In association with heise online

05 June 2008, 10:29

Cisco patches five holes in PIX and ASA


Cisco has discovered five vulnerabilities in its PIX appliances and ASA 5500 series. Crafted TCP ACK and TLS packets can cause a unit to reboot. According to the security advisory, this only happens where the device itself is the destination of the packets, for example management traffic; forwarded packets do not trigger the problem. If Instant Messaging Inspection is enabled, however, certain forwarded packets can indeed cause the system to reboot; under the default settings that function is disabled. A scan of TCP port 443 on the PIX or ASA, which the advisory does not describe further, can also cause a denial of service.

The fifth hole lets remote packets reach the device even when an Access Control List (ACL) for the Control Plane has been defined to filter them. According to the security advisory, the problem occurs after the initial configuration of such an ACL. The packets described above can thus be sent to the device despite the ACL, but Control Plane ACLs are not enabled by default.
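Because two of the five issues depend on configuration (Instant Messaging Inspection, and whether a Control Plane ACL is defined at all), a quick triage of a saved running-config tells an administrator which holes apply to a given unit before the update is scheduled. The following is an added example written for this article, not code from heise or from Cisco; the `inspect im` and `access-group ... control-plane` command syntax it matches is an assumption about PIX/ASA configuration, and the sample config is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a PIX/ASA running-config excerpt (not from the article).
# The command syntax below is assumed, not quoted from the Cisco advisory.
SAMPLE_CONFIG = """\
hostname fw-edge
access-list CP_IN extended permit tcp host 192.0.2.10 any eq ssh
access-list CP_IN extended deny ip any any
access-group CP_IN in interface outside control-plane
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect im
service-policy global_policy global
"""


def im_inspection_enabled(config: str) -> bool:
    """True if any policy-map class line enables IM inspection ('inspect im')."""
    return re.search(r"^\s+inspect im\b", config, re.MULTILINE) is not None


def control_plane_acls(config: str) -> List[Tuple[str, str]]:
    """Return (acl_name, interface) for every control-plane access-group line."""
    pat = re.compile(
        r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s+control-plane\s*$",
        re.MULTILINE,
    )
    return pat.findall(config)


def triage(config: str) -> Dict[str, str]:
    """Map each of the five advisory items to this unit's exposure.

    The TCP ACK, TLS and port-443 scan issues need no special configuration:
    any unit that accepts management traffic is a possible target, so they are
    reported as exposed and only the vendor update removes them.
    """
    report = {
        "crafted-tcp-ack": "exposed (device as destination)",
        "crafted-tls": "exposed (device as destination)",
        "port-443-scan": "exposed (device as destination)",
    }
    report["instant-messaging-inspection"] = (
        "exposed" if im_inspection_enabled(config) else "not exposed"
    )
    acls = control_plane_acls(config)
    if acls:
        names = ", ".join(f"{acl} on {ifc}" for acl, ifc in acls)
        report["control-plane-acl-bypass"] = f"exposed ({names} may not filter)"
    else:
        # No Control Plane ACL is configured (the default), so there is
        # nothing for the bypass to bypass; the other issues still apply.
        report["control-plane-acl-bypass"] = "not applicable"
    return report


if __name__ == "__main__":
    for item, status in triage(SAMPLE_CONFIG).items():
        print(f"{item:32} {status}")
```

Run it against `show running-config` output saved to a file; a unit that reports both configuration-dependent items as exposed should be updated first, while one with neither still needs the update for the three packet-handling issues.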

Cisco lists the affected versions in its security advisory and has published updates for PIX and ASA that fix the flaws.
