Cisco Adaptive Security Appliance Non-DCERPC Traffic Bypass Vulnerability

A vulnerability in the Distributed Computing Environment/Remote Procedure Calls (DCERPC) Inspection feature of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to send traffic that is not DCERPC between hosts configured only for DCERPC inspection. The DCERPC traffic should be allowed only on TCP port 135.

The vulnerability is due to an internal access control list (ACL), which is used to allow DCERPC traffic but is incorrectly programmed to allow all traffic types and not restricted to DCERPC TCP port 135. An attacker could exploit this vulnerability by sending non-DCERPC traffic between hosts configured for DCERPC inspection that would normally be dropped. An exploit could allow the attacker to access hosts that should normally be restricted through the ASA.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160111-asa[“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160111-asa”]