Cisco has patched five vulnerabilities affecting its PIX 500 series and ASA 5500 series security appliances, the most serious of which could enable an attacker to elevate their user privileges and gain administrative access to an affected device.
The PIX 500 and ASA 5500 series appliances are susceptible to crashing while inspecting malformed HTTP requests or processing a stream of malformed packets in a TCP-based protocol, according to a Cisco advisory issued Wednesday. Cisco assigned CVSS base scores of 3.0 on a 10-point scale to these vulnerabilities.
However, the most serious of the flaws could allow a miscreant to boost their access privileges to administrator level and take complete control over the device, although the attacker would have to be defined in the local database and be able to log in to the affected device in order to take advantage, according to Cisco.
Cisco gave the bug a CVSS base score of 6, while Symantec's Deepsight Threat Management System rated the severity of the flaw as 6.5 on its own proprietary 10 point scale.
The ASA 5500 appliance line combines firewall, VPN and IPS, and has gained a large following among companies seeking to consolidate management of multiple security functions within a single box. Last July, Cisco added two new ASA models, including the ASA 5505, an entry-level appliance for small businesses, branch and home office use.
Cisco also issued fixes for eight denial of service vulnerabilities in its Firewall Services Module (FWSM), which provides stateful packet filtering and deep packet inspection for Cisco's Catalyst 6500 switches and 7600 Series routers.
The DoS flaws stem from the way the devices process certain types of HTTP, Secure HTTP (HTTPS), Session Initiation Protocol (SIP), and Simple Network Management Protocol (SNMP) traffic, according to a separate Cisco advisory issued Wednesday.
Cisco issued CVSS base scores in a range between 2.7 and 3.3 for seven of the vulnerabilities, but assigned a score of 10 to a bug that occurs while processing long URLs, which could potentially happen during normal Web browsing, the San Jose, Calif.-based vendor noted. Symantec Deepsight gave the flaws a blanket severity rating of 6.7 on a 10-point scale.
|
Symantec's Code Red: The Law Enforcement/Anonymous E-Mail Exchange Law enforcement officials negotiated via e-mail for more than two weeks with an Anonymous group member trying to extort $50,000 from Symantec to keep stolen product code off the Internet. |
|
How To Sell IT Security Services To Your Customers Cyberattacks can cost a business thousands, even millions, of dollars, and can deal a death blow to some. Here's how IT solution providers can help guard against malicious attacks. |
|
Cybersecurity Experts: What They Know Could Scare You A recent report based on interviews with security experts in government, business and academia finds more than half in agreement that a worldwide arms race is taking place in cyberspace. |
 More
Slide Shows |
- Cisco UTM Appliances Protect Home Office, Enterprise Networks
- Cisco Expands Adaptive Security Appliance Line
- Microsoft Shows Its Love In Valentine's Day Patch Release
- Worker Abuse Protest Targets Apple, Supplier Foxconn
- Cisco Restructuring Pays Off: Q2 Profit Jumps, More M&A Expected
- VARs Say VCE To Target SMBs With Entry-Level Vblocks
- Insider Threats: The Next Frontier for Security Resellers and SMBs
- Complete Security and Your Bottom Line: Sophos, Value and the Channel
- Tough Threats, Tougher Security: How You Can Leverage New Solutions To Combat A “Targeted Attack” Landscape
- Dark Clouds Ahead: Why the Mid-Market Needs To Ramp Up Cloud Security and How You Can Help Them Get There
