Cisco Adaptive Security Appliance Software SSL VPN Denial of Service Vulnerability
Description
An authenticated, remote attacker can cause a denial of service on Cisco ASA by opening many SSL VPN sessions, which prevents new SSL/TLS connections from being established.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability in the SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software allows an authenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to incorrect handling of Base64-encoded strings. Affected versions include multiple releases of Cisco ASA Software prior to fixed releases provided in the Cisco advisory [1]. The attacker must have valid user credentials and open many SSL VPN sessions to trigger the flaw.
Exploitation
To exploit this vulnerability, an attacker needs valid user credentials on the affected device. The attacker then opens numerous SSL VPN sessions, causing the device to overwrite a special system memory location. This overwrite eventually leads to memory allocation errors for new SSL/TLS sessions, preventing successful establishment of new connections.
Impact
Successful exploitation results in a denial of service condition that prevents the creation of new SSL/TLS connections to the device, including management sessions. Established SSL/TLS connections remain unaffected. The device must be reloaded to recover from this condition.
Mitigation
Cisco has released free software updates to address this vulnerability. Refer to the Cisco Security Advisory [1] for specific fixed versions and upgrade instructions. No workarounds are disclosed in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-asa-ssl-vpn-dos (mitre, vendor-advisory, x_refsource_CISCO)
News mentions
No linked articles in our index yet.