<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"> 
  <channel>
  <title>Firewall Services Module Hot Issues from Cisco TAC</title>
  <link>http://www.cisco.com/en/US/customer/products/sw/voicesw/ps556/products_tech_note09186a0080937324.shtml</link>
  <description>Hot Issues from Cisco TAC.  Please click the link for complete details.</description>
  <language>en-us</language>

  <managingEditor>wsisk@cisco.com (Wes Sisk)</managingEditor>
  <webMaster>news-at-cisco-rss@cisco.com (Cisco Newsroom)</webMaster>
  <pubDate>Mon, 13 May 2013 10:01:45 EDT</pubDate>
  <lastBuildDate>Mon, 13 May 2013 10:01:45 EDT</lastBuildDate>
  <generator>PERL</generator>

  <docs>http://www.cisco.com/en/US/customer/products/sw/voicesw/ps556/products_tech_note09186a0080937324.shtml</docs>
  <ttl>10080</ttl>

<item>
<title>DOC: Zero-Downtime Upgrade Support Between Minor and Major Releases, Fixed CSCtr63007</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtr63007</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

Current Firewall Services Module (FWSM) documentation states that downtime cannot be avoided when upgrading from a different major or minor software version in a failover environment. However, it is possible to perform an upgrade from the prior major and minor version combination to the next one with no failover interruption in 3.x and later software. This documentation defect is filed to correct the configuration guide.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

Running 3.x and later software.



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtr63007</guid>
</item>
<item>
<title>Cisco FWSM time-range object may have no effect, Fixed CSCug45850</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCug45850</link>
<description>&lt;b&gt;Symptoms:&lt;/b&gt;
The access-list is not effective when configured with a time-range object.
&lt;br&gt;
&lt;b&gt;Conditions:&lt;/b&gt;
So far, this has been noticed when the time-range object is configured with the &#39;periodic&#39; command and spans two or more consecutive days.
An example of an affected configuration is:

time-range WEEKEND
  periodic Saturday 0:00 to Sunday 23:59

An access-list configured with the time-range object above will not have any effect.

To verify whether you are affected by this issue, use the show time-range command at a time when the time-range should be in effect and check whether the
command shows the rule as inactive:

ciscoasa#show time-range

time-range entry: WEEKEND (inactive)
    periodic Saturday 0:00 to Sunday 23:59
    used in: IP ACL entry
&lt;br&gt;

&lt;b&gt;Workaround:&lt;/b&gt;
Configuring the time-range object in a different way may work around this issue. Examples of working configurations are:

time-range WEEKEND1
  periodic Saturday 0:00 to 23:59
  periodic Sunday 0:00 to 23:59

or

time-range WEEKEND2
  periodic weekend 0:00 to 23:59
&lt;br&gt;

&lt;b&gt;Further Problem Description:&lt;/b&gt;

A vulnerability in the implementation of the time-range object could allow an unauthenticated, remote attacker to bypass access-lists that
use the time-range option.

The vulnerability is due to improper implementation of the code for the time-range object when the periodic command is used. Because of this issue,
the time-range object will have no effect; depending on the access-list statement (permit or deny), this may allow an attacker to bypass
the access-list statement. An attacker could exploit this vulnerability by sending traffic through the affected system.

&lt;b&gt;PSIRT Evaluation:&lt;/b&gt;
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are X/Y:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&amp;version=2&amp;vector=AV:-/AC:-/Au:-/C:-/I:-/A:-/E:-/RL:-/RC:-
CVE ID CVE-2013-1195 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1195

Additional information on Cisco&#39;s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCug45850</guid>
</item>
   
</channel>
</rss>
