Cisco ASA SSL VPN Memory Blocks Exhaustion DoS (CSCuq68888)

2014-12-08T00:00:00
ID CISCO-SN-CVE-2014-3407-ASA.NASL
Type nessus
Reporter Tenable
Modified 2017-05-16T00:00:00

Description

According to its banner, the version of the Cisco ASA software on the remote device is affected by a vulnerability in the SSL VPN feature, caused by improper allocation of memory blocks when processing crafted HTTP packets. A remote, unauthenticated attacker can exploit this issue by sending specially crafted HTTP requests that exhaust memory, causing a denial of service.

                                        
                                            #TRUSTED 9c2846e4f370eb03ca3c15e7efd77ad0e4d0f4d825677d460f401a3342b55607ba744bb96c2c2e4d4fcd4043736bbfaab91fbbbaf4f2d01c1d1debba4390f8c8a0fc04956c187bf442e7bff7bd6486642519f93b9be798e99e6fa078ef15e1571f7c9a29c547aeca46f14e3d1f83b24c82c66b7fcbf5f419b5eb69081d513adcb78d496f3d54b5ba8c95bde10cafa2b05e88c922c4387748c02ccf84312521820ab5fe3c92709dcd8e6b09cafd37548667bc3ec5737592bc2051dc288758f8704a69250f7c5efdf6c7322d3af9f9e21817a0ab0a8d143eab5fffdba8569430f6d7368f9c796b1f4bf6a5a9aa309e7d72b34fa188e08e0c00e9e5729e25b3a07e7467d0d187a38af899db9b821c05ce4680614b3f71c4f035a64834e9aa4def065f71ae89bcc62638cf58dd3cef6d77da92a1d276edfb77f8a3d252228451f32dc0a2a060827f184419a5925693d7b6990b62bc5eb04a2db6595fda90448d5d90fc2ac7e5ea9cf631bc5d4ecc2ae5784d176b88b13dcb118ed55888dd683d6c363fcde3e86944d382f01d888b2a12633a7a69fa034e7c1c9879d62e630ecd4d14405f26364179cecc0373c4511301e2e189a808dbbb951f6b8ebe13876c10fd9abdeb9c4d305da297714c9c4849bcabc64c9eee83c795b428bc77bb83b2dcc2345bb3dde2bc916afce1355de0b3e0dbee1fdcbf2361ee43e9b251eb37ad85e244
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set, the script only declares its
# metadata and then exits, so none of the detection logic below this block runs.
if (description)
{
  script_id(79803);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2017/05/16");

  # Cross-references that tie this check to the vulnerability databases and to
  # the Cisco bug ID named in the plugin title.
  script_cve_id("CVE-2014-3407");
  script_bugtraq_id(71317);
  script_osvdb_id(115107);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuq68888");

  script_name(english:"Cisco ASA SSL VPN Memory Blocks Exhaustion DoS (CSCuq68888)");
  # The summary states the detection method: a version comparison, not a probe
  # of the SSL VPN service itself.
  script_summary(english:"Checks the ASA version.");

  script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of the Cisco ASA software on the
remote device is affected by a vulnerability in the SSL VPN feature
due to improper implementation of memory blocks allocation when
processing crafted HTTP packets. A remote, unauthenticated attacker
can exploit this issue by sending specially crafted HTTP requests
designed to exhaust memory to cause a denial of service.");
  # http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3407
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5aa44457");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=36542");
  script_set_attribute(attribute:"solution", value:"Apply the relevant patch referenced in the vendor advisory.");
  # CVSS v2 base vector: network-reachable, low access complexity, no
  # authentication, availability impact only (partial) - i.e. a pure DoS.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  # Temporal vector: exploitability not defined, official fix available,
  # report confidence confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local" plugin type: the check works from data gathered on the device
  # (version string, running config) rather than from a remote probe.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/11/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/08");

  script_end_attributes();

  # ACT_GATHER_INFO: an information-gathering check; nothing in this script
  # sends the crafted HTTP requests described above.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.");
  script_family(english:"CISCO");

  # The plugin only runs when the Host/Cisco/ASA KB key exists; presumably it
  # is populated by ssh_get_info.nasl, the declared dependency - confirm.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Cisco/ASA");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Read the ASA identification string from the KB (the script exits if the key
# is missing) and reduce it to a version; a NULL result is audited as a
# failure of extract_asa_version rather than treated as "not vulnerable".
asa = get_kb_item_or_exit('Host/Cisco/ASA');
ver = extract_asa_version(asa);
if (isnull(ver)) audit(AUDIT_FN_FAIL, 'extract_asa_version');

# Stays NULL unless the installed version is both on the affected list and
# below the fixed release for its train.
fixed_ver = NULL;

# Affected version list from advisory
# NOTE(review): this is an exact-match list. An interim build that is not
# enumerated here is audited out as "not vulnerable" even if it sits between
# two listed releases, so a clean result is only as complete as this list.
# NOTE(review): 9.2.3 and 9.3.2 are listed, but the fixed releases checked
# further down are 9.2(2.100) and 9.3(1.99). If check_asa_release() (defined
# elsewhere) returns TRUE only for versions older than `patched`, those two
# entries can never set fixed_ver - confirm against the vendor advisory.
versions = make_list(
  # 8.4 train
  "8.4.1", "8.4.1.3", "8.4.1.11",
  "8.4.2", "8.4.2.1", "8.4.2.8",
  "8.4.3", "8.4.3.8", "8.4.3.9",
  "8.4.4", "8.4.4.1", "8.4.4.3", "8.4.4.5", "8.4.4.9",
  "8.4.5", "8.4.5.6",
  "8.4.6",
  "8.4.7", "8.4.7.3", "8.4.7.15", "8.4.7.22", "8.4.7.23",
  # 8.6 train
  "8.6.1", "8.6.1.1", "8.6.1.2", "8.6.1.5",
  "8.6.1.10", "8.6.1.12", "8.6.1.13", "8.6.1.14",
  # 9.0 train
  "9.0.1",
  "9.0.2", "9.0.2.10",
  "9.0.3", "9.0.3.6", "9.0.3.8",
  "9.0.4", "9.0.4.1", "9.0.4.5", "9.0.4.7", "9.0.4.17", "9.0.4.20", "9.0.4.24",
  # 9.1 train
  "9.1.1", "9.1.1.4",
  "9.1.2", "9.1.2.8",
  "9.1.3", "9.1.3.2",
  "9.1.4", "9.1.4.5",
  "9.1.5", "9.1.5.10", "9.1.5.12",
  # 9.2 train
  "9.2.1",
  "9.2.2", "9.2.2.4", "9.2.2.7",
  "9.2.3",
  # 9.3 train
  "9.3.1", "9.3.1.1",
  "9.3.2"
);

# Step 1: is the installed version one of the enumerated affected releases?
affected = FALSE;
foreach version (versions)
{
  if (cisco_gen_ver_compare(a:ver, b:version) == 0)
  {
    affected = TRUE;
    break;
  }
}

# Step 2: for a listed version, pick the fixed release of its train. The 8.x
# trains carry no fixed release here, so the report points to the vendor.
if (affected)
{
  if (ver =~ "^8\.")
    fixed_ver = "Refer to the vendor.";
  else if (ver =~ "^9\.0[^0-9]" && check_asa_release(version:ver, patched:"9.0(4.25)"))
    fixed_ver = "9.0(4.25)";
  else if (ver =~ "^9\.1[^0-9]" && check_asa_release(version:ver, patched:"9.1(5.15)"))
    fixed_ver = "9.1(5.15)";
  else if (ver =~ "^9\.2[^0-9]" && check_asa_release(version:ver, patched:"9.2(2.100)"))
    fixed_ver = "9.2(2.100)";
  else if (ver =~ "^9\.3[^0-9]" && check_asa_release(version:ver, patched:"9.3(1.99)"))
    fixed_ver = "9.3(1.99)";
}

# No fixed release selected: the installed version is audited as not vulnerable.
if (isnull(fixed_ver))
  audit(AUDIT_INST_VER_NOT_VULN, "Cisco ASA software", ver);

# A matching version is not sufficient: the issue is in the SSL VPN feature,
# so the finding is only raised when the webvpn configuration shows it in use
# (flag) or when the configuration could not be read for lack of enable
# privileges (override).
flag     = FALSE;
override = FALSE;

# Check if SSL VPN is configured
# NOTE(review): when Host/local_checks_enabled is not set, neither flag nor
# override can become TRUE and the host is audited as "not affected" below
# without the configuration ever being inspected. Treat that result as
# "not verified", not as evidence that SSL VPN is off.
if (get_kb_item("Host/local_checks_enabled"))
{
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config_webvpn", "show running-config webvpn");
  if (!check_cisco_result(buf))
  {
    # Command output unusable; record whether the cause is missing enable rights.
    if (cisco_needs_enable(buf)) override = TRUE;
  }
  # NOTE(review): the pattern is the bare, unanchored word "enable", so any
  # line of the webvpn configuration that contains it sets the flag. This
  # errs toward reporting; verify the interface-level setting on the device
  # before acting on a finding.
  else if (preg(multiline:TRUE, pattern:"enable", string:buf)) flag = TRUE;
}

if (!(flag || override)) audit(AUDIT_HOST_NOT, "affected");

# Raise the finding (warning severity, reported against port 0). The caveat
# from cisco_caveat(override) is always attached - presumably it tells the
# reader when the configuration could not be checked; confirm in
# cisco_func.inc. The installed/fixed version lines are added only when
# report verbosity is above zero.
report = cisco_caveat(override);
if (report_verbosity > 0)
{
  report =
    '\n  Installed version : ' + ver +
    '\n  Fixed version     : ' + fixed_ver +
    '\n' + report;
}
security_warning(port:0, extra:report);