CVE-2019-12677 - Improper Handling of Exceptional Conditions vulnerability in Cisco Adaptive Security Appliance Software

CVSS 6.5 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Tags: network, low complexity, cisco, CWE-755, nessus

Summary

A vulnerability in the Secure Sockets Layer (SSL) VPN feature of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition that prevents the creation of new SSL/Transport Layer Security (TLS) connections to an affected device. The vulnerability is due to incorrect handling of Base64-encoded strings. An attacker could exploit this vulnerability by opening many SSL VPN sessions to an affected device. The attacker would need to have valid user credentials on the affected device to exploit this vulnerability. A successful exploit could allow the attacker to overwrite a special system memory location, which will eventually result in memory allocation errors for new SSL/TLS sessions to the device, preventing successful establishment of these sessions. A reload of the device is required to recover from this condition. Established SSL/TLS connections to the device and SSL/TLS connections through the device are not affected. Note: Although this vulnerability is in the SSL VPN feature, successful exploitation of this vulnerability would affect all new SSL/TLS sessions to the device, including management sessions.

Vulnerable Configurations

Part         Description  Count
Application  Cisco        20
OS           Cisco        536
Hardware     Cisco        10

Nessus

NASL family: CISCO
NASL id: CISCO-SA-20191002-ASA-SSL-VPN-DOS.NASL
description: A denial of service (DoS) vulnerability exists in Secure Sockets Layer (SSL) VPN feature of Cisco Adaptive Security Appliance (ASA) Software due to incorrect handling of Base64-encoded strings. An unauthenticated, remote attacker can exploit this issue, via opening many SSL VPN sessions to an affected device, to cause a denial of service (DoS) condition that prevents the creation of new SSL/Transport Layer Security (TLS) connections to an affected device. Please see the included Cisco BIDs and Cisco Security Advisory for more information.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 129815
published: 2019-10-11
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/129815
title: Cisco Adaptive Security Appliance Software SSL VPN Denial of Service Vulnerability
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(129815);
  script_version("1.7");
  script_cvs_date("Date: 2019/12/20");

  script_cve_id("CVE-2019-12677");
  script_xref(name:"CISCO-BUG-ID", value:"CSCux45179");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20191002-asa-ssl-vpn-dos");
  script_xref(name:"IAVA", value:"2019-A-0370");

  script_name(english:"Cisco Adaptive Security Appliance Software SSL VPN Denial of Service Vulnerability");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"A denial of service (DoS) vulnerability exists in Secure Sockets Layer (SSL) VPN feature of Cisco Adaptive Security
Appliance (ASA) Software due to incorrect handling of Base64-encoded strings. An unauthenticated, remote attacker can
exploit this issue, via opening many SSL VPN sessions to an affected device, to cause a denial of service (DoS)
condition that prevents the creation of new SSL/Transport Layer Security (TLS) connections to an affected device.

Please see the included Cisco BIDs and Cisco Security Advisory for more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-asa-ssl-vpn-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?74ef3796");
  # http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-72541
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?61c47b6a");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux45179");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCux45179");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12677");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(172);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:adaptive_security_appliance_software");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_keys("Host/Cisco/ASA", "Host/Cisco/show_ver", "Host/Cisco/ASA/model");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

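# Model gate: only the ASA 5500-X models matched by the pattern below are
# evaluated; any other model is audited out as not affected.
asa_model = get_kb_item_or_exit('Host/Cisco/ASA/model');

if (asa_model !~ '^55(06|06W|06H|08|16|12|45|55|15|25)-X') audit(AUDIT_HOST_NOT, 'an affected Cisco ASA product');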

product_info = cisco::get_product_info(name:'Cisco Adaptive Security Appliance (ASA) Software');

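# One entry per release train: the first fixed release (fix_ver) is listed
# against the start of the train (min_ver).
vuln_ranges = [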
  {'min_ver' : '9.1',  'fix_ver' : '9.1.7.4'},
  {'min_ver' : '9.2',  'fix_ver' : '9.2.4.8'},
  {'min_ver' : '9.3',  'fix_ver' : '9.3.3.9'},
  {'min_ver' : '9.4',  'fix_ver' : '9.4.2.7'},
  {'min_ver' : '9.5',  'fix_ver' : '9.5.2.5'},
  {'min_ver' : '9.6',  'fix_ver' : '9.6.2'}
];

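# Apply the 'ssl_vpn' configuration check from cisco_workarounds.inc so the
# result reflects whether the SSL VPN feature is configured on the device.
workarounds = make_list(CISCO_WORKAROUNDS['ssl_vpn']);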
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCux45179',
  'cmds'     , make_list("show running-config")
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);