A vulnerability in the file-range request functionality of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an appliance because the appliance runs out of system memory. The vulnerability is due to a failure to free memory when a file range is requested through the Cisco WSA. An attacker could exploit this vulnerability by opening multiple connections that request file ranges through the WSA. A successful exploit could allow the attacker to cause the WSA to stop passing traffic when enough memory is used and not freed.
Cisco has released software updates that address this vulnerability. A workaround that mitigates this vulnerability is also available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-wsa2
To determine whether a vulnerable version of Cisco AsyncOS Software is running on a Cisco WSA, administrators can use the version command in the WSA CLI. The following example shows the results for an appliance running Cisco AsyncOS Software version 8.5.3-051:
ciscowsa> version
Current Version
===============
Product: Cisco IronPort S670 Web Security Appliance
Model: S670
Version: 8.5.3-051 . . .
# status detail Connections: Total client connections 99999
AsyncOS for WSA Major Release | First Fixed Release for This Vulnerability | First Fixed Release for This Vulnerability and All Vulnerabilities Described in the Companion Advisories |
---|---|---|
7.5 and prior | Not affected | 7.7.0-761 or later |
7.7 | Not affected | 7.7.0-761 or later |
8.0 | 8.0.8-113 | 8.0.8-113 or later |
8.1 | Affected; migrate to 8.5.3-051 | Affected; migrate to 8.5.3-051 or later |
8.5 | 8.5.3-051 | 8.5.3-051 or later |
8.6 | Affected; migrate to 8.7.0-171-LD | Affected; migrate to 8.7.0-171-LD or later |
8.7 | 8.7.0-171-LD | 8.7.0-171-LD or later |
8.8 | 8.8.0-085 | 8.8.0-085 or later |
9.0 | Not affected | Not affected |
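The check described above can be scripted across a fleet. The following is an added example, not Cisco code: it parses `version` output and compares it with the "First Fixed Release for This Vulnerability" column of the table above. It assumes builds within one major release order by their numeric fields, and it reports releases the table does not list as unknown; the function names are hypothetical.

```python
import re

# "First Fixed Release for This Vulnerability" column of the table above,
# keyed by (major, minor) release. None means "Not affected".
FIRST_FIXED = {
    (7, 7): None, (8, 0): "8.0.8-113", (8, 1): "8.5.3-051",
    (8, 5): "8.5.3-051", (8, 6): "8.7.0-171-LD", (8, 7): "8.7.0-171-LD",
    (8, 8): "8.8.0-085", (9, 0): None,
}
MIGRATE_ONLY = {(8, 1), (8, 6)}  # rows marked "Affected; migrate to ..."


def parse_version(text):
    """Return (major, minor, maintenance, build) from e.g. '8.7.0-171-LD'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text)
    if m is None:
        raise ValueError(f"no AsyncOS version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(cli_output):
    """Classify `version` output; returns (status, release to move to or None)."""
    line = next((l for l in cli_output.splitlines()
                 if l.strip().startswith("Version:")), None)
    if line is None:
        raise ValueError("no 'Version:' line in output")
    running = parse_version(line)
    train = running[:2]
    if train <= (7, 5):                      # "7.5 and prior" row
        return ("not affected", None)
    if train not in FIRST_FIXED:             # release not listed in the table
        return ("unknown", None)
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return ("not affected", None)
    if train in MIGRATE_ONLY or running < parse_version(fixed):
        return ("affected", fixed)
    return ("fixed", None)


# Output copied from the advisory's example.
ADVISORY_SAMPLE = """ciscowsa> version
Current Version
===============
Product: Cisco IronPort S670 Web Security Appliance
Model: S670
Version: 8.5.3-051 . . .
"""

if __name__ == "__main__":
    print(assess(ADVISORY_SAMPLE))           # ('fixed', None)
    print(assess("Version: 8.5.2-027"))      # constructed build number
```

The appliance in the advisory's example output is already at the first fixed release for 8.5, so it is classified as fixed.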
In most cases a WSA can be updated over the network by using the System Upgrade options in the System Administration GUI. To upgrade a device by using the System Administration GUI:
After the upgrade is complete, the device reboots.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.1 | Added steps for upgrading a device by using the GUI. | Fixed Software | Final | 2015-November-20 |
1.0 | Initial public release. | - | Final | 2015-November-04 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.