From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 21 Jan 2007 19:53:08 +0200
Subject: [NEWS] Cisco SSL/TLS Certificate and SSH Public Key Validation
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070121174005.04EA85935@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco SSL/TLS Certificate and SSH Public Key Validation
------------------------------------------------------------------------
SUMMARY
The Cisco Security Monitoring, Analysis and Response System (CS-MARS) and
the Cisco Adaptive Security Device Manager (ASDM) do not validate the
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates or
Secure Shell (SSH) public keys presented by devices they are configured to
connect to. Malicious users may be able to use this lack of certificate or
public key validation to impersonate the devices that these affected
products connect to, which could then be used to obtain sensitive
information or misreport information.
DETAILS
Affected Products:
* Cisco Security Monitoring, Analysis and Response System (CS-MARS)
versions prior to 4.2.3.
To verify the version of CS-MARS software, log into CS-MARS web
interface using a web browser and go to the "Help" tab located on the
top-right corner of the browser window. Then click on the "About" link.
The CS-MARS version will be displayed in the center of the browser window
under "CS-MARS Information".
Alternatively, it is possible to use an SSH connection or a direct
serial console connection to verify the version of the CS-MARS software by
logging into the system administration command line interface with the
pnadmin account and executing the version command:
shell$ ssh pnadmin@10.0.0.1
pnadmin@10.0.0.1's password:
Last login: Mon Jan 8 18:42:45 2007 from 10.0.0.2
CS MARS - Mitigation and Response System
? for list of commands
[pnadmin]$ version
4.2.3 (2403)
* Cisco Adaptive Security Device Manager (ASDM) versions prior to
5.2(2.54) are affected when the ASDM Launcher (the stand-alone version of
ASDM) is used.
If the ASDM Applet is used, i.e. ASDM is launched via a web browser,
then it is the web browser's responsibility to verify the certificates
presented by the devices that ASDM connects to. The user can instruct the
web browser to save devices' root Certificate Authority certificates so a
warning is generated if something changes (this can be used as a
workaround - please refer to the Workarounds section for details.)
To verify the version of ASDM software, launch ASDM and look in the
"General" tab of the "Device Information" section.
Some Cisco products connect to different devices for configuration or
monitoring purposes. The actual connection method used varies depending on
the product, but SSL/TLS and SSH are the most prevalent ones due to their
use of strong cryptography to ensure the confidentiality and integrity of
the communication.
Two examples of these products include the Cisco Security Monitoring,
Analysis and Response System (CS-MARS), a security threat mitigation
system that talks to devices such as IPS sensors and firewalls, and the
Cisco Adaptive Security Device Manager (ASDM), which provides management
and monitoring services for the Cisco ASA 5500 Series Adaptive Security
Appliances, Cisco PIX 500 Series Security Appliances and the Firewall
Services Modules for the Cisco Catalyst 6500 Switches and the Cisco 7600
Series Routers.
When these products connect to their managed devices via SSL/TLS or SSH,
they do not validate the SSL/TLS certificates or SSH public keys presented
by these managed devices.
Because the certificates and public keys presented by devices are not
validated, in the event that a certificate or public key has changed, the
affected products will not be able to determine whether the device they
are communicating with is legitimate, or if it is a device impersonating a
legitimate one.
The following Cisco Bug IDs are being used to track these vulnerabilities
on the affected products:
* CS-MARS -
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsf95930>;
CSCsf95930 ( registered customers only)
* ASDM -
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg78595>;
CSCsg78595 ( registered customers only)
Vulnerability Scoring Details:
Cisco is providing scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS).
Cisco will provide a base and temporal score. Customers can then compute
environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco PSIRT will set the bias in all cases to normal. Customers are
encouraged to apply the bias parameter when determining the environmental
impact of a particular vulnerability.
CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
<http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html>;
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
<http://intellishield.cisco.com/security/alertmanager/cvss>;
http://intellishield.cisco.com/security/alertmanager/cvss
Impact:
Successful exploitation of this vulnerability may allow an attacker to
obtain sensitive information such as login credentials or submit false
data to the affected Cisco product by impersonating a managed device, thus
impacting the integrity of the affected Cisco product.
Software Version and Fixes:
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") or your contracted maintenance provider for
assistance.
This vulnerability is fixed in version 4.2.3 (2403) of the CS-MARS
software. CS-MARS software can be downloaded from the following location:
<http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars?psrtdcat20e2>;
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars?psrtdcat20e2
This vulnerability is fixed in version 5.2(2.54) of ASDM. ASDM can be
downloaded from the following location:
<http://www.cisco.com/pcgi-bin/tablebuild.pl/asa-interim?psrtdcat20e2>;
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa-interim?psrtdcat20e2
Note: The ASDM versions for the PIX/ASA and the FWSM are different. A
fixed version of the ASDM software for the FWSM is forthcoming. This
advisory will be updated when a fixed image for the FWSM version of ASDM
is available.
Workarounds:
There are no workarounds for this vulnerability in the case of CS-MARS.
In the particular case of ASDM, using the ASDM Applet, i.e. launching ASDM
via a web browser and not via the stand-alone ASDM Launcher, will
workaround the vulnerability since the SSL/TLS certificate verification
will be performed by the web browser, and in the case that the certificate
has changed, the browser will produce a warning. Note that this requires
the user to save the root Certificate Authority (CA) certificate as a
trusted certificate.
While not a workaround for the affected products, as a security best
practice, you should always configure the devices that the affected
products connect to so only connections from trusted hosts or networks are
accepted. The way to configure this varies depending on the device. Please
refer to the documentation of your managed device for details.
For the full article please visit:
<http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml>;
http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml>;
http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
