Cisco is advising administrators to patch their security appliances following the disclosure of vulnerabilities in the company's Web Security Appliance and Email Security Appliance systems.
The company said that the flaws include both command injection and denial of service vulnerabilities in each of the two security systems.
For the Web Security Appliance, the fix brings patches for two authenticated command injection vulnerabilities. If exploited, the flaws could allow a user to remotely take control of a targeted appliance and execute arbitrary code. To do so, however, the company noted that the user would need a valid account on the network, which lowers the likelihood of a remote attack.
The remaining flaw, however, could be exploited by a remote attacker to cause a denial of service. By exploiting a flaw in the handling of HTTP and HTTPS messages, the attacker could prevent users and administrators from accessing the targeted appliance.
Meanwhile, the update for the Email Security Appliance includes two fixes for denial of service flaws and one for an authenticated command injection flaw. As with the Web Security Appliance update, the command injection flaw requires a valid account, while the denial of service flaws can be triggered remotely to take the security appliance offline.
Cisco is also issuing updates to address code injection and denial of service flaws in its Content Security Management Appliance and a denial of service issue in the ASA Next-Generation Firewall platform.
The company is advising users of the affected Cisco appliances to apply the fixes, or to contact their maintenance providers to check their systems and install the updates if needed.