Main Menu

Home
Search
IT News
Xbox & Playstation
Latest Technologies
Video Games
Mobile Computing
Security Alerts
Development
Entertainment
Wi-Fi Networking
Softwares Update
Animation
Small Business
Nintendo Wii & DS

Related Items

Home arrow Security Alerts arrow Cisco SSL/TLS Certificate and SSH Public Key Validation
Cisco SSL/TLS Certificate and SSH Public Key Validation PDF Print E-mail
Monday, 22 January 2007

Summary

The Cisco Security Monitoring, Analysis and Response System (CS-MARS) and the Cisco Adaptive Security Device Manager (ASDM) do not validate the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates or Secure Shell (SSH) public keys presented by devices they are configured to connect to. Malicious users may be able to use this lack of certificate or public key validation to impersonate the devices that these affected products connect to, which could then be used to obtain sensitive information or misreport information. 

Credit:
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml 

 Affected Products:
 * Cisco Security Monitoring, Analysis and Response System (CS-MARS) versions prior to 4.2.3.
  To verify the version of CS-MARS software, log into CS-MARS web interface using a web browser and go to the "Help" tab located on the top-right corner of the browser window. Then click on the "About" link. The CS-MARS version will be displayed in the center of the browser window under "CS-MARS Information".

  Alternatively, it is possible to use an SSH connection or a direct serial console connection to verify the version of the CS-MARS software by logging into the system administration command line interface with the pnadmin account and executing the version command:

    shell$ ssh This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
     This e-mail address is being protected from spam bots, you need JavaScript enabled to view it 's password:
    Last login: Mon Jan 8 18:42:45 2007 from 10.0.0.2

      CS MARS - Mitigation and Response System

        ? for list of commands

    [pnadmin]$ version
    4.2.3 (2403)

 * Cisco Adaptive Security Device Manager (ASDM) versions prior to 5.2(2.54) are affected when the ASDM Launcher (the stand-alone version of ASDM) is used.
  If the ASDM Applet is used, i.e. ASDM is launched via a web browser, then it is the web browser's responsibility to verify the certificates presented by the devices that ASDM connects to. The user can instruct the web browser to save devices' root Certificate Authority certificates so a warning is generated if something changes (this can be used as a workaround - please refer to the Workarounds section for details.)

  To verify the version of ASDM software, launch ASDM and look in the "General" tab of the "Device Information" section.

Some Cisco products connect to different devices for configuration or monitoring purposes. The actual connection method used varies depending on the product, but SSL/TLS and SSH are the most prevalent ones due to their use of strong cryptography to ensure the confidentiality and integrity of the communication.

Two examples of these products include the Cisco Security Monitoring, Analysis and Response System (CS-MARS), a security threat mitigation system that talks to devices such as IPS sensors and firewalls, and the Cisco Adaptive Security Device Manager (ASDM), which provides management and monitoring services for the Cisco ASA 5500 Series Adaptive Security Appliances, Cisco PIX 500 Series Security Appliances and the Firewall Services Modules for the Cisco Catalyst 6500 Switches and the Cisco 7600 Series Routers.

When these products connect to their managed devices via SSL/TLS or SSH, they do not validate the SSL/TLS certificates or SSH public keys presented by these managed devices.

Because the certificates and public keys presented by devices are not validated, in the event that a certificate or public key has changed, the affected products will not be able to determine whether the device they are communicating with is legitimate, or if it is a device impersonating a legitimate one.

The following Cisco Bug IDs are being used to track these vulnerabilities on the affected products:
 * CS-MARS - CSCsf95930 ( registered customers only)
 * ASDM - CSCsg78595 ( registered customers only)

Vulnerability Scoring Details:
Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS).
Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.
CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

Impact:
Successful exploitation of this vulnerability may allow an attacker to obtain sensitive information such as login credentials or submit false data to the affected Cisco product by impersonating a managed device, thus impacting the integrity of the affected Cisco product.

Software Version and Fixes:
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

This vulnerability is fixed in version 4.2.3 (2403) of the CS-MARS software. CS-MARS software can be downloaded from the following location:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars?psrtdcat20e2

This vulnerability is fixed in version 5.2(2.54) of ASDM. ASDM can be downloaded from the following location:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa-interim?psrtdcat20e2

Note: The ASDM versions for the PIX/ASA and the FWSM are different. A fixed version of the ASDM software for the FWSM is forthcoming. This advisory will be updated when a fixed image for the FWSM version of ASDM is available.

Workarounds:
There are no workarounds for this vulnerability in the case of CS-MARS.

In the particular case of ASDM, using the ASDM Applet, i.e. launching ASDM via a web browser and not via the stand-alone ASDM Launcher, will workaround the vulnerability since the SSL/TLS certificate verification will be performed by the web browser, and in the case that the certificate has changed, the browser will produce a warning. Note that this requires the user to save the root Certificate Authority (CA) certificate as a trusted certificate.

While not a workaround for the affected products, as a security best practice, you should always configure the devices that the affected products connect to so only connections from trusted hosts or networks are accepted. The way to configure this varies depending on the device. Please refer to the documentation of your managed device for details.

For the full article please visit:
http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml
 
< Prev   Next >
[ Back ]

Latest Cyber News