Multiple Vulnerabilities in Cisco ASA Software

ITS Advisory Number: 2015-036
Date(s) Issued: Thursday, April 9, 2015
Subject: Multiple Vulnerabilities in Cisco ASA Software
Overview: 

Multiple vulnerabilities have been discovered in Cisco Adaptive Security Appliance (ASA) Software. The Cisco ASA family provides network security services such as firewall, intrusion prevention system (IPS), endpoint security (anti-x), and VPN.

Exploitation of these vulnerabilities could allow an attacker to completely compromise the device or to cause denial-of-service conditions.

Systems Affected: 
  • Versions prior to Cisco Adaptive Security Appliance (ASA) Software 9.2(3.3)
  • Versions prior to Cisco Adaptive Security Appliance (ASA) Software 9.1(6)
  • Versions prior to Cisco Adaptive Security Appliance (ASA) Software 9.3(3)
  • Versions prior to Cisco ASA FirePOWER Software 5.3.1.2
  • Versions prior to Cisco ASA CX Software 9.3.2.1-9
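Cisco ASA Software uses a major.minor(maintenance.interim) version format, so a plain string comparison against the release list above gives wrong answers (for example, "9.1(7)" sorts before "9.2(3.3)" textually although it is a fixed release). The following is an added example, not part of this advisory and not Cisco tooling, that parses that format and checks a version against the fixed ASA Software releases named above; it does not cover the FirePOWER or CX version schemes, and its handling of trains not listed here (older trains treated as affected, newer trains reported as not covered) is an assumption.

```python
import re
from typing import Optional, Tuple

# Fixed ASA Software releases named in this advisory, keyed by release train
# (major, minor). Trains not present here are handled by the assumption
# documented in is_affected().
FIXED_ASA_RELEASES = {
    (9, 1): "9.1(6)",
    (9, 2): "9.2(3.3)",
    (9, 3): "9.3(3)",
}

# Matches e.g. 9.2(3.3) or 9.1(6); the interim number is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")


def parse_asa_version(text: str) -> Tuple[int, int, int, int]:
    """Parse an ASA version into a comparable (major, minor, maintenance,
    interim) tuple. The input may be a full 'show version' line; the first
    version-shaped token is used. A missing interim number counts as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA version found in {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version is below the fixed release for its train, False if
    it is at or above it. Assumption (not stated in the advisory): trains older
    than the oldest listed one are affected; trains newer than the newest
    listed one return None, meaning this advisory's list does not cover them."""
    ver = parse_asa_version(version_text)
    train = ver[:2]
    if train in FIXED_ASA_RELEASES:
        return ver < parse_asa_version(FIXED_ASA_RELEASES[train])
    if train < min(FIXED_ASA_RELEASES):
        return True
    return None


if __name__ == "__main__":
    # Constructed sample 'show version' lines, not real device output.
    samples = [
        "Cisco Adaptive Security Appliance Software Version 9.1(5)",
        "Cisco Adaptive Security Appliance Software Version 9.2(3.3)",
        "Cisco Adaptive Security Appliance Software Version 9.3(2.100)",
    ]
    for line in samples:
        print(f"{line!r}: affected={is_affected(line)}")
```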
RISK
GOVERNMENT
  Large and medium government entities: High
  Small government entities: High
BUSINESS
  Large and medium business entities: High
  Small business entities: High
Home Users: Low
Description: 

Cisco ASA Software, Cisco ASA FirePOWER Services and Cisco ASA CX Services are prone to multiple vulnerabilities that could allow for complete system compromise or denial of service.

Cisco ASA Software is prone to the following vulnerabilities:

  • Improper handling of secured failover communication messages when the failover IPsec feature is configured may allow an unauthenticated, remote attacker to completely compromise the system. (CVE-2015-0675)
  • Improper processing of DNS packets may allow an unauthenticated, remote attacker to cause denial-of-service conditions. (CVE-2015-0676)
  • Insufficient hardening of the XML parser configuration may allow an unauthenticated, remote attacker to cause denial-of-service conditions. (CVE-2015-0677)

Cisco ASA FirePOWER Services and Cisco ASA CX Services are prone to the following vulnerability:

  • Improper handling of crafted packets sent at a high rate to the management interface may allow an unauthenticated, remote attacker to cause denial-of-service conditions. (CVE-2015-0678)
Actions: 

We recommend the following action be taken:

  • Apply the software updates provided by Cisco, or the workarounds that mitigate these vulnerabilities, immediately after appropriate testing.