Cisco Security Advisories

Wednesday, October 16, 2013 @ 05:10 PM gHale


Cisco released two security advisories concerning multiple vulnerabilities in its Adaptive Security Appliance (ASA) hardware and Firewall Services Module (FWSM) Software, according to a release on ICS-CERT.

The vulnerabilities are within the software for the following components:
• Cisco Adaptive Security Appliance (ASA) hardware
• Firewall Services Module (FWSM) Software for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

These devices provide essential network services, including control systems integration and operations. The vulnerabilities, denial of service (DoS) and remote authentication bypass, can directly impact the confidentiality, integrity, and availability of control systems.

Cisco Firewall Services Module (FWSM) software for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers suffers from the following vulnerabilities:
• Cisco FWSM Command Authorization Vulnerability
• SQL*Net Inspection Engine Denial of Service Vulnerability

Cisco Adaptive Security Appliance (ASA) software has the following vulnerabilities:
• IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
• SQL*Net Inspection Engine Denial of Service Vulnerability
• Digital Certificate Authentication Bypass Vulnerability
• Remote Access VPN Authentication Bypass Vulnerability
• Digital Certificate HTTP Authentication Bypass Vulnerability
• HTTP Deep Packet Inspection Denial of Service Vulnerability
• DNS Inspection Denial of Service Vulnerability
• AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
• Clientless SSL VPN Denial of Service Vulnerability

The vulnerabilities are independent of each other; a software release affected by one vulnerability is not necessarily affected by another.

For the FWSM software for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers, successful exploitation of the Cisco FWSM Command Authorization Vulnerability may result in a complete compromise of the confidentiality, integrity and availability of the affected system. Successful exploitation of the SQL*Net Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

For the ASA hardware, successful exploitation of the IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability, SQL*Net Inspection Engine Denial of Service Vulnerability, HTTP Deep Packet Inspection Denial of Service Vulnerability, DNS Inspection Denial of Service Vulnerability, and Clientless SSL VPN Denial of Service Vulnerability may result in a reload of an affected device, leading to a DoS condition.

Successful exploitation of the Digital Certificate Authentication Bypass Vulnerability, Remote Access VPN Authentication Bypass Vulnerability, and Digital Certificate HTTP Authentication Bypass Vulnerability may result in an authentication bypass, which could allow an attacker access to the inside network via remote access VPN or management access to the affected system via the Cisco Adaptive Security Device Manager (ASDM).

Successful exploitation of the AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability may exhaust available memory, which could result in general system instability and cause the affected system to become unresponsive and stop forwarding traffic.

Go to the Cisco advisories site for additional vulnerability details and mitigation strategies. Cisco released software updates that address these vulnerabilities.
