Cisco ASA Multiple Vulnerabilities (cisco-sa-20130410-asa)

2013-04-11T00:00:00
ID CISCO-SA-20130410-ASA.NASL
Type nessus
Reporter Tenable
Modified 2018-07-06T00:00:00

Description

The remote host (Cisco ASA 5500 series or 1000V Cloud Firewall) is missing a security patch and could therefore be affected by the following issues:

  • An unspecified vulnerability in the IKE version 1 implementation. (CVE-2013-1149)

  • An unspecified vulnerability in the URL processing code of the authentication proxy feature. (CVE-2013-1150)

  • An unspecified vulnerability in the digital certificate validation implementation. (CVE-2013-1151)

  • An unspecified vulnerability in the DNS inspection engine. (CVE-2013-1152)

A remote, unauthenticated attacker could exploit any of these vulnerabilities to cause a device reload.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set, the script only declares its
# metadata (ids, cross references, text, scoring, dependencies) and then
# exits via the exit(0) at the end of this block without testing anything.
if (description)
{
  script_id(65931);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/06");

  # Cross references: the four CVEs named in the description text, the
  # Bugtraq ids, the Cisco bug ids and the Cisco advisory id.
  script_cve_id(
    "CVE-2013-1149",
    "CVE-2013-1150",
    "CVE-2013-1151",
    "CVE-2013-1152"
  );
  script_bugtraq_id(59001, 59004, 59005, 59012);
  script_xref(name:"CISCO-BUG-ID", value:"CSCub85692");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuc72408");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuc80080");
  script_xref(name:"CISCO-BUG-ID", value:"CSCud16590");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20130410-asa");

  script_name(english:"Cisco ASA Multiple Vulnerabilities (cisco-sa-20130410-asa)");
  script_summary(english:"Check ASA model and version");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote security device is missing a vendor-supplied security
patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host (Cisco ASA 5500 series or 1000V Cloud Firewall) is
missing a security patch.  It, therefore, could be affected by the
following issues :

  - An unspecified vulnerability in the IKE version 1
    implementation. (CVE-2013-1149)

  - An unspecified vulnerability in the URL processing code
    of the authentication proxy feature. (CVE-2013-1150)

  - An unspecified vulnerability in the implementation to
    validate digital certificates. (CVE-2013-1151)

  - An unspecified vulnerability in the DNS inspection
    engine. (CVE-2013-1152)

A remote, unauthenticated attacker could exploit any of these
vulnerabilities to cause a device reload."
  );
  # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0c7d11a4");
  script_set_attribute(
    attribute:"solution",
    value:
"Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20130410-asa."
  );
  # Scoring.
  # NOTE(review): the v2 vector (C:N/I:N/A:C) and the description text
  # describe an availability-only impact (device reload), but the v3 vector
  # rates C:H/I:H/A:H -- confirm against the advisory before relying on the
  # v3 score for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/04/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/11");

  # Declared as a "local" check in the information-gathering category: the
  # test body works from data already stored in the KB, not from new probes.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # The test body needs both KB keys below; ssh_get_info.nasl is declared as
  # the dependency (presumably the script that stores them -- confirm).
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model");
  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

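# Read the ASA banner and the hardware model from the KB (both keys are
# declared in script_require_keys above), then derive the software version
# from the banner.  A banner that cannot be parsed is audited as a function
# failure instead of being silently treated as "not vulnerable".
asa = get_kb_item_or_exit('Host/Cisco/ASA');
model = get_kb_item_or_exit('Host/Cisco/ASA/model');
ver = extract_asa_version(asa);
if (isnull(ver)) audit(AUDIT_FN_FAIL, 'extract_asa_version');

# Scope check: only the 5500 / 6500 / 7600 series and the 1000V are covered.
# The four tests must be joined with &&.  Joined with ||, the condition is
# true for every model string (a model that matches one family still fails
# the other three tests), so the plugin audited out on every host and never
# reached the version comparison -- a silent false negative on affected
# devices.
if (
  model !~ '^55[0-9][0-9]' &&
  model != '1000V' &&
  model !~ '^65[0-9][0-9]' &&
  model !~ '^76[0-9][0-9]'
)
  audit(AUDIT_HOST_NOT, 'ASA 5500 6500 7600 or 1000V series');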

# Gather three pieces of device output.  flag becomes 1 when at least one of
# them suggests an affected feature is in use: a certificate with associated
# trustpoints, an AAA authentication listener, or DNS inspection.
#
# NOTE(review): none of these commands looks at IKEv1 configuration, so
# exposure to CVE-2013-1149 is not reflected in flag -- confirm this is
# intended.

dos_chk = cisco_command_kb_item("Host/Cisco/Config/show_crypto_ca_certificate", "show crypto ca certificates");
aaa_chk = cisco_command_kb_item("Host/Cisco/Config/aaa_authentication_listener", "aaa authentication listener");
dns_chk = cisco_command_kb_item("Host/Cisco/Config/service-policy_dns", "show service-policy | include dns");

# NOTE(review): the gate below passes as soon as ANY one result is usable,
# after which all three outputs are inspected, and aaa_chk counts as evidence
# merely by being non-empty.  If check_cisco_result() rejects error output
# (presumably -- confirm in cisco_func.inc), an error string in aaa_chk can
# still set flag when another command succeeded.  Pairing each match with its
# own check_cisco_result() call would avoid that false positive.
any_usable = check_cisco_result(dos_chk) || check_cisco_result(aaa_chk) || check_cisco_result(dns_chk);

flag = 0;
if (any_usable)
{
  # Evaluated in the same order, and with the same short-circuiting, as a
  # single || chain.
  if (preg(pattern:"Associated Trustpoints:", multiline:TRUE, string:dos_chk))
    flag = 1;
  else if (!empty_or_null(aaa_chk))
    flag = 1;
  else if (preg(pattern:"Inspect:", multiline:TRUE, string:dns_chk))
    flag = 1;
}


# Release trains for which the advice is to migrate to another train:
#   7.0 / 7.1 -> 7.2.x
#   8.1       -> 8.2.x
#   8.5       -> 9.x   (recommended fix for CSCud16590)
# These are reported only when flag is set.
#
# NOTE(review): flag is consulted only in this block; the fixed-release
# comparison that follows in this script reports on version alone.  With flag
# unset, a 7.0 / 7.1 / 8.1 / 8.5 device falls through to that comparison
# instead -- confirm the asymmetric gating is intended.
if (flag)
{
  fixed_line = NULL;

  # The three patterns are mutually exclusive, so an else-if chain selects
  # the same branch as three independent tests would.
  if (ver =~ '^7\\.0($|[^0-9])' || ver =~ '^7\\.1($|[^0-9])')
    fixed_line = '\n  Fixed release     : migrate to 7.2.x (7.2(5.10) or later)\n';
  else if (ver =~ '^8\\.1($|[^0-9])')
    fixed_line = '\n  Fixed release     : migrate to 8.2.x (8.2(5.38) or later)\n';
  else if (ver =~ '^8\\.5($|[^0-9])')
    fixed_line = '\n  Fixed release     : migrate to 9.x (9.0(1.2) / 9.1(1.2) or later)\n';

  if (!isnull(fixed_line))
  {
    report = '\n  Installed release : ' + ver + fixed_line;
    security_hole(port:0, extra:report);
    exit(0);
  }
}

# Fixed builds, one entry per release train.  The installed version is tested
# against each entry in turn; per the original author's note,
# check_asa_release() only makes the comparison when the major versions match.
# The first entry that marks the installed build as unpatched is reported and
# the script stops there.
fixed_releases = make_list(
  '7.2(5.10)',
  '8.0(5.31)',
  '8.2(5.38)',
  '8.3(2.37)',
  '8.4(5.3)',
  '8.6(1.10)',
  '8.7(1.4)',
  '9.0(1.2)',
  '9.1(1.2)'
);

foreach patched_build (fixed_releases)
{
  # Skip entries that do not flag the installed build.
  if (!check_asa_release(version:ver, patched:patched_build)) continue;

  report = '\n  Installed release : ' + ver;
  report = report + '\n  Fixed release     : ' + patched_build + '\n';
  security_hole(port:0, extra:report);
  exit(0);
}

# No branch above reported the installed build: record it as not vulnerable.
audit(AUDIT_INST_VER_NOT_VULN, 'ASA', ver);