Cisco Patches Denial-of-Service Flaws Across Three Products

Cisco released software updates this week to address five separate denial-of-service vulnerabilities across its product line, all of which the company rates as high or critical severity.

According to a series of security advisories issued on Wednesday, three of the five vulnerabilities exist in Cisco’s Wireless LAN Controller (WLC) devices, commonly used to manage and secure wireless networks in the enterprise.

The most pressing WLC vulnerability, rated critical, stems from improper handling of HTTP traffic: an attacker could send a request to a device, trigger a buffer overflow, and thereby cause a denial of service condition.

The issue affects a wide spectrum of Cisco WLC devices, including those running 7.2, 7.3, 7.4 prior to 7.4.140.0 (MD), 7.5, 7.6, and 8.0 prior to 8.0.115.0 (ED).

The other two WLC vulnerabilities involve the device’s web-based management interface and its Bonjour task manager.

The web interface issue only applies to devices running select versions (4.1 through 7.4.120.0, 7.5, and 7.6.100.0) of the company’s AireOS software. An attacker could trick a user into visiting a URL that’s not supported by the interface, and in turn prompt the device to reload.
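One way to turn the two WLC version lists above (the HTTP-handling overflow and the AireOS web-interface reload) into an inventory check, as an added example that is not Cisco's tooling or advisory text: the affected-range encoding is a reading of the article's version lists rather than of the advisories themselves, and the inventory is constructed sample data in an assumed "host version" line format.

```python
"""Triage a WLC inventory against the affected-version lists in the article.

Added example, not Cisco's tooling. The encoding of the affected ranges is an
assumption derived from the version lists quoted in the article; the inventory
lines are constructed sample data in an assumed "<hostname> <version>" format.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '7.4.140.0' or '7.4.140.0 (MD)' into (7, 4, 140, 0).

    Release tags such as (MD) or (ED) are dropped; only the numeric
    components take part in comparisons.
    """
    core = text.split("(")[0].strip()
    return tuple(int(part) for part in core.split("."))


# HTTP-handling buffer overflow (critical). Each entry is (train, fixed_in):
# the train is affected unless the running release is at or above fixed_in.
# fixed_in=None means the article names no fixed release for that train.
HTTP_DOS_AFFECTED: List[Tuple[Version, Optional[Version]]] = [
    ((7, 2), None),
    ((7, 3), None),
    ((7, 4), (7, 4, 140, 0)),
    ((7, 5), None),
    ((7, 6), None),
    ((8, 0), (8, 0, 115, 0)),
]


def http_dos_affected(version: str) -> bool:
    """True if the release is in an affected train and below its fixed release."""
    v = parse_version(version)
    for train, fixed_in in HTTP_DOS_AFFECTED:
        if v[: len(train)] != train:
            continue
        # Tuple comparison is component-wise, so (7, 4, 121, 0) < (7, 4, 140, 0).
        return fixed_in is None or v < fixed_in
    return False


def web_ui_affected(version: str) -> bool:
    """AireOS web-interface reload: 4.1 through 7.4.120.0, the 7.5 train, and 7.6.100.0."""
    v = parse_version(version)
    if (4, 1) <= v <= (7, 4, 120, 0):
        return True
    if v[:2] == (7, 5):
        return True
    return v == (7, 6, 100, 0)


# Constructed sample inventory: one "<hostname> <version>" pair per line.
INVENTORY = """\
wlc-hq-01      7.4.121.0
wlc-hq-02      7.4.140.0
wlc-branch-01  8.0.100.0
wlc-branch-02  8.0.115.0
wlc-lab-01     7.6.100.0
wlc-lab-02     8.1.102.0
"""


def triage(inventory: str = INVENTORY) -> Dict[str, Dict[str, bool]]:
    """Map each host to which of the two WLC issues its release is exposed to."""
    results: Dict[str, Dict[str, bool]] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        results[host] = {
            "http_dos": http_dos_affected(version),
            "web_ui": web_ui_affected(version),
        }
    return results


if __name__ == "__main__":
    for host, flags in triage().items():
        exposed = [name for name, hit in flags.items() if hit] or ["none"]
        print(f"{host}: {', '.join(exposed)}")
```

The two rules are encoded differently on purpose: the HTTP issue is a per-train "below the fixed release" test, while the web-interface issue mixes a closed range, a whole train, and a single release, so a flat prefix table would not capture it. A host on 7.4.140.0 or 8.0.115.0 is reported clean for the HTTP issue because those are the fixed releases, not affected ones.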

The Bonjour issue stems from WLC failing to properly handle traffic from the Bonjour task manager. An attacker who sent Bonjour traffic to the device could cause it to reload and, like the rest of these vulnerabilities, trigger a DoS condition.

The two other issues exist in the company’s Adaptive Security Appliance (ASA) software and its Secure Real-Time Transport Protocol (SRTP) library.

The ASA issue, which stems from insufficient validation of DHCPv6 packets, only affects users running version 9.4.1 of the software with the DHCPv6 feature configured.

The issue with the library exists in an encryption processing subsystem the library uses – the system fails to validate some fields, leaving it open to attack.

Almost 20 different Cisco products incorporate a vulnerable version of the library, including Webex Meetings and a number of voice/communications devices the company makes. The vulnerability technically exists in the source code the library uses and affects all versions prior to 1.5.3. While Cisco has updated most of the products that use the library, some, including three versions of the company’s IP Phone product and one version of Webex Meetings, won’t be updated until August and June.

The company’s Product Security Incident Response Team claims it isn’t aware of any of the vulnerabilities being exploited in the wild but nonetheless is urging users to update.