Release date:
Updated on:
Affected Systems:
Cisco ASA < 9.1(.3)
Description:
--------------------------------------------------------------------------------
CVE (CAN) ID: CVE-2014-0653, CVE-2014-0655
The Cisco ASA 5500 Series Adaptive Security Device is a modular platform for providing security and VPN services. It provides firewall, IPS, anti-X, and VPN services.
A security vulnerability exists in the implementation of Cisco Adaptive Security Appliance (ASA) 9.1(.3); successful exploitation can lead to unauthorized database operations.
CVE-2014-0655 is caused by an error in how the Identity Firewall (IDFW) feature handles RADIUS Change of Authorization (CoA) messages; a replay attack can modify the contents of the IDFW user cache.
CVE-2014-0653 is caused by an error in the NetBIOS deregister probe function of the Identity Firewall (IDFW) feature, which can be exploited to authorize the user.
<* Source: vendor
Link: http://secunia.com/advisories/56366/
*>
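The replay condition described for CVE-2014-0655, seen from the receiving side: an added illustration (not from the advisory and not Cisco's fix) of the replay protection RFC 5176 describes for CoA-Requests, where the Request Authenticator alone does not stop a captured packet from being accepted twice. Function names, the shared secret and the sample packet are constructed for this example.

```python
import hashlib, hmac, struct

COA_REQUEST = 43       # RFC 5176 packet code
EVENT_TIMESTAMP = 55   # RFC 2869 attribute type
WINDOW = 300           # seconds; RFC 5176 default time window

def build_coa(ident, attrs, secret):
    # Only used to construct sample input for the checks below.
    hdr = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(hdr + b"\x00" * 16 + attrs + secret).digest()
    return hdr + auth + attrs

def event_timestamp(attrs):
    """Walk the type-length-value attributes; return Event-Timestamp or None."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        typ, alen = attrs[i], attrs[i + 1]
        if typ == EVENT_TIMESTAMP and alen == 6:
            return struct.unpack("!I", attrs[i + 2:i + 6])[0]
        i += alen
    return None

def check_coa(pkt, secret, now, seen):
    """Return 'accept' or the reason one CoA-Request is rejected."""
    if len(pkt) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != COA_REQUEST or length != len(pkt):
        return "malformed"
    expect = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expect, pkt[4:20]):
        return "bad-authenticator"   # not sent by a holder of the secret
    try:
        ts = event_timestamp(pkt[20:])
    except ValueError:
        return "malformed"
    if ts is None or abs(now - ts) > WINDOW:
        return "stale"               # missing or out-of-window timestamp
    if pkt[4:20] in seen:
        return "replay"              # identical packet inside the window
    seen[pkt[4:20]] = ts             # prune entries older than WINDOW in real use
    return "accept"

def demo():
    secret, t0 = b"constructed-secret", 1_389_000_000
    attrs = struct.pack("!BBI", EVENT_TIMESTAMP, 6, t0) + bytes([1, 7]) + b"alice"
    pkt, seen = build_coa(7, attrs, secret), {}
    return [check_coa(pkt, secret, t0 + 1, seen), check_coa(pkt, secret, t0 + 2, seen),
            check_coa(pkt, secret, t0 + 900, {})]
```

`demo()` feeds the same validly authenticated packet three times: the first copy is accepted, the second is rejected as a replay, and a copy delivered 900 seconds later is rejected as stale.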
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Cisco
-----
The vendor has not yet released a patch or upgrade. We recommend that users of the affected software watch the vendor's site to obtain the latest version:
http://www.cisco.com/go/psirt
Cisco (cscuj000032, cscuj000040):
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0653
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0655
http://tools.cisco.com/security/center/viewAlert.x?alertId=32362
http://tools.cisco.com/security/center/viewAlert.x?alertId=32363