Cisco patched two products that have vulnerabilities in the Firewall Services Module (FWSM) software and Adaptive Security Appliance (ASA) software, officials said.
At least nine separate vulnerabilities exist in ASA, according to the security updates posted.
Five of the nine can either reload an affected device or lead to a denial of service (DoS) condition. Three of the nine can result in an authentication bypass and give an attacker access to a network via remote access VPN or management access via Cisco’s Adaptive Security Device Management (ASDM) tool.
The nine separate ASA vulnerabilities are:
• IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
• SQL *Net Inspection Engine Denial of Service Vulnerability
• Digital Certificate Authentication Bypass Vulnerability
• Remote Access VPN Authentication Bypass Vulnerability
• Digital Certificate HTTP Authentication Bypass Vulnerability
• HTTP Deep Packet Inspection Denial of Service Vulnerability
• DNS Inspection Denial of Service Vulnerability
• AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
• Clientless SSL VPN Denial of Service Vulnerability
ASA is a suite of security solutions that deploy antivirus, antispam, antiphishing, and web filtering services.
Two vulnerabilities exist in Cisco’s FWSM software, software that handles a series of routers and switches for Cisco networks.
One is if an attacker successfully exploits the Command Authorization vulnerability, it can “result in a complete compromise of the confidentiality, integrity and availability of the affected system.”
The second vulnerability in FWSM is also present in ASA and deals with the SQL *Net Inspection functionality. Like some of the ASA vulnerabilities it can also lead to a denial of service condition if exploited.
While Cisco’s Product Security Incident Response Team (PSIRT) is not aware of any attacks targeting the vulnerabilities and workarounds exist for a few of them, patches for all vulnerabilities are available through the regular update channels.