Several vulnerabilities were reported in Cisco Intrusion Prevention System
Cisco ASA 5500-X Series Adaptive Security Appliances
Cisco Intrusion Prevention System (IPS) 7.1
A vulnerability in the code that processes fragmented traffic could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive or cause the affected system to reload.
The vulnerability is due to improper handling of fragmented IP packets sent from the Cisco ASA data plane to the Cisco IPS processor for inspection and processing. An attacker could exploit this vulnerability by sending a combination of fragmented and other IP packets through the affected system. A successful exploit could allow the attacker to cause a reload of the affected system or cause the Analysis Engine process to become unresponsive. While the Analysis Engine process is unresponsive, the affected system does not process traffic, so that traffic is dropped. Additionally, if a Cisco ASA with a Cisco IPS SSP software module running an affected software version is configured in High Availability (HA) mode, a failover event may be triggered when the Cisco IPS SSP reloads or stops forwarding traffic.
The vulnerability can be triggered by both IPv4 and IPv6 fragmented packets passing through the affected system. Traffic directed to the management IP address of the Cisco IPS software module does not trigger this vulnerability.
Denial of service
The vendor recommends updating to version 7.1(7)sp1E4.