Main Vulnerability Database Vulnerabilities #VU5379

Denial of service in Adaptive Security Appliance (ASA) CX - CVE-2016-9225

Published: January 25, 2017 / Updated: January 26, 2017

Vulnerability identifier: #VU5379

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-9225

CWE-ID: CWE-399

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Cisco Systems, Inc

Affected software:
Adaptive Security Appliance (ASA) CX

Detailed vulnerability description

The vulnerability allows a remote attacker to cause denial of service (DoS).

The vulnerability exists within the data plane IP fragment handler of the Adaptive Security Appliance (ASA) CX Context-Aware Security module when processing IP fragments. A remote attacker can send specially crafted fragmented IP traffic across the vulnerable device, exhaust free packet buffers in shared memory (SHM) and trigger denial of service (DoS) conditions.

Successful exploitation of the vulnerability may allow an attacker perform DoS attack against vulnerable device.

How to mitigate CVE-2016-9225

Cisco Adaptive Security Appliance CX Context-Aware Security modules has entered its end-of-life (EoL) process and vendor is not planning to issue security fix to address this vulnerability.

Cisco recommends the following workaround:

Configure ASA to drop any IP fragments it receives as follows:

ASA# conf t
ASA(config)# fragment chain 1
ASA(config)# exit

Sources

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-cas

Denial of service in Adaptive Security Appliance (ASA) CX - CVE-2016-9225

Detailed vulnerability description

How to mitigate CVE-2016-9225

Sources

Please verify you're human