Cisco patches five holes in PIX and ASA
Cisco has discovered vulnerabilities in its PIX appliances and ASA 5500 series. Crafted TCP ACK and TLS packets can cause units to reboot. According to the security advisory, this only happens where the device itself is the destination of the packets, as with management traffic; forwarded packets do not cause a problem. If Instant Messaging Inspection is enabled, however, certain forwarded packets can indeed cause the system to reboot. Under default settings, this function is disabled. An otherwise unexplained scan of port 443 on the PIX and ASA can also cause a denial of service.
The fifth hole allows remote access to a system even if an Access Control List (ACL) is defined for the Control Plane. According to the security advisory, the problem occurs after initial configuration. The packets described above can be sent to the device in this manner, but Control Plane ACLs are not enabled by default.
Cisco lists the versions that contain the flaws in its original security advisory. The vendor has also published updates for PIX and ASA to remedy the flaws.
See also:
- Multiple Vulnerabilities in Cisco PIX and Cisco ASA, Cisco security advisory
(mba)