CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
-
A vulnerability in the data plane IP fragment handler of the Adaptive Security Appliance (ASA) CX Context-Aware Security module could allow an unauthenticated, remote attacker to cause the CX module to be unable to process further traffic, resulting in a denial of service (DoS) condition.
The vulnerability is due to improper handling of IP fragments. An attacker could exploit this vulnerability by sending crafted fragmented IP traffic across the CX module. An exploit could allow the attacker to exhaust free packet buffers in shared memory (SHM), causing the CX module to be unable to process further traffic, resulting in a DoS condition.
Cisco has not released and will not release software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-cas
-
The Cisco ASA CX Context-Aware Security module is an add-on services module that extends the ASA platform with context-aware capabilities for additional visibility and control.
Only user traffic specifically directed toward the Cisco ASA CX by the Modular Policy Framework (MPF) configuration on the parent Cisco ASA is affected by the vulnerability in this advisory.
-
There are no workarounds that address this vulnerability. The following mitigation helps limit exposure to this vulnerability.
Configure ASA to drop any IP fragments it receives as follows:
ASA# conf t ASA(config)# fragment chain 1 ASA(config)# exit
-
Cisco has not released and will not release software updates that address the vulnerability described in this advisory. The ASA CX module has entered the end-of-life (EoL) process. Please refer to the EoL notice for this product:
End-of-Sale and End-of-Life Announcement for the Cisco ASA CX Context-Aware Security and Cisco Prime Security Manager
Customers are encouraged to migrate to Cisco ASA with FirePOWER Services.
When considering a device migration, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.In all cases, customers should ensure that new devices will be sufficient for their network needs; new devices contain sufficient memory, and current hardware and software configurations will continue to be supported properly by the new product. If the information is not clear, customers are advised to contact their Cisco account team representative or Cisco partner.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
This issue was found during the resolution of a customer support case.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version Description Section Status Date 1.0 Initial public release. — Final 2017-January-25
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.