ID

VAR-200608-0339

CVE

CVE-2006-4312

TITLE

Cisco PIX Firewall Vulnerabilities that prevent authentication in the configuration process

DESCRIPTION

Cisco PIX 500 Series Security Appliances and ASA 5500 Series Adaptive Security Appliances, when running 7.0(x) up to 7.0(5) and 7.1(x) up to 7.1(2.4), and Firewall Services Module (FWSM) 3.1(x) up to 3.1(1.6), causes the EXEC password, local user passwords, and the enable password to be changed to a "non-random value" under certain circumstances, which causes administrators to be locked out and might allow attackers to gain access. Cisco PIX Firewall In the case where the configuration process is incomplete, the software crashes or the password stored in the startup configuration is unintentionally specified by the user when multiple users change the configuration in parallel. There is a vulnerability that changes to the value of.There is a possibility of unauthorized access to the target device using the changed password. Multiple Cisco Firewall appliances are prone to an authentication-bypass vulnerability. The vulnerability occurs because the firmware fails to properly handle certain configuration errors, resulting in unintended password changes to non-random specific passwords. This issue allows remote attackers to gain unauthorized access to the affected network appliances with administrative or local user privileges. These issues are tracked by Cisco Bug IDs CSCse02703 and CSCsd81487. Cisco PIX, ASA, and FWSM are very popular firewall devices that provide firewall services capable of stateful packet filtering and deep packet inspection. There are only two situations that can trigger this software bug: * Software crashes, usually caused by software bugs. Note that not all software crashes lead to the undesirable results described above. * Two or more users make configuration changes simultaneously on the same device. The vulnerability is triggered regardless of the method used to access the device (Command Line Interface [CLI], Adaptive Security Device Manager [ASDM], Firewall Management Center, etc.). Note that when saving the configuration to a stable medium that stores the startup configuration via the write memory or copy running-config startup-config commands, the password in the startup configuration is changed. In normal operation, the password in the startup configuration is not changed without saving the running configuration. If an AAA server (RADIUS or TACACS+) is used for authentication, regardless of whether LOCAL authentication is configured as fallback, only changing the password in the startup configuration when the AAA server is unavailable will cause the above undesirable results. This prevents administrators from being able to log in to the device if authentication is configured to use a password stored in the launch configuration. If a malicious user is able to guess the new password and restarts the device, whether it is an automatic restart caused by a software crash or a manual restart by a network administrator, unauthorized access to the device is possible. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Cisco Firewall Products Unintentional Password Modification SECUNIA ADVISORY ID: SA21616 VERIFY ADVISORY: http://secunia.com/advisories/21616/ CRITICAL: Moderately critical IMPACT: Security Bypass WHERE: >From remote OPERATING SYSTEM: Cisco PIX 7.x http://secunia.com/product/6102/ Cisco Adaptive Security Appliance (ASA) 7.x http://secunia.com/product/6115/ SOFTWARE: Cisco Firewall Services Module (FWSM) 3.x http://secunia.com/product/8614/ Cisco Firewall Services Module (FWSM) 2.x http://secunia.com/product/5088/ Cisco Firewall Services Module (FWSM) 1.x http://secunia.com/product/2273/ DESCRIPTION: A security issue has been reported in various Cisco Firewall products, which may allow malicious people to bypass certain security restrictions. The error may happen during a software crash or multiple users configuring a device at the same time. This may result in users being locked out or lead to unauthorised access to an affected device. SOLUTION: Update to a fixed version (see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: The vendor credits Terje Bless, Helse Nord IKT. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

local

TYPE

Design Error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Terje Bless

SOURCES

LAST UPDATE DATE

2024-08-14T14:47:54.206000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE