Cisco ASA Clientless SSL VPN CIFS Denial of Service Vulnerability

ID CISCO-SA-20130417-CVE-2013-1199
Type cisco
Reporter Cisco
Modified 2013-04-17T20:23:34


A vulnerability in the implementation of the rewriter module of the Cisco Adaptive Security Appliance (ASA) Clientless SSL VPN could allow an authenticated, remote attacker to cause a reload of the affected system.

The vulnerability is due to a race condition while accessing resources via the Common Internet File System (CIFS) protocol. An attacker could exploit this vulnerability by creating multiple Clientless SSL VPN sessions and trying to recreate the race condition.

Cisco has confirmed the vulnerability in a security notice and software updates are available.

To exploit the vulnerability, an attacker would need to authenticate to a targeted system to create multiple Clientless SSL VPN sessions. Typically, such devices reside on trusted, internal networks. This access requirement may reduce the likelihood of a successful attack.

Customers are advised to review the bug report in the Vendor Announcements section for a current list of affected versions.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.