CVE-2008-2735 - Improper Input Validation vulnerability in Cisco Adaptive Security Appliance 5500 8.0/8.1

047910
CVSS 7.1 - HIGH
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
cisco
CWE-20

Summary

The HTTP server in Cisco Adaptive Security Appliance (ASA) 5500 devices 8.0 before 8.0(3)15 and 8.1 before 8.1(1)5, when configured as a clientless SSL VPN endpoint, does not properly process URIs, which allows remote attackers to cause a denial of service (device reload) via a URI in a crafted SSL or HTTP packet, aka Bug ID CSCsq19369.

Vulnerable Configurations

Part      Description   Count
Hardware  Cisco         2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web browser that bypasses security zone controls and gains access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone have a lesser level of access to the system and/or are restricted in the types of executable content they are allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attacker's content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and the less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter relates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL xp_cmdshell, or indirectly through injection of data into the database that is later interpreted as shell commands. At some later point, an unscrupulous backend application (which may also be part of the same application's functionality) fetches the injected data stored in the database and uses it as command line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands that are executed on the host.

Seebug

bulletinFamily: exploit
description:

Published: 2008-09-04. Entered by: 启明星辰 (Venustech). BUGTRAQ ID: 30998. CVE ID: CVE-2008-2732, CVE-2008-2733, CVE-2008-2734, CVE-2008-2735, CVE-2008-2736. CNCVE ID: CNCVE-20082732, CNCVE-20082733, CNCVE-20082734, CNCVE-20082735, CNCVE-20082736.

Cisco PIX is a firewall appliance that provides policy enforcement, multi-vector attack protection and secure connectivity services for users and applications; Cisco ASA is a modular platform that provides security and VPN services.

Cisco PIX and Cisco ASA contain multiple security issues. A remote attacker can exploit them to carry out denial-of-service attacks against the service or to obtain sensitive information.

- SIP processing vulnerabilities

Cisco PIX and Cisco ASA devices configured for SIP inspection contain multiple processing errors that can lead to denial of service. All Cisco PIX and Cisco ASA software releases are affected by the SIP processing vulnerabilities; successful exploitation causes the device to reload. SIP inspection is enabled with the inspect sip command. To determine whether a Cisco PIX or Cisco ASA security appliance is configured to inspect SIP traffic, log in to the device and issue the show service-policy | include sip command. If the output contains the text Inspect: sip followed by statistics, the device is affected, for example:

asa#show service-policy | include sip
Inspect: sip, packet 0, drop 0, reset-drop 0
asa#

The Cisco Bug IDs for these vulnerabilities are listed below; the CVE is CVE-2008-2732: CSCsq07867 (registered customers only), CSCsq57091 (registered customers only), CSCsk60581 (registered customers only), CSCsq39315 (registered customers only).

- IPsec client authentication processing vulnerability

Cisco PIX and Cisco ASA devices running software version 7.2, 8.0 or 8.1 and configured to terminate VPN client connections are affected by a vulnerability in the processing of specially crafted authentication data; devices running 7.0 or 7.1 are not affected. Successful exploitation causes the device to reload. The Cisco Bug ID for this vulnerability is CSCso69942 and the CVE is CVE-2008-2733.

- SSL VPN memory leak and URI processing error vulnerabilities

A specially crafted SSL or HTTP packet can cause a denial of service on Cisco ASA devices configured to terminate clientless VPN connections. Successful exploitation causes the device to reload. Devices running clientless SSL VPN on version 7.2, 8.0 or 8.1 are affected; devices running 7.0 and 7.1 are not. Clientless VPN, SSL VPN client and AnyConnect connections are enabled with the webvpn command. The following configuration shows a Cisco ASA configured for clientless VPN; in this case the ASA listens for VPN connections on the default TCP port 443:

http server enable
!
webvpn
 enable outside

Note that with this particular configuration, the enable outside command in the webvpn group configuration means the attack can be carried out from the outside interface. The Cisco Bug IDs for these vulnerabilities are CSCso66472 and CSCsq19369, and the CVEs are CVE-2008-2734 and CVE-2008-2735.

- Clientless VPN information leak

On Cisco ASA devices configured to terminate clientless VPN connections, an attacker can obtain sensitive information such as usernames and passwords. The attacker exploits this by enticing a user to visit a forged web server, reply to an email or interact with some service. Devices running clientless SSL VPN on version 8.0 or 8.1 are affected; devices running 7.0, 7.1 or 7.2 are not. Clientless VPN, SSL VPN client and AnyConnect connections are enabled with the webvpn command. The following configuration shows a Cisco ASA configured for clientless VPN; in this case the ASA listens for VPN connections on the default TCP port 443:

http server enable
!
webvpn
 enable outside

Note that with this particular configuration, the enable outside command in the webvpn group configuration means the attack can be carried out from the outside interface. The Cisco Bug ID for this vulnerability is CSCsq45636 and the CVE is CVE-2008-2736.

Affected versions:
Cisco PIX/ASA 7.2.2, 7.0.4 .3, 7.0.4, 7.0.1 .4, 7.0, 8.1(1)2, 8.1(1)1, 8.1, 8.0(3)9, 8.0(3)10, 8.0(3), 8.0(2)17, 8.0(2), 8.0, 7.2.(2.8), 7.2.(2.7), 7.2.(2.19), 7.2.(2.17), 7.2.(2.16), 7.2(4), 7.2(3)2, 7.2(3)006, 7.2(2.24), 7.2(2.15), 7.2(2.14), 7.2(2.10), 7.2(2), 7.2(1.22), 7.2(1), 7.2, 7.1.(2.49), 7.1.(2.48), 7.1(2.5), 7.1(2.27), 7.1(2)70, 7.1(2), 7.1 (2.55), 7.1, 7.0

Users can refer to the following Cisco security advisory for patch information: http://www.cisco.com/warp/public/707/cisco-amb-20080903-asa.shtml
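The advisory above gives the operator two manual checks (the Inspect: sip line in show service-policy output, and enable outside under webvpn) plus, in the CVE summary, the fixed builds 8.0(3)15 and 8.1(1)5. The following added example, which is not part of the Seebug entry or of any Cisco tool, turns those checks into a small exposure triage script. It assumes you have already captured the CLI output (show version, show service-policy, show running-config) to text; the sample output embedded below is constructed for illustration. For the 7.2 train the page lists the release as affected by CVE-2008-2734/2735 but gives no fixed build, so the script only flags it for follow-up against the vendor advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample CLI captures (illustrative, not taken from a real device).
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 8.0(3)9\n"
SAMPLE_SERVICE_POLICY = "Inspect: sip, packet 0, drop 0, reset-drop 0\n"
SAMPLE_RUNNING_CONFIG = "http server enable\n!\nwebvpn\n enable outside\n"

# First fixed builds for CVE-2008-2735, as stated in the CVE summary on this page.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (8, 0): (8, 0, 3, 15),
    (8, 1): (8, 1, 1, 5),
}

# Matches "Version 8.0(3)9" -> major.minor(maintenance)interim; interim may be absent.
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)(\d*)")


def parse_asa_version(show_version: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse an ASA version string into a comparable tuple, or None if not found."""
    m = VERSION_RE.search(show_version)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def sip_inspection_enabled(service_policy_output: str) -> bool:
    """The advisory's SIP check: an 'Inspect: sip' line means SIP inspection is active."""
    return re.search(r"Inspect:\s+sip\b", service_policy_output) is not None


def webvpn_interfaces(running_config: str) -> List[str]:
    """Return interfaces with 'enable <iface>' inside the webvpn block (clientless SSL VPN)."""
    interfaces: List[str] = []
    in_webvpn = False
    for line in running_config.splitlines():
        if line.strip() and not line.startswith(" "):
            # A top-level line starts a new block; only 'webvpn' opens the block we care about.
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn:
            m = re.match(r"\s+enable\s+(\S+)", line)
            if m:
                interfaces.append(m.group(1))
    return interfaces


def assess_cve_2008_2735(version: Optional[Tuple[int, int, int, int]],
                         webvpn_ifaces: List[str]) -> str:
    """Classify exposure to the clientless SSL VPN URI-handling DoS (CVE-2008-2735)."""
    if version is None:
        return "unknown-version"
    if not webvpn_ifaces:
        return "not-exposed"            # clientless SSL VPN is not enabled on any interface
    train = version[:2]
    if train in FIXED_BUILDS:
        return "vulnerable" if version < FIXED_BUILDS[train] else "fixed"
    if train == (7, 2):
        return "affected-per-advisory"  # listed as affected; page gives no fixed 7.2 build
    if train in ((7, 0), (7, 1)):
        return "not-affected"           # advisory states 7.0 and 7.1 are not affected
    return "outside-advisory-scope"


def assess_device(show_version: str, service_policy: str, running_config: str) -> Dict[str, object]:
    """Combine the page's checks into one triage record for a single device."""
    version = parse_asa_version(show_version)
    ifaces = webvpn_interfaces(running_config)
    return {
        "version": version,
        "sip_inspection": sip_inspection_enabled(service_policy),   # CVE-2008-2732 exposure
        "webvpn_interfaces": ifaces,
        "cve_2008_2735": assess_cve_2008_2735(version, ifaces),
        "webvpn_on_outside": "outside" in ifaces,                    # reachable from the outside interface
    }


if __name__ == "__main__":
    for key, value in assess_device(SAMPLE_SHOW_VERSION, SAMPLE_SERVICE_POLICY,
                                    SAMPLE_RUNNING_CONFIG).items():
        print(f"{key}: {value}")
```

The version tuple comparison works because ASA build strings on this page have the shape major.minor(maintenance)interim, so a missing interim number is treated as 0; a capture from a device whose show version does not match that shape yields "unknown-version" rather than a silently wrong verdict.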
id: SSV:3986
last seen: 2017-11-19
modified: 2008-09-10
published: 2008-09-10
reporter: Root
title: Cisco PIX and Cisco ASA multiple denial of service and information disclosure vulnerabilities