On October 22, Cisco announced three vulnerabilities in the Cisco ASA 5500 series and PIX Firewall models running software versions 7.x and 8.x (see the Cisco Security Advisory). The three security issues identified are the following:
- Windows NT Domain Authentication Bypass Vulnerability
- IPv6 Denial of Service Vulnerability
- Crypto Accelerator Memory Leak Vulnerability
Cisco ASA or PIX security appliances configured for IPSec or SSL-based remote access VPNs using Windows NT Domain Authentication are vulnerable because of a Windows NT Domain authentication issue.
A specially crafted IPv6 packet may cause the Cisco ASA and Cisco PIX security appliances to reload. Devices that are running software version 7.2(4)9 or 7.2(4)10 and configured for IPv6 may be vulnerable. This vulnerability does not affect devices that are configured only for IPv4. Only packets that are destined to the device (not transiting the device) may trigger the effects of this vulnerability. These packets must be destined to an interface configured for IPv6.
The Cisco ASA security appliances may experience a memory leak triggered by a series of packets. This memory leak occurs in the initialization code for the hardware crypto accelerator. Only packets destined to the device may trigger this vulnerability.
To fix the above security issues, the following software releases must be used:
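| Vulnerability | Affected Release | First Fixed Version |
|---|---|---|
| Windows NT Domain Authentication Bypass Vulnerability | 7.0 | 7.0(8)3 |
| Windows NT Domain Authentication Bypass Vulnerability | 7.1 | 7.1(2)78 |
| Windows NT Domain Authentication Bypass Vulnerability | 7.2 | 7.2(4)16 |
| Windows NT Domain Authentication Bypass Vulnerability | 8.0 | 8.0(4)6 |
| Windows NT Domain Authentication Bypass Vulnerability | 8.1 | 8.1(1)13 |
| IPv6 Denial of Service Vulnerability | 7.0 | Not Vulnerable |
| IPv6 Denial of Service Vulnerability | 7.1 | Not Vulnerable |
| IPv6 Denial of Service Vulnerability | 7.2 | 7.2(4)11 |
| IPv6 Denial of Service Vulnerability | 8.0 | Not Vulnerable |
| IPv6 Denial of Service Vulnerability | 8.1 | Not Vulnerable |
| Crypto Accelerator Memory Leak Vulnerability | 7.0 | Not Vulnerable |
| Crypto Accelerator Memory Leak Vulnerability | 7.1 | Not Vulnerable |
| Crypto Accelerator Memory Leak Vulnerability | 7.2 | Not Vulnerable |
| Crypto Accelerator Memory Leak Vulnerability | 8.0 | 8.0(4) |
| Crypto Accelerator Memory Leak Vulnerability | 8.1 | 8.1(2) |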
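
To check an inventory of firewalls against the fixed releases listed above, the following added example (not part of the original article or of Cisco's advisory) parses ASA/PIX release strings and reports which of the three issues a release is still exposed to. The host names and sample releases are constructed, and treating every earlier release in a listed train as affected is an assumption; the configuration conditions described above (NT Domain authentication, IPv6 on an interface) are not checked.

```python
import re

# First fixed releases per train, copied from the table above.
FIRST_FIXED = {
    "Windows NT Domain Authentication Bypass": {
        "7.0": "7.0(8)3", "7.1": "7.1(2)78", "7.2": "7.2(4)16",
        "8.0": "8.0(4)6", "8.1": "8.1(1)13"},
    "Crypto Accelerator Memory Leak": {"8.0": "8.0(4)", "8.1": "8.1(2)"},
}
# The article names exactly these two releases for the IPv6 issue.
IPV6_AFFECTED = {"7.2(4)9", "7.2(4)10"}

_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")

def parse(version):
    """'7.2(4)16' -> (7, 2, 4, 16); a missing interim build counts as 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ASA/PIX version: {version!r}")
    major, minor, maint, interim = m.groups()
    return int(major), int(minor), int(maint), int(interim or 0)

def exposures(version):
    """Return the advisory issues a running release is still exposed to."""
    v = parse(version)
    train = f"{v[0]}.{v[1]}"
    hits = []
    for issue, fixes in FIRST_FIXED.items():
        # Assumption: every release in a listed train below the first
        # fixed release is affected.
        if train in fixes and v < parse(fixes[train]):
            hits.append(issue)
    if v in {parse(x) for x in IPV6_AFFECTED}:
        hits.append("IPv6 Denial of Service")
    return hits

if __name__ == "__main__":
    # Constructed inventory; in practice take the release from 'show version'.
    for host, ver in [("fw-edge-1", "7.2(4)10"), ("fw-vpn-1", "8.0(3)12"),
                      ("fw-dc-1", "8.1(2)")]:
        print(host, ver, exposures(ver) or "no listed issue")
```
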
To upgrade the software image on either the PIX or ASA firewalls, use the copy tftp: flash: command, and then use boot system flash:/filename in Configuration Mode to instruct the firewall to boot from the new software image.