Several flaws found in Cisco’s Adaptive Security Appliance

Apr 9, 2015 15:10 GMT  ·  By

A security flaw in Cisco's ASA FirePOWER and Context Aware (CX) Services can be exploited by an attacker to force the affected system to reload, producing a denial-of-service (DoS) condition.

The flaw lies in the virtualization layer of both services and can be exploited remotely by an unauthenticated attacker.

ASA FirePOWER Services is marketed as a complete solution that provides automated protection against advanced threats before, during and after an attack. It is integrated into Cisco's ASA 5500-X Series Next-Generation Firewall products.

ASA CX Services is a complementary module that identifies the application and user behind network traffic, giving administrators greater visibility into the network and finer control over traffic.

Restarting the security appliance

The DoS vulnerability exists because specially crafted packets sent at a high rate are not handled properly.

“An attacker could exploit this vulnerability by sending a high rate of crafted packets to the management interface of the Cisco ASA FirePOWER Services or Cisco ASA CX Services,” the security advisory from the company on Wednesday says.

Successful exploitation requires that the traffic be aimed at the management interface of either product; traffic to other interfaces does not trigger the flaw. The attack works regardless of whether it is carried out over IPv4 or IPv6.
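To make the attack pattern concrete from the defender's side, the following is an added example, not Cisco's code and not derived from the advisory. It flags sources that send more than a threshold of packets to a management-interface address within a sliding time window, treating IPv4 and IPv6 destinations alike. The management addresses, the threshold and window, and the flow records it runs over are all constructed for the illustration.

```python
"""Sliding-window rate detector for packet floods aimed at a management
interface. Added illustration only: not Cisco code and not taken from the
advisory. Addresses, threshold, window and flow records are constructed."""
from collections import deque, defaultdict
import ipaddress

# Assumed management-interface addresses (constructed: one IPv4, one IPv6).
MGMT_ADDRS = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("2001:db8::10"),
}


def flood_sources(records, threshold=50, window=1.0, mgmt_addrs=MGMT_ADDRS):
    """Return {source: peak_count} for every source that sent more than
    `threshold` packets to a management address within any `window`-second
    span. `records` is an iterable of (timestamp, src, dst) tuples ordered by
    non-decreasing timestamp; IPv4 and IPv6 destinations are handled alike."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    offenders = {}
    for ts, src, dst in records:
        if ipaddress.ip_address(dst) not in mgmt_addrs:
            continue              # only management-plane traffic matters here
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > threshold:
            offenders[src] = max(offenders.get(src, 0), len(q))
    return offenders


def constructed_records():
    """Constructed flow records: a benign admin host, an IPv6 flood against
    the IPv6 management address, and a flood against a non-management IP."""
    recs = []
    # Benign: 10 packets/s from an admin host to the IPv4 management address.
    for i in range(30):
        recs.append((i * 0.1, "198.51.100.7", "192.0.2.10"))
    # Flood: 200 packets in 0.5 s to the IPv6 management address.
    for i in range(200):
        recs.append((1.0 + i * 0.0025, "2001:db8:bad::1", "2001:db8::10"))
    # Flood at the same rate, but to a non-management address: ignored.
    for i in range(200):
        recs.append((1.0 + i * 0.0025, "203.0.113.9", "192.0.2.99"))
    recs.sort(key=lambda r: r[0])
    return recs


if __name__ == "__main__":
    for src, peak in flood_sources(constructed_records()).items():
        print(f"flood from {src}: {peak} packets inside a 1 s window")
```

The detector keys only on destination address and per-source rate, which is all the advisory's description of the attack (a high rate of packets to the management interface) gives a defender to work with; it does not attempt to recognise the crafted packets themselves.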

The flaw has been assigned the identifier CVE-2015-0678 and carries a CVSS (Common Vulnerability Scoring System) base score of 7.8 out of 10.

Cisco has released updates for both products and recommends that they be applied without delay. Because the attack only works against the management interface, limiting which hosts can reach that interface reduces exposure until the update is installed.

Glitchy ASA

This is not the only flaw affecting the ASA (Adaptive Security Appliance) software. Cisco announced that it is also affected by three other vulnerabilities.

A failover command injection flaw (CVE-2015-0675, severity rating 8.3) allows an attacker to take control of both the active and standby failover units by sending specially crafted UDP packets to the failover interface IP address.

A DNS memory exhaustion flaw (CVE-2015-0676, severity rating 7.1) causes system instability and a failure to process or forward traffic. It can be triggered when a request sent to a Cisco ASA device forces the device to generate a DNS request packet; the attack succeeds if the attacker intercepts that request and replies with a malformed DNS packet.

The third ASA vulnerability is a VPN XML parser DoS (CVE-2015-0677, severity score 7.8). It allows a remote, unauthenticated attacker to crash the WebVPN component, which resets all secured VPN connections and reloads the affected system.

These three flaws are covered in a separate advisory, also published on Wednesday.