Multiple DoS vulnerabilties in Cisco routers and switches
Cisco has revealed four vulnerabilities in the company's ASA (Adaptive Security Appliance) software which can all allow possible denial-of-service attacks. The ASA 1000V Cloud Firewall, the ASA software on Cisco ASA 5500 appliances, and the ASA services modules for the Cisco Catalyst 6500 series switches and 7600 series routers are all affected by one or more of the vulnerabilities.
The triggers for the errors can be malformed IKE messages (CVE-2013-1149), URLs (CVE-2013-1150), or certificates (CVE-2013-1152), though another bug inside the DNS implementation for processing special DNS messages can also trigger a device restart (CVE-2013-1152). The individual vulnerabilities have CVSS values between 7.1 and 7.8 (where 10 is the highest possible value).
Users of ASA software versions 7.0 or 7.1 will need to migrate to 7.2 to mitigate the problems. Users of 8.0, 8.2, 8.3, 8.4, 8.6, 8.7, 9.0 or 9.1 versions will find updates of those releases are available. Users of 8.1 will need to migrate to 8.2 or later and users of 8.5 will need to migrate to 9.0 or later. Updates are available from the Cisco.com Software Center – details of how to navigate through the tree of options are given in the advisory.
The Firewall Services Module (FWSM) for the 6500 series switches and 7600 series routers is also affected by the IKE messaging flaw and an issue in HTTP Proxy Traceback (CVE-2013-1155), both of which could cause a denial of service. Customers with service contracts should receive updates through their normal channels; customers without will need to contact Cisco's Technical Assistance Center (TAC) to request the fixes.
Cisco says it is not aware of any exploits in the wild for these problems, which it says it found while resolving customer support cases.