What Are They?
The vulnerabilities sit in different parts of the ASA software: one in the VPN (IKE) code, two in the DHCPv6 relay and two in DNS. In each case an attacker could use specially crafted packets to cause the ASA to reload (reboot). Provided the running configuration had been saved to the startup configuration (write memory) there would be no loss of configuration; the device simply reboots, although any unsaved configuration changes would be lost. However, while it is reloading the ASA passes no traffic, so users would most likely lose network or internet access for the duration of the reboot.
What’s the risk?
In all cases these vulnerabilities can be exploited by a remote, unauthenticated attacker simply by sending specially crafted IKE (UDP), DNS or DHCPv6 packets to the ASA. The impact of a single reload is relatively low, but nothing stops an attacker repeating it, so the practical risk is a sustained Denial of Service in which the ASA is reloaded again each time it comes back up.
Which ASAs are affected?
The following models of ASA have the potential to be affected, depending on the exact version of the ASA software they are running:
- Cisco ASA 1000V Cloud Firewall
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco FirePOWER 9300 ASA Security Module
Please refer to the table below to work out whether your ASA is affected. For each major release of the ASA software listed in the left-hand column, the right-hand column details which minor releases are affected by one or more of these vulnerabilities.
What do I need to do?
Waterstons strongly recommends upgrading, or migrating, all affected ASA software versions as soon as possible. The table below details the action recommended by Cisco for each major release the ASA may currently be running: upgrade to the first fixed release within that release train or, where the train has no fixed release, migrate to a release train that does.
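The check described above (find the release train from the ASA's version, then compare against the first fixed release for that train, or migrate if the train has none) can be automated over "show version" output. The script below is an added example written for this page; it is not Waterstons' or Cisco's code. The first-fixed mapping it uses is a constructed placeholder, as is the sample "show version" text: replace the mapping with the values from the Cisco advisory tables before relying on it. The one subtlety it handles is that ASA versions such as 9.1(6)10 must be compared numerically field by field, since a plain string comparison would rank 9.1(6)8 above 9.1(6)10.

```python
import re

# Matches the banner line of ASA "show version" output, e.g.
#   Cisco Adaptive Security Appliance Software Version 9.1(5)21
# Fields: major.minor(maintenance)interim, interim being optional.
VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+"
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\)(?P<interim>\d+)?"
)


def parse_asa_version(show_version_text):
    """Return (major, minor, maintenance, interim) from 'show version' output, or None."""
    m = VERSION_RE.search(show_version_text)
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")),
            int(m.group("maint")), int(m.group("interim") or 0))


def parse_version_string(s):
    """Parse the short form used in Cisco release tables, e.g. '9.1(6)10' or '9.4(2)'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)(\d+)?", s.strip())
    if not m:
        raise ValueError("bad ASA version string: %r" % s)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))


def assess(show_version_text, first_fixed):
    """
    Classify an ASA from its 'show version' text and a mapping of release train
    ("<major>.<minor>") to the first fixed release in that train, or None when
    the train has no fix and the device must be migrated.

    Returns "not-affected", "affected-upgrade", "affected-migrate" or "unknown".
    """
    ver = parse_asa_version(show_version_text)
    if ver is None:
        return "unknown"            # could not read a version at all
    train = "%d.%d" % (ver[0], ver[1])
    if train not in first_fixed:
        return "unknown"            # train not covered by the supplied table
    fixed = first_fixed[train]
    if fixed is None:
        return "affected-migrate"   # no fixed release exists in this train
    # Tuples compare element by element, so 9.1(6)10 correctly ranks above 9.1(6)8.
    return "not-affected" if ver >= parse_version_string(fixed) else "affected-upgrade"


# Constructed placeholder table (NOT from the Cisco advisories). Replace every
# entry with the first fixed release given in the advisory for that train;
# None marks a train that has no fix and must be migrated.
EXAMPLE_FIRST_FIXED = {
    "8.4": None,
    "9.1": "9.1(6)10",
    "9.4": "9.4(2)",
}

# Constructed sample of the first lines of "show version" output.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.1(5)21
Device Manager Version 7.1(6)
"""

if __name__ == "__main__":
    print(parse_asa_version(SAMPLE_SHOW_VERSION))
    print(assess(SAMPLE_SHOW_VERSION, EXAMPLE_FIRST_FIXED))
```

In practice the "show version" text would be collected from each managed ASA (for example over SSH) and the result recorded per device, so that every unit classified as affected-upgrade or affected-migrate is scheduled into an outage window.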
Waterstons will be contacting all of our affected Managed Services clients in due course to arrange remediation work and any outage windows required as a result of this.
If you have any queries or concerns then please don't hesitate to contact either the Service Desk or the main office.
More information about the vulnerabilities can be found at the links below:
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150115-asa-dhcp
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-dhcp1
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-dns1
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-dns2
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-ike