Cisco ASA-CX Context-Aware Security appliance and Cisco Prime Security Manager (PRSM) contain a denial of service (DoS) vulnerability in versions prior to 9.0.2-103. Successful exploitation of this vulnerability on the Cisco ASA-CX could cause the device to stop processing user traffic and prevent management access to the Cisco ASA-CX. Successful exploitation of this vulnerability on the Cisco PRSM could cause the software to become unresponsive and unavailable. There are no workarounds for this vulnerability, but some mitigations are available. Cisco has released software updates that address this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120912-asacx
asacx> show version
Cisco ASA CX Platform 9.0.1 (40)
Cisco Prime Security Manager 9.0.1 (40)
Customers using Cisco PRSM to manage Cisco ASA-CX devices can locate the software version of Cisco ASA-CX in the Device > Devices part of the Cisco Prime Security Manager window.
prsm> show version
Cisco Prime Security Manager 9.0.1 (40) Multi Device prsm-vm
asacx> show diskusage
FILESYSTEM              SIZE     AVAILABLE  USE%
/                       3.0G     2.0G       28%
/boot                   407.2M   307.2M     20%
/var                    9.8G     9.2G       2%
/var/data               498.1G   466.6G     1%
/var/packages           9.8G     8.7G       7%
/var/config             1.1G     1004.5M    3%
/var/db                 3.9G     3.6G       4%
/var/log                3.9G     0          100%
/var/local              3.9G     3.6G       4%
/var/data/diagnostics   15.7G    14.8G      1%
/var/data/cores         15.7G    14.8G      1%
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# no cxsc
There are no similar mitigations available for Cisco Prime Security Manager.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
This vulnerability has been fixed in Cisco ASA-CX Context-Aware Security and Cisco Prime Security Manager Software versions 9.0.2-103 and later.
Cisco ASA-CX Context-Aware Security Software can be downloaded at the following link:
http://www.cisco.com/cisco/pub/software/portal/select.html?&mdfid=284325223&softwareid=284399944
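An added example, not part of the Cisco advisory: a Python check that reads `show version` and `show diskusage` output in the format shown above, reports components older than the fixed release 9.0.2-103, and flags filesystems that are nearly full, as /var/log is in the sample output. It assumes the parenthesised number in `9.0.1 (40)` is the build number that `-103` denotes in 9.0.2-103; the 95% threshold and the function names are choices made for this example.

```python
import re

# First fixed release per the advisory: 9.0.2-103.
# Assumption: "9.0.1 (40)" and "9.0.1-40" are the same version/build notation.
FIXED = (9, 0, 2, 103)

# Constructed sample input in the output format shown in the advisory.
SAMPLE_VERSION = """\
Cisco ASA CX Platform 9.0.1 (40)
Cisco Prime Security Manager 9.0.1 (40)
"""
SAMPLE_DISK = """\
FILESYSTEM SIZE AVAILABLE USE%
/var/db 3.9G 3.6G 4%
/var/log 3.9G 0 100%
/var/local 3.9G 3.6G 4%
"""

VERSION_RE = re.compile(
    r"^(Cisco ASA CX Platform|Cisco Prime Security Manager)\s+"
    r"(\d+)\.(\d+)\.(\d+)\s*[-(]\s*(\d+)\)?", re.M)

def affected_components(show_version):
    """Return {component: version tuple} for components older than FIXED."""
    found = {}
    for m in VERSION_RE.finditer(show_version):
        ver = tuple(int(x) for x in m.groups()[1:])
        if ver < FIXED:
            found[m.group(1)] = ver
    return found

def full_filesystems(show_diskusage, threshold=95):
    """Return [(mount, use%)] for filesystems at or above threshold (assumed 95)."""
    hits = []
    for line in show_diskusage.splitlines():
        parts = line.split()
        # Data rows have four fields: mount point, size, available, use%.
        if len(parts) == 4 and parts[0].startswith("/") and parts[3].endswith("%"):
            use = int(parts[3].rstrip("%"))
            if use >= threshold:
                hits.append((parts[0], use))
    return hits

if __name__ == "__main__":
    for name, ver in affected_components(SAMPLE_VERSION).items():
        print(f"AFFECTED: {name} {ver} is older than 9.0.2-103")
    for mount, use in full_filesystems(SAMPLE_DISK):
        print(f"DISK: {mount} at {use}%")
```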
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
The vulnerability described in this security advisory was found during the resolution of a customer service request.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.0 | 2012-September-12 | Initial public release |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.