
CERT-In Vulnerability Note CIVN-2009-57
Cisco ASA and Cisco PIX TCP Packet Processing Denial of Service Vulnerability

Original Issue Date: April 21, 2009

Severity Rating: High

Systems Affected

The following Cisco ASA and Cisco PIX software versions are vulnerable:

  • ASA and PIX versions prior to 7.0(8.6)
  • ASA and PIX versions prior to 7.1(2.81)
  • ASA and PIX versions prior to 7.2(4.30)
  • ASA and PIX versions prior to 8.0(4.28)
  • ASA and PIX versions prior to 8.1(2.19)

Overview

A vulnerability has been reported in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliance software that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

Description

This vulnerability is due to a memory leak in the Cisco ASA software while handling malicious TCP packets, and is exposed when any of the following features is enabled:

  • SSL VPNs
  • Cisco Adaptive Security Device Manager (ASDM) administrative access
  • Telnet access
  • SSH access
  • Cisco Tunneling Control Protocol (cTCP) for remote access VPNs
  • Virtual Telnet
  • Transport Layer Security (TLS) proxy for encrypted voice inspection
  • Cut-through proxy for network access
  • TCP Intercept

An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted TCP packets to the affected device, causing it to reload and resulting in a denial of service condition.

Solution

Apply the appropriate fixed software versions as listed in the Cisco Security Advisory.
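The following script is an added example for this note, not tooling from CERT-In or Cisco. It checks an ASA/PIX software version against the first fixed release of each affected train listed under Systems Affected, so that a device inventory can be triaged before the upgrade is scheduled. It parses both the notation used in this note, e.g. 7.2(4.30), and the 7.2(4)30 form printed by the ASA "show version" command (the placement of the interim build number after the closing parenthesis is an assumption). The host names and version banners in the sample inventory are constructed for the example.

```python
"""Check Cisco ASA/PIX software versions against the fixed releases listed in
CERT-In CIVN-2009-57 (CVE-2009-1157).

Added example for this note; not Cisco's or CERT-In's own tooling.
"""
import re

# First fixed release of each affected train, as listed in the note
# ("ASA and PIX versions prior to 7.0(8.6)" and so on).
# Keyed by (major, minor); the value is (maintenance, interim).
FIRST_FIXED = {
    (7, 0): (8, 6),
    (7, 1): (2, 81),
    (7, 2): (4, 30),
    (8, 0): (4, 28),
    (8, 1): (2, 19),
}

# Accepts the note's notation "7.2(4.30)" as well as the "7.2(4)30" form that
# the ASA "show version" command prints (assumption: the interim build number
# follows the closing parenthesis).  A missing interim number counts as 0.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+)\)|\)(\d+)?)")


def parse_version(text):
    """Return (major, minor, maintenance, interim) from a bare version string
    or a whole 'show version' line; raise ValueError if none is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no ASA/PIX version found in: %r" % text)
    major, minor, maint, interim_dot, interim_paren = m.groups()
    interim = interim_dot or interim_paren or "0"
    return (int(major), int(minor), int(maint), int(interim))


def assess(text):
    """Classify a version as 'vulnerable', 'fixed' or 'not listed'.

    'not listed' means the major.minor train does not appear in the note, so
    this check can say nothing about it; treat such devices as needing a look
    at the Cisco advisory rather than as safe."""
    major, minor, maint, interim = parse_version(text)
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return "not listed"
    # Tuple comparison orders by maintenance release first, then interim build.
    return "vulnerable" if (maint, interim) < fixed else "fixed"


def vulnerable_hosts(inventory):
    """Given {hostname: 'show version' output}, return the sorted host names
    whose software is below the first fixed release of their train."""
    return sorted(h for h, out in inventory.items() if assess(out) == "vulnerable")


# Constructed sample inventory: host names and versions are made up for this
# example; the banners mimic the "show version" output format.
SAMPLE_INVENTORY = {
    "fw-edge-1": "Cisco Adaptive Security Appliance Software Version 8.0(4)27",
    "fw-edge-2": "Cisco Adaptive Security Appliance Software Version 8.0(4)28",
    "fw-dc-1":   "Cisco PIX Security Appliance Software Version 7.2(4)",
    "fw-dc-2":   "Cisco Adaptive Security Appliance Software Version 8.1(2)19",
    "fw-lab":    "Cisco Adaptive Security Appliance Software Version 8.2(1)",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_INVENTORY.items()):
        print("%-10s %-11s %s" % (host, assess(banner), parse_version(banner)))
    print("vulnerable:", vulnerable_hosts(SAMPLE_INVENTORY))
```

Note that a train absent from the note (8.2 in the sample) is reported as "not listed" rather than "fixed": the note only enumerates the trains above, so the script refuses to vouch for anything else.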

Vendor Information

CISCO
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a994f6.shtml

References

CISCO
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a994f6.shtml

http://tools.cisco.com/security/center/viewAlert.x?alertId=17927

SecurityTracker
http://securitytracker.com/alerts/2009/Apr/1022015.html

Secunia
http://secunia.com/advisories/34607

VUPEN
http://www.vupen.com/english/advisories/2009/0981

CVE Name
CVE-2009-1157

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003