Cisco appliances vulnerable to DoS attack
Cisco has discovered vulnerabilities its 500 series PIX appliances 5500 series Adaptive Security Appliances (ASA) that attackers can exploit for denial-of-service attacks. The manufacturer also says that Application Velocity Systems (AVS) that have outdated software versions do not require a new password to be set when the administrator is set up.
In its security advisory Cisco explains that if the optional Time-to-Live (TTL) countdown feature is enabled on the device, the PIX and ASA appliances can be forced to reboot by crafted IP packets. Attackers can mount an extended denial of service attack on devices configured this way by bombarding them with such packets. Administrators can determine whether the feature is running by using the
show running-config command and searching for the
set connection decrement-ttl command, which is off by default.
A separate issue affects Cisco's Application Velocity System (AVS) web application accelerators. Their management consoles are shipped with a known default password, and outdated versions of the system software do not force users to set a new one when the devices are configured. This means attackers can get complete access to appliances which still use the default password. Products AVS 3110, 3120, 3180 and 3180A are affected.
Cisco provides links in their advisories to updated software that should fix the flaws. AVS version 5.10 requires you to change the system passwords when you login for the first time after installation. Software versions 7.2(3)6 and 8.0(3) and subsequent versions for ASA and PIX appliances handle IP packets properly when the TTL decrement option is enabled. Administrators are advised to install the updates as soon as possible and change passwords on AVS products.
- Cisco PIX and ASA Time-to-Live Vulnerability, Cisco security advisory
- Default Passwords in the Application Velocity System, Cisco security advisory