On October 22, Cisco announced three vulnerabilities in the Cisco ASA 5500 series and PIX Firewall models running software versions 7.x and 8.x (see the Cisco Security Advisory). The three security issues identified are the following:
- Windows NT Domain Authentication Bypass Vulnerability
- IPv6 Denial of Service Vulnerability
- Crypto Accelerator Memory Leak Vulnerability
Cisco ASA or PIX security appliances configured for IPSec or SSL-based remote access VPNs using Windows NT Domain Authentication are vulnerable because of a Windows NT Domain authentication issue.
A specially crafted IPv6 packet may cause the Cisco ASA and Cisco PIX security appliances to reload. Devices that are running software version 7.2(4)9 or 7.2(4)10 and configured for IPv6 may be vulnerable. This vulnerability does not affect devices that are configured only for IPv4. Only packets that are destined to the device (not transiting the device) may trigger the effects of this vulnerability. These packets must be destined to an interface configured for IPv6.
The Cisco ASA security appliances may experience a memory leak triggered by a series of packets. This memory leak occurs in the initialization code for the hardware crypto accelerator. Only packets destined to the device may trigger this vulnerability.
To fix the above security issues, upgrade to the following software releases:

| Vulnerability | Affected Release | First Fixed Version |
|---|---|---|
| Windows NT Domain Authentication Bypass Vulnerability | 7.0 | 7.0(8)3 |
| IPv6 Denial of Service Vulnerability | 7.0 | Not Vulnerable |
| Crypto Accelerator Memory Leak Vulnerability | 7.0 | Not Vulnerable |
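
The exposure conditions and fix table above can be turned into an inventory check. The following Python is an added example, not code from Cisco or from the original article: it parses version strings of the form 7.0(8)3 and applies only the values stated on this page, and the function names, the hostnames and the sample inventory are constructed for illustration.

```python
import re

# Values below come from the article text; nothing is assumed about other trains.
NT_AUTH_FIRST_FIXED = {(7, 0): "7.0(8)3"}       # fix table, 7.0 row
IPV6_DOS_AFFECTED = ("7.2(4)9", "7.2(4)10")     # releases named for the IPv6 DoS

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d+)?$")

def parse_version(text):
    """Turn 'major.minor(maint)interim' into a comparable tuple; interim defaults to 0."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ASA/PIX version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def nt_auth_exposed(version, uses_nt_domain_auth):
    """True/False for trains in the table, None when the page lists no fix for the train."""
    if not uses_nt_domain_auth:
        return False  # only remote-access VPNs using NT Domain authentication are affected
    parsed = parse_version(version)
    fixed = NT_AUTH_FIRST_FIXED.get(parsed[:2])
    if fixed is None:
        return None   # train not in the table above: check the Cisco advisory
    # Assumption: every release in the train below the first fixed version is affected.
    return parsed < parse_version(fixed)

def ipv6_dos_exposed(version, ipv6_configured):
    """Exposed only on the two named releases, and only with IPv6 configured."""
    affected = {parse_version(v) for v in IPV6_DOS_AFFECTED}
    return bool(ipv6_configured) and parse_version(version) in affected

def assess(inventory):
    """Return (hostname, nt_auth_result, ipv6_result) for each device record."""
    return [(d["host"],
             nt_auth_exposed(d["version"], d["nt_auth"]),
             ipv6_dos_exposed(d["version"], d["ipv6"])) for d in inventory]

# Constructed sample inventory (hostnames and settings are invented for the example).
SAMPLE = [
    {"host": "fw-a", "version": "7.0(8)2", "nt_auth": True, "ipv6": False},
    {"host": "fw-b", "version": "7.0(8)3", "nt_auth": True, "ipv6": False},
    {"host": "fw-c", "version": "7.2(4)10", "nt_auth": False, "ipv6": True},
    {"host": "fw-d", "version": "8.0(4)", "nt_auth": True, "ipv6": True},
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(row)
```

A result of None means the release train is not covered by the table on this page, so the first fixed version has to be taken from the Cisco advisory.
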
To upgrade the software image on either the PIX or ASA firewalls, use the copy tftp: flash: command, and then use boot system flash:/filename in Configuration Mode to instruct the firewall to boot from the new software image.