Re: Overcoming MGCP and TLS vunrability in ASA

cisco__kaushik · ‎10-25-2007

Cisco PIX/ASA has the following two vunrabilities

1. Crafted MGCP Packet

MGCP is a protocol for controlling media gateways from external call

control elements such as Media Gateway Controllers or Call Agents. Cisco

PIX or ASA security appliance with the Media Gateway Control Protocol

(MGCP) application layer protocol inspection feature enabled may reload

when the device processes a crafted MGCP packet.

2. Crafted TLS Packet

Transport Layer Security (TLS) is the replacement for the Secure Socket

Layer (SSL) protocol. It is a protocol that provides secure communications

between two end-points, via cryptography. The PIX and ASA may be affected

by vulnerability in the handling of the TLS protocol that may lead to

reload the device when specially crafted TLS packets are processed.

Applications affected by this vulnerability are clientless Web-VPN

connections, HTTPS management sessions, cut-through proxy for network

access, and TLS proxy for encrypted voice inspection.

I need to find a workaround for these two vunrabilities.

Pl suggest what would be the accesslist for blocking crafted mgcp packets and tls packets in my asa.It runs on 7.2 code

pjhenriqs · ‎10-25-2007

Hi,

I believe the workarounds can be found on the Cisco vulnerability report for those two.

Basically there is no workaround for the first one. If you are using MGCP protocol inspection, then you should upgrade your vesion. What version of 7.2 do you have? Have you checked if it's affected by this problem?

For the second one the work around is to limit your TLS traffic to only known hosts. Just allow ASDM access to a minimum of hosts that can be "trusted".

Check the Cisco website for a better description.

http://www.cisco.com/warp/public/707/cisco-sa-20071017-asa.shtml