Patch Cisco ASA ASAP: DNS, DHCPv6, UDP packets will crash them
Network appliance gets fixes for security holes
Cisco has issued a firmware update to address four security flaws in its Adaptive Security Appliance (ASA) that open up the gear to denial-of-service attacks.
By exploiting these bugs, six models in the ASA family can be forced to repeatedly reset, rendering the hardware useless.
Vulnerable products include the Cisco ASA 1000V Cloud Firewall, Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Cisco Adaptive Security Virtual Appliance (ASAv), and the Cisco Firepower 9300 ASA Security Module.
The four issues, each with its own CVE listing, are as follows:
- CVE-2015-6324, a vulnerability in devices with the DHCPv6 relay feature enabled, allowing an attacker to reset the device with a specially crafted DHCPv6 packet.
- CVE-2015-6325, a DNS handling error that causes the device to reset when presented with a malformed DNS packet.
- CVE-2015-6326, a second DNS-related denial of service vulnerability, caused by improper handling of DNS packets.
- CVE-2015-6327, a flaw in the ASA's Internet Key Exchange (IKE) handling that allows an attacker to force a restart of the targeted appliance with a crafted UDP packet.
Cisco says network administrators should review the advisories and install the patches as soon as possible. ®