Cisco has released security updates for several products, including Web Security Appliance (WSA), Unified Communications Manager IM & Presence Service, and Adaptive Security Appliance (ASA).
The High severity vulnerabilities fixed include the following (with a summary of each):
- Web Security Appliance Web Proxy Memory Exhaustion Denial-of-Service Vulnerability (CVE-2018-0410): “The vulnerability exists because the affected software improperly manages memory resources for TCP connections to a targeted device. An attacker could exploit this vulnerability by establishing a high number of TCP connections to the data interface of an affected device via IPv4 or IPv6. A successful exploit could allow the attacker to exhaust system memory, which could cause the system to stop processing new connections and result in a DoS condition.”
- Unified Communications Manager IM & Presence Service Denial-of-Service Vulnerability (CVE-2018-0409): “The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious IPv4 or IPv6 packet to an affected device on TCP port 7400. An exploit could allow the attacker to overread a buffer, resulting in a crash and restart of the XCP Router service.”
- Adaptive Security Appliance Web Services Denial-of-Service Vulnerability (CVE-2018-0296): “The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic.”
A number of other Medium severity vulnerabilities were also addressed in Cisco’s Security Advisories and Alerts.
One of those released Thursday impacts Cisco’s IP Phone and Wireless IP Phone products (DoS vulnerability CVE-2018-0325).