Cisco ASA Software SSL VPN Memory Blocks Exhaustion Vulnerability

ID CISCO-SA-20141126-CVE-2014-3407
Type cisco
Reporter Cisco
Modified 2014-11-26T18:44:21


A vulnerability in the SSL VPN feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause the exhaustion of available memory, which could lead to system instability and availability issues on the SSL VPN services.

The vulnerability is due to improper implementation of memory block allocation when processing crafted HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP packet to the affected system. The vulnerability can be exploited if SSL VPN is enabled.

Cisco has confirmed the vulnerability in a security notice and released software updates.

To exploit this vulnerability, an attacker may need to acquire additional information about the targeted device, such as whether SSL VPN is enabled on the device. This feature must be enabled for an attacker to achieve a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.