Resource exhaustion in Cisco ASA 5500-X Series - CVE-2018-0230
Published: April 23, 2018
Vulnerability identifier: #VU12082
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0230
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco ASA 5500-X Series
Cisco ASA 5500-X Series
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists in the internal packet-processing functionality due to improper validation of IP Version 4 (IPv4) and IP Version 6 (IPv6) packets after the software reassembles the packets. A remote attacker can send a series of malicious, fragmented IPv4 or IPv6 packets, trigger Snort processes to hang at 100% CPU utilization, which can cause the device to stop processing traffic, and cause the service to crash.
The weakness exists in the internal packet-processing functionality due to improper validation of IP Version 4 (IPv4) and IP Version 6 (IPv6) packets after the software reassembles the packets. A remote attacker can send a series of malicious, fragmented IPv4 or IPv6 packets, trigger Snort processes to hang at 100% CPU utilization, which can cause the device to stop processing traffic, and cause the service to crash.
How to mitigate CVE-2018-0230
Update to versions 201.1(15.2), 201.1(15.1), 201.1(1.110), 201.1(1.96), 101.2(1.53), 99.1(20.134), 99.1(20.127), 99.1(0.2), 98.2(10.4), 98.2(0.9), 9.9(1.77), 9.9(0.152) or 9.8(2.10).