Cisco ASA Multiple Vulnerabilities (cisco-sa-20130410-asa)

2013-04-11T00:00:00
ID CISCO-SA-20130410-ASA.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

The remote host (Cisco ASA 5500 series or 1000V Cloud Firewall) is missing a security patch and could therefore be affected by the following issues:

  • An unspecified vulnerability in the IKE version 1 implementation. (CVE-2013-1149)

  • An unspecified vulnerability in the URL processing code of the authentication proxy feature. (CVE-2013-1150)

  • An unspecified vulnerability in the implementation of digital certificate validation. (CVE-2013-1151)

  • An unspecified vulnerability in the DNS inspection engine. (CVE-2013-1152)

A remote, unauthenticated attacker could exploit any of these vulnerabilities to cause a device reload.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when `description` is set, the script only declares its
# metadata (IDs, references, report text, scoring, dependencies) and exits
# before any of the check logic further down runs.
if (description)
{
  script_id(65931);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");

  # Identifiers this plugin reports against: four CVEs, four Bugtraq IDs,
  # four Cisco bug IDs and the Cisco advisory name.
  script_cve_id(
    "CVE-2013-1149",
    "CVE-2013-1150",
    "CVE-2013-1151",
    "CVE-2013-1152"
  );
  script_bugtraq_id(59001, 59004, 59005, 59012);
  script_xref(name:"CISCO-BUG-ID", value:"CSCub85692");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuc72408");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuc80080");
  script_xref(name:"CISCO-BUG-ID", value:"CSCud16590");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20130410-asa");

  script_name(english:"Cisco ASA Multiple Vulnerabilities (cisco-sa-20130410-asa)");
  script_summary(english:"Check ASA model and version");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote security device is missing a vendor-supplied security
patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host (Cisco ASA 5500 series or 1000V Cloud Firewall) is
missing a security patch.  It, therefore, could be affected by the
following issues :

  - An unspecified vulnerability in the IKE version 1
    implementation. (CVE-2013-1149)

  - An unspecified vulnerability in the URL processing code
    of the authentication proxy feature. (CVE-2013-1150)

  - An unspecified vulnerability in the implementation to
    validate digital certificates. (CVE-2013-1151)

  - An unspecified vulnerability in the DNS inspection
    engine. (CVE-2013-1152)

A remote, unauthenticated attacker could exploit any of these
vulnerabilities to cause a device reload."
  );
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?999a3389");
  script_set_attribute(
    attribute:"solution",
    value:
"Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20130410-asa."
  );
  # NOTE(review): the CVSS v3 vector rates C:H/I:H/A:H, while the v2 vector
  # (C:N/I:N/A:C) and the description text above describe an availability-only
  # impact (device reload). Confirm which rating is intended; the mismatch
  # changes how the finding is prioritised in v3-based reports.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/04/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/11");

  # Declared as a "local" check in the information-gathering category: the
  # logic below reads KB items and stored command output rather than sending
  # test traffic at the affected services.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # Both KB keys are required before the check logic runs.
  # Presumably ssh_get_info.nasl is what populates them from an authenticated
  # session - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model");
  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

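# Read the ASA banner and model from the KB (both keys are required by this
# plugin) and parse the software version out of the banner. A version that
# cannot be parsed is an audit failure, not a "not vulnerable" result.
asa = get_kb_item_or_exit('Host/Cisco/ASA');
model = get_kb_item_or_exit('Host/Cisco/ASA/model');
ver = extract_asa_version(asa);
if (isnull(ver)) audit(AUDIT_FN_FAIL, 'extract_asa_version');

# Audit out only when the model matches NONE of the covered families.
# The tests must be joined with &&: joined with ||, the condition holds for
# every model string (no value can match all four families at once), so the
# plugin would audit out on every host and never report a finding.
if (
  model !~ '^55[0-9][0-9]' &&
  model != '1000V' &&
  model !~ '^65[0-9][0-9]' &&
  model !~ '^76[0-9][0-9]'
)
  audit(AUDIT_HOST_NOT, 'ASA 5500 6500 7600 or 1000V series');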

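# Perform three configuration checks against stored device output; if any one
# of them shows the relevant feature in use, flag the asset.
#
# NOTE(review): going by the description text, these appear to correspond to
# certificate validation (CVE-2013-1151), the authentication proxy
# (CVE-2013-1150) and DNS inspection (CVE-2013-1152). No command here looks at
# IKEv1 configuration (CVE-2013-1149) - confirm whether that is intentional.

dos_chk = cisco_command_kb_item(
  "Host/Cisco/Config/show_crypto_ca_certificate",
  "show crypto ca certificates"
);

aaa_chk = cisco_command_kb_item(
  "Host/Cisco/Config/aaa_authentication_listener",
  "aaa authentication listener"
);

dns_chk = cisco_command_kb_item(
  "Host/Cisco/Config/service-policy_dns",
  "show service-policy | include dns"
);

flag = 0;

# Each result is inspected only when check_cisco_result() accepts that same
# result. Gating all three behind a single "any result is usable" test lets an
# unusable aaa_chk (for example, error text) satisfy the non-empty test and
# flag the host purely because a different command succeeded.
# check_cisco_result() lives in an include not shown here; this assumes it
# returns true only for usable command output - confirm.
if (
  check_cisco_result(dos_chk) &&
  preg(pattern:"Associated Trustpoints:", multiline:TRUE, string:dos_chk)
)
  flag = 1;

if (check_cisco_result(aaa_chk) && !empty_or_null(aaa_chk))
  flag = 1;

if (
  check_cisco_result(dns_chk) &&
  preg(pattern:"Inspect:", multiline:TRUE, string:dns_chk)
)
  flag = 1;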


# Release trains that have no fixed build of their own: the report tells the
# operator which train to migrate to. These branches fire only when one of the
# configuration checks above set `flag`.
# NOTE(review): the fixed-release comparison that follows does not consult
# `flag`, so the two paths treat configuration evidence differently - confirm
# that this is intended.
if (flag)
{
  migration = NULL;

  if (ver =~ '^7\\.0($|[^0-9])' || ver =~ '^7\\.1($|[^0-9])')
  {
    # 7.0 and 7.1: migrate to 7.2 and upgrade.
    migration = '\n  Fixed release     : migrate to 7.2.x (7.2(5.10) or later)\n';
  }
  else if (ver =~ '^8\\.1($|[^0-9])')
  {
    # 8.1: migrate to 8.2 and upgrade.
    migration = '\n  Fixed release     : migrate to 8.2.x (8.2(5.38) or later)\n';
  }
  else if (ver =~ '^8\\.5($|[^0-9])')
  {
    # 8.5: the recommended fix for CSCud16590 is to migrate to 9.x and upgrade.
    migration = '\n  Fixed release     : migrate to 9.x (9.0(1.2) / 9.1(1.2) or later)\n';
  }

  if (!isnull(migration))
  {
    report = '\n  Installed release : ' + ver + migration;
    security_hole(port:0, extra:report);
    exit(0);
  }
}

# First fixed build for each supported release train. The installed version is
# compared against every entry; per the original author's note, the comparison
# is only made when the major versions match.
# NOTE(review): `flag` is not consulted on this path, so a host on one of these
# trains is reported on version alone - confirm that this is intended.
fixed_releases = make_list(
  '7.2(5.10)', '8.0(5.31)', '8.2(5.38)',
  '8.3(2.37)', '8.4(5.3)', '8.6(1.10)',
  '8.7(1.4)', '9.0(1.2)', '9.1(1.2)'
);

foreach patched_build (fixed_releases)
{
  # Skip trains where the installed release is not reported as older than the fix.
  if (!check_asa_release(version:ver, patched:patched_build)) continue;

  report =
    '\n  Installed release : ' + ver +
    '\n  Fixed release     : ' + patched_build + '\n';
  security_hole(port:0, extra:report);
  exit(0);
}

# No fixed build applied: record the host as not vulnerable at this version.
audit(AUDIT_INST_VER_NOT_VULN, 'ASA', ver);