Lucene search

CiscoCISCO-SA-20130417-CVE-2013-1199

HistoryApr 17, 2013 - 8:23 p.m.

Cisco ASA Clientless SSL VPN CIFS Denial of Service Vulnerability

2013-04-1720:23:45

tools.cisco.com

4.9 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:H/Au:S/C:N/I:N/A:C

0.001 Low

EPSS

Percentile

44.3%

JSON

A vulnerability in the implementation of the rewriter module of the Cisco Adaptive Security Appliance (ASA) Clientless SSL VPN could allow an authenticated, remote attacker to cause a reload of the affected system.

The vulnerability is due to a race condition while accessing resources via the Common Internet File System (CIFS) protocol. An attacker could exploit this vulnerability by creating multiple Clientless SSL VPN sessions and trying to recreate the race condition.

Cisco has confirmed the vulnerability in a security notice and software updates are available.

To exploit the vulnerability, an attacker would need to authenticate to a targeted system to create multiple Clientless SSL VPN sessions. Typically, such devices reside on trusted, internal networks. This access requirement may reduce the likelihood of a successful attack.

Customers are advised to review the bug report in the Vendor Announcements section for a current list of affected versions.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Affected configurations

Vulners

Node

ciscoadaptive_security_virtual_applianceMatch8.4

ciscoadaptive_security_virtual_applianceMatch8.4.1

ciscoadaptive_security_virtual_applianceMatch8.4.2

ciscoadaptive_security_virtual_applianceMatch8.4.1.3

ciscoadaptive_security_virtual_applianceMatch8.4.1.11

ciscoadaptive_security_virtual_applianceMatch8.4.2.8

ciscoadaptive_security_virtual_applianceMatch8.4.3

ciscoadaptive_security_virtual_applianceMatch8.4.3.8

ciscoadaptive_security_virtual_applianceMatch8.4.3.9

ciscoadaptive_security_virtual_applianceMatch8.4.4

ciscoadaptive_security_virtual_applianceMatch8.4.4.1

ciscoadaptive_security_virtual_applianceMatch8.4.4.3

ciscoadaptive_security_virtual_applianceMatch8.4.4.5

ciscoadaptive_security_virtual_applianceMatch8.4.4.9

ciscoadaptive_security_virtual_applianceMatch8.4.5

ciscoadaptive_security_virtual_applianceMatch8.4.5.6

ciscoadaptive_security_virtual_applianceMatch8.4.6

CPENameOperatorVersion
cisco adaptive security appliance (asa) softwareeq8.4
cisco adaptive security appliance (asa) softwareeq8.4.1
cisco adaptive security appliance (asa) softwareeq8.4.2
cisco adaptive security appliance (asa) softwareeq8.4.1.3
cisco adaptive security appliance (asa) softwareeq8.4.1.11
cisco adaptive security appliance (asa) softwareeq8.4.2.8
cisco adaptive security appliance (asa) softwareeq8.4.3
cisco adaptive security appliance (asa) softwareeq8.4.3.8
cisco adaptive security appliance (asa) softwareeq8.4.3.9
cisco adaptive security appliance (asa) softwareeq8.4.4

Name	Operator	Version
cisco adaptive security appliance (asa) software	eq	8.4
cisco adaptive security appliance (asa) software	eq	8.4.1
cisco adaptive security appliance (asa) software	eq	8.4.2
cisco adaptive security appliance (asa) software	eq	8.4.1.3
cisco adaptive security appliance (asa) software	eq	8.4.1.11
cisco adaptive security appliance (asa) software	eq	8.4.2.8
cisco adaptive security appliance (asa) software	eq	8.4.3
cisco adaptive security appliance (asa) software	eq	8.4.3.8
cisco adaptive security appliance (asa) software	eq	8.4.3.9
cisco adaptive security appliance (asa) software	eq	8.4.4

Rows per page:

1-10 of 171

References

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20130417-CVE-2013-1199

4.9 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:H/Au:S/C:N/I:N/A:C

0.001 Low

EPSS

Percentile

44.3%

JSON

Related for CISCO-SA-20130417-CVE-2013-1199