Cisco PIX and ASA TCP Traffic Inspection Denial of Service Vulnerability

Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances (ASA) contain a vulnerability that could allow an unauthenticated, remote attacker to crash an affected device, causing a denial of service (DoS) condition.

This vulnerability exists due to insufficient handling of malformed TCP packet streams. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted series of packets to the affected device. This could allow an attacker to crash the device, resulting in a DoS condition.

Cisco confirmed this vulnerability in a security advisory and released updated software.

For a system to be vulnerable, it must be configured for inspection of a TCP-based protocol. This is done using the inspect command and specifying any application that uses the TCP protocol. This would include FTP and HTTP, which are both TCP based and are configured for inspection by default. Affected devices are vulnerable in their default configurations.

Because the affected devices are typically deployed along the perimeter of a corporate site, they may be vulnerable to attack if they have ports open for traffic from untrusted users. This would include allowing traffic in to access a web or FTP server. Fortunately, there is a workaround that fixes this problem. All administrators are advised to configure this workaround
at their earliest convenience.