Summary

• A vulnerability in the data plane IP fragment handler of the Adaptive Security Appliance (ASA) CX Context-Aware Security module could allow an unauthenticated, remote attacker to cause the CX module to be unable to process further traffic, resulting in a denial of service (DoS) condition.
  
  The vulnerability is due to improper handling of IP fragments. An attacker could exploit this vulnerability by sending crafted fragmented IP traffic across the CX module. An exploit could allow the attacker to exhaust free packet buffers in shared memory (SHM), causing the CX module to be unable to process further traffic, resulting in a DoS condition.
  
  Cisco has not released and will not release software updates that address this vulnerability. There are no workarounds that address this vulnerability.
  
  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-cas

Affected Products

• Vulnerable Products

  This vulnerability affects all versions of the ASA CX Context-Aware Security module.

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by this vulnerability.

Details

• The Cisco ASA CX Context-Aware Security module is an add-on services module that extends the ASA platform with context-aware capabilities for additional visibility and control.
  
  Only user traffic specifically directed toward the Cisco ASA CX by the Modular Policy Framework (MPF) configuration on the parent Cisco ASA is affected by the vulnerability in this advisory.

Workarounds

• There are no workarounds that address this vulnerability. The following mitigation helps limit exposure to this vulnerability.
  
  Configure ASA to drop any IP fragments it receives as follows:
  

  ASA# conf t
  ASA(config)# fragment chain 1
  ASA(config)# exit

  Caution: Please note that this can be configured globally only, so it will affect all user traffic passing across the ASA, not only traffic specifically directed toward the Cisco ASA CX module. This configuration will result in all IP fragments being dropped by the ASA, even if this traffic will not be handled by the ASA CX module.

Fixed Software

• Cisco has not released and will not release software updates that address the vulnerability described in this advisory. The ASA CX module has entered the end-of-life (EoL) process. Please refer to the EoL notice for this product:
  End-of-Sale and End-of-Life Announcement for the Cisco ASA CX Context-Aware Security and Cisco Prime Security Manager
  

  Customers are encouraged to migrate to Cisco ASA with FirePOWER Services.
  
  When considering a device migration, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that new devices will be sufficient for their network needs; new devices contain sufficient memory, and current hardware and software configurations will continue to be supported properly by the new product. If the information is not clear, customers are advised to contact their Cisco account team representative or Cisco partner.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

• This issue was found during the resolution of a customer support case.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-cas

Revision History

• Version	Description	Section	Status	Date
  1.0	Initial public release.	—	Final	2017-January-25

  Show Less