To be affected, the Cisco ASA Software should have SSL VPN enabled and the Because this vulnerability is triggered when receiving a crafted authentication challenge-response, Cisco ASA Software is not affected when configured to use the AAA protocol that does not support the challenge option or with the challenge option disabled.
Cisco ASA Software configured as an IPsec VPN Server, IPsec/L2TP VPN Server or IKEv2 An圜onnect VPN server is not affected. This vulnerability may affect Cisco ASA Software configured for Clientless or An圜onnect SSL VPN. SSL VPN Authentication Denial of Service Vulnerability
DHCP server is disabled by default on Cisco Catalyst 6500 Series ASA Services Module.ĭHCP relay feature is not enabled by default on any Cisco ASA 5500 Series Adaptive Security Appliances and CiscoĬatalyst 6500 Series ASA Services Module platforms. Note: By default, DHCP server is enabled on the inside interface of the Cisco ASA 5505 and on the management interface of all other Cisco ASA 5500 Series Adaptive Security Appliances. Interface inside, Configured for DHCP RELAY Interface outside, Configured for DHCP RELAY SERVER The following example shows the Cisco ASA Software with DHCP relay enabled. Show dhcprelay state command and verify that DHCP relay is active. To determine whether the DHCP relay feature is enabled on Cisco ASA Software use the Interface inside, Configured for DHCP SERVER Server enabled on the inside interface ciscoasa# show dhcpd state The following example shows the Cisco ASA Software with DHCP Show dhcpd state command and verify that at least one interface is configuredįor DHCP server. To determine whether the DHCP server feature is enabled on Cisco ASA Software use the If either feature is enabled, the Cisco ASA Software may be vulnerable. DHCP relay and DHCP server features will trigger the DHCP request packet process. This vulnerability is triggered when the Cisco ASA Software processes a DHCP request. The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.įor specific version information, refer to the "Software Versions and Fixes" section of this advisory.ĭHCP Memory Allocation Denial of Service Vulnerability Vulnerabilities that affect the Cisco FWSM. Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities listed above.Ī separate Cisco Security Advisory has been published to disclose the This advisory is available at the following link: Workarounds are available for some of these vulnerabilities. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.Ĭisco has released software updates that address these vulnerabilities. Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. These vulnerabilities are independent of each other a release that isĪffected by one of the vulnerabilities may not be affected by the
SSL VPN Authentication Denial of Service Vulnerability.DHCP Memory Allocation Denial of Service Vulnerability.You need to migrate to new hardware to continue to have up to date protection against not only software defects, but also to have protection against current threats.Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and CiscoĬatalyst 6500 Series ASA Services Module (ASASM) may be affected by the Any software defect identified after that date will not be patched. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.ĪSA 9.1(7)32 was released on 12 September 2018 and ASA 9.2(4)33 on, fulfilling the announcement terms.
The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. Please refer to the ASA 9.1 and 9.2 EoS/EoL announcements: ASA software was only developed for the ASA 5505 though version 9.2. The product hardware is still supported but that does not mean that software updates will be available until the last day of hardware support.