Cisco Warns Of New ASA, PIX Vulnerabilities

Two of the flaws affect the process of setting up a Lightweight Directory Access Protocol (LDAP) authentication server and could enable an attacker to take over an appliance or gain access to the internal network without logging in, Cisco said in a Thursday advisory.

Two additional vulnerabilities affect devices that are used to terminate VPNs, and could give miscreants the ability to arbitrarily disconnect VPN users and clog up VPN traffic, Cisco said.

Cisco has released an update to address the vulnerabilities. Cisco ASA and PIX security appliances that are running software versions 7.1 and 7.2 may be vulnerable, depending on the type of configuration.

Cisco assigned a CVSS base score of 8 to the LDAP authentication flaws, and scores of 3.3 to each of the denial-of-service vulnerabilities.

Cisco in February patched five vulnerabilities affecting its PIX 500 series and ASA 5500 series security appliances, the most serious of which was a privilege escalation flaw to which the vendor assigned a CVSS base score of 6.5.