Cisco security software needs security patch

You will be assimilated if you don't apply the fix, say Borg

Cisco's ASA FirePOWER services and ASA CX Services are vulnerable to a denial of service (DoS) bug in the virtualisation layer.

The just-updated ASA FirePOWER threat-detection platform and ASA CX (which adds application and user ID awareness to the system) could be forced to reload by an attacker hosing their management interfaces with a high rate of crafted packets.

As well as a DoS condition, Cisco says user traffic sent from ASA to FirePOWER and CX could be dropped. If FirePOWER or CX are configured to run in high availability mode, the company adds, exploitation could also lead to “a sustained failover condition”.

Patched software is already available, the notice states.

In a separate advisory, Cisco has also announced that it's moved quickly to patch the latest vulnerabilities in the venerable Network Time Protocol (NTP).

The twinned vulnerabilities, CVE-2015-1798 and CVE-2015-1799, arise from faults in how the daemon, ntpd, behaves when using symmetric key authentication.

In the first, the daemon can be tricked into accepting packets without a message authentication code; while in the second, a bit of timestamp-crafting would let an attacker prevent systems from synchronising.
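The first flaw comes down to a receive-side rule: when an association is configured to require a key, a packet with no MAC must be rejected. The sketch below is an added, simplified model of that check and is not ntpd's or Cisco's code. It assumes the classic MD5 symmetric-key format (48-byte header, then a 4-byte key ID and a 16-byte digest over key plus header), and the function names, key and packet bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP header, no extension fields
MD5_MAC_LEN = 4 + 16     # 4-byte key ID + 16-byte MD5 digest


def compute_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Classic NTP symmetric-key MAC: key ID followed by MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def accept_packet(packet: bytes, peer_key_id, keys: dict) -> tuple:
    """Return (accepted, reason) for a packet received on one association.

    peer_key_id is None for an unauthenticated association, otherwise the
    key ID that association is configured to require (hypothetical model).
    """
    if len(packet) < NTP_HEADER_LEN:
        return False, "short packet"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if peer_key_id is None:
        return True, "unauthenticated association"
    # The case the first flaw concerns: authentication is configured but the
    # packet carries no MAC at all. Reject it instead of skipping the check.
    if not mac:
        return False, "MAC required but absent"
    if len(mac) != MD5_MAC_LEN:
        return False, "malformed MAC"
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id != peer_key_id or key_id not in keys:
        return False, "unexpected key ID"
    expected = compute_mac(key_id, keys[key_id], header)
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False, "bad digest"
    return True, "authenticated"


# Constructed sample data, not taken from any real deployment.
KEYS = {7: b"constructed-demo-key"}
HEADER = bytes([0x24]) + bytes(47)   # LI=0, VN=4, mode=4; other fields zeroed

if __name__ == "__main__":
    print(accept_packet(HEADER, 7, KEYS))                                  # no MAC
    print(accept_packet(HEADER + compute_mac(7, KEYS[7], HEADER), 7, KEYS))  # valid MAC
```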

Cisco has the daemon in a whole bunch of its products, but has released a patch. ®
