The earlier problem has now been corrected and the ICS-CERT link now takes one to the current multiple vulnerability advisory affecting either the Firewall Service Module (FWSM) Software or the Adaptive Security Appliance (ASA) software for Cisco switches and routers. These vulnerabilities are self-reported vulnerabilities identified during customer support operations.
The FWSM vulnerabilities include:
• Cisco FWSM Command Authorization Vulnerability (CVSS Base Score – 6.8); and
• SQL*Net Inspection Engine Denial of Service Vulnerability (CVSS Base Score – 7.1)
The ASA vulnerabilities include:
• IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability (CVSS Base Score – 7.1);
• SQL*Net Inspection Engine Denial of Service Vulnerability (CVSS Base Score – 7.1);
• Digital Certificate Authentication Bypass Vulnerability (CVSS Base Score – 10.0);
• Remote Access VPN Authentication Bypass Vulnerability (CVSS Base Score – 5.0);
• Digital Certificate HTTP Authentication Bypass Vulnerability (CVSS Base Score – 10.0);
• HTTP Deep Packet Inspection Denial of Service Vulnerability (CVSS Base Score – 7.8);
• DNS Inspection Denial of Service Vulnerability (CVSS Base Score – 7.1);
• AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability (CVSS Base Score – 7.1); and
• Clientless SSL VPN Denial of Service Vulnerability (CVSS Base Score – 7.8)
It is odd that ICS-CERT combines the vulnerabilities for these two separate software packages into the same advisory, especially since Cisco provides two separate advisories (FWSM and ASA).
Also, neither ICS-CERT nor Cisco provides some of the details that we have come to expect from ICS-CERT advisories, CVE links for example. The CVSS base scores for the vulnerabilities are missing from the ICS-CERT document. This makes it more difficult to assess the relative severity of these vulnerabilities.
The Cisco advisories provide much more detail than this unusually brief ICS-CERT advisory. ICS-CERT simply advises that the exploitation of the various vulnerabilities could result in either a denial of service or authentication bypass. Missing is the usual assessment of the skill level necessary to exploit the vulnerabilities or even a statement of whether or not the vulnerabilities are remotely accessible. Furthermore, ICS-CERT fails to mention that Cisco has developed work-arounds for a number of the vulnerabilities.
ICS-CERT does note that Cisco has provided software updates that address the vulnerabilities. Since these are self-reported vulnerabilities, there is no indication of whether or not some outside agency has validated the efficacy of the updates.
BTW: It is interesting to note that ICS-CERT does report the vulnerabilities in these security devices (which are not actually control systems) but fails to report the more numerous Check Point vulnerabilities that I discussed in an earlier blog. Just another hole in the coverage of control system security by ICS-CERT.