Cisco ASA Clientless VPN Information Disclosure and DoS Vulnerability

2015-03-13T00:00:00
ID OPENVAS:1361412562310105985
Type openvas
Reporter This script is Copyright (C) 2015 Greenbone Networks GmbH
Modified 2017-06-29T00:00:00

Description

Cisco ASA Clientless VPN Portal is prone to a Information Disclosure and Denial of Service vulnerability.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_cisco_asa_CSCuq29136.nasl 6486 2017-06-29 09:59:06Z teissa $
#
# Cisco ASA Clientless VPN Information Disclosure and DoS Vulnerability
#
# Authors:
# Christian Kuersteiner <christian.kuersteiner@greenbone.net>
#
# Copyright:
# Copyright (c) 2015 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

CPE = "cpe:/a:cisco:asa";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.105985");
  script_version("$Revision: 6486 $");
  script_tag(name : "last_modification", value : "$Date: 2017-06-29 11:59:06 +0200 (Thu, 29 Jun 2017) $");
  script_tag(name : "creation_date", value : "2015-03-13 13:21:11 +0700 (Fri, 13 Mar 2015)");
  script_tag(name : "cvss_base", value : "8.3");
  script_tag(name : "cvss_base_vector", value : "AV:N/AC:M/Au:N/C:P/I:P/A:C");

  script_tag(name:"qod_type", value:"package");

  script_tag(name:"solution_type", value:"VendorFix");

  script_cve_id("CVE-2014-3392");
  script_bugtraq_id(70306);

  script_name("Cisco ASA Clientless VPN Information Disclosure and DoS Vulnerability");

  script_category(ACT_GATHER_INFO);

  script_copyright("This script is Copyright (C) 2015 Greenbone Networks GmbH");
  script_family("CISCO");
  script_dependencies("gb_cisco_asa_version.nasl", "gb_cisco_asa_version_snmp.nasl");
  script_mandatory_keys("cisco_asa/version");

  script_tag(name : "summary", value : "Cisco ASA Clientless VPN Portal is prone to a Information
Disclosure and Denial of Service vulnerability.");

  script_tag(name : "vuldetect", value : "Checks the version.");

  script_tag(name : "insight", value : "A vulnerability in the Clientless SSL VPN portal feature could
allow an unauthenticated, remote attacker to access random memory locations. Due to this vulnerability,
the attacker may be able to access the information stored in memory and in some cases may be able to corrupt
this portion of memory, which could lead to a reload of the affected system.
The vulnerability is due to insufficient sanitization of user-supplied input.");

  script_tag(name : "impact", value : "An authenticated, remote attacker could exploit this vulnerability by
setting random values on parameters passed during access to the Clientless SSL VPN portal. A successful exploit
could allow the attacker to access sensitive information in memory. In some cases, the attacker could corrupt
a portion of memory that could cause the targeted device to reload abnormally. Repeated exploitation could lead
to a sustained DoS condition for legitimate users.");

  script_tag(name : "affected", value : "Version 8.2, 8.3, 8.4, 8.6, 9.0, 9.1, 9.2 and 9.3");

  script_tag(name : "solution", value : "Apply the appropriate updates from Cisco.");

  script_xref(name : "URL", value : "http://tools.cisco.com/security/center/viewAlert.x?alertId=35916");

  exit(0);
}

include("host_details.inc");
include("revisions-lib.inc");

if( ! version = get_app_version( cpe:CPE, nofork: TRUE ) ) exit( 0 );
compver = ereg_replace(string:version, pattern:"\(([0-9.]+)\)", replace:".\1");

if ((revcomp(a:compver, b:"8.2.5.51") < 0) &&
    (revcomp(a:compver, b:"8.2") >= 0)) {
  report = 'Installed Version: ' + version + '\n' +
           'Fixed Version:     8.2(5.51)\n';
  security_message(port: 0, data:report);
  exit(0);
}

if ((revcomp(a:compver, b:"8.3.2.42") < 0) &&
    (revcomp(a:compver, b:"8.3") >= 0)) {
  report = 'Installed Version: ' + version + '\n' +
           'Fixed Version:     8.3(2.42)\n';
  security_message(port: 0, data:report);
  exit(0);
}
 
if ((revcomp(a:compver, b:"8.4.7.23") < 0) &&
    (revcomp(a:compver, b:"8.4") >= 0)) {
  report = 'Installed Version: ' + version + '\n' +
           'Fixed Version:     8.4(7.23)\n';
  security_message(port: 0, data:report);
  exit(0);
}

if ((revcomp(a:compver, b:"8.6.1.15") < 0) &&
    (revcomp(a:compver, b:"8.6") >= 0)) {
  report = 'Installed Version: ' + version + '\n' +
           'Fixed Version:     8.6(1.15)\n';
  security_message(port: 0, data:report);
  exit(0);
}

if ((revcomp(a:compver, b:"9.0.4.24") < 0) &&
    (revcomp(a:compver, b:"9.0") >= 0)) {
  report = 'Installed Version: ' + version + '\n' +
           'Fixed Version:     9.0(4.24)\n';
  security_message(port: 0, data:report);
  exit(0);
}

if ((revcomp(a:compver, b:"9.1.5.12") < 0) &&
    (revcomp(a:compver, b:"9.1") >= 0)) {
  report = 'Installed Version: ' + version + '\n' +
           'Fixed Version:     9.1(5.12)\n';
  security_message(port: 0, data:report);
  exit(0);
}

if ((revcomp(a:compver, b:"9.2.2.8") < 0) &&
    (revcomp(a:compver, b:"9.2") >= 0)) {
  report = 'Installed Version: ' + version + '\n' +
           'Fixed Version:     9.2(2.8)\n';
  security_message(port: 0, data:report);
  exit(0);
}

if ((revcomp(a:compver, b:"9.3.1.1") < 0) &&
    (revcomp(a:compver, b:"9.3") >= 0)) {
  report = 'Installed Version: ' + version + '\n' +
           'Fixed Version:     9.3(1.1)\n';
  security_message(port: 0, data:report);
  exit(0);
}

exit(0);