After Linux DoS alerts, Cisco warns security devices can be remotely attacked too

  • Liam Tung (CSO Online)
  • 17 August, 2018 04:16

Cisco is telling customers to install a patch for a bug that allows a remote attacker to knock out web security appliances that run its AsyncOS software.

Cisco today warned that a remote attacker could use the flaw to “exhaust system memory and cause a denial of service (DoS) condition on an affected system”, no passwords needed.

The vulnerability affects Cisco web security appliance devices running on Cisco AsyncOS software. 

Assuming a network admin notices such an attack, they could recover memory by rebooting the device or restarting web proxy access, according to Cisco.

Nonetheless, knocking out a security appliance, even for a few hours, would be a nifty way for a remote attacker to soften a target before a raid.

Virtual and physical appliances running AsyncOS releases 9.1, 10.1, 10.5, and 11.0 can be exploited; however, Cisco says the HTTPS Proxy feature, which is disabled by default, must be enabled for a device to be vulnerable. Cisco released patched versions prior to today's disclosure.

The appliances are vulnerable because of the way AsyncOS handles memory resources for TCP connections when receiving IP packets, be they IPv4 or IPv6. 

“An attacker could exploit this vulnerability by establishing a high number of TCP connections to the data interface of an affected device via IPv4 or IPv6. A successful exploit could allow the attacker to exhaust system memory, which could cause the system to stop processing new connections and result in a DoS condition,” according to Cisco.
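The mechanism Cisco describes is plain resource exhaustion: every open TCP connection to the data interface costs memory, and enough of them starve the proxy. From the defender's side the useful signal is therefore the connection table itself. The script below is an added example, not code from Cisco or from the article; it parses socket listings in the format of Linux `ss -tan` (constructed sample data, not captured from an appliance), counts open connections to the proxy port per peer, across both IPv4 and bracketed IPv6 peers, and raises an alert when the total or any single peer crosses a threshold. The proxy port 3128 and the thresholds are assumptions to be replaced with the values appropriate for a given deployment.

```python
"""Flag TCP connection build-up on a proxy's data interface from ss-style output.

Added example: detection logic for the connection-exhaustion pattern described in
Cisco's advisory. The input format is that of Linux `ss -tan`; an AsyncOS
appliance's own tooling may present the connection table differently.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Socket states that hold memory on the proxy side (TIME-WAIT and LISTEN do not
# represent a live client connection and are ignored).
OPEN_STATES = {"ESTAB", "SYN-RECV", "CLOSE-WAIT"}


def split_addr_port(endpoint: str):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Turn `ss -tan` output lines into dicts of state, local port and peer host."""
    conns = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":  # skip header / malformed lines
            continue
        _, local_port = split_addr_port(parts[3])
        peer_host, _ = split_addr_port(parts[4])
        conns.append({"state": parts[0], "local_port": local_port, "peer": peer_host})
    return conns


def connection_report(lines: Iterable[str], proxy_port: int,
                      total_limit: int = 1000, per_peer_limit: int = 200) -> Dict[str, object]:
    """Count open connections to proxy_port per peer and flag threshold breaches.

    total_limit and per_peer_limit are assumed values; tune them to the normal
    load of the appliance being watched.
    """
    per_peer: Counter = Counter()
    for c in parse_ss_lines(lines):
        if c["local_port"] == proxy_port and c["state"] in OPEN_STATES:
            per_peer[c["peer"]] += 1
    total = sum(per_peer.values())
    alerts = []
    if total >= total_limit:
        alerts.append(f"total open proxy connections {total} >= {total_limit}")
    for peer, n in per_peer.most_common():
        if n >= per_peer_limit:
            alerts.append(f"peer {peer} holds {n} open connections (>= {per_peer_limit})")
    return {"total": total, "per_peer": dict(per_peer), "alerts": alerts}


def build_sample() -> List[str]:
    """Constructed `ss -tan`-style listing: one IPv4 peer hogging the proxy port,
    a moderate IPv6 peer, a few normal clients, and two lines that must be ignored."""
    lines = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    lines += [f"ESTAB 0 0 10.0.0.5:3128 192.0.2.10:{40000 + i}" for i in range(250)]
    lines += [f"ESTAB 0 0 [2001:db8::5]:3128 [2001:db8::99]:{41000 + i}" for i in range(30)]
    lines += [f"ESTAB 0 0 10.0.0.5:3128 198.51.100.{i + 1}:{42000 + i}" for i in range(5)]
    lines.append("ESTAB 0 0 10.0.0.5:22 198.51.100.7:43000")         # SSH, not the proxy
    lines.append("TIME-WAIT 0 0 10.0.0.5:3128 198.51.100.8:43001")   # closed, not counted
    return lines


if __name__ == "__main__":
    report = connection_report(build_sample(), proxy_port=3128)
    print(f"open proxy connections: {report['total']}")
    for alert in report["alerts"]:
        print("ALERT:", alert)
```

Run periodically (for example from cron, piping `ss -tan` into `connection_report`), the per-peer view separates a single source holding hundreds of sockets from a genuine traffic spike spread across many clients, which is the distinction that decides whether restarting the proxy, as Cisco suggests, or simply rate-limiting one peer is the right response.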

Cisco has tagged the bug as CVE-2018-0410 and rated it as a “high” severity issue with a CVSS score of 8.6 out of 10. 

The company says it found the flaw during internal testing, and told CSO Australia that it was unrelated to warnings from CERT/CC and RedHat over the past two weeks about two DoS vulnerabilities called SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391).

Both flaws stemmed from the network stack in the Linux kernel and potentially affected almost every major maker of network, computer, and mobile devices, including Cisco.

The bugs allowed attackers to trigger a DoS with low-rate attacks using specially crafted IP and TCP packets.  

CERT/CC isn't aware of any products that are vulnerable to FragmentSmack; however, since it flagged SegmentSmack on August 6, a handful of network vendors have confirmed products are vulnerable to FragmentSmack, including Akamai, Arista Networks, and Juniper.

Available patches can be found on CERT/CC’s pages for the flaws here and here.

SegmentSmack affects systems using versions of Linux kernel 3.9 and up, while FragmentSmack affects Linux kernel 4.9 and above. 

Cisco also posted an advisory about a DoS vulnerability affecting the Cisco Unified Communications Manager IM & Presence Service (CUCM IM&P) and the Cisco TelePresence Video Communication Server (VCS). 

RedHat's write-up on the two bugs is available here.