Cisco’s Product Security Incident Response Team pushed out software updates for four different network security products. The fixes contain workarounds that can help users mitigate multiple denial-of-service and command-injection vulnerabilities recently found in Cisco’s software.
The holes exist in Cisco’s ASA Next-Generation Firewall (NGFW) Services, Content Security Management Appliance, Web Security Appliance and the company’s Email Security Appliance, according to security advisories posted on the company’s site.
The ASA NGFW – a Cisco firewall add-on – contains a flaw that could lead to a remote denial of service attack, triggered by handling fragmented traffic. By sending specially crafted fragmented IPv4 or IPv6 packets through the target device, an attacker could crash the program or make it stop processing user traffic. The vulnerability has been fixed in versions 9.1.1.9 or 9.1.2.12 and later of the software.
The other three patches address problems in Cisco’s IronPort AsyncOS operating system. The software runs in the background on three of the previously mentioned security products and ensures the infrastructure on each of the appliances isn’t overwhelmed.
There are three vulnerabilities, an authenticated command injection vulnerability and two DoS vulnerabilities that affect the Content Security Management Appliance that could allow an attacker to execute arbitrary commands with elevated privileges and “make the affected system unstable,” according to a warning yesterday.
Two authenticated command injection vulnerabilities and a management GUI DoS vulnerability also affect the Web Security Appliance software. Two DoS vulnerabilities and a command injection vulnerability affects the company’s Email Security Appliance messaging platform.
All of the bugs are dissected on Cisco’s Advisories, Responses, and Notices page, while updates can be applied through Cisco’s usual distribution channels.