Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Cisco SSL/TLS Certificate and SSH Public Key Validation

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Cisco SSL/TLS Certificate and SSH Public Key Validation
Date: 21 Jan 2007 19:53:08 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Cisco SSL/TLS Certificate and SSH Public Key Validation
------------------------------------------------------------------------


SUMMARY

The Cisco Security Monitoring, Analysis and Response System (CS-MARS) and 
the Cisco Adaptive Security Device Manager (ASDM) do not validate the 
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates or 
Secure Shell (SSH) public keys presented by devices they are configured to 
connect to. Malicious users may be able to use this lack of certificate or 
public key validation to impersonate the devices that these affected 
products connect to, which could then be used to obtain sensitive 
information or misreport information.

DETAILS

Affected Products:
 * Cisco Security Monitoring, Analysis and Response System (CS-MARS) 
versions prior to 4.2.3.
  To verify the version of CS-MARS software, log into CS-MARS web 
interface using a web browser and go to the "Help" tab located on the 
top-right corner of the browser window. Then click on the "About" link. 
The CS-MARS version will be displayed in the center of the browser window 
under "CS-MARS Information".

  Alternatively, it is possible to use an SSH connection or a direct 
serial console connection to verify the version of the CS-MARS software by 
logging into the system administration command line interface with the 
pnadmin account and executing the version command:

    shell$ ssh pnadmin@10.0.0.1
    pnadmin@10.0.0.1's password:
    Last login: Mon Jan  8 18:42:45 2007 from 10.0.0.2

      CS MARS - Mitigation and Response System

        ? for list of commands

    [pnadmin]$ version
    4.2.3 (2403)

 * Cisco Adaptive Security Device Manager (ASDM) versions prior to 
5.2(2.54) are affected when the ASDM Launcher (the stand-alone version of 
ASDM) is used.
  If the ASDM Applet is used, i.e. ASDM is launched via a web browser, 
then it is the web browser's responsibility to verify the certificates 
presented by the devices that ASDM connects to. The user can instruct the 
web browser to save devices' root Certificate Authority certificates so a 
warning is generated if something changes (this can be used as a 
workaround - please refer to the Workarounds section for details.)

  To verify the version of ASDM software, launch ASDM and look in the 
"General" tab of the "Device Information" section.

Some Cisco products connect to different devices for configuration or 
monitoring purposes. The actual connection method used varies depending on 
the product, but SSL/TLS and SSH are the most prevalent ones due to their 
use of strong cryptography to ensure the confidentiality and integrity of 
the communication.

Two examples of these products include the Cisco Security Monitoring, 
Analysis and Response System (CS-MARS), a security threat mitigation 
system that talks to devices such as IPS sensors and firewalls, and the 
Cisco Adaptive Security Device Manager (ASDM), which provides management 
and monitoring services for the Cisco ASA 5500 Series Adaptive Security 
Appliances, Cisco PIX 500 Series Security Appliances and the Firewall 
Services Modules for the Cisco Catalyst 6500 Switches and the Cisco 7600 
Series Routers.

When these products connect to their managed devices via SSL/TLS or SSH, 
they do not validate the SSL/TLS certificates or SSH public keys presented 
by these managed devices.

Because the certificates and public keys presented by devices are not 
validated, in the event that a certificate or public key has changed, the 
affected products will not be able to determine whether the device they 
are communicating with is legitimate, or if it is a device impersonating a 
legitimate one.

The following Cisco Bug IDs are being used to track these vulnerabilities 
on the affected products:
 * CS-MARS -  
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsf95930> 
CSCsf95930 ( registered customers only)
 * ASDM -  
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg78595> 
CSCsg78595 ( registered customers only)

Vulnerability Scoring Details:
Cisco is providing scores for the vulnerabilities in this advisory based 
on the Common Vulnerability Scoring System (CVSS).
Cisco will provide a base and temporal score. Customers can then compute 
environmental scores to assist in determining the impact of the 
vulnerability in individual networks.
Cisco PSIRT will set the bias in all cases to normal. Customers are 
encouraged to apply the bias parameter when determining the environmental 
impact of a particular vulnerability.
CVSS is a standards based scoring method that conveys vulnerability 
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding CVSS at 
 <http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html> 
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute the 
environmental impact for individual networks at  
<http://intellishield.cisco.com/security/alertmanager/cvss> 
http://intellishield.cisco.com/security/alertmanager/cvss

Impact:
Successful exploitation of this vulnerability may allow an attacker to 
obtain sensitive information such as login credentials or submit false 
data to the affected Cisco product by impersonating a managed device, thus 
impacting the integrity of the affected Cisco product.

Software Version and Fixes:
When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to determine 
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices 
to be upgraded contain sufficient memory and that current hardware and 
software configurations will continue to be supported properly by the new 
release. If the information is not clear, contact the Cisco Technical 
Assistance Center ("TAC") or your contracted maintenance provider for 
assistance.

This vulnerability is fixed in version 4.2.3 (2403) of the CS-MARS 
software. CS-MARS software can be downloaded from the following location:
 <http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars?psrtdcat20e2> 
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars?psrtdcat20e2

This vulnerability is fixed in version 5.2(2.54) of ASDM. ASDM can be 
downloaded from the following location:
 <http://www.cisco.com/pcgi-bin/tablebuild.pl/asa-interim?psrtdcat20e2> 
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa-interim?psrtdcat20e2

Note: The ASDM versions for the PIX/ASA and the FWSM are different. A 
fixed version of the ASDM software for the FWSM is forthcoming. This 
advisory will be updated when a fixed image for the FWSM version of ASDM 
is available.

Workarounds:
There are no workarounds for this vulnerability in the case of CS-MARS.

In the particular case of ASDM, using the ASDM Applet, i.e. launching ASDM 
via a web browser and not via the stand-alone ASDM Launcher, will 
workaround the vulnerability since the SSL/TLS certificate verification 
will be performed by the web browser, and in the case that the certificate 
has changed, the browser will produce a warning. Note that this requires 
the user to save the root Certificate Authority (CA) certificate as a 
trusted certificate.

While not a workaround for the affected products, as a security best 
practice, you should always configure the devices that the affected 
products connect to so only connections from trusted hosts or networks are 
accepted. The way to configure this varies depending on the device. Please 
refer to the documentation of your managed device for details.

For the full article please visit:
 <http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml> 
http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml


ADDITIONAL INFORMATION

The original article can be found at:
 <http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml> 
http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Cisco SSL/TLS Certificate and SSH Public Key Validation, SecuriTeam <=
Previous by Date:  [NEWS] Sun Microsystems Java GIF File Parsing Memory Corruption (ZDI-07-005), SecuriTeam
Next by Date:  [EXPL] Intel Centrino ipw2200BG Wireless Driver Buffer Overflow (Exploit), SecuriTeam
Previous by Thread:  [NEWS] Sun Microsystems Java GIF File Parsing Memory Corruption (ZDI-07-005), SecuriTeam
Next by Thread:  [EXPL] Intel Centrino ipw2200BG Wireless Driver Buffer Overflow (Exploit), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]