7 New Cisco Vulnerabilities in ASA 5500 Devices
GSA Reference Number: AD100217-01
Simply Put: Cisco has released an advisory for multiple vulnerabilities affecting Cisco ASA 5500 devices. This advisory identifies six new denial of service vulnerabilities and one new authentication bypass vulnerability. An update from Cisco is available to address these issues and should be applied as soon as possible. Gladiator will be testing this update for compatibility and stability and will then notify affected clients if an update is necessary.
Attack Details: Cisco has identified the following vulnerabilities in its ASA 5500 series devices (from the Cisco Advisory):
- TCP Connection Exhaustion Denial of Service Vulnerability
- Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
- Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
- WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
- Crafted TCP Segment Denial of Service Vulnerability
- Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
- NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability
Denial of service vulnerabilities are quite serious for firewalls, since a successful attack could bring down an institution's access to the Internet. More detailed information can be found in the Cisco advisory linked below.
Countermeasures: Cisco has released a free update to address these vulnerabilities. Gladiator will be testing this update for compatibility and stability and will then begin rolling it out to affected clients as soon as possible. We will review all of our monitored devices to determine if an update is required and will then notify clients, as necessary, to schedule the rollout. If you are not a Gladiator customer, we recommend that you examine all Cisco ASA devices to determine whether this update is necessary. If applicable, roll out this update after hours, when users are not accessing the Internet.
Reference Links: