Cisco Security Advisory
Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

Cisco Systems has recently released a Security Advisory regarding the ASA 5500 Series Adaptive Security Appliance (ASA), more commonly known as your firewall. This firewall device is a security appliance that sits between your private network and the Internet, protecting you from would-be attackers and other malicious activity. On rare occasions, however, even an extremely robust security appliance such as the Cisco ASA can suffer from vulnerabilities.
This Security Advisory applies only to the Cisco ASA 5500 Series firewalls and the Cisco Firewall Services Module (used in the Cisco Catalyst 6500 Series switch chassis). None of Cisco’s other firewalls are affected by any of the vulnerabilities. These vulnerabilities are:
- Three SunRPC Inspection Denial of Service Vulnerabilities
- Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
- Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
- Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
What is a Denial of Service Vulnerability?
Simply put, a Denial of Service vulnerability is a weakness in the operating system of a server or network appliance. When such a vulnerability is exploited by a Denial of Service attack, the resource becomes unavailable to its intended users. As the firewall is the gateway to the Internet for your users and servers, a Denial of Service attack on this device would cause a loss of Internet connectivity, an inability to send and receive email, loss of connectivity to remote offices via VPN, and would render web and other application servers inaccessible from the outside. From the inside of the private or corporate network, file/print, application and other local resources would still be available.
Having described this, please do not hit the panic button! Denial of Service attacks are rarely carried out against Small and Medium Businesses around the world. Typical targets of Denial of Service attacks are high-profile web servers such as banks, e-commerce sites, and credit card payment gateways. That said, it is still a best practice to remediate known vulnerabilities to avoid these risks.
Is My Network Affected?
For specific details on each vulnerability, click here to view the complete Security Advisory. However, if your network employs a Cisco ASA 5500 series firewall, it is highly likely that one or more of these vulnerabilities apply and remediation action should be taken. Of the vulnerabilities listed in the Security Advisory, only the SunRPC Inspection vulnerability affects the Firewall Services Module (FWSM).
What Action Should Be Taken?
There are two options for remediating the vulnerabilities. The Security Advisory lists workarounds for each of the vulnerabilities, or you can upgrade the operating system of the device to the recommended version containing the fixes for each threat. In most cases, the workarounds are not a viable option and it is recommended that you upgrade your operating system.
The complete Cisco Security Advisory can be found by clicking here or visiting Cisco.com.







