Bugtraq mailing list archives

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software

From: Cisco Systems Product Security Incident Response Team <psirt () cisco com>
Date: Wed, 9 Oct 2013 12:00:16 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software

Advisory ID: cisco-sa-20131009-asa

Revision 1.0

For Public Release 2013 October 9 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

    IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
    SQL*Net Inspection Engine Denial of Service Vulnerability
    Digital Certificate Authentication Bypass Vulnerability
    Remote Access VPN Authentication Bypass Vulnerability
    Digital Certificate HTTP Authentication Bypass Vulnerability
    HTTP Deep Packet Inspection Denial of Service Vulnerability
    DNS Inspection Denial of Service Vulnerability
    AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
    Clientless SSL VPN Denial of Service Vulnerability


These vulnerabilities are independent of one other; a release that is affected by one of the vulnerabilities may not be 
affected by the others.

Successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine 
Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of 
Service Vulnerability, and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected 
device, leading to a denial of service (DoS) condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN 
Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an 
authentication bypass, which could allow the attacker access to the inside network via remote access VPN or management 
access to the affected system via the Cisco Adaptive Security Device Management (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust 
available memory, which could result in general system instability and cause the affected system to become unresponsive 
and stop forwarding traffic.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the 
vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

Note: The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers 
may be affected by the SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory 
has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)

iF4EAREKAAYFAlJVVn0ACgkQUddfH3/BbTqWZwD/RwBC6JBngB+veDwlJnE/f0JZ
iuuIjMkJNw/hIWUZBSgA+gMaBfPY40K8ORrja7Tf9cuThC8QxjtRmX/Rkj3Rx2P3
=9LM3
-----END PGP SIGNATURE-----

Current thread:

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software Cisco Systems Product Security Incident Response Team (Oct 09)
- <Possible follow-ups>
- Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software Cisco Systems Product Security Incident Response Team (Oct 17)