Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory:
1. Enhanced Inspection of Malformed HTTP Traffic May Cause Reload
It is possible to mitigate this vulnerability by disabling enhanced
inspection of HTTP traffic. Please note that disabling enhanced HTTP inspection
will prevent the FWSM from protecting against specific attacks and other
threats that may be associated with HTTP traffic. Enhanced inspection of HTTP
traffic is disabled by removing the command inspect http <appfw> from the
configuration, where appfw is the name of an HTTP map.
For further information about the inspect http <appfw> command and the type
of checks it performs on HTTP traffic, please see the documentation for this
command at:
Please note that the command inspect http (without an HTTP map) can be left
in the configuration; the device is not affected by this vulnerability when
HTTP inspection runs without an HTTP map.
2. Inspection of Malformed SIP Messages May Cause Reload
It is possible to mitigate this vulnerability by disabling deep packet
inspection ("fixup" in software versions prior to 3.x, "inspect" in software
versions 3.x and later) of SIP messages. In FWSM software 2.x and earlier, it is
necessary to use both no fixup protocol sip and no fixup protocol sip udp to
stop deep packet inspection of SIP messages over TCP and UDP transport (in
FWSM 3.x and later, no inspect sip alone stops deep packet inspection of SIP
messages over both TCP and UDP). Note, however, that this may have a negative
impact on devices terminating SIP sessions: SIP traffic will no longer undergo
stateful application inspection, and devices which terminate sessions for this
protocol will be exposed to packets that may cause them to crash or become
compromised.
If you are running a 3.x FWSM software release, the alternative is to
restrict SIP inspection to traffic from trusted hosts. The configuration to
accomplish this is as follows:
access-list sip-acl extended permit udp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq sip
access-list sip-acl extended permit udp host 192.168.5.4 10.1.1.0 255.255.255.0 eq sip
! <sip-class> is a class-map name of your choosing
class-map <sip-class>
 match access-list sip-acl
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect h323 h225
  inspect h323 ras
 class <sip-class>
  inspect sip
service-policy global_policy global
In this example the SIP endpoints are any host within the 10.1.1.0 network
(inside the trusted network) and a host with the IP address 192.168.5.4
(outside the trusted network). You would have to substitute these IP
addresses with the ones used in your network.
Please note that SIP is a UDP-based protocol, so the source address of SIP
messages can be spoofed; an address-based restriction therefore reduces, but
does not eliminate, exposure.
3. Processing of Packets Destined to the FWSM May Cause Reload
Since this vulnerability only manifests itself when syslog message
710006 is generated, it is possible to work around the vulnerability either by
disabling generation of syslog message 710006 altogether, or by logging at a
syslog level that is lower than the syslog level at which this message is
generated.
By default, syslog message 710006 is generated at syslog level 7
("debugging"), so a viable workaround is to log at level 6 or lower. This can
be accomplished with the command logging <destination> 6. If syslog message
710006 has been moved to a different logging level, then the logging level in
use must be changed accordingly to prevent the message from being generated.
If logging at the "debugging" level is necessary, the vulnerability
can also be eliminated by disabling this particular syslog message by using the
command no logging message 710006.
4. Processing of Malformed HTTPS Requests May Cause Reload
There are no workarounds for this vulnerability.
5. Processing of Long HTTP Requests May Cause Reload
There are no workarounds for this vulnerability.
6. Processing HTTPS Traffic May Cause a Reload
Since this vulnerability is caused by the HTTPS server on the FWSM
failing to handle certain types of HTTPS traffic, disabling the HTTPS server
with the command no http server enable is a valid workaround if this
functionality is not needed. Please note that this functionality is used by
ASDM, so if configuration of the FWSM is done exclusively through ASDM,
disabling the HTTPS server may not be a viable workaround.
Additionally, it is possible to limit the exposure by allowing HTTPS
connections only from trusted IP addresses or networks. This can be
accomplished with the http command. For example, the command
FWSM(config)# http 192.168.1.10 255.255.255.255 inside
will only permit HTTPS connections from the IP address 192.168.1.10 on the
inside interface.
7. Processing of Malformed SNMP Requests May Cause a Reload
This bug can only be triggered by a malformed SNMP message that comes
from a device that is allowed SNMP access on the FWSM. If SNMP is not needed,
it can be removed with the command no snmp-server host <interface name>
<IP address of trusted device>, which eliminates the vulnerability.
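As an added check that is not part of this advisory, the following Python script audits an FWSM running-config against the workarounds in items 1, 2, 3, 6 and 7 above; the function names are assumed and the sample configuration is constructed. It also encodes the item 3 rule that message 710006 is still generated if any logging destination logs at or above the level the message is assigned to, even after the message has been moved to a different level.

```python
import re

# Severity names accepted by the FWSM "logging <destination> <level>" commands.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
DESTINATIONS = {"buffered", "console", "monitor", "trap", "asdm", "history", "mail"}

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
logging buffered debugging
logging trap 6
http server enable
snmp-server host inside 192.168.1.20
policy-map global_policy
 class inspection_default
  inspect http
  inspect sip
"""

def level_num(token):
    """Map a numeric or named severity to 0-7; None if it is neither."""
    return int(token) if token.isdigit() else LEVELS.get(token)

def audit_fwsm_config(cfg):
    """Return {item: True} for each advisory item whose workaround is NOT in place."""
    lines = [line.strip() for line in cfg.splitlines()]
    exposed = {}
    # Item 1: only "inspect http <appfw>" (with an HTTP map) is affected.
    exposed["http_enhanced_inspection"] = any(
        re.fullmatch(r"inspect http \S+", line) for line in lines)
    # Item 2: SIP DPI via 2.x "fixup protocol sip [udp]" or 3.x "inspect sip".
    exposed["sip_inspection"] = any(
        line == "inspect sip" or line.startswith("fixup protocol sip") for line in lines)
    # Item 3: 710006 is emitted when some destination logs at or above the
    # message's severity (default 7, debugging) and the message is not disabled.
    msg_level, dest_levels = 7, []
    for line in lines:
        moved = re.fullmatch(r"logging message 710006 level (\S+)", line)
        dest = re.fullmatch(r"logging (\S+) (\S+)", line)
        if moved and level_num(moved.group(1)) is not None:
            msg_level = level_num(moved.group(1))
        elif dest and dest.group(1) in DESTINATIONS and level_num(dest.group(2)) is not None:
            dest_levels.append(level_num(dest.group(2)))
    disabled = "no logging message 710006" in lines
    exposed["syslog_710006_generated"] = not disabled and any(
        lvl >= msg_level for lvl in dest_levels)
    exposed["https_server"] = "http server enable" in lines  # Item 6 (used by ASDM)
    # Item 7: at least one SNMP management host still permitted.
    exposed["snmp_hosts"] = any(line.startswith("snmp-server host ") for line in lines)
    return exposed
```

Feed it the output of show running-config; every key that comes back True names an item whose workaround has not been applied.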
8. Manipulation of ACL May Cause ACL Corruption
There are no workarounds for this vulnerability. However, please note
that the ACL corruption does not occur during normal operation of the device
and cannot be triggered by network traffic. It can only occur if an
administrator makes configuration changes (more specifically, if an
administrator manipulates an ACL). For this reason, if ACL changes are made
only during a maintenance window, and the FWSM is reloaded after making those
changes, there should not be any concerns with this vulnerability.