Cisco Patches Multiple Security Suite Flaws

Cisco has patched vulnerabilities in its Firewall Services Module (FWSM) and Adaptive Security Appliance (ASA) software

Cisco ASA is a firewall and VPN appliance that can also provide anti-virus, anti-spam, anti-phishing and web-filtering services, among other capabilities. Nine separate vulnerabilities were found in ASA:

  • IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
  • SQL*Net Inspection Engine Denial of Service Vulnerability
  • Digital Certificate Authentication Bypass Vulnerability
  • Remote Access VPN Authentication Bypass Vulnerability
  • Digital Certificate HTTP Authentication Bypass Vulnerability
  • HTTP Deep Packet Inspection Denial of Service Vulnerability
  • DNS Inspection Denial of Service Vulnerability
  • AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
  • Clientless SSL VPN Denial of Service Vulnerability

Cisco warned that successful exploitation of five of these (the IPsec VPN Crafted ICMP Packet, SQL*Net Inspection Engine, HTTP Deep Packet Inspection, DNS Inspection and Clientless SSL VPN denial of service vulnerabilities) could cause an affected device to reload, resulting in a denial of service (DoS) condition.

Successful exploitation of the three authentication bypass vulnerabilities (Digital Certificate Authentication Bypass, Remote Access VPN Authentication Bypass and Digital Certificate HTTP Authentication Bypass) may allow an attacker to bypass authentication and reach the inside network via remote access VPN. An attacker could also gain management access to the affected system via the Cisco Adaptive Security Device Manager (ASDM).

Finally, successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Meanwhile, two vulnerabilities exist in Cisco’s FWSM software, a firewall module for Cisco Catalyst 6500 series switches and Cisco 7600 series routers deployed inside enterprise networks.

The first is the Cisco FWSM Command Authorization Vulnerability. According to Cisco, successful exploitation of this vulnerability could “result in a complete compromise of the confidentiality, integrity and availability of the affected system.”

The second vulnerability in FWSM is also present in ASA: the SQL*Net Inspection Engine Denial of Service Vulnerability, which could lead to a denial of service condition if exploited.

Cisco’s Product Security Incident Response Team (PSIRT) said that it is not currently aware of any attacks targeting the vulnerabilities. Cisco has released free software updates that address them, and said that workarounds are available for some. The company also cautioned that the vulnerabilities are independent of one another: a release that is affected by one of the vulnerabilities may not be affected by the others, so each advisory must be checked against the software version in use.
