Cisco Working on Security Appliances Holes

Tuesday, September 15, 2015 @ 11:09 AM gHale

There are denial-of-service (DoS) vulnerabilities in several of Cisco’s security products.

Since software updates are not available for most of the issues, end users should apply workarounds.


Cisco Content Security Management Appliance (SMA) 7.8.0-000, and possibly other versions, suffers from a flaw that a remote, unauthenticated attacker could leverage to cause a DoS condition on the targeted device, Cisco said.

“The vulnerability is due to inadequate validation of user credentials for incoming HTTP requests, which can cause the device to manipulate an internal log file,” Cisco said.

The flaw is triggered when an internal log file wraps quickly; an attacker can exploit it by sending a specially crafted HTTP request to the targeted device. A functional exploit for the bug exists, but the code is not publicly available, Cisco said.

Cisco Email Security Appliance versions 7.6.0 and 8.0.0 (and possibly others) suffer from a format string flaw that can cause a partial DoS condition or memory override. An unauthenticated attacker can exploit the vulnerability, caused by improper validation of string inputs, by sending specially crafted HTTP requests to the vulnerable device.

A functional exploit exists for this issue as well, but it’s not publicly available, the company said.

Another vulnerability is in the Cisco Web Security Appliance (WSA). The flaw could allow a man-in-the-middle (MitM) attacker to supply malformed HTTP server responses to the affected device, causing it to improperly close TCP connections and fail to free memory. This can result in a partial DoS condition, Cisco said.

Cisco confirmed the issue affects Cisco Web Security Appliance version 8.0.7, but later versions of the product might also be affected.

Cisco WSA also suffers from a DNS resolution vulnerability that can lead to a partial DoS condition.

“The vulnerability is due to the handling of DNS requests awaiting a DNS response when new, incoming DNS requests are received,” Cisco said in an advisory. “An attacker could exploit this vulnerability by sending TCP proxy traffic to the WSA at a high rate. An exploit could allow the attacker to cause a partial DoS condition because DNS name resolution fails, which results in the client receiving an HTTP 503 ‘Service Unavailable’ error.”

Cisco released software updates to address the DNS resolution issue impacting WSA, but there are no patches available for the other vulnerabilities.

Until patches are released, administrators should enable IP-based access control lists (ACLs) to ensure only trusted systems can access the affected appliances, and implement physical security for production servers.
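The two defender-side checks below are an added example, not code from Cisco or from this article. The first models the IP-based ACL workaround by reporting any client that reached the appliance from outside a trusted management network; the second watches proxy access-log lines for a burst of HTTP 503 “Service Unavailable” responses, the client-visible symptom of the WSA DNS resolution DoS quoted above. The log format, field order, trusted networks, thresholds and every log line are constructed for the example and are not taken from a real appliance.

```python
"""Added example (not Cisco's code or the article's): two defender-side checks
that follow from the advisories summarised above.

1. enforce_allowlist(): models the IP-based ACL workaround by checking each
   request's source address against a list of trusted management networks.
2. detect_503_burst(): flags a run of HTTP 503 responses within a short window,
   the symptom clients see when WSA DNS resolution fails under load.

The log format, field positions, trusted networks and all log lines below are
constructed for this example.
"""
import ipaddress
from collections import deque
from datetime import datetime, timedelta

# Assumed: administrative networks allowed to reach the appliance (constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]

# Constructed sample lines: "<ISO timestamp> <client ip> <http status> <method> <url>"
SAMPLE_LOG = """\
2015-09-15T11:00:01 10.1.2.3 200 GET http://intranet.example/index.html
2015-09-15T11:00:02 10.1.2.4 200 GET http://intranet.example/news
2015-09-15T11:00:03 203.0.113.9 200 GET http://example.org/
2015-09-15T11:00:04 10.1.2.3 503 GET http://example.net/a
2015-09-15T11:00:04 10.1.2.5 503 GET http://example.net/b
2015-09-15T11:00:05 10.1.2.6 503 GET http://example.com/c
2015-09-15T11:00:05 10.1.2.7 503 GET http://example.com/d
2015-09-15T11:00:06 10.1.2.8 503 GET http://example.com/e
2015-09-15T11:02:30 10.1.2.3 200 GET http://intranet.example/ok
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, client, status, method, url = line.split(maxsplit=4)
    return {
        "ts": datetime.fromisoformat(ts),
        "client": ipaddress.ip_address(client),
        "status": int(status),
        "method": method,
        "url": url,
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def enforce_allowlist(records, trusted=TRUSTED_NETWORKS):
    """Return the client addresses that fall outside every trusted network.

    Models the ACL workaround: any address reported here reached the appliance
    even though the IP-based ACL should have rejected it.
    """
    return sorted(
        {str(r["client"]) for r in records if not any(r["client"] in net for net in trusted)}
    )


def detect_503_burst(records, threshold=5, window=timedelta(seconds=10)):
    """Return (timestamp, count) for each burst of `threshold` or more 503s
    seen inside a sliding `window`; one alert per burst."""
    recent = deque()  # timestamps of 503s inside the current window
    alerts = []
    for r in records:
        if r["status"] != 503:
            continue
        recent.append(r["ts"])
        # Drop 503s that have aged out of the window.
        while recent and r["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((r["ts"].isoformat(), len(recent)))
            recent.clear()  # reset so a single burst raises a single alert
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("untrusted sources:", enforce_allowlist(recs))  # ['203.0.113.9']
    print("503 bursts:", detect_503_burst(recs))  # [('2015-09-15T11:00:06', 5)]
```

The allowlist check is deliberately run against the access log rather than only configured on the device: if an untrusted source shows up in the log after the ACL is in place, the ACL is not doing its job. The 503 detector keys on the symptom rather than on the attacker's traffic, so it also catches a benign DNS outage, which is the point of an availability check.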

Based on the CVSS scores assigned by Cisco, all of these vulnerabilities are rated as medium severity. The advisories state that the weaknesses, which the company believes are unlikely to be exploited by attackers, could be leveraged to cause “mild” damage.