Cisco ASA-CX and Cisco PRSM Log Retention Denial of Service Vulnerability
Advisory ID: cisco-sa-20120912-asacx · Severity: High
Cisco ASA-CX Context-Aware Security appliance and Cisco Prime Security Manager (PRSM) contain a denial of service (DoS) vulnerability in versions prior to 9.0.2-103. Successful exploitation of this vulnerability on the Cisco ASA-CX could cause the device to stop processing user traffic and prevent management access to the Cisco ASA-CX. Successful exploitation of this vulnerability on the Cisco PRSM could cause the software to become unresponsive and unavailable. There are no workarounds for this vulnerability, but some mitigations are available. Cisco has released software updates that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120912-asacx
If the vulnerability has been exploited on the Cisco ASA-CX and user traffic is interrupted, the Modular Policy Framework (MPF) configuration on the Cisco ASA that redirects user traffic to the Cisco ASA-CX can be removed as a mitigation. All user traffic then bypasses Cisco ASA-CX module inspection and passes through the Cisco ASA unchanged.
The following example shows how to disable the redirecting of web traffic to the Cisco ASA-CX from the Cisco ASA firewall:
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# no cxsc
There are no similar mitigations available for Cisco Prime Security Manager.
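The following Python audit script is an added example and is not Cisco's tooling or part of the advisory. It covers two checks a defender would want from the text above: whether a reported ASA-CX/PRSM version is older than the first fixed release 9.0.2-103, and which policy-map classes in an ASA running-config still carry a `cxsc` action (the redirection the mitigation removes), emitting the corresponding `no cxsc` lines. It assumes the standard ASA text-config layout (`policy-map` at column 0, `class` indented one space, actions indented two spaces, `service-policy` bindings at column 0); the sample configuration embedded below is constructed for illustration.

```python
"""Audit an ASA running-config for ASA-CX (cxsc) redirection and check versions.

Added example for cisco-sa-20120912-asacx; not Cisco code. Assumes the usual
ASA config indentation (policy-map / class / action) and that 'cxsc ...' is the
action that hands a class's traffic to the ASA-CX module.
"""
import re
from dataclasses import dataclass

# First fixed ASA-CX / PRSM release named in the advisory.
FIXED_VERSION = "9.0.2-103"


def parse_version(v: str) -> tuple:
    """Turn '9.0.2-103' into (9, 0, 2, 103) so versions compare in order."""
    return tuple(int(p) for p in re.split(r"[.-]", v.strip()))


def is_vulnerable_version(v: str) -> bool:
    """True when the running release is older than the first fixed release."""
    return parse_version(v) < parse_version(FIXED_VERSION)


@dataclass(frozen=True)
class CxRedirect:
    policy_map: str
    class_name: str
    action: str      # the full action line, e.g. 'cxsc fail-open'
    applied: bool    # True if a service-policy line binds this policy-map


def find_cx_redirects(config: str) -> list:
    """Return every 'cxsc' action found under a policy-map class."""
    # Policy-maps bound to an interface or globally via service-policy.
    applied = set()
    for line in config.splitlines():
        m = re.match(r"service-policy (\S+)", line)
        if m:
            applied.add(m.group(1))

    redirects = []
    pmap = cls = None
    for raw in config.splitlines():
        line = raw.rstrip()
        indent = len(line) - len(line.lstrip(" "))
        tokens = line.split()
        if not tokens:
            continue
        if indent == 0:
            # 'policy-map type inspect ...' maps cannot carry cxsc; skip them.
            pmap = tokens[1] if tokens[0] == "policy-map" and tokens[1] != "type" else None
            cls = None
        elif indent == 1 and pmap and tokens[0] == "class":
            cls = " ".join(tokens[1:])
        elif indent >= 2 and pmap and cls and tokens[0] == "cxsc":
            redirects.append(CxRedirect(pmap, cls, " ".join(tokens), pmap in applied))
    return redirects


def mitigation_commands(redirects: list) -> list:
    """Emit the advisory's mitigation for each hit: 'no cxsc' under the class."""
    cmds = []
    for r in redirects:
        cmds += [f"policy-map {r.policy_map}", f" class {r.class_name}", "  no cxsc"]
    return cmds


# Constructed sample running-config (not from a real device).
CONSTRUCTED_CONFIG = """\
class-map http_traffic
 match port tcp eq 80
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map http_traffic_policy
 class http_traffic
  cxsc fail-open
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
service-policy http_traffic_policy interface outside
"""

if __name__ == "__main__":
    for ver in ("9.0.1-40", "9.0.2-103"):
        print(f"{ver}: {'vulnerable' if is_vulnerable_version(ver) else 'fixed'}")
    hits = find_cx_redirects(CONSTRUCTED_CONFIG)
    for h in hits:
        print(f"{h.policy_map} / {h.class_name}: {h.action} (applied={h.applied})")
    print("\n".join(mitigation_commands(hits)))
```

Run it against a saved `show running-config` instead of the constructed sample to list every class whose traffic is still being redirected; the `applied` flag distinguishes policy-maps that are actually bound by a `service-policy` from ones that are defined but inert.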