V-201: Cisco Intrusion Prevention System SSP Fragmented Traffic Denial of Service Vulnerability

July 19, 2013 - 6:00am

PROBLEM:

Several vulnerabilities were reported in Cisco Intrusion Prevention System.

PLATFORM:

Cisco ASA 5500-X Series Adaptive Security Appliances
Cisco Intrusion Prevention System (IPS) 7.1

ABSTRACT:

A vulnerability in the implementation of the code that processes fragmented traffic could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive or cause the affected system to reload.

REFERENCE LINKS:

Secunia Advisory SA54246
SecurityTracker ID: 1028806
Cisco Advisory ID: cisco-sa-20130717-ips
CVE-2013-1218

IMPACT ASSESSMENT:

Medium

DISCUSSION:

The vulnerability is due to improper handling of fragmented IP packets sent from the Cisco ASA data plane to the Cisco IPS processor for inspection and processing. An attacker could exploit this vulnerability by sending a combination of fragmented and other IP packets through the affected system. An exploit could allow the attacker to cause a reload of the affected system or cause the Analysis Engine process to become unresponsive. When the Analysis Engine process is unresponsive, the affected system will not process traffic, which will cause that traffic to be dropped. Additionally, if the Cisco ASA with a Cisco IPS SSP software module running an affected version of software is configured in High-Availability mode (HA), a failover event may be triggered when the Cisco IPS SSP reloads or stops forwarding traffic.

The vulnerability can be triggered by IPv4 and IPv6 fragmented packets passing through the affected system. Traffic directed to the management IP address of the Cisco IPS software module will not trigger this vulnerability.

IMPACT:

Denial of service

SOLUTION:

Vendor recommends updating to version 7.1(7)sp1E4.