
Cisco Adaptive Security Appliance CX Context-Aware Security Denial of Service Vulnerability

cisco-sa-20170125-cas · High

A vulnerability in the data plane IP fragment handler of the Adaptive Security Appliance (ASA) CX Context-Aware Security module could allow an unauthenticated, remote attacker to cause the CX module to be unable to process further traffic, resulting in a denial of service (DoS) condition. The vulnerability is due to improper handling of IP fragments. An attacker could exploit this vulnerability by sending crafted fragmented IP traffic across the CX module. An exploit could allow the attacker to exhaust free packet buffers in shared memory (SHM), causing the CX module to be unable to process further traffic, resulting in a DoS condition. Cisco has not released and will not release software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-cas

Workarounds

There are no workarounds that address this vulnerability. The following mitigation helps limit exposure to this vulnerability.

Configure ASA to drop any IP fragments it receives as follows:

ASA# conf t
ASA(config)# fragment chain 1
ASA(config)# exit

Caution: Please note that this can be configured globally only, so it will affect all user traffic passing across the ASA, not only traffic specifically directed toward the Cisco ASA CX module. This configuration will result in all IP fragments being dropped by the ASA, even if this traffic will not be handled by the ASA CX module.

CVEs: CVE-2016-9225
Cisco Bug IDs: CSCva62946
CVSS Score: Base 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X)
Product Names From Source: Cisco ASA CX Context-Aware Security Software

Related Products

Product                                            | CVE           | Evidence
Cisco RV Series Routers                            | CVE-2016-9225 | Cisco OpenVuln
Cisco Nexus Dashboard                              | CVE-2016-9225 | Cisco OpenVuln
Cisco Adaptive Security Appliance (ASA) Software   | CVE-2016-9225 | Cisco OpenVuln
Cisco ASA CX Context-Aware Security Software       | CVE-2016-9225 | Cisco OpenVuln