated after a reload.

Further Problem Description:

Last Modified:
19-AUG-2015
Known Affected Releases:
9.3, 9.4
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu73395
Title:
Auth-prompt configured in one context appears in another context
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Auth-prompt configured in one context appears in another context.

Conditions:
++ Device in multiple context mode.
++ More than one context.
++ More than one context with cut-through proxy configured.
++ Only one context with a custom auth-prompt.

Workaround:
If auth-prompt is configured in all the contexts then there is no issue seen.

Further Problem Description:

Last Modified:
19-AUG-2015
Known Affected Releases:
9.0(4.24), 9.1(4), 9.4(1)
Known Fixed Releases: *
100.12(0.137), 100.13(0.94), 100.14(0.69), 100.15(0.23), 100.15(1.49), 100.15(1.51), 100.15(15.11), 100.15(15.13), 100.15(16.1), 100.15(2.80)
Alert Type:
New
Bug Id:
CSCuv75992
Title:
ASA5580 Traceback in CERT API thread after upgrading 9.1.5.21 to 9.1.6.6
Status:
Other
Severity:
2 Severe
Description:

Symptom:
After an upgrade from 9.1.5.21 to 9.1.6.6 the Active ASA generated a traceback. The Secondary device took the Active role and almost immediately also generated a traceback in the CERT API thread.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
19-AUG-2015
Known Affected Releases:
9.1(6.6)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv65888
Title:
DATAPATH ASA Traceback for "Address not mapped" on Scansafe component
Status:
Open
Severity:
2 Severe
Description:

Symptom:
When Scansafe inspection is enabled and the device is also configured with more ACEs than the maximum recommended for the platform, a traceback may occur.

Conditions:
> ASA configured with Scansafe
> Number of ACEs above the maximum recommended for the platform

Workaround:
> Reduce the number of ACL entries to the maximum recommended for the platform:

> Or use ACL Optimization feature:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/o.html#pgfId-1866962

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu92632
Title:
ASA sets non-zero FA in OSPF for anyconnect redistributed network
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Redistribution of AnyConnect static routes on ASA 9.x does not work.

The output of the command "show ospf database external" shows the forward address being set to non-zero/incorrect value.

ciscoasa# show ospf database external 10.0.103.161

OSPF Router with ID (172.16.10.1) (Process ID 1)

Type-5 AS External Link States

LS age: 1503
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 10.0.103.161 (External Network Number )
Advertising Router: 172.16.10.1
LS Seq Number: 80000001
Checksum: 0xfff4
Length: 36
Network Mask:255.255.255.255
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 172.16.10.10 <----------------
External Route Tag: 0

Conditions:
- ASA with OSPF enabled
- Redistributing AnyConnect VPN static routes into OSPF
- AnyConnect VPN terminates on the same interface where redistribution is performed

Workaround:
Route redistributed network to the Null0 interface

Further Problem Description:

Last Modified:
02-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.86), 100.14(0.66), 100.15(0.20), 100.15(1.33), 100.15(10.3), 100.15(2.65), 100.15(3.16), 100.15(4.20)
Alert Type:
Updated *
Bug Id:
CSCuv02619
Title:
Standby ipv6 address setting is not replicated to standby
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Standby IPv6 address settings are not replicated correctly.

Conditions:
In L2 firewall mode and multiple context mode.

Workaround:
'write standby' twice on the active unit.

Further Problem Description:
none

Last Modified:
02-AUG-2015
Known Affected Releases:
9.1(6.6)
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.90), 100.14(0.67), 100.15(0.21), 100.15(1.40), 100.15(10.4), 100.15(15.4), 100.15(4.24), 100.15(8.9)
Alert Type:
Updated *
Bug Id:
CSCuv33945
Title: *
2nd password field on the webvpn portal is hidden by default
Status:
Open
Severity:
3 Moderate
Description: *

Symptom:
The 2nd password field on the webvpn portal behaves differently on the two units of a failover pair: on one ASA it is hidden without the use of JavaScript, while on the other ASA the JavaScript is required to hide the 2nd password field.

Conditions:
- ASA FO configured
- webvpn portal customization configured.

Workaround:
n/a

Further Problem Description:

Last Modified:
03-AUG-2015
Known Affected Releases:
8.6(1.13)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu79657
Title:
Pin hole creation failed on 3RU cluster. libc_functions.mmap failure
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Logs:
ciscoSSPasa# pinhole-peek : proto-17 management:0.0.0.0/68 -> 255.255.255.255/67
pinhole-peek : proto-17 management:192.168.1.1/67 -> 255.255.255.255/68
pinhole-peek : proto-6 inside:192.168.127.7/43577 -> 10.100.127.7/21
flow: requesting PH_SNORT_INSPECT - mapped inside:192.168.127.7/0 -> mapped inside:10.100.127.7/53489
emb_time_out:110 est_time_out:0 map_sock_opt:0x8 flow_opts:0x1000000fuser_data_len:0 conn_flags:0x0
nat: rewriting real outside:10.100.127.7/53489, hint 10.100.127.7/0, dest inside:192.168.127.7/0 (rdip 192.168.127.7)
nat: rewriting real inside:192.168.127.7/0, hint 0.0.0.0/0, dest outside:10.100.127.7/53489 (rdip 10.100.127.7)
libc_fnctions.mmap(addr=0x0000000000000000, len=1073741824, prot=3, flag=8001, fd=1483, off=0) returned -1 errno=12!
libc_fnctions.mmap(addr=0x0000000000000000, len=2097152, prot=3, flag=8001, fd=1483, off=0) returned -1 errno=12!
flow: failed to allocate hole PH_SNORT_INSPECT src inside:192.168.127.7/0

Conditions:
Cluster setup on 3RU and an FTP-initiated connection.

Workaround:
NA

Further Problem Description:

Last Modified:
03-AUG-2015
Known Affected Releases:
99.1(3), 99.1(8.11)
Known Fixed Releases: *
99.1(3.138), 99.1(8.12)
Alert Type:
Updated *
Bug Id:
CSCuv61158
Title:
OWA365 doesn't work on any browser when we select TLSv1.2 on the ASA
Status:
Open
Severity: *
3 Moderate
Description:

Symptom:
SSO with OWA365 does not work on any version after 9.2.3 up to and including 9.4.1 when TLSv1.2 is selected.

Conditions:
SSO for OWA365
any browser with TLSv1.2
ASA 9.2.3.1 through 9.4.1

Workaround:
Use 9.2.3 or TLSv1.1

Further Problem Description:

Last Modified:
04-AUG-2015
Known Affected Releases:
9.2(3.100), 9.3(1), 9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtx02193
Title:
Easy VPN Allows Cleartext User and Administrative Credentials
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptoms:
Easy VPN Remote web interface passes credentials used for Secure Device Authentication (SUA) and individual user authentication in the clear.

Easy VPN can be configured so that the easy VPN Remote must authenticate interactively. It can also be configured so that individual users must
authenticate interactively. This can be done via a web interface which is accessible via the inside interface of the Easy VPN Remote.

Conditions:
Cisco ASA configured for Easy VPN Remote and Secure Device Authentication (SUA).
This problem has been present since SUA/IUA was introduced.

Workaround:
Issue the 'http redirect' command in global configuration mode in order to specify that the security appliance redirect HTTP connections to HTTPS,
as shown in the following example:

hostname(config)# http redirect inside https


Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.9/2.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:W/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtu30630
Title:
CLI improperly sized buffer in ci_getline()
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
This is a proactive software enhancement to implement secure best practice procedures into the code.

Conditions:
Cisco ASA with default configuration.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:M/C:N/I:N/A:C/E:POC/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.97), 100.7(6.94), 100.8(0.232), 100.8(11.35), 100.8(27.19), 100.8(33.20), 100.8(34.1), 100.8(39.1), 100.9(0.1), 100.9(3.3)
Alert Type:
Updated *
Bug Id:
CSCto26844
Title:
ESMTP Inspection Bypass via Data Header
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
If ESMTP inspection is enabled, the ASA will prevent invalid ESMTP commands from being sent from the client to the server.
However, if a non-standard email message is sent, the ASA will not correctly recognize some of the patterns.

Conditions:
ASA configured with ESMTP inspection.

Workaround:
None, other than disabling ESMTP inspection.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.27), 100.7(14.14), 100.7(18.1), 100.7(6.44), 100.8(0.21), 100.8(12.27), 100.8(15.5), 100.8(19.4), 100.8(20.1), 100.8(21.1)
Alert Type:
Updated *
Bug Id:
CSCtt07749
Title:
ASA is responding to IKE request when in vpnclient mode
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
An ASA 5505 configured in vpnclient mode may reply to IKE initiation requests (MM1).

Conditions:
This happens only if the ASA in vpnclient mode is connected to a vpn server.

Workaround:

none

Further Problem Description:
Although a full tunnel cannot be established, an ASA in client mode should not reply to any IKE initiation request.
Additionally, some non-critical information could be disclosed, such as information about the IKE policy in use.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2011-3309 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(4)
Known Fixed Releases:
100.7(13.36), 100.7(14.26), 100.7(17.5), 100.7(18.3), 100.7(6.44), 100.8(0.30), 100.8(0.36), 100.8(0.46), 100.8(0.54), 100.8(10.43)
Alert Type:
Updated *
Bug Id:
CSCty42441
Title:
ASA-After adding 9th network on asa threat detection quit shunning hosts
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptom:
Threat detection with the default ASA IP audit signatures enabled stops shunning hosts when
more than 8 networks are defined for exclusion.


Conditions:
After the 9th network is added on the ASA, threat detection stops shunning hosts.

Workaround:
None
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-1329 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtx55351
Title:
Easy VPN Web Management Interface Improperly Handles User Credentials
Status:
Other
Severity:
3 Moderate
Description: *

Symptoms:
An issue exists in the Cisco ASA EZVPN web interface: although the web interface limits the size of the text fields to 64 bytes, an inside
EZVPN user can still supply 128-byte strings.

Conditions:
Cisco ASA configured for EZVPN.

Workaround:
None


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCts29113
Title:
ASA 8.0.4 : Webvpn port remains open after disabling it
Status:
Other
Severity:
3 Moderate
Description: *

Symptoms:

When a port scan is performed against an interface of an ASA running 8.0.4, port 443 is seen to be open even though WebVPN is disabled and the
HTTP server is disallowed/disabled on that interface.

Conditions:

This issue occurs if WebVPN was enabled at some point and then disabled.
To enable WebVPN:
asa(config)# webvpn
asa(config-webvpn)# enable

This issue is seen only on the 8.0.4.x train; 8.0.3, 8.0.5 and later do not show this issue.

Workaround:
Reloading the device resolves this issue.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.0(4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtu30598
Title:
Incorrect bounding length in crypto_get_pubkey_by_name()
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
This is a proactive software enhancement to implement secure best practice procedures into the code.

Conditions:
Cisco ASA with default configuration.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.7:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(6.117), 100.8(27.83), 100.8(40.2), 100.8(60.7), 100.9(0.40), 100.9(6.17), 100.9(7.20), 8.4(6.99), 8.4(7), 9.1(2.99)
Alert Type:
Updated *
Bug Id:
CSCtu74257
Title:
CLI missing return on error condition in gl_yank()
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
This is a proactive software enhancement to implement secure best practice procedures into the code.

Conditions:
Cisco ASA with default configuration.

Workaround:
None


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4
Known Fixed Releases:
100.7(13.43), 100.7(14.36), 100.7(17.7), 100.7(18.4), 100.7(6.51), 100.8(0.40), 100.8(11.4), 100.8(15.17), 100.8(19.35), 100.8(2.30)
Alert Type:
Updated *
Bug Id:
CSCtb92911
Title:
ASDM logging freezes when a long URL is accessed
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:

ASDM real-time log viewer freezes occasionally.

Conditions:

The ASA is running version 8.2.1 and is configured with URL-filtering HTTP inspection or a user-defined
HTTP inspection policy.

Workaround:

The problem seems to be triggered by syslogs 304001-304005, which display the URLs accessed. By
disabling these syslog messages, the problem can be mitigated.

ASA(config)#no logging message 304001
ASA(config)#no logging message 304002
ASA(config)#no logging message 304003
ASA(config)#no logging message 304004
ASA(config)#no logging message 304005


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 4.3/3.6:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2009-5037 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.3(0.12), 100.4(0.19), 8.2(1.101), 8.2(1.12), 8.2(2), 8.2(2.99), 8.2(4), 8.3(0.0)
Alert Type:
Updated *
Bug Id:
CSCtr95846
Title:
TACACS+ Failure to check length values in check_author_args()
Status:
Other
Severity:
3 Moderate
Description: *

Symptoms:
This is a modification to the product to adopt new secure code best practices to enhance the security posture and resiliency of the product.

Conditions:
Device configured with default configuration.

Workaround:
Not applicable or available.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtu86256
Title:
WebVPN email proxy feature may not terminate connections to email server
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
On a Cisco ASA configured for WebVPN and email proxy, sending a series of characters may cause the email server to wait indefinitely; it
may not close the connection because the email proxy keeps sending TCP keepalives.

Conditions:
Cisco ASA configured for WebVPN and email proxy.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

More Info:


Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(6.115), 100.8(27.63), 100.8(60.3), 100.9(0.37), 100.9(4.5), 100.9(6.12), 100.9(7.19), 8.4(6.99), 8.4(7), 9.1(2.99)
Alert Type:
Updated *
Bug Id:
CSCsm11264
Title:
When long url triggers syslog 304001 ASA stops sending syslogs to ASDM
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
When viewing syslogs generated by the firewall from within ASDM, the syslogs might stop being logged.

This will continually happen until you disable the 304001 syslogs.

Conditions:
The ASA must be running at least version 8, and must be configured for either http inspection, or url
filtering with an external url server.

Workaround:
The problem seems to be triggered by the syslog 304001 which displays the URL that a user accesses. By
disabling logging of this syslog, the problem can be mitigated. The command to do this is:

ASA(config)#no logging message 304001

This bug has been fixed, but a similar issue is being tracked with the bug CSCtb92911. Bug CSCtb92911 has
the same symptoms and trigger.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 4.3/3.6:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2009-5037 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.0(2), 8.0(3)
Known Fixed Releases:
100.3(0.1), 100.4(0.1), 8.0(4.24), 8.0(5), 8.1(2.14), 8.2(0.205), 8.2(2.99), 8.2(4)
Alert Type:
Updated *
Bug Id:
CSCto19832
Title:
OpenLDAP needs to be upgraded or patched
Status:
Open
Severity:
3 Moderate
Description: *

Symptoms:
OpenLDAP must be upgraded or patched to address CVE-2011-1024 CVE-2011-1081 CVE-2009-3767.

Conditions:
Cisco ASA with LDAP authentication enabled.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE IDs CVE-2011-1024, CVE-2011-1081 and CVE-2009-3767 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtj62534
Title:
Linux Kernel Issue
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
Recent ASA software uses the 64-bit Linux kernel version 2.6.29. This version is affected by the vulnerability described in CVE-2010-3081. The
Linux kernel is not accessible by the main ASA software; this defect tracks the issue and the upgrade of the underlying Linux kernel.

Conditions:
Cisco ASA default configuration.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.4/2.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:H/Au:M/C:P/I:P/A:P/E:U/RL:ND/RC:UC&version=2.0
CVE ID CVE-2010-3081 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.7(1), 9.1(1)
Known Fixed Releases:
100.7(13.112), 100.8(38.13), 9.2(0.99), 9.2(1)
Alert Type:
Updated *
Bug Id:
CSCto40770
Title:
ESMTP Inspection Decode Bypass
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
The Cisco ASA's ESMTP inspection blocks emails sent to the decode and uudecode aliases. However, in some cases the ESMTP inspection may not
detect the use of decode in some transactions.

Conditions:
Cisco ASA with ESMTP inspection enabled.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.27), 100.7(14.14), 100.7(18.1), 100.7(6.44), 100.8(0.21), 100.8(10.29), 100.8(12.27), 100.8(15.5), 100.8(19.5), 100.8(2.10)
Alert Type:
Updated *
Bug Id:
CSCtb71323
Title:
Cisco ASA Webtype ACL By-Pass Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
On the ASA, webtype access-lists do not honor case sensitivity, so the following two access-list entries cannot both be
configured:

access-list abcd webtype permit url http://cisco/TEST
access-list abcd webtype permit url http://cisco/test
INFO: Specified entry already exists in access-list ''abcd''

Conditions:
ASA Software version 9.1(2)

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:


Last Modified:
06-AUG-2015
Known Affected Releases:
100.5(0.26), 100.8(38), 8.2(1)
Known Fixed Releases:
100.10(0.76), 100.10(2.8), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.11(4.1), 100.8(38.112), 100.8(40.59), 100.8(56.17), 100.8(63.2)
Alert Type:
Updated *
Bug Id:
CSCtu99219
Title:
Non-null terminated ikev2 session strings
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
A vulnerability exists in the Cisco ASA 5500 Series Adaptive Security Appliances where an authenticated, remote attacker can cause a denial of
service condition on an affected device by sending a series of IKEv2 packets.

Conditions:
Cisco ASA configured for IKEv2.

Workaround:
No workarounds exist other than using IKEv1 instead of IKEv2 or SSL VPN for remote access VPN sessions.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.9/4.4:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:U/RC:C&version=2.0

CVE ID CVE-2012-0372 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(6.117), 100.8(27.83), 100.8(40.2), 100.8(60.7), 100.9(0.39), 100.9(4.5), 100.9(6.17), 100.9(7.20), 8.4(6.99), 8.4(7)
Alert Type:
Updated *
Bug Id:
CSCtj33158
Title:
SHA2 User Cert allowed on SHA1 cert chain system
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
When using certain certificate chains, the Cisco ASA may fail to see or process the ID certificate and instead validate the
sub-CA certificate, potentially allowing the connection.

Conditions:
Cisco ASA configured for PKI.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 5/5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3(1.2)
Known Fixed Releases:
100.5(5.46), 100.7(0.64), 100.7(0.65), 100.7(6.10), 100.7(8.1), 7.2(5.2), 8.0(5.21), 8.1(2.49), 8.2(3.150), 8.2(3.7)
Alert Type:
Updated *
Bug Id:
CSCtr20809
Title:
ICMP inspection permits echo-reply packets with code set to non-zero
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
A Cisco ASA with ICMP inspection enabled may not be able to successfully block incoming ICMP echo-reply packets that are related to an existing
ICMP session where an echo-request had been sent. A remote attacker could send crafted ICMP echo-reply packets to bypass ICMP inspection.

Conditions:
Cisco ASA with ICMP inspection enabled.

Workaround:
Disable ICMP inspection or block ICMP packets from untrusted hosts.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2011-2552 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2(3)
Known Fixed Releases:
100.7(13.25), 100.7(13.65), 100.7(14.13), 100.7(18.1), 100.7(18.9), 100.7(19.8), 100.7(6.44), 100.7(6.62), 100.7(9.58), 100.8(0.19)
Alert Type:
Updated *
Bug Id:
CSCts58520
Title:
SSH memory leak in ssh2_application_processing()
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
Certain SSH version 2 packets may cause a memory leak on a Cisco ASA configured for SSH. Authentication is needed in order to exploit this
vulnerability.

Conditions:

This issue is observed on a Cisco ASA configured for SSH version 2 after it has received malformed SSHv2 packets. Successful exploitation may
cause system degradation or a partial denial of service condition on an affected device.

Workaround:
The only workaround is to disable SSH version 2. Additionally, administrators can restrict SSH access to only trusted hosts by using the 'ssh'
command. To add SSH access to the ASA, use the ssh command in global configuration mode. To disable SSH access to the ASA, use the no form of
this command. This command supports IPv4 and IPv6 addresses. The 'ssh ip_address' command specifies hosts or networks that are authorized to
initiate an SSH connection to the ASA. You can have multiple 'ssh' commands in the configuration. The 'no' form of the command removes a
specific SSH command from the configuration. Use the 'clear configure ssh' command to remove all SSH commands.

More information about SSH configuration can be found at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1561244

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:U/RC:C&version=2.0
CVE ID CVE-2011-3313 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.7(13.111), 100.7(6.111), 100.8(27.63), 100.8(50.39), 100.9(0.35), 100.9(4.5), 100.9(6.10), 100.9(7.9), 100.9(8.1), 8.4(5.99)
Alert Type:
Updated *
Bug Id:
CSCto40773
Title:
ESMTP Inspect Race Condition Bypass
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptoms:
The Cisco ASA's ESMTP inspection may allow some transactions to go uninspected or unblocked when certain responses are split across multiple
packets.

Conditions:
Cisco ASA with ESMTP inspection enabled.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtw82116
Title:
L2TP Messages Can Kill Arbitrary VPN Sessions
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
An L2TP over IPSec user could potentially send an L2TP message to the Cisco ASA and disconnect a valid L2TP over IPSec connection. In
order to do this, the 'attacker' must be a valid and authenticated L2TP over IPSec user with an established L2TP over IPSec session. This
user must guess detailed information about the victim user's L2TP over IPSec connection.

Conditions:
Cisco ASA configured for L2TP over IPSec.

Workaround:
This issue is only present in L2TP over IPSec. AnyConnect/SSL VPN or IPsec clients are not affected by this issue.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:N/I:N/A:P/E:POC/RL:U/RC:C&version=2.0

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:


Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(2)
Known Fixed Releases:
100.10(0.67), 100.10(2.5), 100.10(6.1), 100.10(9.1), 100.7(6.128), 100.8(38.101), 100.8(40.56), 100.8(56.10), 100.9(10.23), 9.2(0.99)
Alert Type:
Updated *
Bug Id:
CSCtf56790
Title:
Applet and ActiveX Filtering Bypass
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
This bug is to enhance the Cisco ASA Applet and ActiveX Filtering capabilities to prevent policy and
inspection bypass.

Conditions:
Cisco ASA with Applet and ActiveX Filtering enabled.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 2.6/2.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:


Last Modified:
06-AUG-2015
Known Affected Releases:
8.2
Known Fixed Releases:
100.14(2.15), 100.14(6.4), 100.14(7.7), 100.15(1.2), 100.15(2.26), 100.15(3.1), 100.15(4.2), 100.15(5.2), 100.15(6.2)
Alert Type:
Updated *
Bug Id:
CSCtl54580
Title:
Telnet connection is permitted inappropriately in some situation
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
Administrators are able to Telnet to the lowest security level interface inappropriately in some
situations.

Conditions:
An interface becomes the lowest security-level (greater than 0) interface after a configuration change.

(A) When the "failover lan interface <name> <hw_interface_name>" command is
configured, only 8.0.5 does not exhibit this issue.
(B) When the "failover lan interface <name> <hw_interface_name>" command is
NOT configured, 8.0.x does not exhibit this issue.

Workaround:

(A) Change the security level of the relevant interface to zero.
(B) Change the security level of the relevant interface to zero, or reload.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:W/RC:C&version=2.0

CVE ID CVE-2011-0362 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.0(4), 8.0(5), 8.2(1), 8.2(3), 8.2(4)
Known Fixed Releases:
100.7(13.5), 100.7(13.65), 100.7(14.12), 100.7(15.4), 100.7(18.9), 100.7(19.8), 100.7(6.39), 100.7(6.62), 100.7(9.26), 100.8(0.14)
Alert Type:
Updated *
Bug Id:
CSCut52048
Title:
Saleen jumbo frame support failed with N7K and Spirent 8K UDP PK
Status: *
Terminated
Severity:
3 Moderate
Description:

Symptom:
1) From Spirent TestCenter, send UDP jumbo frames larger than 8000 bytes through the CAT6K SUP2T to the Saleen ASA. Underruns are seen in the interface statistics and the packets are dropped.
2) This only happens in the specific performance regression CAT6K testbed.

Conditions:
From the test tool vendor Spirent TestCenter, send UDP packets larger than 8000 bytes. And this is

Workaround:
Change the UDP packet size to less than 8000 bytes and do a shut and no shut to let interface start to flow those UDP packets.

Further Problem Description:
None

Last Modified:
06-AUG-2015
Known Affected Releases:
100.14(7.12), 8.6(1), 9.2(1), 9.3(2), 9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtk61443
Title:
OpenSSL Ciphersuite Downgrade and J-PAKE Issues
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
The device may be affected by the OpenSSL vulnerabilities described in CVE-2010-4180, CVE-2010-4252, and CVE-2008-7270.

This bug was opened to address the potential impact on this product.

Conditions:
Device configured with any feature that uses SSL.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.1/3.8:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C&version=2.0


CVE IDs CVE-2010-4180 and CVE-2010-4252 have been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3(1), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1)
Known Fixed Releases:
100.7(13.1), 100.7(14.1), 100.7(15.1), 100.7(6.34), 100.7(8.27), 100.7(9.18), 100.8(0.2), 100.8(10.1), 100.8(12.1), 100.8(2.1)
Alert Type:
Updated *
Bug Id:
CSCuc23831
Title:
WebVPN Session Cookie Information Disclosure
Status:
Other
Severity:
3 Moderate
Description: *

Symptoms:
This is a modification on the product to adopt new secure code best practices to enhance the security posture and resiliency of the product.

Conditions:
Cisco ASA configured for SSL VPN.

Workaround:
Not applicable or available.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtn71770
Title:
Applet and ActiveX Filtering Bypass with Extra Characters
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
There is a potential bypass of applet or ActiveX filtering on the Cisco ASA when specific packet sequences are sent.

Conditions:
Cisco ASA with applet or ActiveX filtering enabled.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.1), 100.7(14.1), 100.7(15.1), 100.7(6.34), 100.7(8.29), 100.7(9.20), 100.8(0.2), 100.8(10.1), 100.8(12.1), 100.8(2.1)
Alert Type:
Updated *
Bug Id:
CSCtq35954
Title:
copy FTP/TFTP crash
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
Device may experience a reload when issuing copy FTP/TFTP commands.

Conditions:
The user must be authenticated in privileged mode in order to induce the crash.

Workaround:
None.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:M/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
100.7(13.13), 100.7(14.1), 100.7(18.1), 100.7(6.42), 100.7(9.38), 100.8(0.31), 100.8(0.8), 100.8(10.9), 100.8(12.7), 100.8(15.1)
Alert Type:
Updated *
Bug Id:
CSCuu95926
Title:
5585-SSP10 shows speed of 1GE SFP interfaces as 10 Mbps
Status: *
Terminated
Severity:
3 Moderate
Description:

Symptom:
An ASA5585-SSP10 is connected to a 6500 switch using 1GE SFP optics inserted in 10GE ports.
Everything works except that the link speed is detected as 10 Mbps on version 9.1.5.19.

Conditions:
ASA5585-SSP10 connected to a 6500 switch using 1GE SFP optics inserted in 10GE ports.

Workaround:
None

Further Problem Description:

Last Modified:
07-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur17006
Title:
Add cli to control masked username in syslog
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
This bug tracks a change to introduce a CLI command that controls the hiding of the username in syslog messages.

Conditions:
The default behaviour was changed to mask the username:

%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 198.18.1.200 : user = ***** : user IP = 198.18.0.1

This is intentional, in case a user accidentally enters their password in the username field.

The CLI command introduced as part of this bug will provide a configuration option to not mask the username.

Workaround:
None.

Further Problem Description:
PSIRT-Evaluation:

The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-AUG-2015
Known Affected Releases:
9.2(2)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.60), 100.13(21.11), 100.13(28.2), 100.13(29.28), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.18)
Alert Type:
Updated *
Bug Id:
CSCui75190
Title:
Auto-update vulnerable to MitM using HTTP or HTTPS w/o cert verification
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
A man-in-the-middle (MitM) attack is possible against the auto-update feature of the Cisco Adaptive Security Appliance (ASA). This is possible
when the auto-update feature is not configured to perform certificate verification.

Conditions:
An ASA running an affected release of software that is configured to utilize HTTP or HTTPS without certificate verification for the auto-update
feature.

Workaround:
Enable certificate verification for the auto-update server by including the verify-certificate keyword:

hostname(config)# auto-update server url [source interface] [verify-certificate]

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.9/2.4:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:


Last Modified:
11-AUG-2015
Known Affected Releases:
9.0(2)
Known Fixed Releases:
100.10(0.35), 100.10(1.21), 100.10(2.2), 100.10(3.1), 100.10(9.1), 100.8(38.59), 100.8(40.39), 100.8(45.8), 100.8(46.28), 100.8(52.4)
Alert Type:
Updated *
Bug Id:
CSCup54208
Title:
Cisco ASA SharePoint RAMFS Integrity and Lua Injection Vulnerability
Status:
Other
Severity:
3 Moderate
Description: *

Symptoms:
A vulnerability in the SSL VPN code of Cisco ASA Software could allow an authenticated, remote attacker to overwrite arbitrary files present on
the RAMFS file system or inject Lua scripts.

The vulnerability is due to insufficient validation in the code that handles SSL VPN session information when a SharePoint handler is
created. A SharePoint handler is created when a valid SharePoint connection is initiated. An attacker could exploit this vulnerability by
sending a crafted HTTP request to the affected system. The SSL VPN feature needs to be configured for the system to be vulnerable.

An exploit could allow the attacker to overwrite arbitrary files on the RAMFS cache or inject Lua scripts. As a result, an attacker can cause a
denial of service of the Clientless SSL VPN portal or potentially cause a reload of the system.

This vulnerability was reported to Cisco by Alec STUART-MUIRK.

Conditions:
SSL VPN must be configured on the system. Additionally, a SharePoint handler needs to be present in order to exploit this issue.

Workaround:
none


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-3399 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3399

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
11-AUG-2015
Known Affected Releases:
8.0(1.28), 8.6(0), 8.7(1), 9.0(3), 9.2(1), 9.3(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuj45293
Title:
Sensitive SRTP Information Printed to Debug
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
This is a modification on the product to adopt new secure code best practices to enhance the security posture and resiliency of the product.

Conditions:
Device configured with default configuration.

Workaround:
Not applicable or available.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 1.7/1.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:


Last Modified:
11-AUG-2015
Known Affected Releases:
8.2, 9.1
Known Fixed Releases:
100.10(0.29), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.125), 100.8(38.55), 100.8(40.35), 100.8(45.7), 100.8(46.28), 100.8(52.2)
Alert Type:
New
Bug Id:
CSCuv73636
Title:
ASA: Traceback seen on L2 Cluster in multimode with large NAT configs
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
This problem is seen on 9.1.6 but not on asa100-15-3-20-smp-k8.bin.

Conditions:
Under very large configurations.

Workaround:
No workaround known.

Further Problem Description:
The crash is seen on the 9.1.6 branch and is not seen with the latest image, asa100-15-3-20-smp-k8.

Steps followed to reproduce the issue:
- Clear the configuration on both ASAs and form an L2 cluster in multiple context mode.
- Create a user context and add the customer configuration and unb configuration to the user context (the customer config and unb file are attached to the bug).
- Reload the master ASA; the slave ASA changes state to master.
- While the reloaded ASA comes up as slave, it crashes in the SLAVE_BULK_SYNC state with the traceback below and goes into a hung state after rebooting for some time.

The traceback and traceback decode are attached to the bug.

ciscoasa# INFO: UC proxy will be limited to maximum of 752 sessions by the UC Proxy license on the device
WARNING: Removing all contexts in the system
Removing context 'ctx1' (2)... Done
Removing context 'admin' (1)... Done
INFO: Admin context is required to get the interfaces
*** Output from config line 82, "arp timeout 14400"
INFO: Admin context is required to get the interfaces
*** Output from config line 83, "no arp permit-nonconnect..."
Creating context 'admin'... Done. (3)
*** Output from config line 87, "admin-context admin"

WARNING: Skip fetching the URL disk0:/admin.cfg

*** Output from config line 91, " config-url disk0:/admi..."
Creating context 'ctx1'... Done. (4)
*** Output from config line 94, "context ctx1"

WARNING: Skip fetching the URL disk0:/unb1.txt
*** Output from config line 97, " config-url disk0:/unb1..."

Cryptochecksum (changed): e43147b3 bc397eef a0ed30c2 efa1145d

Cryptochecksum (changed): 91f0bd8d 089ef004 77a4e4c3 56c01ac9
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Cryptochecksum (changed): b5a038b4 76d9af41 02cb3c60 392c4378

Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e
End configuration replication from Master.

Register dump: Thread 0 in thread group
other: Unknown
r8 0x00007ffeb40d7770
r9 0x0000000000000000
r10 0x0000000000000000
r11 0x0000000000001500
r12 0x00007ffefb5ce680
r13 0x00007ffeb40db000
r14 0x00000080f86ee400

Last Modified:
19-AUG-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv52750
Title:
Cannot change "management-only" for port-channel interfaces on 5500-X
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Once a port-channel interface is created, its management-only setting cannot be changed (enabled or disabled, whatever the initial management-only setting was when the interface was created). The following error is shown if an attempt to change the setting is made:

"It is not allowed to make changes to this option for management interface on this platform"

This happens only with port-channel interfaces, and this behavior is not tied to the management-only state of the member interfaces.

Conditions:
5500-X models, excluding 5585-X

Workaround:
None

Further Problem Description:

Last Modified:
19-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.94), 100.14(0.69), 100.15(0.23), 100.15(1.53), 100.15(15.14), 100.15(16.1), 100.15(2.83), 100.15(3.30), 100.15(6.19), 100.15(6.20)
Alert Type:
New
Bug Id:
CSCuv80580
Title:
ASA allows AC session with existing AAA assigned address after failover
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
After failover, the ASA allows an AnyConnect session to be created that uses the same Framed-IP-Address as a session created and replicated before the failover, without detecting that the IP address has already been assigned by AAA. While the session with the duplicate assigned address exists, the ASA will not pass VPN data traffic for that session.

Conditions:
ASA in an HA setup, with RADIUS used for address assignment.

Workaround:
Assuming the Framed-IP-Address value is associated with a specific username, enable Auto Reconnect so that a new session is not required after failover. It is also considered a workaround to set simultaneous logins to 1, or to configure a shorter vpn-idle-timeout to push out the existing session. If none of these is acceptable, it is also possible to not use RADIUS for address assignment.

Further Problem Description:

Last Modified:
19-AUG-2015
Known Affected Releases:
9.1(6), 9.1(6.6)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCur94037
Title:
NTP authentication config replication fails in ASA failover and cluster.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA failover units fail to replicate the NTP authentication commands during a bulk sync (write standby, disabling/enabling failover, or a reload of the standby unit). The same issue is seen in an ASA cluster when a slave unit rejoins the cluster. NTP server related commands replicate successfully.

Conditions:
An ASA running in a cluster or failover setup fails to replicate NTP authentication related commands when a slave unit rejoins or during a bulk sync, respectively.

Workaround:
Manually re-enter the NTP authentication commands on the active unit, which syncs them to the standby unit.
When the next bulk sync happens, the NTP authentication commands will disappear again.

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
9.0
Known Fixed Releases:
100.11(0.55), 100.12(0.104), 100.13(0.12), 100.13(1.16), 100.13(16.24), 100.13(19.6), 100.13(20.3), 100.13(21.3), 100.13(23.1), 100.8(40.94)
Alert Type:
Updated *
Bug Id:
CSCuu45000
Title:
Evaluate CVE-2015-3456 aka Venom QEMU vulnerability
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
Cisco ASA 5500-X devices include a version of QEMU/KVM that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2015-3456 (VENOM)

Cisco has analyzed these vulnerabilities and concluded that the issue does exist, but is not exploitable. The vulnerability is being proactively patched to remove the issue from future releases of Cisco ASA Software.

Conditions:
Cisco ASA devices running an affected version of ASA software.

Workaround:
None Available

Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.4/6.7:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:U/RC:C

CVE ID CVE-2015-3456 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html





Last Modified:
20-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.15(1.13), 100.15(10.2), 100.15(2.46), 100.15(3.6), 100.15(4.7), 100.15(5.11), 100.15(6.9), 100.15(9.4)
Alert Type:
New
Bug Id:
CSCuv71086
Title:
ssl server-version tlsv1-only error on upgrade
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
ssl server-version tlsv1-only error on upgrade

Conditions:
Upgrade ASA image

Workaround:
None

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
9.4(1), 9.4(1.104)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuq27723
Title:
WebVPN Citrix client browser couldn't save Java Client as preferred
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
- As a remote access user
- On the Citrix client accessed through the browser
- When the client preference option in settings is changed from the default native client to the Java client and saved
- The new setting is not shown when the settings page is visited again.

Conditions:
Access XenApp server using web-browser through Clientless SSL VPN
This happens on Mac OS X v10.9 with FireFox 30 and Safari v7.x
This also happens on Windows 7 with FireFox v28 and Internet Explorer 9

Workaround:
None

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
9.2(1.102)
Known Fixed Releases: *
100.12(0.139), 100.13(0.94), 100.14(0.70), 100.15(0.23), 100.15(1.54), 100.15(15.15), 100.15(16.1), 100.15(2.85), 100.15(3.29), 100.15(6.19)
Alert Type:
Updated *
Bug Id:
CSCut67779
Title:
Investigate impact of jumbo-frame reservation on low-end ASA platforms
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Low-end ASA models, like ASA5512-X or ASA5515-X may fail to boot if Jumbo frames are enabled (jumbo-frame reservation) and additional interface card, like ASA-IC-6GE-CU-A card is present in the chassis.

Conditions:
This issue was seen in 9.2(3) and 9.3(1) software.

Workaround:
Try to load 9.3(2) software, run "no jumbo-frame reservation" and reload.

Further Problem Description:
Even though 9.3(2) software boots up, the ASA cannot service ASDM connections if Jumbo frames are enabled. This happens due to low volume of free DMA memory. Use "show memory detail" command to check.

Last Modified:
21-AUG-2015
Known Affected Releases:
9.2(3), 9.3(1)
Known Fixed Releases: *
100.12(0.139), 100.13(0.94), 100.14(0.70), 100.15(0.23), 100.15(1.56), 100.15(16.1), 100.15(2.86), 100.15(3.31), 100.15(6.19), 100.15(6.20)
Alert Type:
Updated *
Bug Id:
CSCuu48813
Title:
WebVpn: portal is not displayed after re-login
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When logging in to WebVPN again after logging out, the ASA serves a page other than the portal.

Conditions:
It started to happen after 9.1(5)16 and up

Workaround:
1. Roll back to 9.1(5), if acceptable.
2. Restart the browser after logging out and before logging-in again.

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
9.1(5.160), 9.1(5.190), 9.1(6)
Known Fixed Releases: *
100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12)
Alert Type:
New
Bug Id:
CSCuv54615
Title:
Clients not able to ping IPv6 Gateway (ASA)
Status:
Terminated
Severity:
3 Moderate
Description:

Symptom:
Observed on ASA 9.0.4.

The ASA forms IPv6 neighbor relationships with clients behind the firewall.
ICMP requests and replies between the ASA and the clients fail.
ASA asp-drop captures show drops from client to ASA (acl-drop: flow is denied by configured rule).

Conditions:
ASA running 9.0.4
IPv6 enabled and running on ASA

Workaround:
remove IPv6 configuration from interface and reapply

e.g.

ASA# sh run int g0/0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.9.2.10 255.255.255.0
ipv6 address 2607:f330:2160:106::1/64 standby 2607:f330:2160:106::2
ipv6 address fe80::106:1 link-local standby fe80::106:2
ipv6 enable
!
no ipv6 address 2607:f330:2160:106::1/64 standby 2607:f330:2160:106::2
no ipv6 address fe80::106:1 link-local standby fe80::106:2
no ipv6 enable
!
ipv6 address 2607:f330:2160:106::1/64 standby 2607:f330:2160:106::2
ipv6 address fe80::106:1 link-local standby fe80::106:2
ipv6 enable

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
9.0(4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv60724
Title:
Cisco ASA Unicast Reverse Path Forwarding (uRPF) Bypass Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
A vulnerability in the Unicast Reverse Path Forwarding (uRPF) feature in the Cisco
Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker
to bypass the uRPF validation checks.

The vulnerability is due to incorrect uRPF validation where IP packets from an outside
interface whose IP address is both in the ASA routing table and associated with an internal
interface are not dropped. An attacker could exploit this vulnerability by sending spoofed
IP packets to the ASA in a subnet range which should be dropped. An exploit could allow the
attacker to bypass uRPF validation on the ASA and the packet will be incorrectly forwarded
on the internal network.

Conditions:
The ASA has the command ''ip verify reverse-path interface '' configured on an outside
interface which has a default route.

Workaround:
None.

Further Problem Description:
This problem was introduced by ASA software version 9.3(3).
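The check the description above says went wrong is the strict-mode uRPF lookup: the source address of a packet arriving on "outside" must be resolved with a longest-prefix match, and if the best route back to that source points at an internal interface, the packet is spoofed and must be dropped, even though a default route on "outside" also covers it. The following is an added example, not Cisco's code, that implements that check in Python over a constructed routing table; interface names, prefixes and sample packets are assumptions. The deliberately weak variant beside it, which permits a packet whenever any covering route (including the default route) leaves via the ingress interface, is included only for contrast and is not a claim about the ASA's actual defect.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table (assumed for this example): the default routes leave
# via "outside", while internal prefixes are reachable via "inside" and "dmz".
ROUTES = [
    (ip_network("0.0.0.0/0"), "outside"),
    (ip_network("192.0.2.0/24"), "outside"),   # connected outside subnet
    (ip_network("10.1.0.0/16"), "inside"),
    (ip_network("10.1.5.0/24"), "dmz"),        # more specific than the inside route
    (ip_network("::/0"), "outside"),
    (ip_network("2001:db8:1::/48"), "inside"),
]


def best_route(routes, addr):
    """Longest-prefix match for addr; returns (prefix, interface) or None."""
    best = None
    for prefix, iface in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def strict_urpf_permits(routes, ingress_iface, src):
    """RFC 3704 strict mode: permit only if the best route back to the source
    points out the interface the packet arrived on."""
    route = best_route(routes, ip_address(src))
    return route is not None and route[1] == ingress_iface


def any_route_via_ingress_permits(routes, ingress_iface, src):
    """Deliberately weak check, assumed here purely for contrast (not the ASA's
    actual logic): permit if *any* covering route, including a default route,
    leaves via the ingress interface. With a default route on "outside" this
    lets every spoofed internal source through."""
    addr = ip_address(src)
    return any(addr in prefix and iface == ingress_iface for prefix, iface in routes)


def evaluate(routes, packets):
    """Return [(ingress, src, strict_verdict, weak_verdict)] for the given packets."""
    return [
        (iface, src,
         strict_urpf_permits(routes, iface, src),
         any_route_via_ingress_permits(routes, iface, src))
        for iface, src in packets
    ]


# Constructed packets: (ingress interface, source address).
SAMPLE_PACKETS = [
    ("outside", "198.51.100.7"),   # Internet host, default route via outside: legitimate
    ("outside", "10.1.2.3"),       # spoofed inside address arriving from outside
    ("outside", "10.1.5.9"),       # spoofed dmz address arriving from outside
    ("outside", "2001:db8:1::5"),  # spoofed IPv6 inside address arriving from outside
    ("inside", "10.1.5.9"),        # dmz address arriving on inside: spoofed or asymmetric
    ("inside", "10.1.2.3"),        # inside host on the inside interface: legitimate
]

if __name__ == "__main__":
    for iface, src, strict, weak in evaluate(ROUTES, SAMPLE_PACKETS):
        print(f"{iface:8} {src:16} strict={'permit' if strict else 'drop':6} "
              f"weak={'permit' if weak else 'drop'}")
```

Running it shows the three spoofed sources from "outside" dropped by the strict check and permitted by the weak one, which is exactly the symptom the bug describes. Strict mode is only correct where routing is symmetric; on an interface with asymmetric return paths a practitioner would use the ASA's loose-mode alternative rather than disable the check.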

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2015-4321 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
24-AUG-2015
Known Affected Releases:
9.3(1.50), 9.3(2.100), 9.3(3), 9.4(1)
Known Fixed Releases: *
100.12(0.140), 100.13(0.95), 100.14(0.70), 100.15(0.24), 100.15(1.60), 100.15(16.1), 100.15(3.32), 100.15(6.19), 100.15(6.20), 100.15(8.11)
Alert Type:
Updated *
Bug Id:
CSCua32176
Title:
IPv6 Complete Packet Fragment Reassembly Check Bypass
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
It is possible for a crafted IPv6 packet to bypass the fragment reassembly check of the Cisco Adaptive Security Appliance (ASA).

Conditions:
Cisco ASA configured for IPv6.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C&version=2.0
CVE ID CVE-2012-5736 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
25-AUG-2015
Known Affected Releases:
8.2(4.5)
Known Fixed Releases: *
100.12(0.143), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(3.37), 100.15(6.22), 9.4(1.106), 99.1(2.223), 99.1(3.156)
Alert Type:
Updated *
Bug Id:
CSCuv32789
Title:
ASA using IKEv2 rejects more than 10 NAT_DETECTION_SOURCE_IP payloads
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Acting as the IKEv2 responder, the ASA receives an initial IKEv2 packet that contains more than 10 NAT_DETECTION_SOURCE_IP payloads from the initiator. The ASA rejects the connection, enumerates 10 payloads, and then prints "INVALID_SYNTAX".

Conditions:
- The ASA acts as the IKEv2 responder.
- The ASA receives more than 10 NAT_DETECTION_SOURCE_IP payloads from the initiator.

Workaround:
Use IKEv1
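RFC 7296 allows an initiator with several addresses to send one NAT_DETECTION_SOURCE_IP notify per address and sets no upper bound on their number; the responder's job is to walk the payload chain and check whether the SHA-1 of (SPIi | SPIr | source IP | source port) it computes from the observed datagram matches any of them. The following is an added example, not Cisco's code, that builds a minimal IKE_SA_INIT request in Python containing only Notify payloads (SA, KE and Nonce payloads are omitted because the point is the payload chain), parses it on the responder side, and shows how a cap like the one described here turns a legitimate 12-address initiator into an INVALID_SYNTAX rejection. The SPIs, addresses and ports are constructed for the example.

```python
import hashlib
import struct
from ipaddress import ip_address

IKE_HEADER_LEN = 28
IKE_VERSION = 0x20              # major version 2, minor 0
EXCHANGE_IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08
NO_NEXT_PAYLOAD = 0
PAYLOAD_NOTIFY = 41
NAT_DETECTION_SOURCE_IP = 16388
NAT_DETECTION_DESTINATION_IP = 16389


def nat_detection_hash(spi_i, spi_r, addr, port):
    """RFC 7296 section 2.23: SHA-1(SPIi | SPIr | IP address | port)."""
    return hashlib.sha1(spi_i + spi_r + ip_address(addr).packed + struct.pack("!H", port)).digest()


def build_notify(next_payload, notify_type, data):
    """Notify payload (RFC 7296 section 3.10) with Protocol ID 0 and no SPI,
    behind a generic payload header: next payload, critical bit, length."""
    body = struct.pack("!BBH", 0, 0, notify_type) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_ike_sa_init(spi_i, notifies):
    """Initiator's IKE_SA_INIT request carrying the given (type, data) notifies."""
    spi_r = bytes(8)            # responder SPI is zero in the initial request
    chain = b""
    for i, (ntype, data) in enumerate(notifies):
        nxt = PAYLOAD_NOTIFY if i < len(notifies) - 1 else NO_NEXT_PAYLOAD
        chain += build_notify(nxt, ntype, data)
    first = PAYLOAD_NOTIFY if notifies else NO_NEXT_PAYLOAD
    header = struct.pack("!8s8sBBBBII", spi_i, spi_r, first, IKE_VERSION,
                         EXCHANGE_IKE_SA_INIT, FLAG_INITIATOR, 0, IKE_HEADER_LEN + len(chain))
    return header + chain


def parse_notifies(msg):
    """Walk the payload chain; return (spi_i, spi_r, [(notify_type, data), ...]).
    Raises ValueError on malformed lengths or an unknown critical payload."""
    spi_i, spi_r, next_payload, _ver, _exch, _flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", msg[:IKE_HEADER_LEN])
    if length != len(msg):
        raise ValueError("IKE header length does not match datagram")
    off, notifies = IKE_HEADER_LEN, []
    while next_payload != NO_NEXT_PAYLOAD:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, critical, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[off + 4:off + plen]
        if next_payload == PAYLOAD_NOTIFY:
            if len(body) < 4:
                raise ValueError("short notify payload")
            _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            notifies.append((ntype, body[4 + spi_size:]))
        elif critical & 0x80:
            raise ValueError(f"unsupported critical payload type {next_payload}")
        next_payload, off = nxt, off + plen   # unknown non-critical payloads are skipped
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return spi_i, spi_r, notifies


def responder_nat_check(msg, observed_src, observed_port, max_source_notifies=None):
    """Responder-side NAT detection. Returns (status, source_notify_count, peer_behind_nat).
    max_source_notifies models a cap like the one the bug describes; RFC 7296 sets none."""
    spi_i, spi_r, notifies = parse_notifies(msg)
    hashes = [d for t, d in notifies if t == NAT_DETECTION_SOURCE_IP]
    if max_source_notifies is not None and len(hashes) > max_source_notifies:
        return ("INVALID_SYNTAX", len(hashes), None)
    expected = nat_detection_hash(spi_i, spi_r, observed_src, observed_port)
    return ("OK", len(hashes), bool(hashes) and expected not in hashes)


def build_demo_message(n_addrs=12):
    """Constructed initiator with n_addrs addresses 192.0.2.1..n (assumed),
    sending one NAT_DETECTION_SOURCE_IP per address plus one DESTINATION_IP."""
    spi_i, spi_r = bytes(range(1, 9)), bytes(8)
    notifies = [(NAT_DETECTION_SOURCE_IP, nat_detection_hash(spi_i, spi_r, f"192.0.2.{i}", 500))
                for i in range(1, n_addrs + 1)]
    notifies.append((NAT_DETECTION_DESTINATION_IP,
                     nat_detection_hash(spi_i, spi_r, "198.51.100.1", 500)))
    return build_ike_sa_init(spi_i, notifies)


if __name__ == "__main__":
    msg = build_demo_message(12)
    print("uncapped, no NAT:   ", responder_nat_check(msg, "192.0.2.5", 500))
    print("uncapped, behind NAT:", responder_nat_check(msg, "203.0.113.9", 4500))
    print("capped at 10:       ", responder_nat_check(msg, "192.0.2.5", 500, max_source_notifies=10))
```

With no cap, the 12-address initiator is accepted and NAT is correctly detected only when the observed source differs from every hash; with the cap at 10 the same valid request is rejected. A responder that does need to bound resource use should bound the total datagram size and the number of payloads it will parse, not a single notify type that the RFC allows to repeat.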

Further Problem Description:

Last Modified:
25-AUG-2015
Known Affected Releases:
9.2(2.8)
Known Fixed Releases: *
100.12(0.141), 100.13(0.95), 100.14(0.70), 100.15(0.24), 100.15(1.62), 100.15(16.1), 100.15(3.36), 100.15(6.21), 100.15(8.11), 9.4(1.106)
Alert Type:
Updated *
Bug Id:
CSCuv09538
Title:
ASA: CLI commands not showing help(?) options for local authorization
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA: CLI commands not showing help(?) options for local authorization in configuration mode

Conditions:
ASA device configured with LOCAL authorization

Workaround:
Do not use LOCAL authorization

Type the complete command without using the (?) symbol

Further Problem Description:

Last Modified:
25-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(3.37), 100.15(6.21), 9.4(1.106), 99.1(2.223), 99.1(3.156)
Alert Type:
New
Bug Id:
CSCuu42433
Title:
Interface VLAN Not Updated in ASA Configuration
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The desired VLAN ID for an interface is not set on ASA device.

Conditions:
Modifying the VLAN ID of an existing interface on ASA via northbound API from ACI.

Workaround:
Trigger a serviceAudit. One way to do it is to click the 'Re-Query for Device Validation' menu item on the LDev from APIC.

Further Problem Description:

Last Modified:
25-AUG-2015
Known Affected Releases:
1.2(0.24)
Known Fixed Releases:
1.2(0.26)
Alert Type:
New
Bug Id:
CSCuv93369
Title:
DOC: ASA/CoA Should be documented what attrs in CoA are supported
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
CoA should be documented in terms of what attributes are supported

Conditions:
CoA

Workaround:
None

Further Problem Description:

Last Modified:
25-AUG-2015
Known Affected Releases:
9.2(4)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv63875
Title:
ASA traceback in Thread Name:ci/console while running show ospf commands
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
ASA traceback in Thread Name:ci/console while running show ospf commands

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
25-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCui94757
Title:
ASA tears down SIP signaling conn w/ reason Connection timeout
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
When a user tries to disconnect a SIP call established through ASA, it doesn't get disconnected properly. As a result, subsequent call attempts fail.

Conditions:
1. ASA is configured for SIP inspection.
2. Endpoints are using TCP for SIP transport.
3. The first call should have been up for at least a minute.

Workaround:
Restart the SIP endpoint if calls are failing with above symptoms.

Further Problem Description:

Last Modified:
27-AUG-2015
Known Affected Releases: *
8.2(5.41), 8.4(6.5), 9.0(3), 9.1(2.6)
Known Fixed Releases: *
100.10(0.21), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.124), 100.8(38.47), 100.8(40.29), 100.8(45.5), 100.8(46.11), 100.8(48.1)
Alert Type:
New
Bug Id:
CSCuv96789
Title:
ASDM image file missing on newly shipped ASA5506/ASA5508/ASA5516.
Status:
Terminated
Severity:
3 Moderate
Description:

Symptom:
ASDM image file missing on newly shipped ASA5506/ASA5508/ASA5516.

Conditions:
N/A

Workaround:
Download the ASDM image file from www.cisco.com and manually upload it to flash.

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases:
7.4(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCud90235
Title:
SSH: ASA default config should support only SSHv2
Status:
Open
Severity:
3 Moderate
Description:

Symptoms:
The ASA default configuration should only support SSHv2 connections. The use of SSHv1 is not recommended for security reasons and, with this change, a user must explicitly enable it to allow a client to connect with any version other than SSHv2.

Conditions:
ASA configured for SSH access.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
28-AUG-2015
Known Affected Releases: *
100.12(0.65), 8.4(5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv62204
Title:
"show ipv6 neighbor" command not available in system space
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"show ipv6 neighbor" command is not available in the system execution space

Conditions:
ASA in multiple mode.

Workaround:
None

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.13(0.97), 100.15(1.77), 100.15(3.45), 9.4(1.107), 99.1(2.229)
Alert Type:
New
Bug Id:
CSCuv62129
Title:
CX : Failed to retrieve IDPROM data from software module
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
You will see logs similar to the following on the ASA:

Message #302 : CMGR VM: In cmgr_kvm_sw_mod_idp_req_thread, Failed to retrieve IDPROM data from software module 2
Message #303 : CMGR VM: In cmgr_kvm_sw_mod_idp_req_thread, Failed to retrieve IDPROM data from software module 2
Message #304 : CMGR VM: In cmgr_kvm_sw_mod_idp_req_thread, Failed to retrieve IDPROM data from software module 2



Conditions:
The CX data plane will go down

Workaround:

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv85752
Title:
Group-lock value can be set with space in a tunnel-group name
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Group-lock setting does not get deleted from group-policy attributes and causes AnyConnect connections to fail for a given tunnel-group.

Conditions:
Standard AnyConnect configuration plus group-lock in the group-policy.

Workaround:
Reapply the group-lock without a space after the tunnel-group name.

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
8.2, 9.1, 9.1(4), 9.3, 9.3(2), 9.4, 9.4(1)
Known Fixed Releases: *
100.12(0.145), 100.13(0.97), 100.15(3.46), 9.4(1.107), 99.1(2.229)
Alert Type:
Updated *
Bug Id:
CSCuv86227
Title:
ASA sending incorrect ACL hash for ASDM TopN ACL statistics on a cluster
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Error message under firewall dashboard "n/a config out of sync" for ASDM supporting ASA cluster.

Conditions:
Managing an ASA cluster from ASDM with threat detection statistics enabled.

Workaround:
None

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.12(0.145), 100.15(3.46), 99.1(2.229)
Alert Type:
Updated *
Bug Id:
CSCua32157
Title:
Remove Code for Type 0 Routing Headers
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
This is a modification on the product to adopt new secure code best practices to enhance the security posture and resiliency of the product.

Conditions:
Device configured with default configuration.

Workaround:
Not applicable or available.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
8.2(4.5)
Known Fixed Releases: *
100.12(0.145), 99.1(2.229)
Alert Type:
Updated *
Bug Id:
CSCuv93407
Title:
ASA Lina: fix memory leak in debug menu option 20
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When using 'debug menu memory 20 X' troubleshooting command, with X != 1, sometimes not all the allocated memory is released.

Conditions:
'debug menu memory 20 X' where X != 1

Workaround:
Use 'debug menu memory 4' to release all remaining allocated memory.

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
100.12(0)
Known Fixed Releases: *
100.12(0.145), 100.13(0.97), 100.14(16.6), 100.14(5.31), 100.15(1.77), 100.15(3.45), 9.4(1.107), 99.1(2.229)
Alert Type:
Updated *
Bug Id:
CSCut35367
Title:
SVG Parser not mangling xlink:href attribute
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When loading a URL containing an svg tag via WebVPN, the page renders correctly but the xlink:href attribute is not mangled.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
100.13(16.1), 9.3(2)
Known Fixed Releases: *
100.12(0.142), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(3.37), 100.15(6.21), 100.15(8.12), 99.1(2.221), 99.1(3.156)
Alert Type:
Updated *
Bug Id:
CSCuv90156
Title:
All Remarks in ACLs are pushed to the end of each ACL after upgrade
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
All remarks in ACLs are bundled together and pushed to the end of each ACL after running an upgrade.

Conditions:
This happens when the command "object-group-search access-control" is present in the configuration when you upgrade

Workaround:
Remove the "object-group-search access-control" command before the upgrade and re-apply it after the upgrade.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3, 9.4, 9.5
Known Fixed Releases: *
100.12(0.145), 100.15(0.25), 100.15(1.78), 100.15(3.46), 9.4(1.107), 99.1(2.229)
Alert Type:
Updated *
Bug Id:
CSCuu54660
Title:
ASA Remote Access - Phase 1 terminated after xauth
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
IPSEC remote access clients are intermittently not able to connect.
The user is prompted for password and then the connection fails.

From the ASA debugs we can see the Phase 1 and X-auth + config mode are passing fine. Then the ASA deletes the Phase 1, sends delete information to the client and discards QM1 packet sent by the client.

Conditions:
MacOS / iOS built-in IPSEC VPN client.
Clients behind NAT.
More detailed triggers unknown.

Workaround:
Reload the ASA.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCur51051
Title:
LU allocate connection failed on the Standby ASA unit
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA-3-210005: LU allocate connection failed syslog on the Standby Unit.
Mismatch in number of connections on the Active/Standby Units

Conditions:
ASA running in HA pair Active/Standby

Workaround:
Failing over the devices resolves the issue.

During a live debugging session, it was observed that the first "wr standby" caused hundreds of the "Failed to replicate flow" error messages. If you executed "wr standby" again immediately after it was done syncing, I saw just 20. It may be possible that if you execute it multiple times one after the other, then it will sync completely.

Further Problem Description:
None

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5.19)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(21.13), 100.13(28.2), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12), 100.14(26.9), 100.14(4.38)
Alert Type:
New
Bug Id:
CSCsl74827
Title:
Error messages on console due to QoS configuration
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
Due to QoS configuration on the ASA, errors like below might be seen on the console:

Message #941 : ERROR: Problem with interface 8
Message #942 : ERROR: Problem with interface 9
Message #943 : ERROR: Problem with interface 10

It is believed that these errors are cosmetic, and do not indicate a problem with the operational state of the ASA.

Conditions:
QoS must be configured to encounter this problem

Workaround:
None known

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.0(2), 8.1(0.135), 9.4(1.3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu07308
Title:
"ssh scopy enable" deleted from configuration
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"ssh scopy enable" deleted from configuration

Conditions:
Seen in multi context ASA

ssh scopy enable is turned on.

The command may be removed when making ASA system context changes; it was confirmed to disappear after deleting a context.

Workaround:
Simply re-add the command to the configuration to continue using ssh scopy.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.75), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.37), 100.14(7.30), 100.15(0.11)
Alert Type:
Updated *
Bug Id:
CSCuv72010
Title:
Kernel command line is displayed while booting 9.5.1 Image
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Kernel command line is displayed while booting 9.5.1 Image.

Conditions:
Booting device with 9.5.1 Image

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.14(16.5), 100.14(5.29), 9.5(0.117), 9.5(1)
Alert Type:
Updated *
Bug Id:
CSCuu99349
Title:
ASA-3-317012 and "No route to host" errors even though the route exists
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A certain sequence of configuration steps can lead to the following errors:

%ASA-3-317012: Interface IP route counter negative - Management0/0

and

No route to host

when traffic is sent from the ASA to a remote IP address and a valid route exists to reach the destination.

Conditions:
This was found in transparent firewall mode in 9.3(2).

Workaround:
This is a rare situation. Reboot the ASA.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.61), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.26), 100.15(2.58), 100.15(3.13)
Alert Type:
Updated *
Bug Id:
CSCus14147
Title:
ASA generate pool exhausted for sip inspect with embedded IP but no port
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the ASA receives a UDP SIP "Status: 200 OK" message for a non-existent transaction, the syslog "%ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection" is generated.
NAT does return success and SIP sends out the packet.

Conditions:
ASA is configured with sip inspection.
PAT is configured for sip traffic.

Workaround:
NONE

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(2), 9.1(3), 9.1(5), 9.2(2.4), 9.3(1)
Known Fixed Releases: *
100.11(0.56), 100.12(0.112), 100.13(0.27), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.3), 100.14(11.3)
Alert Type:
Updated *
Bug Id:
CSCus69021
Title:
5506-X: 'no buffer' interface counter reports incorrect errors
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The 'no buffer' counter on the 5506 will increment incorrectly. Non "no buffer" interface errors will increment the counter.

Conditions:
Workaround:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2), 9.4(0.40)
Known Fixed Releases: *
100.12(0.112), 100.13(0.33), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4), 100.14(2.5)
Alert Type:
Updated *
Bug Id:
CSCus19673
Title:
"no nameif" is removing the policy-route configuration
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When interface name is removed using "no nameif" command, the attached policy-route configuration is getting removed. Policy-route configuration should still be intact but only effective when nameif is configured again.

Conditions:
Issuing "no nameif" on an interface having policy-route configuration.

Workaround:
Removed policy-route configuration has to be added again manually.

Further Problem Description:
Policy-route configuration attached to an interface is removed only on clearing the interface configuration or policy-route configuration. When "no nameif" is used to remove the interface name, the policy-route configuration should still be intact but only effective when nameif is configured again.

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(1.27)
Known Fixed Releases: *
100.13(0.36), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4), 100.14(2.5), 100.14(26.2)
Alert Type:
Updated *
Bug Id:
CSCut37042
Title:
Secondary ASA stuck in config sync while upgrading to 8.4.x
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In a situation where we are doing a "zero-downtime upgrade" of the firewall from 8.2(5)48 to 8.4.x, we see the following repeated messages appear on the console of the secondary unit (the primary has not yet been upgraded). Even after waiting for several hours the logs keep on appearing.

WARNING: MIGRATION: ACE converted to real IP/port values based on
dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing poli
permit tcp host 155.16.54.36 10.0.0.0 255.0.0.0 eq 9998 log
WARNING: MIGRATION: ACE converted to real IP/port values based on
dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing poli
permit tcp host 155.16.54.36 172.20.0.0 255.252.0.0 eq 9998 log
WARNING: MIGRATION: ACE converted to real IP/port values based on
dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing poli
permit tcp host 155.16.54.36 192.168.0.0 255.255.0.0 eq 9998 log
:
:

Conditions:
While upgrading to 8.4(6) or 8.4(7)3 or 8.4(7)23.

Workaround:
The issue does not occur for standalone ASA.

Perform a manual upgrade (not a zero-downtime upgrade), arranging a downtime window to upgrade the primary and secondary at the same time so that they do not start syncing configuration.

Further Problem Description:
Tracing the flow that leads to these warning messages, the problem appears to start in the "replication" phase rather than the "upgrade" phase (the upgrade itself completes successfully).

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(6), 8.4(7), 8.4(7.230)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.16), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCut06531
Title:
ASA: XFRAME support for .JS and .JNLP URL's
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Clickjacking vulnerability reported by a compliance scan for .js and .jnlp URLs

Conditions:
Flagged during compliance scan

Workaround:
None at present

Further Problem Description:

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.45), 100.13(20.12), 100.13(21.7), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6)
Alert Type:
Updated *
Bug Id:
CSCuu09302
Title:
ASAv: RSA key pair needs to be automatically generated with 2048 bits
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
RSA keys generated automatically on ASAv use 1024-bit length.

Conditions:

Workaround:
crypto key generate rsa general-keys modulus 2048

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(21.11), 100.14(5.10), 9.4(1)
Known Fixed Releases: *
100.13(0.71), 100.13(21.13), 100.13(29.28), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20), 100.15(0.9), 100.15(1.3)
Alert Type:
Updated *
Bug Id:
CSCut26062
Title:
ASA 9.2.1 Eigrp Authentication does not work with 16 character key
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA 9.2.1 Eigrp Authentication does not work with 16 character key. ASA not able to read 16th character of the key-string.

Conditions:
ASA running 9.2 software version and using Eigrp Authentication key of 16 characters.

Workaround:
This issue has not been observed in any 8.2 or 9.1 release.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.116), 100.13(0.53), 100.13(21.10), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.10), 100.14(26.4)
Alert Type:
Updated *
Bug Id:
CSCus37840
Title:
AnyConnect upgrade from AC 2.5 to AC 3.1 fails
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
AnyConnect upgrades fail from 2.5.X to 3.1.Y.

Conditions:
ASA 9.2(1), AC upgrade from client 2.5.6005 to 3.1.5170. In general, any upgrades from AC 2.5 to 3.1 fail. Failure here means that the new version is not able to resume the tunnel initiated by the old version. The new version is still downloaded and installed.

Workaround:
None.

Have client manually reconnect with the new version.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.13(29.28), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20)
Alert Type:
Updated *
Bug Id:
CSCuu13345
Title:
Drop reasons missing from asp-drop capture
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Drop reasons missing from asp-drop capture.

Conditions:
Viewing the capture with "show capture"
-or-
Downloading via HTTP with https:///capture/

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.0
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.12(0.128), 100.13(0.77), 100.13(0.78), 100.13(21.15), 100.13(21.16), 100.14(0.27), 100.14(0.35), 100.14(10.23)
Alert Type:
Updated *
Bug Id:
CSCus74398
Title:
Cisco ASA PIM Multicast Registration Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A vulnerability in the Protocol Independent Multicast (PIM) application of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to disrupt the multicast traffic forwarding on the affected device via a denial-of-service (DoS) attack.

The vulnerability is due to an inconsistency in how the PIM Registration is implemented for multicast forwarding. An attacker could exploit this vulnerability by sending a crafted multicast packet to the affected device. An exploit could allow the attacker to disrupt the multicast forwarding via a DoS attack.

Conditions:
The ASA is configured for PIM multicast and is running an affected version of software. To determine whether PIM multicast is configured on the device, the following commands can be used:

1. This verifies whether a PIM Rendezvous Point (RP) is configured:

ciscoasa# show running-config | in pim
pim rp-address 192.128.1.1

2. Use the command "show pim interface" to verify that multicast is properly configured on the interface.

Workaround:
None.

Further Problem Description:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-0742 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.21), 100.13(20.3), 100.14(1.1), 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCuu88548
Title:
Ampersand (&) not encoded in packet tracer phase 'extra' field
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASDM is unable to run packet tracer when traffic traverses an interface with an ampersand (&) in the name. ASDM will show an error indicating 'Error while forming XML'.

Conditions:
This is seen when the packet path traverses an interface with an ampersand character in the name.

Workaround:
Change the interface name to not include an ampersand.

Further Problem Description:
This is caused by the ASA not encoding the ampersand as &amp; when generating the XML payload. You can verify you are hitting this issue by running the packet tracer command on the CLI and looking for an unencoded ampersand character. For example:

ASA# packet-tracer input inside tcp 192.168.100.200 12345 10.10.0.100 80 xml
::output truncated::

2
ROUTE-LOOKUP
Resolve Egress Interface
ALLOW

found next-hop 10.10.10.254 using egress ifc DMZ&Servers <<<< Unencoded ampersand



Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.14(0.44), 100.14(16.1), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuu07462
Title:
Cannot bootup ASAv-KVM when deployed via RHEL (7.1) / OpenStack (Juno)
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASAv attempts to verify its image during bring up, but ends up failing with a console message of...

The digital signature of the booted image file did not verify successfully. 57 (Unable to get the platform key storage size or key is corrupted)
Rebooting now...

Conditions:
Failure occurs when deploying the ASAv on a KVM hypervisor with a host that is running with a RHEL OS distribution. The problem was noticed on RHEL version 7.1 and OpenStack (Juno).

Workaround:
A workaround to reach the ASAv CLI prompt is to remove the virt-install variable setting --cpu host. You can also set the variable to --cpu none. However, setting --cpu to 'none' may have an impact on the performance characteristics of the ASAv.

Further Problem Description:
A case has been opened with Red Hat (https://access.redhat.com/support/cases/#/case/01431506).

As a workaround you can update /etc/nova/release file from the compute node and restart openstack-nova-compute service:

[root@compute]# cat /etc/nova/release
[Nova]
vendor = Red Hat <===
product = OpenStack
package = 19.el7ost


Last Modified:
31-AUG-2015
Known Affected Releases:
9.4(1.200)
Known Fixed Releases: *
100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20), 100.15(0.9), 100.15(1.3)
Alert Type:
Updated *
Bug Id:
CSCut24490
Title:
L2TP/IPSec Optimal MSS is not what it's supposed to be
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
This is a bug to clarify how to calculate the optimal MSS for L2TP/IPSec

Conditions:
ASA terminating IPSec/L2TP

For Windows 7, the MTU on the IPSec/L2TP virtual adapter is 1300. Because 1300 is small enough, MSS configuration may not be required.
However, it is not always the case for Android.

Workaround:
TAC lab testing indicates that the following formula can be used to calculate the MSS.

MSS = MTU - 156

e.g.
when MTU is 1500:
MSS = 1500 - 156 = 1344

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(2), 9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12), 100.14(2.23)
Alert Type:
Updated *
Bug Id:
CSCus86487
Title:
PBR: DF & DSCP bits are not getting set without valid set next-hop
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The DSCP bits are not getting set if the route-map contains only "set ipv6 dscp" set option

Conditions:
PBR applied using route-map that has just "set ipv6 dscp" as the set option

Workaround:
DSCP bits get set correctly if a valid next-hop is configured in the route-map via set ipv6 next-hop

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.29)
Known Fixed Releases: *
100.13(0.31), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4), 100.14(2.5), 100.14(26.2), 100.14(3.1), 100.14(4.3)
Alert Type:
Updated *
Bug Id:
CSCuv01022
Title:
ASA:OSPF over L2L tunnels is not working with multiple cry map entries
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
OSPF over L2L tunnels is not working. Routes are installed into OSPF database successfully, but they are absent in the main routing table.

Conditions:
Multiple crypto map sequences configured under single crypto map

Workaround:
none

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(3.4)
Known Fixed Releases: *
100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCus06165
Title:
ASA:Dataplane capture doesn't capture packets From Service module to ASA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA Data plane capture does not capture packets From Service module to ASA.

Conditions:
This works fine up to 9.1.2.8 (it captures packets in both directions) and is broken in all images after that.

Workaround:
Downgrade to 9.1.2.8 or lower.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases: *
100.11(0.56), 100.12(0.113), 100.13(0.35), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4)
Alert Type:
Updated *
Bug Id:
CSCuu33321
Title:
Two Dynamic PAT with and without block-allocation
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
An invalid NAT CLI configuration could be entered.

Conditions:
Two or more dynamic PAT rules that share the same mapped address must have the same "block-allocation" setting (either enabled on all or disabled on all); the ASA allowed a mismatched configuration.

Workaround:
Delete and re-add the wrong rule.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.14(6.29), 100.15(5.4)
Known Fixed Releases: *
100.14(0.19), 100.14(10.23), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.10), 100.15(2.35), 100.15(3.3), 100.15(4.5), 100.15(5.6)
Alert Type:
Updated *
Bug Id:
CSCus85532
Title:
IKEv2: IPSec SA's are created by dynamic crypto map for static peers
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When a static IKEv2 VPN peer adds any traffic to the crypto ACL, an SA is built even though the traffic is not allowed in the crypto ACL on the ASA. Those SAs are eventually matched and set up by the dynamic crypto map instance.

Conditions:
The SA need to be initiated from a statically configured peer and a dynamic crypto map instance must be configured on the receiving end.

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.45), 100.13(20.12), 100.13(21.7), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6)
Alert Type:
Updated *
Bug Id:
CSCut04996
Title:
DHCPRelay Server in interface mode not getting deleted
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
DHCPRelay Server in interface mode not getting deleted

Conditions:
The build must include the fix for CSCuq32943, and no route must be present for the DHCP relay server.

Workaround:
clear config interface

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(11.23), 9.1(5.20)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.44), 100.13(20.12), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.7)
Alert Type:
Updated *
Bug Id:
CSCuv07126
Title:
ikev2 enable added to config when zones are used despite ERROR msg
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
If an interface is added to a zone, it is not possible to enable both WebVPN and IKEv1; however, this is not the case for IKEv2, which is still added to the configuration despite an ERROR message.

Conditions:
-- Traffic Zones used.
-- Attempt to enable ikev2

Workaround:
none

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.82), 100.14(0.56), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12), 100.15(4.15)
Alert Type:
Updated *
Bug Id:
CSCuu16983
Title:
ASA: failover logging messages appear in user context
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Failover syslog messages should appear in the admin context, but they appear in user context.

Conditions:
ASA in multi-context mode.

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5.19), 9.2(2.8)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9)
Alert Type:
Updated *
Bug Id:
CSCuc16662
Title:
HTML/Java File Browser- created file or folder shows 9 months offset
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When a new folder or file is created on the FTP or CIFS server over WebVPN, the creation date shown is offset by 9 months.

Conditions:
1. Create a new folder or file on the FTP or CIFS server.
2. The date has 9 months offset.
3. Checked the date on the share server it looks fine.
4. Could be a display issue

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.3(1), 9.0(0.113)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.75), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.37), 100.14(7.30), 100.15(0.11)
Alert Type:
Updated *
Bug Id:
CSCur68226
Title:
ASA SMTP inspection should not disable TLS by default
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When configured with ESMTP inspection, Cisco ASA Software may strip the STARTTLS extension from the session, so STARTTLS is never negotiated and the mail session continues without TLS.
This bug was opened to make the stripping of the STARTTLS extension optional.

Conditions:
None

Workaround:
If SMTP sessions need the STARTTLS extension to provide privacy through TLS encryption, TLS must be allowed in the ESMTP inspection policy
map. The behavior described in the "Interaction Between ASA ESMTP Inspection and STARTTLS" section of the document linked below can be avoided
by using the allow-tls option, supported in Cisco ASA Software Release 8.0.3 and later, as shown here:

policy-map type inspect esmtp esmtp_map
 parameters
  allow-tls action log
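
The following is an added example, not Cisco code, that turns the workaround above into a check: it parses an ASA running-config snippet and reports every "inspect esmtp" statement whose ESMTP inspection policy map does not contain allow-tls. The two embedded configurations are constructed samples (the default "inspect esmtp" with no map, and the corrected form attaching the esmtp_map shown above); the default map name _default_esmtp_map is an assumption of this example.

```python
"""
Audit ASA ESMTP inspection for the STARTTLS-stripping behaviour described in
CSCur68226. Added example, not Cisco code. Parses an ASA running-config
snippet and reports every "inspect esmtp" statement that is not backed by an
esmtp inspection policy map containing "allow-tls".
"""
import re

# Assumed name of the ASA's built-in default ESMTP inspection map, used when
# "inspect esmtp" is given without an explicit map name.
DEFAULT_ESMTP_MAP = "_default_esmtp_map"

# Constructed sample: the weak configuration (default inspection, no allow-tls).
WEAK_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect esmtp
"""

# Constructed sample: the corrected configuration from the workaround above.
HARDENED_CONFIG = """\
policy-map type inspect esmtp esmtp_map
 parameters
  allow-tls action log
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp_map
"""


def esmtp_maps_with_allow_tls(config):
    """Return {map_name: allow_tls} for every esmtp inspection policy map."""
    maps = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level statement
            m = re.match(r"policy-map type inspect esmtp (\S+)$", line)
            current = m.group(1) if m else None
            if current:
                maps[current] = False
            continue
        # indented line inside the current esmtp map: look for allow-tls
        if current and re.match(r"\s*allow-tls(\s|$)", line):
            maps[current] = True
    return maps


def audit_esmtp_inspection(config):
    """Return (map_name, allow_tls) for each 'inspect esmtp' statement.
    allow_tls False means STARTTLS is stripped on affected releases."""
    maps = esmtp_maps_with_allow_tls(config)
    findings = []
    for line in config.splitlines():
        m = re.match(r"\s*inspect esmtp(?:\s+(\S+))?$", line)
        if not m:
            continue
        name = m.group(1) or DEFAULT_ESMTP_MAP
        findings.append((name, maps.get(name, False)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for name, ok in audit_esmtp_inspection(cfg):
            state = "yes" if ok else "NO (STARTTLS stripped)"
            print(f"{label}: inspect esmtp -> {name}: allow-tls={state}")
```

Feed it the output of "show running-config policy-map" from an affected release; any statement reported with allow-tls False leaves STARTTLS-capable mail sessions unencrypted until a map with allow-tls is attached.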

Further Problem Description:
Additional information can be found at:
http://www.cisco.com/web/about/security/intelligence/asa_esmtp_starttls.html

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
8.3(3)
Known Fixed Releases: *
100.11(0.55), 100.11(0.56), 100.12(0.111), 100.12(0.112), 100.13(0.22), 100.13(0.23), 100.13(19.9), 100.13(20.10), 100.13(20.11), 100.13(21.7)
Alert Type:
Updated *
Bug Id:
CSCuv02304
Title:
EEM action not executed on absolute time when NTP is configured
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The EEM action is not executed at the exact "absolute time" configured when NTP is configured; the command runs slightly later or earlier than configured.
With the following configuration the action should run at 10:30:00, but it does not run on time (for example, it runs at 10:29:58).

event manager applet eem-test
event timer absolute time 10:30:00
action 0 cli command "show xxxxx"
output file new
ntp server x.x.x.x

Conditions:
When an NTP server is configured, or when the clock time is changed.

Workaround:
Re-configure the EEM applet's absolute timer after NTP is configured or after the time is changed by any other means (for example, via the 'clock set' command if NTP is disabled). This re-syncs the timer with the current clock time.

Further Problem Description:
The time difference is due to the internal clock drift. It is typically a few seconds.

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCus34033
Title:
ASA fails to pass ipv6 address to anyconnect client when using RADIUS
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When IP address assignment is done via RADIUS rather than a local pool, the AnyConnect client does not receive an IPv6 address from RADIUS.

Debugs on anyconnect/webvpn show the following message:
webvpn_cstp_accept_ipv6_address: No IPv6 Address

Conditions:
RADIUS is used to assign IPv6 addresses to AnyConnect clients.

Workaround:
1. Use a local pool for IPv6 address assignment.
2. Downgrade to 9.2.1; the issue was seen on 9.2.2.4.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2
Known Fixed Releases: *
100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1), 100.14(3.1), 100.14(4.1)
Alert Type:
Updated *
Bug Id:
CSCus42901
Title:
JANUARY 2015 OpenSSL Vulnerabilities
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom: Cisco Adaptive Security Appliance (ASA) Software releases 7.2 and later, including:
7.2.1 - 7.2.5.15,
8.0.2 - 8.0.5.39,
8.1.1 - 8.1.2.56,
8.2.1 - 8.2.5.52,
8.3.1 - 8.3.2.42,
8.4.1 - 8.4.7.25,
8.5.1 - 8.5.1.22,
8.6.1 - 8.6.1.15,
8.7.1 - 8.7.1.14,
9.0.1 - 9.0.4.28,
9.1.1 - 9.1.5.21,
9.2.1 - 9.2.3, and
9.3.1 - 9.3.2.2

include a version of OpenSSL that could be affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-3570 - Bignum squaring may produce incorrect results
CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client]
CVE-2015-0206 - DTLS memory leak in dtls1_buffer_record

Cisco has analyzed the following vulnerabilities and concluded that the previously listed products are not impacted:

CVE-2014-3569 - no-ssl3 configuration sets method to NULL
CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
CVE-2014-8275 - Certificate fingerprints can be modified
CVE-2015-0205 - DH client certificates accepted without verification [Server]

Due to End of Life, this bug will not be fixed in the 8.0 and 8.1 code trains. Cisco recommends that customers upgrade to a fixed release.
Conditions:
Cisco ASA running any of the listed software versions is vulnerable to CVE-2014-3570 (Bignum squaring may produce incorrect results); however, there is no known exploit for this.

Cisco ASA running any of the listed software versions is vulnerable to CVE-2015-0204 (RSA silently downgrades to EXPORT_RSA [Client]) when the ASA acts as a TLS client (clientless WebVPN, TLS proxy, and other cases).

Cisco ASA running software version 9.2.x or later is vulnerable to CVE-2015-0206 (DTLS memory leak in dtls1_buffer_record).

Configurations:

CVE-2015-0206: the device must be configured for DTLS.
DTLS is used for AnyConnect SSL VPN. If AnyConnect is configured, DTLS is enabled by default; it may be disabled explicitly in the group-policy if needed.

CVE-2015-0204: the ASA must be configured to act as an SSL/TLS client. Features that use SSL in client mode include:
Clientless (WebVPN), TLS Proxy, cut-through proxy, LDAP over SSL, Smart Call Home, Smart Licensing, IFS (copy https://), and clustering.

CVE-2014-3570: no known exploit vectors.

This is resolved in 9.1.6 and later.
Workaround:

Not currently available.
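
Added example, not Cisco code: the affected release list above turned into data, with a parser that normalizes the version notations seen in this notification ("9.1(5.21)", "9.1.5.21", "9.1(5)21" as printed by "show version", "9.1.6 Interim") so that a running release can be checked against the inclusive ranges. The sample "show version" line is constructed. A release above a range's upper bound compares as not affected, and a train-only string such as "8.2" carries no maintenance number, so confirm borderline results against the Known Fixed Releases before relying on them.

```python
"""
Check a running ASA release against the affected ranges listed in CSCus42901.
Added example, not Cisco code. Ranges are inclusive, as written in the bug.
"""
import re

# Affected ranges exactly as listed in the Symptom section (inclusive).
AFFECTED_RANGES = [
    ("7.2.1", "7.2.5.15"),
    ("8.0.2", "8.0.5.39"),
    ("8.1.1", "8.1.2.56"),
    ("8.2.1", "8.2.5.52"),
    ("8.3.1", "8.3.2.42"),
    ("8.4.1", "8.4.7.25"),
    ("8.5.1", "8.5.1.22"),
    ("8.6.1", "8.6.1.15"),
    ("8.7.1", "8.7.1.14"),
    ("9.0.1", "9.0.4.28"),
    ("9.1.1", "9.1.5.21"),
    ("9.2.1", "9.2.3"),
    ("9.3.1", "9.3.2.2"),
]


def parse_version(text):
    """Normalize '9.1(5)21', '9.1(5.21)', '9.1.5.21' or '9.1.6 Interim'
    into a tuple of ints, e.g. (9, 1, 5, 21)."""
    digits = re.findall(r"\d+", text)
    if not digits:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(d) for d in digits)


def _pad(v, n):
    """Right-pad a version tuple with zeros so tuples compare component-wise."""
    return v + (0,) * (n - len(v))


def version_in_range(version, low, high):
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    n = max(len(v), len(lo), len(hi))
    return _pad(lo, n) <= _pad(v, n) <= _pad(hi, n)


def affected_range(version):
    """Return the (low, high) range containing version, or None."""
    for low, high in AFFECTED_RANGES:
        if version_in_range(version, low, high):
            return (low, high)
    return None


def version_from_show_version(output):
    """Pull the release string out of 'show version' output."""
    m = re.search(r"Software Version (\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


# Constructed sample of the first line printed by 'show version' on an ASA.
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.1(5)21\n"

if __name__ == "__main__":
    running = version_from_show_version(SAMPLE_SHOW_VERSION)
    hit = affected_range(running)
    verdict = "affected, range " + "-".join(hit) if hit else "not in an affected range"
    print(f"{running}: {verdict}")
```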
More Info:
PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score.
The Base and Temporal CVSS scores as of the time of evaluation are: 5.0/3.7

http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from
multiple sources. This includes the CVSS score assigned by the third-party
vendor when available. The CVSS score assigned may not reflect the actual
impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
8.2, 8.7(1), 9.2(1), 9.3(2), 9.3(2.200), 9.4(1), 99.1
Known Fixed Releases: *
100.11(0.55), 100.12(0.115), 100.13(0.24), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.13(30.1), 100.14(0.3), 100.14(1.2), 100.14(10.13)
Alert Type:
Updated *
Bug Id:
CSCuq69907
Title:
ASA traceback: thread name "scansafe_poll"
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA traceback in thread name "scansafe_poll" when configured for Cisco Cloud Web Security , CWS, (a.k.a ScanSafe)

Conditions:
ASA configured for Cisco Cloud Web Security , CWS, (a.k.a ScanSafe)

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.12(20.10), 100.13(1.40), 9.3(2.1)
Known Fixed Releases: *
100.11(0.55), 100.12(0.111), 100.13(0.21), 100.13(19.9), 100.13(20.9), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1)
Alert Type:
Updated *
Bug Id:
CSCut22865
Title:
[ASA] CTP not working if proxyACL port_argument is gt
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Customer reported that cut-through proxy does not work when the proxy ACL is configured with a source port argument using the 'gt' operator.

Conditions:
The proxy ACL uses the 'gt' port operator.

Workaround:
Do not use the 'gt' operator in the proxy ACL.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.117), 100.13(0.54), 100.13(21.10), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.10), 100.14(26.4)
Alert Type:
Updated *
Bug Id:
CSCut23991
Title:
PPPoE session state timer does not initialize properly
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The value of "Last Chg" always shows 4294967 secs after executing "show vpdn session pppoe state".

Conditions:
The value of "Last Chg" remains at its maximum (4294967) once that value is reached.
The PPPoE connection is not affected when "Last Chg" stays at the maximum value.

Workaround:
Reboot device.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.2(3), 8.4(6), 9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.117), 100.13(0.54), 100.13(21.10), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.10), 100.14(26.4)
Alert Type:
Updated *
Bug Id:
CSCuu08031
Title:
ASA QoS Priority Queue tx-ring-limit 512 causes high impact to LLQ
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
There is a very large difference in behavior between tx-ring-limit 512 and tx-ring-limit 511.

More specifically, with tx-ring-limit 512 the LLQ traffic suffers packet loss while no tail drops are seen for best-effort (BE) traffic.
With tx-ring-limit 512, the larger the average packet size of the BE traffic, the larger the packet loss for LLQ traffic.

With tx-ring-limit 511, LLQ traffic no longer has packet loss while many tail drops appear for BE traffic, which is the expected behavior.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(7.26)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCut05676
Title:
Handling esmtp default parameters for TLS
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In multiple-context mode, after migrating from one version to another,
each context's ESMTP TLS behavior should be determined by the version
recorded in its own config-url file, not by the version of the system
startup configuration.

Conditions:
A migration in multiple-context mode where one context's config-url file carries an old version and the next context's carries a new version.

Workaround:
Use a user-defined esmtp policy map instead of depending on the default esmtp policy map.
Or
Do 'write memory all' in multiple-context mode before migrating to the new version.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.13(0.60), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.17), 100.14(26.6), 100.14(3.5), 100.14(4.25)
Alert Type:
Updated *
Bug Id:
CSCuu41142
Title:
IPv6 local host route fail when setting link-local/Global simultaneously
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When a link-local address and a global address are configured simultaneously by copy-and-paste from a text editor, the IPv6 local host route is missing from "show ipv6 route".
For example, when 2001:1111:1111:111::1/128 is set as the IPv6 address on an interface, a local host route for 2001:1111:1111:111::1/128 should be installed but, in certain situations, is not:

ciscoasa/C1(config-if)# sh ipv6 route

IPv6 Routing Table - 3 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001:1111:1111:111::/64 [0/0]
via ::, outside
L fe80::/10 [0/0]
via ::, outside
L ff00::/8 [0/0]
via ::, outside

The following local host routing should be set.

L 2001:1111:1111:111::1/128 [0/0]
via ::, outside

Conditions:
The symptom occurs only when the link-local address and the global address are changed simultaneously.
It does not occur when the link-local address is left unchanged, or when the link-local and global addresses are configured one line at a time.

Workaround:
- Configure the link-local address and the global address one line at a time (do not copy-and-paste multiple lines)
- Do not change the link-local address when configuring the global address

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.59), 100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCuu00733
Title:
ASA: ECMP stopped working after upgrade to 9.3.2
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After upgrading to 9.3.2, for equal-cost routes via the same interface, for example:

O IA 172.25.225.0 255.255.255.0
[110/4012] via 172.22.247.4, 12:12:19, outside
[110/4012] via 172.22.247.3, 12:12:19, outside

the ASA sends most of the traffic via the first (sometimes the second) gateway instead of load balancing across both.

Conditions:
Equal cost routes via the same interface on ASA

Workaround:
Downgrade to 9.3.1

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.124), 100.12(0.125), 100.13(0.73), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.28), 100.14(7.28), 100.15(0.10)
Alert Type:
Updated *
Bug Id:
CSCuu73087
Title:
Standalone AnyConnect fails to connect due to empty DAP user message
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Standalone AnyConnect client fails with the following message: 'The VPN configuration received from the secure gateway is invalid. Please contact your network administrator.'

Conditions:
1) The AnyConnect client version 2.5.6005 or lower is referenced on the ASA.
2) The DAP record being hit - not the Default DAP record - has no user message.
3) ASA version is 9.3.2 and above.

Workaround:
1) Configure a User Message for the DAP record.
2) Use the AnyConnect client version 3.0.x/3.1.x/4.x on the ASA.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCtx20108
Title:
TCP conns between ASA and Websense server disappear over lossy link
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Poor performance through connections that use Websense filtering.
The total number of TCP connections between the ASA and the Websense server, as seen in "show conn all | i 15868", is lower than the number configured on the "url-server" line.

Conditions:
Websense url filtering configured to use TCP between the Websense server and ASA
Very lossy link/connection between ASA and Websense server

Workaround:
Remove and re-add the url-server line to re-establish the connections

Last Modified:
31-AUG-2015
Known Affected Releases:
8.2(5), 8.4(2)
Known Fixed Releases: *
100.7(13.62), 100.7(18.15), 100.7(20.4), 100.7(6.67), 100.8(0.88), 100.8(11.13), 100.8(24.42), 100.8(27.2), 100.9(0.1), 100.9(2.1)
Alert Type:
Updated *
Bug Id:
CSCus47192
Title:
NAT conversion fails when port range 1024 65535 is source
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
NAT conversion fails when the ACL source port is the range 1024 65535.

If the rules are rewritten to use gt 1024, the issue does not occur. This requires manually correcting all such configurations before upgrading to 9.1 from any pre-8.3 code. Note that gt is strictly greater-than: range 1024 65535 also matches port 1024, whereas gt 1024 does not (gt 1023 is the exact equivalent).

Conditions:
A port range is used as the ACL source port instead of gt 1024.

Workaround:
Rewrite all rules manually before upgrading to 9.1 from any pre-8.3 code.

Further Problem Description:
N/A

Last Modified:
31-AUG-2015
Known Affected Releases:
7.2(5.7), 8.1(2.56), 8.2(5), 9.1(5.19)
Known Fixed Releases: *
100.11(0.55), 100.12(0.111), 100.13(0.22), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(10.2), 100.14(11.2)
Alert Type:
Updated *
Bug Id:
CSCut96928
Title:
ASA : Password creation date is decrementing by one with every reboot
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA "Local User" password creation date is decremented by one day with every reboot.

Conditions:
ASA configured with Command : password-policy lifetime

Workaround:
No workaround

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.23), 100.14(7.22), 100.15(0.9)
Alert Type:
Updated *
Bug Id:
CSCui71332
Title:
IPv6 ND not replicating to Slave units
Status:
Fixed
Severity:
3 Moderate
Description:

Symptoms:
IPv6 ND is not replicated to the slave units

Conditions:
ASA configured in cluster

Workaround:
none

Additional Information:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
100.8(0.187)
Known Fixed Releases: *
100.11(0.56), 100.12(0.113), 100.13(0.34), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4)
Alert Type:
Updated *
Bug Id:
CSCut80316
Title:
Ikev2 Session with bogus assigned IP address stays on ASA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
An IKEv2 EAP-TLS session from a Windows 8.1 Phone remains on the ASA with a bogus assigned IP address.

Conditions:
IKEv2 EAP-TLS connection from a Windows 8.1 Phone with continuous connect/disconnect.

Workaround:
- Remove the bogus externally assigned IP address to avoid the issue, or
- Wait some time before connecting again, as the address becomes available again.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.4(1.230)
Known Fixed Releases: *
100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.24), 100.14(7.23), 100.15(0.9), 100.15(1.3)
Alert Type:
Updated *
Bug Id:
CSCut49724
Title:
Corrupted host name may occur with DHCP
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Corrupted host name may occur with DHCP

Conditions:
A timing issue that can occur because the hostname pointer is shared by the WebVPN and IP address subsystems.

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12)
Alert Type:
Updated *
Bug Id:
CSCui37201
Title:
Misleading error msg for pat-pool with mapped object
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Wrong error message thrown while configuring dynamic PAT

Conditions:
Issue is seen with dynamic PAT.

Workaround:
None.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(2.5)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.14(0.56), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCut83833
Title:
USB device hot plug not supported in running ASA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Hot plug of USB stick not working as expected on 5506, 5506H, 5506W, 5508, 5516 and follow on models

Conditions:
After unit is started, unable to plug in a drive and have it recognized.

Workaround:
Boot with USB stick inserted.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(11)
Known Fixed Releases: *
100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.8), 100.14(0.21), 100.14(10.23), 100.14(5.16), 100.14(7.32), 100.15(0.12), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCus98309
Title:
Duplicate IPv6 address is configurable in 1 ASA or context
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Duplicate IPv6 address is configurable in 1 ASA or context.

In L2 transparent mode, a duplicate IPv6 address can be configured on two BVI interfaces in one context by configuring 'ipv6 address' first and 'bridge-group' afterwards.
In L3 routed mode, a duplicate IPv6 address can be configured on multiple interfaces by configuring 'ipv6 address' first and 'nameif' afterwards.

Conditions:
IPv6 environments

Workaround:
Configure 'bridge-group' first in L2 transparent mode.
Configure 'nameif' first in L3 routed mode.

Further Problem Description:
none

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5.12)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.47), 100.13(21.8), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.8), 100.14(26.2)
Alert Type:
Updated *
Bug Id:
CSCuu93339
Title:
Cisco ASA Poodle TLS Variant
Status:
Fixed
Severity:
3 Moderate
Description:

Symptoms:
Cisco ASA models 5506-X, 5508-X and 5516-X include a version of an SDK that is vulnerable to a variant of POODLE TLS in which the first byte of the
padding is not checked.

Additional information about this issue can be found at:
https://vivaldi.net/en-US/blogs/entry/there-are-more-poodles-in-the-forest

Conditions:
The Cisco ASA Software is affected by this vulnerability if a feature that uses TLS is enabled; the exposure is confined to that feature only.
Examples of features using TLS are the HTTPS server for management, Clientless and AnyConnect SSL VPN, TLS Proxy, Phone Proxy, etc.

Workaround:
There is no workaround for this issue other than disabling the affected feature.



PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.0:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C&version=2.0
CVE-2015-4595 has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
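
Added example, not Cisco's calculator: a CVSS version 2 base and temporal score calculator that reproduces the two PSIRT scores in this notification from their vectors, 5.0/3.7 for CSCus42901 (AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C) and 2.6/2.0 for CSCuu93339 above (AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C). The metric weights and formulas are those of the CVSS v2 specification; the vector_from_url helper only reads the vector query parameter out of the Cisco calculator links quoted on this page.

```python
"""
CVSS v2 base and temporal score calculator, reproducing the PSIRT scores in
this notification (5.0/3.7 for CSCus42901, 2.6/2.0 for CSCuu93339).
Added example, not Cisco's calculator. Weights are from the CVSS v2 spec.
"""
import math
from urllib.parse import urlparse, parse_qs

WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
    # temporal metrics; ND (not defined) weighs 1.0 and is the default
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}


def _round1(x):
    """Round half up to one decimal, as the CVSS v2 spec requires."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C' -> {metric: weight}."""
    metrics = {}
    for part in vector.split("/"):
        name, value = part.split(":")
        metrics[name] = WEIGHTS[name][value]
    for name in ("AV", "AC", "Au", "C", "I", "A"):
        if name not in metrics:
            raise ValueError(f"base metric {name} missing from {vector!r}")
    for name in ("E", "RL", "RC"):
        metrics.setdefault(name, 1.0)      # ND: temporal score equals base
    return metrics


def cvss2_scores(vector):
    """Return (base, temporal) scores for a CVSS v2 vector string."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0 if impact == 0 else 1.176
    base = _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)
    # the spec applies the temporal multipliers to the rounded base score
    temporal = _round1(base * m["E"] * m["RL"] * m["RC"])
    return base, temporal


def vector_from_url(url):
    """Extract the 'vector' query parameter from a Cisco CVSS calculator link."""
    return parse_qs(urlparse(url).query)["vector"][0]


if __name__ == "__main__":
    for url in (
        "http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C",
        "http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C&version=2.0",
    ):
        vec = vector_from_url(url)
        print(vec, "->", cvss2_scores(vec))
```

The temporal score is what drops the POODLE-variant rating from 2.6 to 2.0: E:POC (proof of concept only) and RL:OF (official fix) multiply the base by 0.9 and 0.87, so a practitioner prioritizing by temporal score is already crediting the fixed releases listed below.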

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(3.2), 9.4(1.3)
Known Fixed Releases: *
100.12(0.130), 100.13(0.81), 100.13(29.28), 100.14(0.48), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54)
Alert Type:
Updated *
Bug Id:
CSCuu88607
Title:
Doubling counting flow bytes for decrypted packets
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Some of statistics and syslogs related to flow bytes may be inflated due to the double counting of decrypted packets.

Conditions:
Traffic involving decrypted packets.

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3
Known Fixed Releases: *
100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(5.20)
Alert Type:
Updated *
Bug Id:
CSCut08663
Title:
Both ASAs in failover use the same MAC address
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
- If "mac-address mac_address [standby mac_address]" is configured manually on the physical interface, both the active and standby ASAs use the same active MAC address, disrupting traffic.
- If the "mac-address" command is used on the subinterface, both ASAs negotiate the MAC address correctly based on failover state.

Conditions:
ASAs in failover with an interface using subinterfaces.

Workaround:
Do not configure "mac-address mac_address [standby mac_address]" on the physical interface; configure it on the subinterface instead.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(7), 9.0(4), 9.1(2), 9.1(4), 9.1(5.21), 9.1(6), 9.3(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38)
Alert Type:
Updated *
Bug Id:
CSCut48571
Title:
Incorrect cert chain sent to connecting IPSec clients
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA might not send the correct certificate chain to connecting IPSec clients.

Conditions:
This may occur if the ASA has more than one version (same DNs, but different public keys) of any one of the chain certificates in its configuration.

Workaround:
It may be possible to work around this by repositioning the affected certificates and trustpoints in the configuration

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.13(0.60), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.17), 100.14(26.7), 100.14(3.5), 100.14(4.25)
Alert Type:
Updated *
Bug Id:
CSCut49711
Title:
show cluster mem indicates incorrect values
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"show cluster memory" will indicate incorrect values of Free & Used memory in both summary and individual node output.

Conditions:
When executing "show cluster memory" from Master or slave node in the cluster

Workaround:
Issue "show memory" on individual nodes or "cluster exec unit show mem" to fetch correct values.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.0, 9.3(2.103), 9.4(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCuu02761
Title:
DNS should perform IPv4 lookups if IPv6 address is not reachable
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
DNS returns IPv6 addresses which are not reachable by ASA

Conditions:
IPv6 is enabled on at least one ASA interface.

DNS lookups are configured.

Hosts are accessed by name rather than IP or IPv6 address.

Workaround:
Options:
1. If this is a manual operation (e.g. ping), then specify the IP or IPv6 address.

2. disable IPv6 on all interfaces.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.123), 100.13(0.69), 100.13(21.13), 100.14(0.10), 100.14(10.14), 100.14(26.11), 100.14(5.14), 100.14(6.16), 100.14(7.16)
Alert Type:
Updated *
Bug Id:
CSCus63269
Title:
HTTP redirect to the VPNLB address using HTTPS fails in 9.1.5
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Http redirect for the virtual ip address in a load balanced environment doesn't work.

Conditions:
- vpn load balancing is configured
- ASA 9.1.5 or higher

Workaround:
- use the actual physical ip address of the ASA
- downgrade one of the ASAs in the cluster to 9.1(3) or lower
- use the anyconnect client

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(7.26), 9.1(5), 9.1(5.21)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.24), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCuu74823
Title:
Cryptomaps lose trustpoint when syncing configuration from cluster unit
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the ASA is in a cluster (master/slave) setup, replication of the crypto map trustpoint configuration may not be accepted or synced properly.

Conditions:
ASA Cluster
Crypto map trustpoint configured

Workaround:
Manually re-add the crypto map set trustpoint configuration

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.12(0.131), 100.13(0.81), 100.14(0.48), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.53), 100.15(3.9)
Alert Type:
Updated *
Bug Id:
CSCus83476
Title:
More than 255 messages in multicast packet with jumbo frames
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
PIM join messages are lost after passing through the ASA.

Conditions:
1. The ASA has jumbo frames enabled and an MTU of 5134 or higher
2. Multicast routing is enabled on the ASA and there are more than 255 (*,G)/(S,G) groups on it

Workaround:
Disable jumbo frames or use MTU lower than 5134

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.47), 100.13(21.8), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.8)
Alert Type:
Updated *
Bug Id:
CSCut58935
Title:
WebVPN: Tsweb fails to work through clientless portal
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
TSweb access through clientless VPN may fail when using a customized TSWeb portal. Users will see a blank window instead of the server logon screen

Conditions:
ASA running 9.1.5.10 or later releases

Workaround:
Use the rdp plugin or smart-tunnel the terminal services client.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5.10), 9.1(5.19), 9.1(5.21), 9.2(2.4), 9.3(1)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12)
Alert Type:
Updated *
Bug Id:
CSCuu81932
Title:
ASA tunnel-group-map cannot contain spaces
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA does not accept spaces in a tunnel-group-map entry even though
the tunnel-group name itself can contain them.

Conditions:
Spaces are used in the tunnel-group-map, for example:
tunnel-group-map TEST 5 "TEST CISCO"

Workaround:
Do not use spaces for now.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuu02635
Title:
Remove demo and eval warning for sfr monitor-only
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A warning is produced when configuring the SFR module to monitor-only mode. Example:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open monitor-only
WARNING: Monitor-only mode should be used for demonstrations and evaluations only. This mode prevents SFR from denying or altering traffic.

Conditions:
The sfr monitor-only mode in the policy map is supported for production use, which makes the "should be used for demonstrations and evaluations only" portion of the warning incorrect and confusing.

Workaround:
None. Ignore the "should be used for demonstrations and evaluations only" portion of the warning.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(3), 9.3(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9)
Alert Type:
Updated *
Bug Id:
CSCus98250
Title:
ASA WEBVPN: Usernames shown as '*' in logs for failed authentication
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA shows usernames in the syslog id ASA-6-716039 as a bunch of asterisks for failed login attempts.
Example:
%ASA-6-716039: Group User <*****> IP <10.65.36.61> Authentication: rejected, Session Type: WebVPN

Conditions:
1) ASA running 9.1.5(16) or later
2) Using WEBVPN (SSL CLIENTLESS VPN portal)
3) Using local authentication and typing an incorrect password

Workaround:
Downgrade to 9.1(5.12) or before

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(5.16), 9.1(5.21)
Known Fixed Releases: *
100.11(0.56), 100.12(0.114), 100.13(0.37), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.5), 100.14(2.5)
Alert Type:
Updated *
Bug Id:
CSCus49405
Title:
SCH enrollment issue with Saleen serial number
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Issue when adding an ASA 5500-X model for Smart Call Home enrollment.

Conditions:
ASA 5500-X model and Smart Call Home

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2
Known Fixed Releases: *
100.11(0.56), 100.12(0.114), 100.13(0.37), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.5), 100.14(2.5)
Alert Type:
Updated *
Bug Id:
CSCur99221
Title:
NetFlow incorrect reporting for PPTP VPN over GRE
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA reports incorrect transferred-data values via NetFlow for a PC client that connects to a remote PPTP VPN (GRE traffic) through the ASA.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases: *
100.11(0.56), 100.12(0.114), 100.13(0.39), 100.13(20.12), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.5), 100.14(11.5), 100.14(2.5)
Alert Type:
Updated *
Bug Id:
CSCut64327
Title:
L2TP/IPsec traffic dropped due to "vpn-overlap-conflict"
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After upgrading the code from 9.1.1 to 9.1.2/9.1.6, L2TP/IPsec users are not able to access inside resources.

Inside hosts can reach the connected L2TP/IPsec client fine.

Set up:
*******
10.48.100.0/24-----[inside] ASA [outside]---------ISP---------------Site-to-Site-VPN-peer----10.48.0.0/16 ( contains multiple subnets in 10.48.x.0/24 range, so it has been summarized to /16)
|
|
|------------------l2tp/ipsec-vpn user (10.48.252.128-10.48.252.254)

NOTE: The VPN pool falls within the remote site-to-site network /16 range; to prevent it from matching the static crypto map, a deny entry has been added.

*************
access-list test line 1 extended deny ip 10.48.100.0 255.255.255.0 10.48.252.0 255.255.255.0
access-list test line 3 extended permit ip 10.48.100.0 255.255.255.0 10.48.0.0 255.255.0.0
*************
The presence of either of the two ACEs shown above causes the drop ("vpn-overlap-conflict"); only removing both fixes the traffic issue, after which the L2TP/IPsec client can reach inside resources fine.

'sh asp drop' shows huge increments in the 'vpn-overlap-conflict' counter.

Conditions:
The VPN pool falls within the remote site-to-site network /16 range; to prevent it from matching the static crypto map, a deny entry has been added to the static map ACL.


access-list test line 1 extended deny ip 10.48.100.0 255.255.255.0 10.48.252.0 255.255.255.0 //** Deny vpn pool
access-list test line 3 extended permit ip 10.48.100.0 255.255.255.0 10.48.0.0 255.255.0.0 //** site to site vpn ACE

Workaround:
Use a different range/subnet for RA users.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(1), 9.1(6)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12)
Alert Type:
Updated *
Bug Id:
CSCuu19489
Title:
ASA inspection-MPF ACL changes not inserted into ASP table properly
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
New ACL changes not taking effect for inspection policies.

When new rules are added to the top of an existing ACL that is mapped to an inspection policy, the ASA incorrectly installs the rule at the bottom of its ASP table. This applies to any inspection policy that has an ACL bound to it.

Conditions:
There should be an ACL bound to an inspection policy.

Workaround:
Remove and re-apply the service-policy, or remove and re-apply the affected class-map in the policy-map.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCup89922
Title:
ASA DNS lookups always prefer IPv6 response
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA will always send IPv6 DNS requests (type=AAAA) to a DNS server configured on it if any of its interfaces are configured with IPv6. There is no way to prevent this behaviour or make the ASA prefer sending type=A requests.

Conditions:
This only occurs if IPv6 is enabled on any interface of the ASA, even if no Globally Unique Address is assigned. If IPv6 is enabled, the ASA only makes type=AAAA DNS requests. This always results in an IPv6 DNS response and can cause features that depend on DNS to fail (e.g. Smart Call Home).

Workaround:
Disable all IPv6 addresses on the ASA.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(0.2), 9.1(1), 9.1(5)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.24), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCuc16228
Title:
Can't use an object-group for NAT which was used for pat-pool earlier
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The same object-group cannot be used in NAT when it was used in PAT earlier.


Conditions:
PAT configured, followed by removal of the NAT rule or clear-conf-nat; a new NAT rule then tries to use that object-group as the NAT pool.


Workaround:
No workaround


Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(2), 8.4(4.3), 8.4(4.8)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.61), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.26), 100.15(2.58), 100.15(3.13)
Alert Type:
Updated *
Bug Id:
CSCur42776
Title:
Mac version smart-tunnel uses SSLv3 which is a vulnerability
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The Clientless Smart Tunnel Component for MacOSX of Cisco ASA Software includes a version of SSL that is affected by the vulnerability identified by the following Common Vulnerabilities and Exposures (CVE) ID:

CVE-2014-3566

Conditions:
Exposure is not configuration dependent.

Workaround:
Not available.

Further Problem Description:
This bug is only for the client-side, the Clientless Smart Tunnel Component for MacOSX.

For SSL server-side, please check CSCur23709.

SSLv3 support in the Clientless Smart Tunnel Component for MacOSX will be removed.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 9.3(2), 9.4(1), 99.1
Known Fixed Releases: *
100.11(0.54), 100.11(0.55), 100.12(0.111), 100.12(0.94), 100.12(23.4), 100.12(24.2), 100.13(0.10), 100.13(0.21), 100.13(11.17), 100.13(12.36)
Alert Type:
Updated *
Bug Id:
CSCut67315
Title:
ASA: Top 10 Users status is not getting enabled from ASDM.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Top 10 Users status is not getting enabled from ASDM.

Conditions:
ASA running code 9.3.2

Workaround:
Downgrade ASA to 9.1.5 to get this feature working.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(1), 9.3(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.11), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Alert Type:
Updated *
Bug Id:
CSCuj68919
Title:
Multiple problems with output of show processes memory
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Certain outputs of "show processes memory" can have incorrect values which may impede troubleshooting memory issues on the ASA platform.

Conditions:
Run "show processes memory"

Workaround:
None

Further Problem Description:
n/a

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4, 9.1
Known Fixed Releases: *
100.11(0.56), 100.12(0.114), 100.13(0.40), 100.13(20.12), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.5), 100.14(11.5), 100.14(2.5)
Alert Type:
Updated *
Bug Id:
CSCus54537
Title:
ASAv requires a reboot for the license to take effect.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASAv shows as Unlicensed even after license is in compliance and entitlement is proper

Conditions:
Instantiate an ASAv with the config on the cdrom.
The Smart Licensing configuration is at the end of the config on the cdrom.
License info in "show license all" is in compliance.
License registration in "show license registration" is complete.
License entitlement in "show license entitlement" is empty.
"show version" shows the license as unlicensed.

Perform a write and reload ASAv.

License is applied and entitlement is shown.

Workaround:
Either re-enter Smart Licensing configuration manually, or copy running-config to startup-config and reload ASAv.

Further Problem Description:
Instantiate an ASAv with the config on the cdrom.
The Smart license and entitlement are part of the config on the cdrom.
License info in "show license all" is in compliance.
License registration in "show license registration" is complete.
License entitlement in "show license entitlement" is empty.
"show version" shows the license as unlicensed.

Perform a write and reload ASAv.

License is applied and entitlement is shown.

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2.200)
Known Fixed Releases: *
100.12(0.112), 100.13(0.27), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.3), 100.14(11.3), 100.14(2.3)
Alert Type:
Updated *
Bug Id:
CSCut35406
Title:
Src url of video track tag not mangled via webvpn
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When loading a URL with video content that has subtitles via WebVPN, the page loads successfully but the src URL of the track tag is not mangled.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(16.1), 9.3(2)
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuu75675
Title:
kenton: For ASA5516, ASAOS should support SSLVPN of 300 instead of 250
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
For the ASA5516, ASAOS supports 250 SSLVPN sessions; based on marketing data, it should increase to 300 sessions.

Conditions:
ASA5516

Workaround:
none

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.13(0.81), 100.14(0.49), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54), 100.15(3.9), 100.15(5.17)
Alert Type:
Updated *
Bug Id:
CSCuu25430
Title:
Object nat rule is not matched
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Object NAT rule is not matched.

Conditions:
Object NAT is configured with the transactional commit model:
object network NAT_X.X.X.X
host X.X.X.X
nat (inside,outside) static Y.Y.Y.Y
ASA runs 9.3.3.
The transactional commit model for the NAT rule engine is enabled: asp rule-engine transactional-commit nat

Workaround:
Downgrade to 9.3.2,
or disable the transactional commit model for the NAT rule engine and reload the ASA:
no asp rule-engine transactional-commit nat

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.15(5.18), 100.15(5.6), 9.1(6), 9.3(3), 9.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.61), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.26), 100.15(2.58), 100.15(3.13)
Alert Type:
Updated *
Bug Id:
CSCut54218
Title:
ASA tunnel-group "password-expire-in-days" not prompting a password change
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The "password-expire-in-days" option of "password-management" is not prompting users for a password change.

Conditions:
Use of AnyConnect remote access and WebVPN with tunnel-group "password-management".

Workaround:
Revert to version 9.3.1

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.21)
Alert Type:
Updated *
Bug Id:
CSCtq90780
Title:
ASA allows removing address pool conf even if it is in use in grp-policy
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Startup config error, or errors when doing "wr standby".

Conditions:
An address pool is configured and in use in a group-policy or tunnel-group.

Workaround:
Remove the pool from where it is being used (group-policy or tunnel-group), then remove it from the running config.

Further Problem Description:

Last Modified:
02-AUG-2015
Known Affected Releases:
8.4
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.88), 100.14(0.67), 100.15(0.21), 100.15(1.37), 100.15(10.4), 100.15(15.2), 100.15(2.75), 100.15(4.23)
Alert Type:
New
Bug Id:
CSCuv68721
Title:
ASA 9.3(3): unable to remove ACE with 'log disable' option
Status:
Other
Severity:
4 Minor
Description:

Symptom:
ASA 9.3(3) ASDM 7.3.3

Unable to remove an ACL after adding it using ASDM with logging set to default and then changing the ACL to logging disabled.

Conditions:
The ACL has to be added using ASDM with logging enabled, then ACL logging needs to be disabled; after that the ACL cannot be removed from the CLI or ASDM, and the following error is given:

"specified access-list does not exist"

Workaround:
Remove the ACL from the CLI without using "log disable" at the end.

Alternatively, change the ACL from logging disabled to logging default in ASDM and remove it from ASDM or the CLI.

Further Problem Description:

Last Modified:
19-AUG-2015
Known Affected Releases:
9.3(3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu60391
Title:
Activation key info printed at bootup on ASAv
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
During initialization an ASAv will attempt to read an activation key from license storage:

Verify the activation-key, it might take a while...
Failed to retrieve permanent activation key.
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

Since the ASAv does not support traditional ASA PAK-based licensing, there is no reason to attempt to retrieve licensing activation keys. The act of retrieving the activation key does not have a negative impact on the operation of the ASAv.

Conditions:
Normal operation.

Workaround:
None.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.4(1.200)
Known Fixed Releases: *
100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53), 100.15(3.8), 100.15(4.12), 100.15(5.15), 100.15(8.3)
Alert Type:
Updated *
Bug Id:
CSCuo05238
Title:
'show activation-key' command does not display the flash key correctly
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
The contents of the flash permanent activation key are not displayed correctly in the output of the 'show activation-key' command.

Conditions:
An ASA with a running permanent activation key that is different from the flash permanent activation key.

Workaround:
None. When the ASA is reloaded, and the flash permanent activation key becomes the running permanent activation key, its contents are displayed correctly.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.8(38.131)
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCto63702
Title:
ASA's ARP table will populate with non-connected subnets
Status:
Fixed
Severity:
4 Minor
Description: *

Symptom:
Currently the Adaptive Security Appliance (ASA) will install broadcast Address Resolution Protocol (ARP) replies into its ARP table for any Internet Protocol (IP) address. Normally only entries in the same subnet as the interface that receives the ARP would be installed into the ARP table.

Conditions:
Any Cisco ASA with default configuration.
Any PIX running 7.x or later.

Workaround:
Limit ARP traffic allowed to reach the ASA.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/3.1:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
7.0
Known Fixed Releases:
100.7(13.14), 100.7(14.1), 100.7(17.5), 100.7(18.1), 100.7(6.42), 100.7(9.40), 100.8(0.10), 100.8(0.14), 100.8(0.31), 100.8(10.10)
Alert Type:
Updated *
Bug Id:
CSCty30899
Title:
fqdn command option is removed when deleting RSA key
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
If both the fqdn and keypair commands are configured in a trustpoint, and the RSA key associated with the trustpoint is removed by crypto key zeroize, the fqdn command's option is unexpectedly removed and remains blank.

Conditions:
Both the fqdn and keypair commands are configured in the trustpoint.

Workaround:
Reconfigure the fqdn command with its option in trustpoint configuration mode.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.2, 8.4
Known Fixed Releases: *
100.13(0.60), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.18), 100.14(26.7), 100.14(3.6), 100.14(4.26)
Alert Type:
Updated *
Bug Id:
CSCus88626
Title:
Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect.
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Radius Acct-Terminate-Cause for an L2TP over IPSec session is incorrect.
The value in the Accounting-Request is always User-Request even if the disconnect reason is session-timeout, idle-timeout, etc.
(Loss of service is covered under defect CSCut69675.)

Conditions:
none

Workaround:
none

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(7.23), 9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.56), 100.13(21.10), 100.14(0.5), 100.14(1.4), 100.14(10.8), 100.14(11.8), 100.14(2.12), 100.14(26.4)
Alert Type:
New
Bug Id:
CSCuv68725
Title:
ASA 9.3(3): unable to remove ACE with 'log disable' option
Status:
Open
Severity:
4 Minor
Description:

Symptom:
ASA 9.3(3) ASDM 7.3.3

Unable to remove an ACL after adding it using ASDM with logging set to default and then changing the ACL to logging disabled.

Conditions:
The ACL has to be added using ASDM with logging enabled, then ACL logging needs to be disabled; after that the ACL cannot be removed from the CLI or ASDM, and the following error is given:

"specified access-list does not exist"

Workaround:
Remove the ACL from the CLI without using "log disable" at the end.

Alternatively, change the ACL from logging disabled to logging default in ASDM and remove it from ASDM or the CLI.

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases:
9.3(3)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv96380
Title:
Failover uptime sync failure
Status:
Open
Severity:
4 Minor
Description:

Symptom:
On ASAs running in failover, the failover uptime does not sync to match on both ASAs.

Conditions:
ASAs in failover with a huge number of contexts in a multi-context setup (108 contexts in my setup).

Workaround:
N/A

Further Problem Description:

Last Modified:
27-AUG-2015
Known Affected Releases:
9.1(4), 9.1(4.5), 9.1(6)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCur42057
Title:
Smart Licensing: License config warning needs message classification
Status:
Open
Severity:
4 Minor
Description:

Symptom:
Incomplete smart licensing config will be reported as an error by ASDM.

Conditions:
User configures only one part of smart licensing. There are two parts: feature tier and throughput. If the user specifies only one and then exits, the message that is displayed will be interpreted as an error by ASDM.

Workaround:
Configure both parts of smart licensing before exiting smart licensing config.

Further Problem Description:
This should be displayed as a warning by ASDM. The code should be modified to prepend "WARNING:" so that ASDM properly displays it as a warning.

Last Modified:
26-AUG-2015
Known Affected Releases:
100.12(6.24)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu07393
Title:
"sysopt traffic detailed-statistics" is removed after ASA reload
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
The ASA command "sysopt traffic detailed-statistics" turns off automatically after a reload.

Conditions:
1. ASA is configured with 'sysopt traffic detailed-statistics'
2. The ASA is reloaded

Workaround:
None

Further Problem Description:

Last Modified:
22-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.12(0.142), 100.13(0.95), 100.14(0.71), 100.15(1.68), 100.15(16.2), 100.15(3.37), 100.15(6.21), 100.15(8.12), 99.1(2.221), 99.1(3.156)
Alert Type:
New
Bug Id:
CSCuv75287
Title:
ASA does not retain NAT-D information from Phase 1
Status:
Other
Severity:
4 Minor
Description:

Symptom:
When Phase 1 is already established by the peer and Phase 2 is initiated by the ASA, the ASA does not check whether NAT detection happened in Phase 1. It invariably brings the tunnel up on IP protocol 50.
The issue is most visibly seen with a Fortigate firewall, as it brings up Phase 1 immediately after configuration.

Conditions:
1. There is a NAT device in between
2. Peer device has initiated Phase 1
3. ASA initiates Phase 2

Workaround:
Change the behaviour on the other firewall: either disable the behaviour where it tries to bring Phase 1 up, or configure it to bring both Phase 1 and Phase 2 up.

Further Problem Description:

Last Modified:
13-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu92238
Title:
No function of Syslog ID 108003 in ASA (SMTP Inspection)
Status: *
Other
Severity:
4 Minor
Description:

Symptom:
ASA does not log syslog ID 108003 for SMTP inspection when the mail address contains '`', '|' or '\0'.

Conditions:
SMTP inspection is enabled.
The email address has an invalid character such as '`', '|' or '\0'.

Workaround:
None at present.

Further Problem Description:

Last Modified:
16-AUG-2015
Known Affected Releases:
8.2(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuj04682
Title:
ping TCP always shows result "?" if destination IP is translated
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
When using the ping tcp feature, if the destination of the ping is translated by the ASA, the response (TCP reset, TCP SYN-ACK, etc.) is not displayed in the ping tcp CLI results. Only a "?" is shown to the user instead of the correct code ("R" or "!").

Example:
ASA5505# ping tcp dmz 192.168.1.2 21 repeat 1 source 14.36.1.1 1234
Type escape sequence to abort.
Sending 1 TCP SYN requests to 1192.168.1.2 port 21
from 14.36.1.1 starting port 1234, timeout is 2 seconds:
?
Success rate is 0 percent (0/1)
ASA5505#

Conditions:
The ping tcp command must be used, and the destination of the TCP ping must be translated by the ASA.

Workaround:
None.

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.12(0.140), 100.13(0.86), 100.13(0.95), 100.14(0.66), 100.15(0.20), 100.15(1.33), 100.15(1.66), 100.15(10.4)
Alert Type:
New
Bug Id:
CSCuv70925
Title:
DOC: crypto ikev1 limit max-in-negotiation-sa in command reference
Status:
Open
Severity:
4 Minor
Description:

Symptom:
"crypto ikev1 limit max-in-negotiation-sa" explanation in the command reference needs to be corrected.

Conditions:
The description appears to come from "crypto ikev2 limit max-in-negotiation-sa", but ikev1 has its own default value, which is different from ikev2.

Workaround:
NA

Further Problem Description:

Last Modified:
19-AUG-2015
Known Affected Releases:
9.1(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuj67043
Title:
SpykerA: CX performance drop from 9.1.1 to 9.1.2/9.1.3 (CSCuj23572)
Status:
Open
Severity: *
4 Minor
Description:

Symptom:
CX performance drop from 9.1.1 (ASA image) to 9.1.2 (ASA image) and 9.1.3 (ASA image)

Conditions:
EMIX throughput performance tests.

Workaround:
None

More Info:
Follow-up from CSCuj23572 (SpykerA: CX performance drop from 9.1.1 to 9.1.2/9.1.3)


Last Modified:
03-AUG-2015
Known Affected Releases:
100.8(60.40), 9.1(3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuc02113
Title:
ISAKMP debugs display incorrect Message ID and length data
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
ISAKMP debugs display the MessageID and Length values incorrectly in the BEFORE ENCRYPTION section when sending a packet.

Conditions:
Cisco ASA running release 7.2.4 or 8.2.5. ISAKMP debugs are enabled at level 255.

Workaround:
Use "capture type isakmp interface "

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
7.2(4), 8.2(5.31)
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.22), 100.14(7.21), 100.15(0.9)
Alert Type:
Updated *
Bug Id:
CSCua66557
Title:
arp permit-nonconnected not indented in help arp in multiple mode
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
The help output for arp in multiple mode has incorrect indentation for the "arp permit-nonconnected" entry.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
8.4(4.2)
Known Fixed Releases: *
100.12(0.144), 100.13(0.96), 100.14(0.71), 100.15(0.24), 100.15(1.77), 100.15(3.45), 99.1(2.229)
Alert Type:
New
Bug Id:
CSCuv90711
Title:
ASA/DOC: syslog 113015/113016/113017 do not have IP address information
Status:
Open
Severity:
5 Cosmetic
Description:

Symptom:
Syslog messages %ASA-6-113015/%ASA-6-113016/%ASA-6-113017 do not contain IP address information.
According to the messages guide ("Cisco ASA Series Syslog Messages"), these messages should contain IP address information.

Conditions:
9.2.1 or later

Workaround:
N/A

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCut06553
Title:
ASA - PBR Debug Output Shows HEX representation of DSCP Value w/o '0x'
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
The ASA policy-based routing debug output shows the hex representation of the DSCP value rather than the decimal value. This causes confusion since it looks like a decimal value because the '0x' prefix is omitted. This is a cosmetic bug to modify the output so that '0x' is printed, making it obvious that the value is a hex representation of the DSCP value.

Conditions:
Using 'debug policy-route' to verify functionality of PBR on an ASA and viewing DSCP values

Workaround:
N/A - this is a cosmetic issue.

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(3.37), 100.15(6.22), 9.4(1.107), 99.1(2.223), 99.1(3.156)
Alert Type:
Updated *
Bug Id:
CSCuv78215
Title:
ASA DHCP relay dropping ACKed INFORM packets
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
The client does not get all of the requested DHCP data from the server through DHCP relay.

Conditions:
Observed on ASA running 8.4.7-23 and later.
ASA is running DHCP relay.
The client does not get all data from the initial DORA process and needs to follow up with an INFORM.
There is no explicit access-list permitting return traffic from the server.

Workaround:
Create a pinhole access-list entry permitting traffic from the server with source port range 67-68 to any.

e.g.

access-list out_in permit udp host Server_IP range 67 68 any

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
8.4(7.23), 9.1(6.6), 9.3(1), 9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCsr53828
Title:
Ability to pass full DHCP option list to client and MAC Address from cli
Status:
Open
Severity:
6 Enhancement
Description: *

Objection to this comment - This is more than an enhancement request. Customers DEPEND on the ability to pass Option 150 for our VPN Phone functionality for remote users. This is a critical issue for our customers and they don't view it as a feature enhancement. This is CORE functionality that should work as part of our UC strategy.

!This is an ENHANCEMENT REQUEST only!

Symptom:
1) The ASA does not pass DHCP options learned from the DHCP server down to the client
2) The ASA does not pass the client's MAC address to the DHCP server

Conditions:
1) All ASA versions are affected for both AnyConnect and IPSec VPN client; for L2TP clients the ASA can pass down DHCP options
2) All ASA versions are affected for AnyConnect, IPSec VPN and L2TP clients

Workaround:
1) Pass the required attributes via group-policy instead
2) None

Further Problem Description:
This is an enhancement request for the following features:

1) Enable the ASA to pass the full set of options learned from DHCP directly to a client
2) Enable the ASA to pass the client's MAC Address to the DHCP server as part of making the DHCP request

Last Modified:
18-AUG-2015
Known Affected Releases:
8.0(3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCud15978
Title:
Allow conditional debugging for webvpn
Status:
Other
Severity:
6 Enhancement
Description: *

Symptom:
This is an enhancement request to allow conditional filtering of webvpn debug messages.

Conditions:
n/a

Workaround:
n/a

Last Modified:
12-AUG-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu35854
Title:
The engine ID goes out of sync during upgrade of the ASA
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
SNMP stops working for an FO pair when doing a zero-downtime upgrade. The engine-ID of the ASAs goes out of sync, causing SNMP to fail.

Conditions:
Zero-downtime upgrade being performed on an ASA FO pair.

Workaround:
None known.

Further Problem Description:

Last Modified:
22-AUG-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.12(0.142), 100.13(0.95), 100.14(0.71), 100.15(1.68), 100.15(16.2), 100.15(3.37), 100.15(6.22), 100.15(8.12), 99.1(2.222), 99.1(3.156)
Alert Type:
Updated *
Bug Id:
CSCui35880
Title:
ENH: Globally add timestamp to debug messages on ASA
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Enhancement: This is a request to add timestamps to all ASA debug messages.

Conditions:
ASA code version 9.1

Workaround:
Configure "logging debug-trace" and "logging timestamp". This diverts the debugs to a syslog server and includes a timestamp in the syslog message.

More Info:

Last Modified:
24-AUG-2015
Known Affected Releases: *
9.1(3.246), 9.3(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv80463
Title:
IPv6 default route not installed w/ Win IKEv2 client connecting to ASA
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
Default IPv6 route via the IKEv2 tunnel is not installed on the client when connecting from the Windows native IKEv2 client to an ASA headend

Conditions:
ASA is configured for full tunneling with an IPv6 pool, and either IPv6 or IPv4 is used as transport for the VPN connection

Workaround:
None

Further Problem Description:

Last Modified:
26-AUG-2015
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtj89313
Title:
BTF issues with Bot stats and dns snoop bindings
Status:
Open
Severity:
6 Enhancement
Description: *

Symptoms:
A bot spoofing its source IP address while talking to its bot master can make any legitimate internal host look like
an infected host caught by the botnet filter. Additionally, the feature might report improper information
under certain conditions.

Conditions:
Cisco ASA configured for Botnet Filtering.

Workaround:
Not available.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 2.6/2.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:P/E:F/RL:W/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtj93072
Title:
BotNet filter might drop all DNS for some ISPs
Status:
Open
Severity:
6 Enhancement
Description: *

Symptoms:
The Cisco ASA botnet filtering feature might cause network instability due to DNS under certain conditions.

Conditions:
Cisco ASA with the botnet filtering feature enabled.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 5.4/4.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:W/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.2
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv19705
Title:
Disable MD5 and 96-bit MAC algorithms in SSH Implementation on ASA
Status: *
Other
Severity:
6 Enhancement
Description:

Symptom:
None

Conditions:
SSH enabled for Management

Workaround:

Further Problem Description:

Last Modified:
27-AUG-2015
Known Affected Releases:
9.2(3.4)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv97083
Title:
ASA ENH - Support in SIP inspection for failover of end voice devices
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
This is an enhancement request to track the implementation of a change in SIP inspection to support "failover" of end VoIP devices.

Conditions:
ASA using SIP inspection

Workaround:

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases:
9.0, 9.1, 9.2, 9.3, 9.4
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCum63371
Title:
ENH: Allow configurable HMAC and encryption algorithms on ASA SSH server
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
The Cisco ASA SSH server is not configurable as to encryption and HMAC algorithms. Since 8.4.4, certain versions are able to use the 'ssh key-exchange group' command to use different key exchange algorithms, but the encryption and HMAC algorithms are still not configurable. Some customers claim that this is causing them to fail security audits.

Conditions:
Normal operation

Workaround:
None

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases: *
9.2(1), 9.2(3.4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCto17848
Title:
RSA BSafe Issues
Status:
Other
Severity:
6 Enhancement
Description: *

Symptoms:
RSA BSafe must be upgraded to address CVE-2006-3894.

Conditions:
Cisco ASA with default configuration.

Workaround:
Upgrade the ASA to version 9.x which has version 6.4 of the BSAFE library and addresses CVE-2006-3894.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2006-3894 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus32313
Title:
IPv4 Route addition and deletion through EIGRP on management interface
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
mgmt traffic using data path route

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.13(27.1), 100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCsd78340
Title:
Syslog 106017 should provide more information about the trigger packet
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
In any instance where the syslog message 106017 is generated, more
detailed information needs to be provided about the packet that caused the message.

Specifically, the syslog should show MAC addresses and the interface name
where the Land Attack was detected.

This especially applies in the following example:

%PIX-2-106017: Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0

In this case, the IP address is all zeros. It would be much easier to troubleshoot for
the customer and TAC if the message included the source and destination MAC
address of the packet. In addition, we should state on what interface of the firewall
device the packet was seen.

The above information would provide enough data to help begin tracking down
the offending host using sniffer traces hop by hop and start at a specific network
segment rather than having to sniff all segments connected to the firewall.

Conditions:
Error Message %PIX|ASA-2-106017: Deny IP due to Land Attack from IP_address to
IP_address

Explanation The Cisco ASA received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.

Recommended Action If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.

See:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/syslog/logmsgs.htm#wp1279850

Workaround:
Without the extra information requested by this enhancement request, the only option is to use
packet sniffers such as Ethereal to sniff each segment of the PIX/ASA/FWSM and locate one of
the offending packets. Then track the packets hop by hop using source MAC addresses until the
offending host is located.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
04-AUG-2015
Known Affected Releases:
7.0, 7.1
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv99871
Title:
ENH: Add Secondary IP address support on ASA
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
This is an enhancement request to allow the Cisco Adaptive Security Appliance to assign multiple IP addresses to a network interface.

Conditions:
n/a

Workaround:
n/a

Further Problem Description:

Last Modified:
29-AUG-2015
Known Affected Releases:
9.2
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus55989
Title:
ASA Failover Etherchannel can cause packet loss due to MAC address flaps
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
When the ASA is used in a failover setup with LACP-enabled EtherChannel interfaces and the secondary unit is active,
MAC address flaps and packet loss can result.

The behavior observed is due to the MAC address of the active unit's lowest interface (e.g. gi0/0) being used for the active port-channel interface of the secondary unit and, at the same time, for LACP hellos
via the lowest interface of the primary unit, which can result in MAC flaps on the switch.

The packet loss is very minimal (fewer than 10 packets), especially when the active unit is egressing traffic over the EtherChannel, so that the connected switches re-learn the MAC address quickly.

Conditions:
1) ASA with Etherchannel and LACP is enabled
2) Failover is enabled.

Workaround:
1) Configure MAC addresses manually (active and standby) for the port-channel on the ASA.
2) Disable LACP and configure the EtherChannel statically.
3) Use a non-EtherChannel interface.

Further Problem Description:
Issue is reproduced in 9.1(3) and 9.3(2).

Last Modified:
29-AUG-2015
Known Affected Releases:
9.1(3), 9.3(2)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw01555
Title:
Packet not reclassified when route switch and one interface ipsec
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
When using an ASA with multiple routes, if one of the interfaces is using crypto and the routes switch, flows that land on the crypto interface will not be reclassified back to the non-crypto interface.

Conditions:
Floating routes, with egress interfaces of which some are crypto-protected and some are not.

Workaround:
none

Further Problem Description:

Last Modified:
29-AUG-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv74549
Title:
ASA: add ability to start/stop capture without disabling it
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Enhancement request to add the ability to stop a capture on the ASA without disabling it.

Conditions:
n/a

Workaround:
n/a

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
9.1(6), 9.5(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCta36873
Title:
BTF: DNS query response with EDNS0 option does not get added to DNSRC
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
When DNS snooping is enabled with the Botnet Traffic Filter feature, it is supposed to watch for DNS
query response packets that come through the ASA and add them to the DNS Reverse Cache
(DNSRC). An issue was found in which, if the DNS query response packet carries an additional Resource
Record (RR) with the EDNS0 option, the ASA passes the DNS query response packet
through BUT does not add it to the DNSRC. As a result, the Botnet Traffic Filter
is unable to flag malicious traffic for the domain names in the A record response.

When this issue is seen, a 'debug dynamic-filter dns-snooping' would print "rr off
end".

Conditions:
DNS snooping is enabled.

Workaround:
None

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2013-5520 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
31-AUG-2015
Known Affected Releases:
8.2
Known Fixed Releases: *
100.14(0.13), 100.14(10.23), 100.14(2.3), 100.14(5.15), 100.14(6.4), 100.14(7.7), 100.15(0.11), 100.15(1.12), 100.15(1.2), 100.15(2.26)
Alert Type:
Updated *
Bug Id:
CSCtx43501
Title:
CPU hog due to snmp polling of ASA memory pool information
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
The ASA provides access to three different memory pools via SNMP.
1) The "System memory" pool (which is a superset of 2 and 3 below)
2) The MEMPOOL_DMA pool
3) The MEMPOOL_GLOBAL_SHARED pool

If the MEMPOOL_GLOBAL_SHARED pool information is queried via SNMP, a CPU hog might occur. The ASA's CPU may be held by the SNMP process for too long before yielding the CPU to other processes. If the data rate is high enough through the ASA, packets might be dropped.

If an ASA is experiencing this problem, it could generate syslogs that look like this:
%ASA-4-711004: Task ran for 374 msec, Process = snmp, PC = 12229dc, Call stack = 0x00000000012229dc 0x000000000122175c 0x000000000121e45a
0x0000000001221247 0x00000000011fba3a 0x00000000011fa1ca
0x00000000004245a5

Also, the output of 'show process cpu-hog' will show entries for SNMP:

Process: snmp, PROC_PC_TOTAL: 9443, MAXHOG: 13, LASTHOG: 12
LASTHOG At: 12:47:00 CST Jan 23 2012
PC: 8c45b98 (suspend)

Process: snmp, NUMHOG: 9443, MAXHOG: 13, LASTHOG: 12
LASTHOG At: 12:47:00 CST Jan 23 2012
PC: 8c45b98 (suspend)
Call stack: 8b6aac3 8b4ae5d 8b49bbc 8063b33

Conditions:
To encounter this problem, memory information for the "Global Shared" pool must be queried via SNMP.

Workaround:
Avoid polling the memory information for the Global Shared pool:

Exclude:
.1.3.6.1.4.1.9.9.48.1.1.1.X.7 - "MEMPOOL_GLOBAL_SHARED"

where X is the integer corresponding to a particular statistic about the pool.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-4664 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.1(2.23), 8.2(3.6), 8.4(2.8), 8.4(3.8), 8.4(4), 9.1(2)
Known Fixed Releases: *
100.12(0.140), 100.12(0.144), 100.12(0.145), 100.13(0.95), 100.13(0.96), 100.14(0.70), 100.14(0.71), 100.15(0.24), 100.15(0.25), 100.15(1.60)
Alert Type:
Updated *
Bug Id:
CSCus19373
Title:
IPv4 connected & Local route addition & deletion at mgmt-only interface
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
mgmt traffic using data path route

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.13(27.1), 100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCus63711
Title:
IPv4 Route addition and deletion through RIP on management interface
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
mgmt traffic using data path route

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.13(27.1), 100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCth96549
Title:
URL Logging Bypass
Status:
Open
Severity:
6 Enhancement
Description: *

Symptoms:
Cisco URL logging may be bypassed in certain scenarios when sending certain HTTP packets.

Conditions:
Cisco ASA configured with the URL Logging feature enabled.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.9:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:C&version=2.0

CVE ID CVE-2011-2049 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus09845
Title:
IPv4 RIB for management-only interface
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
mgmt traffic using data path route

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.13(27.1), 100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCtu27738
Title:
ASA - tunnel group should have a way to specify a trustpoint to be used
Status:
Open
Severity:
6 Enhancement
Description: *

Symptoms:
The ASA is not able to force the use of a specific trustpoint to validate the client certificate. This results in the client certificate being
authenticated by any trustpoint the ASA has in use.

Conditions:
none

Workaround:
none

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
8.4
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCsj50741
Title:
ASA: DHCP relay does not validate the Server Identifier of a reply
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
If multiple DHCP servers are configured, the ASA, when configured as a DHCP relay, forwards all DHCP requests to all of the DHCP servers.

When a client requests an address with a DHCPDISCOVER message, it gets a DHCPOFFER from one server. It then confirms the lease with that server using a DHCPREQUEST message; this message identifies the server that offered the lease with the "Server Identifier" option, and only that server should reply.

The ASA relays the DHCP traffic, but stops at the first ACK, NACK or decline it receives, without validating the Server Identifier.

If a wrong server replies (with its own, wrong Server Identifier), the ASA closes the relay binding, but the client ignores that wrong reply and keeps waiting for the correct one, which the ASA no longer relays because it has already seen an ACK.

Conditions:
- ASA configured as a DHCP relay
- multiple DHCP servers, some of which reply for messages not intended for them.

Workaround:
None. You should configure the DHCP servers to only reply to valid requests.

Further Problem Description:
With 'debug dhcprelay packet 255' and 'debug dhcprelay event 255' enabled, you will see:

DHCPRA: relay binding created for client 0015.5881.0e9c.
DHCPD: setting giaddr to 192.168.1.254.
dhcpd_forward_request: request from 0015.5881.0e9c forwarded to 192.168.1.1.
dhcpd_forward_request: request from 0015.5881.0e9c forwarded to 192.168.1.2.
dhcpd_forward_request: request from 0015.5881.0e9c forwarded to 192.168.1.3.
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: relay binding found for client 0015.5881.0e9c.
DHCPRA: exchange complete - relay binding deleted for client 0015.5881.0e9c.
DHCPD: returned relay binding 192.168.1.254/0015.5881.0e9c to address pool.
DHCPRA: forwarding reply to client 0015.5881.0e9c.
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: dhcp_relay_agent_receiver:can't find binding
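
The failure traced above, as an added Python model (this is not Cisco's code and does not describe how the fixed releases are implemented): a relay that closes the binding on the first ACK is run side by side with one that keeps the binding until a reply's Server Identifier (option 54) matches the one in the client's DHCPREQUEST. The client MAC and the three server addresses are the ones from the debug output; the message exchange is constructed.

```python
from dataclasses import dataclass, field

# DHCP message types and option codes from RFC 2131 / RFC 2132
DHCPREQUEST, DHCPACK, DHCPNAK = 3, 5, 6
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54


@dataclass
class DhcpMsg:
    chaddr: str          # client hardware address, written as the ASA prints it
    options: dict        # option code -> value (only 53 and 54 are modelled)

    @property
    def msg_type(self) -> int:
        return self.options[OPT_MSG_TYPE]


@dataclass
class Relay:
    """Relay agent that fans every client request out to all configured servers."""
    servers: list
    validate_server_id: bool                       # False = behaviour the bug describes
    bindings: dict = field(default_factory=dict)   # chaddr -> Server Identifier the client selected
    delivered: list = field(default_factory=list)  # (server, msg_type) replies passed on to the client
    log: list = field(default_factory=list)

    def from_client(self, msg: DhcpMsg) -> list:
        """Create a binding and return the (server, msg) pairs to forward."""
        wanted = msg.options.get(OPT_SERVER_ID) if msg.msg_type == DHCPREQUEST else None
        self.bindings[msg.chaddr] = wanted
        self.log.append(f"DHCPRA: relay binding created for client {msg.chaddr}.")
        return [(server, msg) for server in self.servers]

    def from_server(self, server: str, msg: DhcpMsg) -> bool:
        """Return True if the reply is relayed to the client."""
        if msg.chaddr not in self.bindings:
            self.log.append("DHCPRA: dhcp_relay_agent_receiver:can't find binding")
            return False
        wanted = self.bindings[msg.chaddr]
        got = msg.options.get(OPT_SERVER_ID)
        if self.validate_server_id and wanted is not None and got != wanted:
            # Hardened behaviour (assumed remediation): a reply from a server the
            # client did not select neither reaches the client nor closes the binding.
            self.log.append(f"DHCPRA: dropping reply from {server}, server id {got} != {wanted}")
            return False
        self.delivered.append((server, msg.msg_type))
        if msg.msg_type in (DHCPACK, DHCPNAK):
            # Buggy and fixed relay alike close the binding on the first ACK/NAK they accept.
            del self.bindings[msg.chaddr]
            self.log.append(f"DHCPRA: exchange complete - relay binding deleted for client {msg.chaddr}.")
        return True


def run_scenario(validate_server_id: bool) -> Relay:
    """Replay a constructed exchange with the three servers from the debug output."""
    client = "0015.5881.0e9c"
    relay = Relay(["192.168.1.1", "192.168.1.2", "192.168.1.3"], validate_server_id)
    # The client already holds an OFFER from 192.168.1.1 and confirms it: the REQUEST
    # carries Server Identifier 192.168.1.1, so only that server should answer.
    relay.from_client(DhcpMsg(client, {OPT_MSG_TYPE: DHCPREQUEST, OPT_SERVER_ID: "192.168.1.1"}))
    # A misbehaving server answers a REQUEST that was not addressed to it.
    relay.from_server("192.168.1.2", DhcpMsg(client, {OPT_MSG_TYPE: DHCPACK, OPT_SERVER_ID: "192.168.1.2"}))
    # The selected server's real ACK arrives afterwards.
    relay.from_server("192.168.1.1", DhcpMsg(client, {OPT_MSG_TYPE: DHCPACK, OPT_SERVER_ID: "192.168.1.1"}))
    return relay


if __name__ == "__main__":
    for validate in (False, True):
        result = run_scenario(validate)
        print(f"validate_server_id={validate}: replies delivered -> {result.delivered}")
        print("\n".join("  " + line for line in result.log))
```

Without validation the client only ever receives the wrong server's ACK and the correct one hits "can't find binding"; with validation the wrong reply is dropped and the correct ACK is relayed.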

Last Modified:
31-AUG-2015
Known Affected Releases:
7.2(2.22)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.45), 100.13(20.12), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.7)
Alert Type:
Updated *
Bug Id:
CSCut15695
Title:
Support for Route redistribution in management routing table in ASA
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
mgmt traffic using data path route

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.14(0.13), 100.14(10.23), 100.14(4.16), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2), 100.15(2.26)
Alert Type:
Updated *
Bug Id:
CSCui69677
Title:
SNMP: ENTITY-SENSOR-MIB returns wrong values for 5585
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Some of the ENTITY-SENSOR-MIB OIDs return wrong values for the 5585. In particular, for the power supply input and sensors, entPhySensorType is returned as truthvalue for all four; for the power supply fan sensor it should be rpm.

Conditions:
Cisco ASA running release 8.4.6.

Workaround:
None.

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases: *
100.11(0.57), 100.12(0.117), 100.13(0.55), 100.13(21.10), 100.14(0.13), 100.14(0.4), 100.14(1.4), 100.14(10.23), 100.14(10.8), 100.14(11.8)
Alert Type:
Updated *
Bug Id:
CSCus07884
Title:
Cli's for management-only interface
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
mgmt traffic using data path route

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.13(27.1), 100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCus67480
Title:
Support for Management routing table in multiple context mode
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
mgmt traffic using data path route

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.13(27.1), 100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCus84509
Title:
Failover support for management routing table in ASA
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
mgmt traffic using data path route

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2), 100.15(2.26)
Alert Type:
Updated *
Bug Id:
CSCus67400
Title:
IPv4 & IPv6 Route add & delete through OSPF on mgmt-only interface
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
mgmt traffic using data path route

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.13(27.1), 100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCus43455
Title:
ASA IPV6 Policy-Based Routing (PBR) support
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
ASA doesn't support IPV6 Policy-Based Routing (PBR)

Conditions:
-

Workaround:
-

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
100.14(4.2), 9.1
Known Fixed Releases: *
100.14(0.13), 100.14(10.23), 100.14(4.1), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2), 100.15(2.26)
Alert Type:
New
Bug Id:
CSCuv10516
Title:
Security alert:Python JSON Module Vulnerability
Status:
Open
Severity:
6 Enhancement
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-4616

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-4616 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
05-AUG-2015
Known Affected Releases:
99.1(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur27817
Title:
Show Tech should include 'show processes cpu-usage sorted non-zero'
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
This is a request to include the output of 'show processes cpu-usage sorted non-zero' in the standard 'show tech' output. This would greatly assist debugging of CPU-related problems when only the output of show tech is provided.

Conditions:

Workaround:

Further Problem Description:
Debugging CPU-related issues on the ASA platform can be daunting; providing useful output such as 'show processes cpu-usage sorted non-zero' helps simplify this process.

Last Modified:
31-AUG-2015
Known Affected Releases:
9.0(4), 9.1(5), 9.2(2), 9.3(2)
Known Fixed Releases: *
100.13(0.23), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(10.2), 100.14(11.2), 100.14(2.2), 100.14(3.1)
Alert Type:
Updated *
Bug Id:
CSCur37349
Title:
ASA does not url-encode certain special characters during POST SSO
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
POST SSO to an external portal page or bookmark may fail to work after an upgrade to ASA 9.x

Conditions:
The user password contains special characters

Workaround:
None

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
9.0(2), 9.1(5)
Known Fixed Releases: *
100.14(0.33), 100.14(5.18), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12), 100.15(5.15), 100.15(8.3)
Alert Type:
Updated *
Bug Id:
CSCuc48104
Title:
ENH:ASA -Allow EKU attribute option under trustpoint for CSR generation
Status:
Open
Severity:
6 Enhancement
Description: *


Symptom:

--No option to add the EKU (Enhanced Key Usage) attribute under a trustpoint on the ASA

Conditions:

--CSR generated on ASA, and trying to include EKU attribute (which is needed for server certificate authentication for Anyconnect 3.0 and 3.1)

Workaround:

--Use an external CA to add these EKU attributes.

Last Modified:
17-AUG-2015
Known Affected Releases:
8.4
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv66916
Title:
ENH: Allow WebVPN customization to disable Floating toolbar without APCF
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
This is an enhancement request to disable floating toolbar from WebVPN portals.

Conditions:
ASA configured as Clientless SSLVPN [WebVPN] Server. We would like to be able to disable the floating toolbar:
highlighted in Red-square: http://i.imgsafe.org/b45cbb9.jpg

Workaround:
Currently, only an APCF file can disable the floating toolbar:

a) Depending on the ASA version, use one of the following APCF files, and save it as notoolbar.xml [or any_name.xml on ASA's flash]

8.4(4)2 and before


1.0

Disable WebVPN toolbar for all sites



*










Post 8.4(4)2


1.0

Disable WebVPN toolbar for all sites



*


s|CSCO_ITB_attach_event();|CSCO_addEvent(window, 'load',CSCO_SSO_check);|







Note: Here, notice that the first script has " *" and the second script has "*". The "*" in this XML indicates that the APCF should be enabled on all sites. If you need to disable the toolbar on a specific site only, define the URI of the site instead of the "*".

Example: if you need to apply the APCF to http://www.intranet.com/some_page/abc.htm, the URI would be "some_page/abc.htm", or "some_page/*" for any page within that folder.

b) Under global WebVPN enable this APCF:

config terminal
webvpn
apcf flash:/notoolbar.xml

c) For this APCF to take effect, one must logoff the WebVPN portal [and the user might need to clear cache on the browser] and re-login

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
9.1(6), 9.5(2)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv57599
Title:
ASA DevPak - Service Resetinbound/resetoutbound option
Status:
Other
Severity:
6 Enhancement
Description:

Symptom:
The ASA allows the user to enable or disable resets for the specified interface; currently this configuration option is not exposed in the ASA device package.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
1.2(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCut50667
Title:
ENH: "debug timestamps" to show datetime format
Status: *
Other
Severity:
6 Enhancement
Description:

Symptom:
"debug timestamps" should show human readable datetime

Conditions:
debugs used

Workaround:
debugs used

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:

Find additional information in Bug Search index.

 

2013 Cisco and/or its affiliates. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks

 
