Cisco patches security appliance bugs
ASA can be DoSsed by XML, VPN attacks
It's Borg Bug Day, and this week Cisco's issued patches of interest to users of its Adaptive Security Appliances (ASAs).
The two newly-announced bugs are CVE-2016-1379, a VPN block memory exhaustion vulnerability; and CVE-2016-1385, a problem with the ASA XML parser.
The memory exhaustion vulnerability affects ASA software releases later than 9.0, and can be exploited remotely.
The software has a bug in how it handles ICMP errors in IPsec packets, and crafted packets sent either through LAN-to-LAN or remote access VPN tunnels can “deplete available memory”.
That results in a denial-of-service, either because the system becomes unstable or it stops forwarding traffic.
The software is vulnerable if the user's using IKEv1 or IKEv2 for LAN-to-LAN VPNs, or remote access VPNs using Layer 2 Tunnelling Protocol and Ipsec; and if the system is validating ICMP errors.
The XML parser vulnerability is less serious, because it can only be exploited by an authenticated user.
A local admin can crash the system by tricking the ASA into parsing a malicious XML file; while someone with Clientless SSL VPN access can send a crafted XML file over their connection.
In either case, because the XML parser isn't sufficiently hardened, the malicious file can force a system reload.
All ASA releases are affected, and Cisco has released patches. ®