Cisco applies plaster to email, Web security appliances

Cisco email and Web security appliance customers have some patching to do to paper over newly revealed denial-of-service and other cracks.

The Borg has issued two advisories for Web security appliances, one covering a DoS bug and the other addressing a problem with DNS resolution.

In the DNS issue, a remote attacker can hose the appliance by sending high-rate TCP proxy traffic, crashing DNS name resolution in the device. Users get a 503 “service unavailable” error (meaning they can't get past the appliance to the internet).

The bug has so far been confirmed on Cisco WSA versions 8.0.6-078 and 8.0.6-115, and others might be vulnerable.

In the second web security appliance vuln, attackers can supply malformed HTTP server responses to the device in a man-in-the-middle attack. This causes two conditions: TCP connections closing improperly and a memory fail-to-free, resulting in what Cisco calls a partial DoS.

Since there's no software update as yet, admins need to use access control lists (ACLs) to restrict access to WSA 8.0.7 units to trusted IP addresses.

The vulnerability in Cisco's Email Security Appliance has been confirmed in versions 7.6.0 and 8.0.0. Once again, crafted HTML from the attacker can override part of the device's memory and cause at least a partial DoS.

While Cisco works on a patch, ACLs are again the best protection. ®