
Extensive Vulnerability (DoS) on PIX / ASA

I would like to warn owners of PIX / ASA devices (before the thunder strikes) about a fairly extensive DoS vulnerability:
www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
(see the section titled “Crafted TCP Packet DoS Vulnerability”).

The vulnerability is very real and can be reproduced by any script kiddie, which is distressing. The script published on milw0rm brings down almost any PIX / ASA (leaving it in an insane state) in literally 5-7 minutes.
The TCP ports of the following services, when open to the Internet, are affected:
- SSL VPNs
- ASDM Administrative Access
- Telnet Access
- SSH Access
- cTCP for Remote Access VPNs
- Virtual Telnet
- Virtual HTTP
- TLS Proxy for Encrypted Voice Inspection
- Cut-Through Proxy for Network Access
- TCP Intercept

Fixed software versions became available through the official CCO yesterday; before that, since the publication of the Security Advisory, they were available only through PSIRT.


Source: https://habr.com/ru/post/58599/

