Tuesday, 2 July 2013

Cisco warns of denial of service and command injection flaws in security appliances

Cisco is advising administrators to patch their security appliances following the disclosure of vulnerabilities in the company's Web Security and Email Security Appliance systems.
The company said that the issues included both command injection and denial of service flaws for both of the security systems.
For the Web Security Appliance, the fix will bring patches for two authenticated command injection vulnerabilities. If exploited, the flaws could allow an authenticated user to remotely take control of a targeted appliance and execute arbitrary code. In order to do so, however, Cisco noted that the user would need to have a valid account on the network, thus decreasing the likelihood of a remote attack.
The remaining flaw, however, could potentially be exploited by a remote attacker to cause a denial of service condition. By exploiting a flaw in the handling of HTTP and HTTPS messages, the attacker could prevent users and administrators from accessing the targeted appliance.
Meanwhile, the update for the Email Security Appliance will include two fixes for denial of service errors and one for an authenticated command injection flaw. Like the Web Security Appliance update, the command injection flaw requires a valid account, while the denial of service flaws can be triggered remotely to take the security appliance offline.
Cisco is also issuing updates to address code injection and denial of service flaws in its Content Security Management Appliance and a denial of service issue in the ASA Next-Generation Firewall platform.
The company is advising that users of the impacted Cisco appliances apply the fixes or contact their maintenance providers to check their systems and install the updates if needed.
