News

Cisco Warns of ASA, PIX Flaws

Cisco Systems Inc. last week warned of multiple vulnerabilities in its Cisco ASA 5500 Series and Cisco PIX security appliances that could trigger denial of service (DoS) or result in information disclosure.

Cisco identified five flaws, all of which are independent of one another.

An attacker who successfully exploits four of the new issues -- an erroneous SIP processing vulnerability, an IPSec client authentication processing vulnerability, an SSL VPN memory leak vulnerability or an SSL VPN URI processing error vulnerability -- can trigger a device reboot. An attacker who repeatedly causes a device to reboot can effect a DoS attack, Cisco warned.

The information disclosure vulnerability stems from a flaw in the way in which the affected Cisco devices handle clientless SSL VPN sessions. An attacker who successfully exploits this vulnerability could obtain user and group credentials, assuming that he or she somehow turns up a "rogue system or document."

The vulnerabilities were privately reported by customers, according to Cisco.

Cisco has released software updates for both its ASA and PIX platforms.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Featured

  • The 2021 Microsoft Product Roadmap

    From Windows 10X to the next generation of Microsoft's application server products, here are the product milestones coming down the pipeline in 2021.

  • After High-Profile Attacks, Biden Calls for Better Software Security

    Recent high-profile security attacks have prompted the Biden administration to issue an executive order aiming to tighten software security practices across the board.

  • With Hybrid Networks on Rise, Microsoft Touts Zero Trust Security

    Hybrid networks, which combine use of cloud services with on-premises software, require a "zero trust" security approach, Microsoft said this week.

  • Feds Advise Orgs on How To Block Ransomware Amid Colonial Pipeline Attack

    A recent ransomware attack on a U.S. fuel pipeline company has put a spotlight on how "critical infrastructure" organizations can prevent similar attacks.