CISCO : Cisco ASA VPN Failover Command Injection Vulnerability (cisco-sa-20141008-asa)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.105982

Category: CISCO

Title: Cisco ASA VPN Failover Command Injection Vulnerability (cisco-sa-20141008-asa)

Summary: A vulnerability in the VPN code of Cisco ASA Software could; allow an authenticated, remote attacker to submit configuration commands to the standby unit via; the failover interface. As result, an attacker could be able to take full control of both the; active and standby failover units.

Description: Summary:
A vulnerability in the VPN code of Cisco ASA Software could
allow an authenticated, remote attacker to submit configuration commands to the standby unit via
the failover interface. As result, an attacker could be able to take full control of both the
active and standby failover units.

Vulnerability Insight:
The vulnerability is due to improper implementation of the
internal filter for packets coming from an established VPN tunnel. An attacker could exploit this
vulnerability by sending crafted packets directed to the failover interface IP address.

Vulnerability Impact:
An authenticated, remote attacker could exploit this
vulnerability by connecting to a targeted device and sending malicious configuration requests
through the failover interface to the standby unit. The attacker could modify the configuration
to take control over both the standby and active units, resulting in complete device compromise.

Affected Software/OS:
Cisco ASA version 7.2, 8.2, 8.3, 8.4, 8.6, 9.0, 9.1, 9.2 and
9.3.

Solution:
See the referenced vendor advisory for a solution.

CVSS Score:
9.0

CVSS Vector:
AV:N/AC:L/Au:S/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2014-3389
Cisco Security Advisory: 20141008 Multiple Vulnerabilities in Cisco ASA Software
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Copyright Copyright (C) 2015 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.105982
Category:	CISCO
Title:	Cisco ASA VPN Failover Command Injection Vulnerability (cisco-sa-20141008-asa)
Summary:	A vulnerability in the VPN code of Cisco ASA Software could; allow an authenticated, remote attacker to submit configuration commands to the standby unit via; the failover interface. As result, an attacker could be able to take full control of both the; active and standby failover units.
Description:	Summary: A vulnerability in the VPN code of Cisco ASA Software could allow an authenticated, remote attacker to submit configuration commands to the standby unit via the failover interface. As result, an attacker could be able to take full control of both the active and standby failover units. Vulnerability Insight: The vulnerability is due to improper implementation of the internal filter for packets coming from an established VPN tunnel. An attacker could exploit this vulnerability by sending crafted packets directed to the failover interface IP address. Vulnerability Impact: An authenticated, remote attacker could exploit this vulnerability by connecting to a targeted device and sending malicious configuration requests through the failover interface to the standby unit. The attacker could modify the configuration to take control over both the standby and active units, resulting in complete device compromise. Affected Software/OS: Cisco ASA version 7.2, 8.2, 8.3, 8.4, 8.6, 9.0, 9.1, 9.2 and 9.3. Solution: See the referenced vendor advisory for a solution. CVSS Score: 9.0 CVSS Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2014-3389 Cisco Security Advisory: 20141008 Multiple Vulnerabilities in Cisco ASA Software http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
Copyright	Copyright (C) 2015 Greenbone Networks GmbH