CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS
Percentile
62.0%
According to its banner, the version of the Cisco ASA software on the remote device is affected by a vulnerability in the SSL VPN feature caused by improper allocation of memory blocks when processing crafted HTTP packets. A remote, unauthenticated attacker can exploit this issue by sending specially crafted HTTP requests that exhaust memory, resulting in a denial of service.
#TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration stanza. When the engine loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# host data is read.
if (description)
{
  # Plugin identity and revision tracking.
  script_id(79803);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");

  # Cross-references: CVE, Bugtraq ID and the Cisco bug ID for this issue.
  script_cve_id("CVE-2014-3407");
  script_bugtraq_id(71317);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuq68888");

  script_name(english:"Cisco ASA SSL VPN Memory Blocks Exhaustion DoS (CSCuq68888)");
  script_summary(english:"Checks the ASA version.");

  # Text shown to the analyst. The description says the finding is based on
  # the reported version; the check body additionally looks at the webvpn
  # configuration when local checks are enabled.
  script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of the Cisco ASA software on the
remote device is affected by a vulnerability in the SSL VPN feature
due to improper implementation of memory blocks allocation when
processing crafted HTTP packets. A remote, unauthenticated attacker
can exploit this issue by sending specially crafted HTTP requests
designed to exhaust memory to cause a denial of service.");

  # The shortened nessus.org link below points at:
  # https://tools.cisco.com/security/center/viewAlert.x?alertId=36542
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c8e2a24c");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=36542");
  script_set_attribute(attribute:"solution", value:"Apply the relevant patch referenced in the vendor advisory.");

  # CVSS v2 scoring: network-reachable, low complexity, no authentication,
  # availability impact only. The temporal vector records an unproven
  # exploit (E:U), an official fix (RL:OF) and a confirmed report (RC:C),
  # which agrees with the two exploit attributes that follow.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Classification and timeline.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");
  script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/11/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/08");
  script_end_attributes();

  # Scheduling: an information-gathering check in the CISCO family.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
  script_family(english:"CISCO");

  # Runs after ssh_get_info.nasl and only when the Host/Cisco/ASA KB key
  # exists (presumably set by that dependency - confirm).
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Cisco/ASA");

  exit(0);
}
include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");
# Stays NULL unless the installed release is matched against the affected
# list further down; a NULL value later means "not vulnerable".
fixed_ver = NULL;

# Read the ASA identification string from the KB (the script exits here if
# the key is absent) and reduce it to a version string.
asa = get_kb_item_or_exit('Host/Cisco/ASA');
ver = extract_asa_version(asa);

# A NULL version means the helper could not parse the KB value; report that
# as a function failure rather than as "not vulnerable".
if (isnull(ver))
{
  audit(AUDIT_FN_FAIL, 'extract_asa_version');
}
# Affected version list from advisory, one row group per release train
# (8.4, 8.6, 9.0, 9.1, 9.2, 9.3). The order of the entries is unchanged.
#
# The matching loop below accepts the installed release only when
# cisco_gen_ver_compare() returns 0 for one of these entries, so a build
# that is not enumerated here is audited as not vulnerable.
# NOTE(review): interim builds missing from the advisory's list would
# therefore be missed - confirm the list is complete for the fleet scanned.
versions = make_list(
  "8.4.1", "8.4.1.3", "8.4.1.11",
  "8.4.2", "8.4.2.1", "8.4.2.8",
  "8.4.3", "8.4.3.8", "8.4.3.9",
  "8.4.4", "8.4.4.1", "8.4.4.3", "8.4.4.5", "8.4.4.9",
  "8.4.5", "8.4.5.6",
  "8.4.6",
  "8.4.7", "8.4.7.3", "8.4.7.15", "8.4.7.22", "8.4.7.23",

  "8.6.1", "8.6.1.1", "8.6.1.2", "8.6.1.5",
  "8.6.1.10", "8.6.1.12", "8.6.1.13", "8.6.1.14",

  "9.0.1",
  "9.0.2", "9.0.2.10",
  "9.0.3", "9.0.3.6", "9.0.3.8",
  "9.0.4", "9.0.4.1", "9.0.4.5", "9.0.4.7",
  "9.0.4.17", "9.0.4.20", "9.0.4.24",

  "9.1.1", "9.1.1.4",
  "9.1.2", "9.1.2.8",
  "9.1.3", "9.1.3.2",
  "9.1.4", "9.1.4.5",
  "9.1.5", "9.1.5.10", "9.1.5.12",

  "9.2.1",
  "9.2.2", "9.2.2.4", "9.2.2.7",
  "9.2.3",

  "9.3.1", "9.3.1.1",
  "9.3.2"
);
# Look for the installed release in the affected list and, on the first
# match, work out which fixed release to report. Only the matching entry is
# evaluated; the loop stops right after it.
foreach version (versions)
{
  # Not the installed release - try the next list entry.
  if (cisco_gen_ver_compare(a:ver, b:version) != 0) continue;

  # 8.x trains: no fixed release is named here, so every listed 8.4/8.6
  # build is reported with a pointer to the vendor.
  if (ver =~ "^8\.")
    fixed_ver = "Refer to the vendor.";

  # 9.x trains: the regex selects the train (a non-digit must follow the
  # minor number) and check_asa_release() compares against that train's
  # patched build.
  # NOTE(review): presumably check_asa_release() is TRUE only when ver is
  # older than `patched`. If so, the listed 9.2.3 and 9.3.2 can never be
  # reported, because they sort after 9.2(2.100) and 9.3(1.99) - confirm
  # against cisco_func.inc and the advisory.
  else if (ver =~ "^9\.0[^0-9]" && check_asa_release(version:ver, patched:"9.0(4.25)"))
    fixed_ver = "9.0(4.25)";
  else if (ver =~ "^9\.1[^0-9]" && check_asa_release(version:ver, patched:"9.1(5.15)"))
    fixed_ver = "9.1(5.15)";
  else if (ver =~ "^9\.2[^0-9]" && check_asa_release(version:ver, patched:"9.2(2.100)"))
    fixed_ver = "9.2(2.100)";
  else if (ver =~ "^9\.3[^0-9]" && check_asa_release(version:ver, patched:"9.3(1.99)"))
    fixed_ver = "9.3(1.99)";

  break;
}

# fixed_ver is still NULL when the release was not listed, or was listed but
# did not satisfy its train's patched-release test.
if (isnull(fixed_ver))
{
  audit(AUDIT_INST_VER_NOT_VULN, "Cisco ASA software", ver);
}
# flag     - the webvpn configuration was read and contains "enable".
# override - the configuration could not be read because the command needs
#            enable (privileged) access, so the result is reported with a
#            caveat instead of being dropped.
flag = FALSE;
override = FALSE;

# Check if SSL VPN is configured. This is only possible with local checks;
# without them both variables stay FALSE and the host is audited as not
# affected even though its version matched.
# NOTE(review): confirm that silence is the intended outcome for hosts
# scanned without credentials.
if (get_kb_item("Host/local_checks_enabled"))
{
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config_webvpn", "show running-config webvpn");

  if (!check_cisco_result(buf))
  {
    # The command output is unusable; keep the finding only when the cause
    # is missing enable privileges.
    if (cisco_needs_enable(buf)) override = TRUE;
  }
  # NOTE(review): the pattern is unanchored, so any occurrence of "enable"
  # in the webvpn section sets the flag, not just a line that turns the
  # feature on for an interface. Check whether that is precise enough for
  # the configurations in scope.
  else if (preg(multiline:TRUE, pattern:"enable", string:buf)) flag = TRUE;
}

# Neither a confirmed webvpn setting nor an unreadable config: stop here.
if (!(flag || override)) audit(AUDIT_HOST_NOT, "affected");
# Emit the finding against port 0. The caveat text from
# cisco_caveat(override) is always attached; the installed and fixed
# versions are prepended only when report verbosity is above zero.
report = cisco_caveat(override);

if (report_verbosity > 0)
{
  report =
    '\n Installed version : ' + ver +
    '\n Fixed version : ' + fixed_ver +
    '\n' + report;
}

security_warning(port:0, extra:report);