Vulnerabilities > CVE-2016-1445 - Unspecified vulnerability in Cisco Adaptive Security Appliance Software

047910
CVSS 5.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
low complexity
cisco
nessus

Summary

Cisco Adaptive Security Appliance (ASA) Software 8.2 through 9.4.3.3 allows remote attackers to bypass intended ICMP Echo Reply ACLs via vectors related to subtypes.

Vulnerable Configurations

Part Description Count
Application
Cisco
355
OS
Cisco
11

Nessus

NASL familyCISCO
NASL idCISCO-SA-20160711.NASL
descriptionAccording to its version and configuration, the Cisco Adaptive Security Appliance (ASA) software running on the remote device is version 8.2.x or 9.4.x prior to 9.4(3.3), 9.5.x prior to 9.5(2.10), or 9.6.x prior to 9.6(1.5). It is, therefore, affected by an ACL bypass vulnerability due to a flaw in the implementation of ACL-based filters for ICMP echo requests and the range of ICMP echo request subtypes. An unauthenticated, remote attacker can exploit this, by sending ICMP echo request traffic, to bypass ACL configurations on the affected device, allowing ICMP traffic to pass through that otherwise would be denied. Note that ICMP must be enabled for the device to be affected by this vulnerability.
last seen2020-06-01
modified2020-06-02
plugin id92630
published2016-07-29
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/92630
titleCisco Adaptive Security Appliance ICMP Echo Request ACL Bypass (cisco-sa-20160711-asa)
code
#TRUSTED 2b1228c237110ac00eb377a41bbfc621080ff7fe1e46988c83bf0cd37c6a007bd6e02e7486567e299f467960bbdb133857148438fdcd7dc1f3eac3eaec129f6a1716bffed033489ab190de2f524fdea3f288f74d8636fc72548e07d9d85dc3ff3f828cd3008d0ad55984dea1130ba1e0da6e17be436f3d3caf85444653fb597b6a37940e062eab765ab5a5dd695d0f3d47828f1b2b3126d2bd5d5dccb2a02c7fc69f03367dc37f7f935f00e62f05dbad79672d58bda6e3002b2263c312b2473a793daf8895d6028c1cfe9ed7e5a96533fa2cf0a861f05f35008d98aad101a64e38cef512eb650b19444d4daff71be3d75f870958227fb9dbb2096ce2ca8465052ce749873cab8dddf1e3d418e22f9d05622bb84d5ef2ea9c1fd668e09f71f2d3938a04b2a0a8f59840ceab9702e95d45815bf81f9a4ddf9828d8895c3bad7a6d7634e83a9369c263109191850ce143a4078444d73e948639e22ae52567325d0ec410507ffb8d7ea1a59410b04c2d0d0855506dcf3d620dd53cbf831e283a8bf42467d33c5a1d197f53ca0b8d9bf210b46100259ff6df915980b3749825dd71b8b6693c5323129a31f6272c1983757dec5f910b20ecce71236924fe9fae7dc2437de0656a6647b60602c20950eb1f1164cf1b769cc77f5ed0f7bfcaf695a5e2ac6ba74fbbcfbf23f6f113ac3aac631fe8f7ad3914921d4b8375774215a30d50a4
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(92630);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id("CVE-2016-1445");
  script_bugtraq_id(91693);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuy25163");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160711-asa");

  script_name(english:"Cisco Adaptive Security Appliance ICMP Echo Request ACL Bypass (cisco-sa-20160711-asa)");
  script_summary(english:"Checks the ASA version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its version and configuration, the Cisco Adaptive
Security Appliance (ASA) software running on the remote device is
version 8.2.x or 9.4.x prior to 9.4(3.3), 9.5.x prior to 9.5(2.10),
or 9.6.x prior to 9.6(1.5). It is, therefore, affected by an ACL
bypass vulnerability due to a flaw in the implementation of ACL-based
filters for ICMP echo requests and the range of ICMP echo request
subtypes. An unauthenticated, remote attacker can exploit this, by
sending ICMP echo request traffic, to bypass ACL configurations on the
affected device, allowing ICMP traffic to pass through that otherwise
would be denied.

Note that ICMP must be enabled for the device to be affected by this
vulnerability.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160711-asa
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c4fa89b9");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCuy25163.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

asa   = get_kb_item_or_exit('Host/Cisco/ASA');
model = get_kb_item_or_exit('Host/Cisco/ASA/model');
ver = extract_asa_version(asa);
if (isnull(ver)) audit(AUDIT_FN_FAIL, 'extract_asa_version');
fixed_ver = NULL;

if (ver =~ "^8\.2[^0-9]")
  fixed_ver = "Refer to vendor.";

else if (ver =~ "^9\.4[^0-9]" && check_asa_release(version:ver, patched:"9.4(3.3)"))
  fixed_ver = "9.4(3.3)";

else if (ver =~ "^9\.5[^0-9]" && check_asa_release(version:ver, patched:"9.5(2.10)"))
  fixed_ver = "9.5(2.10)";

else if (ver =~ "^9\.6[^0-9]" && check_asa_release(version:ver, patched:"9.6(1.5)"))
  fixed_ver = "9.6(1.5)";
if (isnull(fixed_ver))
  audit(AUDIT_INST_VER_NOT_VULN, "Cisco ASA software", ver);

flag     = FALSE;
override = FALSE;

if (get_kb_item("Host/local_checks_enabled"))
{
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config_accesslist", "show running-config | include access-list");
  if (check_cisco_result(buf))
  {
    if (preg(multiline:TRUE, pattern:"permit icmp", string:buf)) flag = TRUE;
  }
  else if (cisco_needs_enable(buf)) override = TRUE;
}

if (!flag && !override) audit(AUDIT_HOST_NOT, "affected");

security_report_cisco(
  port     : 0,
  severity : SECURITY_WARNING,
  override : override,
  version  : ver,
  fix      : fixed_ver,
  bug_id   : "CSCuy25163",
  cmds     : make_list("show running-config | include access-list")
);