No Patches Available for Flaws in Cisco Security Appliances

Cisco has revealed the existence of denial-of-service (DoS) vulnerabilities in several of its security products. Customers are advised to apply workarounds since software updates are not available for most of the issues.

According to the networking giant, Cisco Content Security Management Appliance (SMA) 7.8.0-000 and possibly other versions are affected by a flaw (CVE-2015-6288) that can be exploited by a remote, unauthenticated attacker to cause a DoS condition on the targeted device.

“The vulnerability is due to inadequate validation of user credentials for incoming HTTP requests, which can cause the device to manipulate an internal log file,” Cisco said.

The flaw is triggered when a log file wraps quickly; an attacker can exploit it by sending a specially crafted HTTP request to the targeted device. Cisco says it’s aware of the existence of a functional exploit for the bug, but the code is not publicly available.

Cisco Email Security Appliance versions 7.6.0 and 8.0.0 (and possibly others) are plagued by a format string flaw (CVE-2015-6285) that can be exploited to cause a partial DoS condition or memory override on impacted devices. An unauthenticated attacker can exploit the vulnerability, caused by improper validation of string inputs, by sending specially crafted HTTP requests to the vulnerable device.

A functional exploit exists for this issue as well, but it’s not publicly available, the company said.

Another vulnerability has been found in the Cisco Web Security Appliance (WSA). The flaw can be exploited by a man-in-the-middle (MitM) attacker to supply malformed HTTP server responses to the affected device and cause it to improperly close TCP connections and fail to free memory. This can result in a partial DoS condition, Cisco said.

The vendor has confirmed that the issue (CVE-2015-6290) affects Cisco Web Security Appliance version 8.0.7, but later versions of the product might be affected as well.

Cisco WSA is also affected by a DNS resolution vulnerability that can lead to a partial DoS condition (CVE-2015-6287).

“The vulnerability is due to the handling of DNS requests awaiting a DNS response when new, incoming DNS requests are received,” Cisco said in an advisory. “An attacker could exploit this vulnerability by sending TCP proxy traffic to the WSA at a high rate. An exploit could allow the attacker to cause a partial DoS condition because DNS name resolution fails, which results in the client receiving a HTTP 503 ’Service Unavailable’ error.”

Cisco has released software updates to address the DNS resolution issue impacting WSA, but there are no patches available for the other vulnerabilities. Until updates are released, administrators are advised to enable IP-based access control lists (ACLs) to ensure that only trusted systems can access the affected appliances, and to implement physical security for production servers.
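A defender-side check for the WSA DNS-resolution symptom Cisco describes above (a high rate of proxy traffic followed by HTTP 503 responses to clients), as an added example that is not from the article or from Cisco. The log layout is a constructed squid-style format rather than the real WSA accesslog, and the per-minute thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict

BASE_TS = 1441000020  # minute-aligned epoch seconds for the constructed sample


def build_sample_log():
    """Constructed sample log (not real WSA output): five normal requests,
    then a 150-request burst from one client within a minute, then mostly
    HTTP 503 responses to ordinary clients in the following minute."""
    lines = [f"{BASE_TS + i} 10.1.1.20 200 http://intranet.example/page{i}" for i in range(5)]
    lines += [f"{BASE_TS + 60 + i % 60} 10.9.9.9 200 http://burst.example/{i}" for i in range(150)]
    lines += [f"{BASE_TS + 120 + i} 10.1.1.2{i % 2} 503 http://intranet.example/x{i}" for i in range(8)]
    lines += [f"{BASE_TS + 130 + i} 10.1.1.20 200 http://cached.example/y{i}" for i in range(2)]
    return "\n".join(lines)


def parse_line(line):
    """Return (timestamp, client_ip, status) or None for an unparsable line."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        return int(parts[0]), parts[1], int(parts[2])
    except ValueError:
        return None


def analyze(log_text, max_per_minute=100, min_503_share=0.5, min_requests=5):
    """Flag (a) clients exceeding max_per_minute requests in a one-minute bucket,
    the high-rate traffic the advisory names as the trigger, and (b) minutes in
    which at least min_503_share of responses were 503, the client-visible symptom."""
    per_minute_client = defaultdict(lambda: defaultdict(int))
    per_minute_status = defaultdict(lambda: [0, 0])  # minute -> [total, count of 503s]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, status = rec
        minute = ts // 60
        per_minute_client[minute][client] += 1
        per_minute_status[minute][0] += 1
        if status == 503:
            per_minute_status[minute][1] += 1
    high_rate = [(m, c, n) for m, clients in sorted(per_minute_client.items())
                 for c, n in clients.items() if n > max_per_minute]
    dns_failure = [(m, n503, total) for m, (total, n503) in sorted(per_minute_status.items())
                   if total >= min_requests and n503 / total >= min_503_share]
    return {"high_rate_clients": high_rate, "dns_failure_minutes": dns_failure}


if __name__ == "__main__":
    for kind, hits in analyze(build_sample_log()).items():
        print(kind, hits)
```

Running the two signals together matters: a 503 burst alone can be an upstream outage, but a 503 burst that follows a single client's request spike is the pattern worth paging on while the appliance is unpatched.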

Based on the CVSS scores assigned by Cisco, all of these vulnerabilities have been rated as having medium severity. The advisories show that the weaknesses, which the company believes are unlikely to be used by malicious actors, can be leveraged to cause “mild” damage.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.