Bugtraq mailing list archives

Cisco Security Advisory: Cisco Web Security Appliance HTTP Length Denial of Service Vulnerability

From: Cisco Systems Product Security Incident Response Team <psirt () cisco com>
Date: Wed, 18 May 2016 12:20:38 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Web Security Appliance HTTP Length Denial of Service Vulnerability

Advisory ID: cisco-sa-20160518-wsa3

Revision 1.0

For Public Release 2016 May 18 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in HTTP request parsing in Cisco AsyncOS for the Cisco Web Security Appliance (WSA) could allow an 
unauthenticated, remote attacker to cause a denial of service (DoS) condition when the proxy process unexpectedly 
restarts.

The vulnerability occurs because the affected software does not properly allocate space for the HTTP header and any 
expected HTTP payload. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected 
device. An exploit could allow the attacker to cause a DoS condition when the proxy process unexpectedly reloads, which 
can cause traffic to be dropped.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this 
vulnerability.
 
This advisory is available at the following link:

 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160518-wsa3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iQIVAwUBVzI0bK89gD3EAJB5AQJ3NRAA3fZtmhQZ1CLM9wpu08Oe1/xETVXNB7Es
YPIeZk/7rNcZe0RjrvXxQoJcZrNkq6hnExNwRaGeiKSulCAmXHU46v2gB2mbhYdx
FB7AYVXOHDKHZyEhCeZXRvq3sbIZu4A/AVPLZSADl3v35Jdwwo8G/pDt7lTQma6o
+qvLYXhToSTZuJM2IOxY63TSwSD8rVueZYvcPOAbD5w529tHwhIhmJ/OM6mqdJks
FcQ+p3qBhuJpv/UB3ffWrlVXCQgukW5al/6tYHUFNYETp/b7PqixWz/Xs5Ob7GRg
Pa8JE6ggkdwUn0Z5LNbHpU46wZyUMaQMLGTMwVlpiBlz5dxbq41Llo/vu9//ozNu
eFohMTKSR/l48u34gzeca6ffIkOmLv++nsM4xAnvJSnF4ooTOLoyqqEjghxIRAkR
BRrvLiy6SWKTuimpP0fhwGgGio7gDFP+nwdbgqXvx6JrEFCuc2rmHILLGH9CHWzH
/sKzWekfJOXRN+w/m2aIRqJ0tj//2MLOYldxtX4G61MdhKgnGk/f9DyEuUP65+iu
Kru4HMw8V+/OX5t+X0E02LfpKgMmOFKf3ZF00FvTLTOsi92ybBqw+OtuI+zY/x58
H9CZOTgqtreHpSiq2ItkUHOLIG5/d7oObop/Yk6ZvsYBsApXQfr+IU4WfdMaRstp
CcNZWjXOX10=
=Jy8r
-----END PGP SIGNATURE-----

Current thread:

Cisco Security Advisory: Cisco Web Security Appliance HTTP Length Denial of Service Vulnerability Cisco Systems Product Security Incident Response Team (May 18)