Cisco Warns Of Appliance Vulnerabilities

Tom Jowitt,
cisco

Cisco warns customers of potential denial of service and DNS vulnerabilities in its kit

Networking giant Cisco has issued warnings about potential vulnerabilities in its email security appliance and Web security appliances.

The company did issue a patch for one appliance, hours after Microsoft delivered its monthly Patch Tuesday update, which is sure to add to the workload of IT management teams.

One Patch

The first vulnerability concerns the DNS resolution function of the Cisco Web Security Appliance (WSA). This flaw could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition due to DNS name resolution failing through the device.

appleCisco blamed this vulnerability on the handling of DNS requests awaiting a DNS response when new, incoming DNS requests are received. “An attacker could exploit this vulnerability by sending TCP proxy traffic to the WSA at a high rate. An exploit could allow the attacker to cause a partial DoS condition because DNS name resolution fails, which results in the client receiving a HTTP 503 ‘Service Unavailable’ error,” said the networking giant.

A patch is available to fix this flaw.

The second vulnerability is a bit more problematic, as Cisco says there are currently no available software updates.

No Patches

This flaw has to do with the Cisco Email Security Appliance (ESA), which apparently “contains a vulnerability that could allow an unauthenticated, remote attacker to impact the integrity and availability of services and data on the affected device. The impact includes a partial denial of service (DoS). In addition, the attacker could override part of the memory of the affected device.”

Cisco blamed this flaw on an improper validation of string input in the web application. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. As there are no fixes as of yet, the company advises administrators to contact Cisco directly, and also to consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

The third vulnerability also has no software updates to tackle it. This flaw is located in the web interface of the Cisco Web Security Appliance (WSA). It could potentially allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition due to memory management failures during processing of TCP connections.

“The vulnerability is due to the improper handling of a malformed HTTP server responses,” said Cisco. “An unauthenticated, remote attacker with a privileged network position could exploit the vulnerability by conducting a man-in-the-middle (MitM) attack and supplying malformed HTTP server responses to the vulnerable device.”

A successful exploit could allow the attacker to cause the device to improperly close TCP connections and fail to free memory resources, resulting in a partial DoS condition.

Again, Cisco said that administrators should consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems. It also said that physical security measures should be implemented for production servers.

Earlier in the summer, Cisco released a patch for three of its virtual appliances after it was discovered they contain default, authorised SSH keys that could allow an attacker virtually complete access to compromised systems.

That vulnerability affected all of Cisco’s Web Security Virtual Appliances (WSAv), Email Security Virtual Appliances (ESAv), and Content Security Management Virtual Appliances (SMav), and was found by Cisco during internal tests.

Take our hacking and viruses quiz here!