Unrated severity · NVD Advisory · Published Oct 6, 2021 · Updated Nov 7, 2024

Cisco Web Security Appliance Proxy Service Denial of Service Vulnerability

CVE-2021-34698

Description

The proxy service of Cisco AsyncOS for Web Security Appliance manages memory improperly, allowing an unauthenticated, remote attacker to exhaust system memory by establishing many HTTPS connections.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability exists in the proxy service of Cisco AsyncOS for Cisco Web Security Appliance (WSA). It is caused by improper memory management when handling HTTPS connections. An unauthenticated, remote attacker can exploit this by establishing a large number of HTTPS connections to the affected device. Affected versions include Cisco WSA running AsyncOS releases prior to the fixed versions listed in Cisco Security Advisory cisco-sa-wsa-dos-fmHdKswk [1].

Exploitation

An attacker needs only network access to the target WSA; no authentication, user interaction, or special privileges are required. Exploitation consists of establishing a high volume of HTTPS connections to the proxy service. Memory is exhausted because the proxy service fails to properly release memory resources after processing the connections, which depletes system memory [1].

Impact

Successful exploitation causes the system memory to be exhausted, resulting in a denial of service (DoS) condition. The affected device stops processing new connections, disrupting legitimate traffic. The advisory notes that manual intervention may be required to recover from this situation. The impact is limited to availability; no data confidentiality or integrity is compromised [1].

Mitigation

Cisco has released free software updates to address this vulnerability. Customers should upgrade to the fixed versions specified in the Cisco Security Advisory [1]. As of the advisory publication date (October 6, 2021), no workarounds are available. There is no indication that this vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog. Customers without service contracts should contact Cisco TAC to obtain the fix [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
