Cisco ASA CX Context-Aware Security software and Cisco Prime Security Manager contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.
Cisco ASA CX Context-Aware Security software and Cisco Prime Security Manager (PRSM) contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted device.
The vulnerability is due to improper log management by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by sending a high rate of packets to the management interface of the Cisco ASA CX or Cisco PRSM device. A successful exploit of a Cisco ASA CX device could allow the attacker to cause the device to stop processing legitimate user traffic and affect user access to the management interface. A successful exploit of a Cisco PRSM device could cause the device to become unresponsive to legitimate user traffic and unavailable for managing Cisco ASA CX devices.
Cisco has confirmed this vulnerability and released software updates.
Cisco ASA CX Context-Aware Security and PRSM software versions prior to 9.0.2-103 are vulnerable.
Attackers do not require authentication to exploit this vulnerability, but may require access to trusted, internal networks to establish a connection with the affected device. This access requirement may reduce the likelihood of a successful exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
The Cisco ASA CX Context-Aware Security add-on services module extends the ASA platform with context-aware capabilities. The Cisco Prime Security Manager (PRSM) is the management platform for managing multiple Cisco ASA CX devices.
If a customer device has been affected by this vulnerability and /var/log is 100 percent utilized, the customer should contact the Cisco Technical Assistance Center; applying the software updates will not be sufficient to restore service.
An unauthenticated, remote attacker could exploit this vulnerability to cause the Cisco ASA CX or PRSM device to stop responding to legitimate user traffic, affecting user access to the management interface and to the PRSM tool used to manage ASA CX devices.
The vulnerability exists because the affected software improperly manages log retention, allowing the /var/log partition to grow until it is 100 percent utilized.
An unauthenticated, remote attacker could exploit this vulnerability by sending a high rate of packets to the management interface of the Cisco ASA CX or Cisco PRSM device. When the packets are processed by the affected software, the /var/log partition could completely fill. This condition could cause the device to become unresponsive to legitimate user traffic and affect user access to the management interface of an ASA CX device, or it could cause a PRSM device to become unresponsive and unavailable for managing an ASA CX device. Successful exploitation could allow an attacker to consume excessive system resources, resulting in a DoS condition.
Administrators are advised to apply the appropriate updates.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators are advised to monitor critical systems.
If customers have been impacted by this vulnerability on a Cisco ASA CX device and user traffic has been interrupted, administrators may consider removing the Modular Policy Framework (MPF) configuration on the Cisco ASA that directs user traffic to the ASA CX module. Removing the MPF configuration will cause user traffic to bypass the ASA CX module and flow through the Cisco ASA, restoring user service.
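As an added example (not Cisco's code and not part of the advisory), a monitoring check for the failure mode described above: it parses `df -P` style output, finds the filesystem that holds /var/log, and estimates from two samples how soon it will fill, so an administrator can act before the 100 percent condition that requires Cisco TAC assistance. The df output inside is constructed; the 80 percent warning threshold and the 10 minute sample interval are assumptions.

```python
from __future__ import annotations
# Added example, not Cisco's code. Constructed `df -P` samples, 10 minutes apart.
INTERVAL_MIN = 10
DF_T0 = """\
Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/sda1          4096000 1024000   3072000      25% /
/dev/sda3          2048000 1536000    512000      75% /var/log
"""
DF_T1 = """\
Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/sda1          4096000 1024000   3072000      25% /
/dev/sda3          2048000 1843200    204800      90% /var/log
"""

def parse_df(output: str) -> dict[str, tuple[int, int]]:
    """Map mount point -> (total_kb, used_kb) from `df -P` output; header skipped."""
    mounts: dict[str, tuple[int, int]] = {}
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6:
            mounts[" ".join(fields[5:])] = (int(fields[1]), int(fields[2]))
    return mounts

def mount_for(path: str, mounts: dict[str, tuple[int, int]]) -> str:
    """Longest-prefix match: the mount point whose filesystem holds `path`."""
    best = "/"
    for m in mounts:
        if (path == m or path.startswith(m.rstrip("/") + "/")) and len(m) > len(best):
            best = m
    return best

def minutes_to_full(path: str, t0: dict, t1: dict, interval_min: float) -> float | None:
    """Linear estimate of minutes until 100% full; None if usage is not growing."""
    total, used0 = t0[mount_for(path, t0)]
    _, used1 = t1[mount_for(path, t1)]
    growth = used1 - used0
    if growth <= 0:
        return None
    return (total - used1) / growth * interval_min

def check_var_log(df_t0: str, df_t1: str, interval_min: float, warn_pct: float = 80.0) -> str:
    """Return 'ok', 'warning' or 'critical' for the filesystem holding /var/log."""
    m0, m1 = parse_df(df_t0), parse_df(df_t1)
    total, used = m1[mount_for("/var/log", m1)]
    pct = 100.0 * used / total
    eta = minutes_to_full("/var/log", m0, m1, interval_min)
    if pct >= 100.0 or (eta is not None and eta <= interval_min):
        return "critical"  # already full, or will fill before the next sample
    return "warning" if pct >= warn_pct else "ok"
```

Run it periodically (for example from cron) against fresh `df -P` output and alert on "warning" or "critical"; the rate-based estimate catches a fast fill from a packet flood long before a static threshold would.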
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco.
Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at email@example.com.
The security vulnerability applies to the following combinations of products.
Cisco ASA-CX Software: 9.0.1-40, 9.0.2-68
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.