<p><strong>Cisco Security Advisory</strong> (RSS feed: <a href="http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml">http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml</a>). Security Advisories, Cisco Systems, Inc. 1992-2010 Cisco Systems, Inc. All rights reserved.</p>

<p><strong>OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products</strong></p>
<p>Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of up to 64 kilobytes from a connected client or server.</p>
<p>The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension: the responder copies back as many bytes as the 16-bit payload length field of the heartbeat message declares, without verifying that the received record actually contains that many bytes. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, when targeting an affected server, or a malicious TLS or DTLS server, when targeting an affected client, and sending a specially crafted TLS or DTLS heartbeat packet to the connected peer. Every heartbeat packet sent discloses a limited portion of memory from the connected client or server, and the disclosed memory could contain sensitive information, including private keys and passwords.</p>
<p>Please note that the devices affected by this vulnerability are those acting as an SSL server terminating SSL connections or as an SSL client initiating an SSL connection. Devices that are simply traversed by SSL traffic without terminating it are not affected.</p>
<p>This advisory will be updated as additional information becomes available. Cisco will release free software updates that address this vulnerability. Workarounds that mitigate this vulnerability may be available. This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed</a></p>
<p>Date: Fri, 18 Apr 2014 18:38:52 PDT</p>

<p><strong>Multiple Vulnerabilities in Cisco ASA Software</strong></p>
<p>Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:</p>
<ul> <li>Cisco ASA ASDM Privilege Escalation Vulnerability</li> <li>Cisco ASA SSL VPN Privilege Escalation Vulnerability</li> <li>Cisco ASA SSL VPN Authentication Bypass Vulnerability</li> <li>Cisco ASA SIP Denial of Service Vulnerability</li> </ul>
<p>These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.</p>
<p>Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability or the Cisco ASA SSL VPN Privilege Escalation Vulnerability may allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.</p>
<p>Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the internal network via SSL VPN.</p>
<p>Successful exploitation of the Cisco ASA SIP Denial of Service Vulnerability may exhaust available memory. This may cause system instability and in some cases lead to a reload of the affected system, creating a denial of service (DoS) condition.</p>
<p>Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available. This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa</a></p>
<strong>Note:</strong> This security advisory does not provide information about the OpenSSL TLS Heartbeat Read Overrun Vulnerability identified by CVE-2014-0160 (also known as <em>Heartbleed</em>).
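The Heartbleed advisory above attributes the leak to a missing bounds check on the heartbeat payload length. The C program below is an added example, not code from Cisco or from OpenSSL: it models the TLS heartbeat handler before and after the fix. The vulnerable version copies as many bytes as the peer's length field asks for, the fixed version applies the record-length check that OpenSSL 1.0.1g introduced. The simulated process memory, the secret placed behind the record, and the 4-byte request that claims 64 bytes are all constructed for the demonstration.

```c
/* Model of the OpenSSL 1.0.1 TLS heartbeat handler before and after the
 * CVE-2014-0160 fix. Added example, not Cisco's or OpenSSL's code. "Process
 * memory" is a flat byte array so the over-read stays inside defined storage. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */

/* Constructed memory: the received record goes at the front and unrelated
 * data (standing in for key material) sits directly behind it. */
static unsigned char g_memory[256];
static const char SECRET[] = "PRIVATE-KEY-MATERIAL";   /* constructed value */

/* Build a heartbeat record: type(1) | payload_length(2) | payload | padding.
 * claimed_len goes into the length field; real_len is how many payload bytes
 * are actually sent. A malicious peer makes claimed_len much larger. */
static size_t build_record(unsigned char *buf, uint16_t claimed_len,
                           const unsigned char *payload, size_t real_len)
{
    buf[0] = TLS1_HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, real_len);
    memset(buf + 3 + real_len, 0, HB_PADDING);
    return 3 + real_len + HB_PADDING;     /* length of the record received */
}

/* Vulnerable handler (OpenSSL 1.0.1 through 1.0.1f): echoes 'payload' bytes
 * using only the length field in the message, never the received length. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out)
{
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2]; /* attacker-controlled */
    (void)rec_len;                        /* the bug: rec_len is never consulted */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    out[0] = TLS1_HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);    /* reads past the end of the record */
    memset(out + 3 + payload, 0, HB_PADDING); /* OpenSSL uses random padding */
    return 3 + payload + HB_PADDING;
}

/* Fixed handler (OpenSSL 1.0.1g): a request whose declared payload does not
 * fit inside the received record is silently discarded. Returns 0 on drop. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out)
{
    unsigned int payload;
    if (1 + 2 + HB_PADDING > rec_len) return 0;   /* cannot even hold a length */
    payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0; /* the missing check */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    out[0] = TLS1_HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Lay out memory: a 4-byte heartbeat claiming 64 bytes, secret right after it. */
static size_t stage_malicious_request(void)
{
    static const unsigned char ping[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len;
    memset(g_memory, 0, sizeof g_memory);
    rec_len = build_record(g_memory, 64, ping, sizeof ping);  /* claims 64, sends 4 */
    memcpy(g_memory + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Number of SECRET bytes the vulnerable handler echoes back to the peer. */
size_t secret_bytes_leaked(void)
{
    unsigned char resp[3 + 64 + HB_PADDING];
    size_t rec_len = stage_malicious_request();
    size_t n = heartbeat_vulnerable(g_memory, rec_len, resp), i;
    for (i = 3; i + sizeof SECRET - 1 <= n; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0)
            return sizeof SECRET - 1;
    return 0;
}

/* 1 if the fixed handler drops the same request, 0 if it answers it. */
int fixed_handler_drops_request(void)
{
    unsigned char resp[3 + 64 + HB_PADDING];
    size_t rec_len = stage_malicious_request();
    return heartbeat_fixed(g_memory, rec_len, resp) == 0;
}

int main(void)
{
    printf("vulnerable handler leaked %zu secret bytes\n", secret_bytes_leaked());
    printf("fixed handler dropped the request: %d\n", fixed_handler_drops_request());
    return 0;
}
```

Built with any C99 compiler, the program reports that the vulnerable handler echoes all 20 bytes of the constructed secret (it sits inside the 64-byte over-read) while the fixed handler drops the request. A real peer can claim up to 65535 bytes per heartbeat, which is where the advisory's 64-kilobyte figure comes from; OpenSSL also fills the response padding with random bytes, which the model replaces with zeros for determinism.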
For additional information regarding Cisco products affected by this vulnerability, refer to the Cisco Security Advisory at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed</a>
<p>Date: Fri, 18 Apr 2014 15:52:25 PDT</p>

<p><strong>Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability</strong></p>
<p>A vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device. To exploit this vulnerability, affected devices must be configured to process SIP messages. Only a limited number of Cisco IOS Software and Cisco IOS XE Software releases are affected.</p>
<p>Cisco has released free software updates that address this vulnerability. There are no workarounds for devices that must run SIP; however, mitigations are available to limit exposure to this vulnerability.</p>
<p>This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-sip">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-sip</a></p>
<p><strong>Note:</strong> The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.</p>
<p>Individual publication links are in <em>Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication</em> at the following link:</p>
<p><a href="http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html">http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html</a></p>
<p>Date: Mon, 31 Mar 2014 13:46:38 PDT</p>

<p><strong>Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks Denial of Service Vulnerability</strong></p>
<p>A vulnerability in the Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks, models RSP720-3C-10GE and RSP720-3CXL-10GE, could allow an unauthenticated, remote attacker to cause the route processor to reboot or stop forwarding traffic. The vulnerability is due to an issue in the Kailash field-programmable gate array (FPGA) versions prior to 2.6.</p>
<p>Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.</p>
<p>This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-RSP72010GE">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-RSP72010GE</a></p>
<p><strong>Note:</strong> This advisory is part of the March 26, 2014, Cisco IOS Software Security Advisory bundled publication; see the note and the <em>Cisco Event Response</em> link under the Cisco IOS Software SIP advisory above.</p>
<p>Date: Wed, 26 Mar 2014 16:00:00 PDT</p>

<p><strong>Cisco IOS Software Network Address Translation Vulnerabilities</strong></p>
<p>The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities in the translation of IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.</p>
<p>Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities.</p>
<p>This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat</a></p>
<p><strong>Note:</strong> This advisory is part of the March 26, 2014, Cisco IOS Software Security Advisory bundled publication; see the note and the <em>Cisco Event Response</em> link under the Cisco IOS Software SIP advisory above.</p>
<p>Date: Wed, 26 Mar 2014 16:00:00 PDT</p>

<p><strong>Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability</strong></p>
<p>A vulnerability in the implementation of the IP version 6 (IPv6) protocol stack in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause I/O memory depletion on an affected device that has IPv6 enabled. The vulnerability is triggered when an affected device processes a malformed IPv6 packet.</p>
<p>Cisco has released free software updates that address this vulnerability.</p>
<p>There are no workarounds to mitigate this vulnerability.</p>
<p>This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ipv6">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ipv6</a></p>
<p><strong>Note:</strong> This advisory is part of the March 26, 2014, Cisco IOS Software Security Advisory bundled publication; see the note and the <em>Cisco Event Response</em> link under the Cisco IOS Software SIP advisory above.</p>
<p>Date: Wed, 26 Mar 2014 16:00:00 PDT</p>

<p><strong>Cisco IOS Software SSL VPN Denial of Service Vulnerability</strong></p>
<p>A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.</p>
<p>The vulnerability is due to a failure to process certain types of HTTP requests correctly. To exploit the vulnerability, an attacker could submit crafted HTTP requests, designed to consume memory, to an affected device. A successful exploit could allow the attacker to consume and fragment memory on the affected device, which may cause reduced performance, a failure of certain processes, or a restart of the affected device.</p>
<p>Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.</p>
<p>This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn</a></p>
<p><strong>Note:</strong> This advisory is part of the March 26, 2014, Cisco IOS Software Security Advisory bundled publication; see the note and the <em>Cisco Event Response</em> link under the Cisco IOS Software SIP advisory above.</p>
<p>Date: Wed, 26 Mar 2014 16:00:00 PDT</p>

<p><strong>Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability</strong></p>
<p>A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device, leading to a denial of service (DoS) condition.</p>
<p>The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device for processing; a successful exploit could cause the device to reload.</p>
<p>Note that IKEv2 is automatically enabled on Cisco IOS Software and Cisco IOS XE Software devices when the Internet Security Association and Key Management Protocol (ISAKMP) is enabled, so a device does not need an explicit IKEv2 configuration to be exposed. Only malformed IKEv2 packets can trigger this vulnerability; IKEv1 packets cannot.</p>
<p>Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.</p>
<p>This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ikev2">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ikev2</a></p>
<p><strong>Note:</strong> This advisory is part of the March 26, 2014, Cisco IOS Software Security Advisory bundled publication; see the note and the <em>Cisco Event Response</em> link under the Cisco IOS Software SIP advisory above.</p>
<p>Date: Wed, 26 Mar 2014 16:00:00 PDT</p>

<p><strong>Cisco AsyncOS Software Code Execution Vulnerability</strong></p>
<p>Cisco AsyncOS Software for the Cisco Email Security Appliance (ESA) and the Cisco Content Security Management Appliance (SMA) contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary code with the privileges of the <em>root</em> user.</p>
<p>Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.</p>
<p>This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140319-asyncos">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140319-asyncos</a></p>
<p>Date: Wed, 19 Mar 2014 16:00:00 PDT</p>

<p><strong>Undocumented Test Interface in Cisco Small Business Devices</strong></p>
<p>An undocumented test interface in the Cisco WAP4410N Wireless-N Access Point, the Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router could allow an unauthenticated, remote attacker to gain <em>root</em>-level access to an affected device.</p>
<p>Cisco will release free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.</p>
<p>This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd</a></p>
<p>Date: Fri, 14 Mar 2014 21:18:05 PDT</p>

<p><strong>Cisco Prime Infrastructure Command Execution Vulnerability</strong></p>
<p>A vulnerability in Cisco Prime Infrastructure could allow an authenticated, remote attacker to execute arbitrary commands with <em>root</em>-level privileges.</p>
<p>The vulnerability is due to improper validation of URL requests. An attacker could exploit this vulnerability by requesting an unauthorized command via a specific URL. Successful exploitation could allow an authenticated attacker to execute system commands with <em>root</em>-level privileges.</p>
<p>Cisco has released free software updates that address this vulnerability. A software patch that addresses this vulnerability in all affected versions is also available. Workarounds that mitigate this vulnerability are not available.</p>
<p>This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140226-pi">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140226-pi</a></p>
<p>Date: Thu, 13 Mar 2014 19:31:36 PDT</p>

<p><strong>Cisco IOS Software Resource Reservation Protocol Interface Queue Wedge Vulnerability</strong></p>
<p>A vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger an interface queue wedge on the affected device.</p>
<p>The vulnerability is due to improper parsing of RSVP packets carried over UDP. An attacker could exploit this vulnerability by sending RSVP packets to UDP port 1698 on the vulnerable device. A successful exploit could cause Cisco IOS Software and Cisco IOS XE Software to incorrectly process incoming packets, resulting in an interface queue wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other denial of service (DoS) conditions.</p>
<p>Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.</p>
<p>This advisory is available at the following link:<br /> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-rsvp">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-rsvp</a></p>
<p><strong>Note:</strong> The September 25, 2013, Cisco IOS Software Security Advisory bundled publication includes eight Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2013 bundled publication.</p>
<p>Individual publication links are in <em>Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication</em> at the following link:</p>
<p><a href="http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep13.html">http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep13.html</a></p>
<p>Date: Wed, 12 Mar 2014 12:54:33 PDT</p>