lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <201404091205.6.asa@psirt.cisco.com>
Date: Wed,  9 Apr 2014 12:05:46 -0400
From: Cisco Systems Product Security Incident Response Team <psirt@...co.com>
To: bugtraq@...urityfocus.com
Cc: psirt@...co.com
Subject: Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple Vulnerabilities in Cisco ASA Software

Advisory ID: cisco-sa-20140409-asa

Revision 1.0

For Public Release 2014 April 9 16:00  UTC (GMT)

Summary
=======

  Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
  Cisco ASA ASDM Privilege Escalation Vulnerability
  Cisco ASA SSL VPN Privilege Escalation Vulnerability
  Cisco ASA SSL VPN Authentication Bypass Vulnerability
  Cisco ASA SIP Denial of Service Vulnerability

These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.

Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the internal network via SSL VPN.

Successful exploitation of the Cisco ASA SIP Denial of Service Vulnerability may cause the exhaustion of available memory. This may cause system instability and in some cases lead to a reload of the affected system, creating a denial of service (DoS) condition. 

Cisco has released free software updates that address these vulnerabilities. 
Workarounds that mitigate these vulnerabilities are available for some of the vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa

Note: This security advisory does not provide information about the OpenSSL TLS Heartbeat Read Overrun Vulnerability identified by CVE-2014-0160 (also known as Heartbleed).  For additional information regarding Cisco products affected by this vulnerability, refer to the Cisco Security Advisory available at the following link:  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJTRW5YAAoJEIpI1I6i1Mx3eL0P/0B7V5l5M5++F8QuYHbKcg85
7Rn1IAOjIWJyWHT5JgGAbNvCfYHe4eTdTvF0ijP8DErhfbxWOA3D7EegJY3dw6fo
fiKHVoxguR8F4GW4jTq8miHFu0rQ8Yke1lGJPGEN6EbNof+MzAihTnwFoh0miz/8
h8PaxUI+XRMh7DgvdWIwdItj0afmsBJ+4Un1XqDw5YuaeVGsl6sxCXgnS2WaaCkA
tJWhtXi0//piAdEKyTmRgV+vUWSCMvm3cmMjl6RaIUNvPgwcryfaLn6HxuOAEYKL
ayAabGJ2WFYJzYdbyyomccJ/5AEApFubdxXC8aQkzVqVXhypbedJCP8v+AVFZFth
s8qNGJc+4XL7F/ZrNPi7qRJy0Ll+eQJ4+wyIXSWv7uPuGDXuWctfXckfFc+DhtJL
z+wWwhsgvXjnzkO8zIqAAY9USXzoJ33U9PztLE6SnP7tuorCS5ls3RMXQylS0DRc
OYzSnRn9p44xvpBldE9TWl9oxo5eWMXyPGqo/pHzU1nBEqXZJesAr+D9PRXZvOHk
7kxIfCAE/6VASiWa4WtQ1Mb1uV99s9KKQhn0fAv5Fg/0WH2Q/9fTtcyHqB4cWXLE
9bM2c26iZGrwuYiUonHwi3bi2gNbF3TLsmxvV+W7/NihdVgJwv+jAxLahSLQ6Vji
9g1oNfty2EMETTgUmjkL
=8YEX
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ