Cisco Issues Five Security Alerts

The Cisco ASA 5500 is a modular platform providing security and VPN services, while the Cisco PIX appliance is a security device protecting Internet connections geared for remote and branch offices.

Altogether, four denial of service vulnerabilities can be found in the Crafted TCP ACK Packet, the Crafted TLS Packet, the Vulnerability Scan and the Instant Messenger inspection, which includes a glitch that could lead to a denial of service attack in the Cisco ASA and Cisco PIX if the inspection engine was enabled.

The fifth error, a Control-Plane Access Control List vulnerability, could potentially enable an attacker to bypass security restrictions on the control-plane access control lists without authorization. Exploiting an error in the Control-Plane Access Control List, which is designed to protect traffic destined to the security appliance, could cause the control plane ACL not to work after it is configured to the device.

Following release of the Cisco advisory, the U.S. Computer Emergency Readiness Team also released an alert on its Web site today, warning users of the flaws.

The error in the Crafted TCP ACK is the only bug that comes with a workaround. The flaw could cause a denial of service condition on ASA and PIX devices running versions 7.1x and 7.2x with WebVPN, SSL VPN or ASDM.

Experts recommend that users update their systems with the appropriate fixes as soon as possible, which can be downloaded for free to users. So far, experts say that there doesn't appear to be a known public attack exploiting these vulnerabilities.