Atomic Data has recently been made aware of an issue with several versions of Cisco Adaptive Security Appliance (ASA) software. Cisco ASA devices that run the affected software versions may stop passing network traffic after 213 days and 12 hours of uptime. The permanent resolution is a software upgrade followed by a system reboot. If you choose not to upgrade your ASA software, there is a chance the device will cease to pass network traffic once it reaches the uptime noted above.
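Because the failure is tied to uptime rather than to any traffic pattern, the practical check is to read each device's current uptime and compare it against the 213 days 12 hours threshold. The following script is an added example written for this notice (it is not Atomic Data's or Cisco's code). It assumes the uptime line printed by the ASA `show version` command has the form `<hostname> up N days N hours`, which is what the sample output embedded below (constructed for the example) uses; the 14-day warning window is an assumption chosen for illustration.

```python
"""Check Cisco ASA `show version` output against the 213d12h uptime threshold."""
import re
from dataclasses import dataclass

# Threshold stated in the notice: 213 days and 12 hours of uptime.
THRESHOLD_HOURS = 213 * 24 + 12

# Assumed format of the uptime line in `show version`: "<hostname> up <duration>".
UPTIME_LINE_RE = re.compile(r"^(?P<host>\S+) up (?P<uptime>.+?)\s*$", re.MULTILINE)
# Duration tokens such as "201 days", "5 hours", "1 day", "45 mins", "10 secs".
DURATION_TOKEN_RE = re.compile(r"(\d+)\s+(day|hour|min|sec)s?")
# Software version line, used only for reporting.
VERSION_RE = re.compile(r"Software Version (\S+)")

# Constructed sample output; not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.1(4)

Compiled on Thu 05-Sep-13 05:58 by builders
System image file is "disk0:/asa914-smp-k8.bin"
Config file at boot was "startup-config"

fw-edge-01 up 201 days 5 hours
"""


@dataclass
class UptimeCheck:
    host: str
    version: str
    uptime_hours: float
    hours_remaining: float
    status: str  # "OK", "WARN" or "CRITICAL"


def parse_uptime_hours(duration: str) -> float:
    """Convert an ASA uptime string like '201 days 5 hours' to hours."""
    hours = 0.0
    for value, unit in DURATION_TOKEN_RE.findall(duration):
        n = int(value)
        if unit == "day":
            hours += n * 24
        elif unit == "hour":
            hours += n
        elif unit == "min":
            hours += n / 60
        else:  # "sec"
            hours += n / 3600
    return hours


def check_show_version(output: str, warn_days: int = 14) -> UptimeCheck:
    """Classify a device by how close it is to the uptime threshold.

    CRITICAL: threshold already reached; WARN: within warn_days of it; OK otherwise.
    """
    m = UPTIME_LINE_RE.search(output)
    if m is None:
        raise ValueError("no '<host> up <duration>' line found in show version output")
    v = VERSION_RE.search(output)
    version = v.group(1) if v else "unknown"
    uptime = parse_uptime_hours(m.group("uptime"))
    remaining = THRESHOLD_HOURS - uptime
    if remaining <= 0:
        status = "CRITICAL"
    elif remaining <= warn_days * 24:
        status = "WARN"
    else:
        status = "OK"
    return UptimeCheck(m.group("host"), version, uptime, remaining, status)


if __name__ == "__main__":
    result = check_show_version(SAMPLE_SHOW_VERSION)
    print(f"{result.host} ({result.version}): up {result.uptime_hours:.0f}h, "
          f"{result.hours_remaining:.0f}h until threshold -> {result.status}")
```

Run it against `show version` output collected from each ASA (for example via an SSH automation job) and schedule the WARN and CRITICAL devices first; a device that has already crossed the threshold needs the upgrade and reboot immediately, since a reboot alone only restarts the uptime counter and the notice names the upgrade as the permanent fix.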
In addition, Atomic Data has recently been made aware of four vulnerabilities in Cisco ASA software. Two of them can be triggered by an unauthenticated remote attacker and two require authentication; their impact is a denial of service (the device reloads or its DNS cache is corrupted) or a heap overflow. Cisco has published no workarounds for these vulnerabilities.
Atomic Data strongly recommends a software upgrade to correct the uptime issue and these vulnerabilities, as Cisco has addressed all of them in new software versions. A single upgrade remediates every issue described here. We will be reaching out to Clients with affected software to schedule a time for the upgrade and reboot. This billable work will take approximately 90 minutes and includes approximately 10 minutes of downtime while the device reboots.
Below are short descriptions of the vulnerabilities, summarized from Cisco's original vulnerability notifications:
Cisco ASA Software IPsec Denial of Service Vulnerability:
A vulnerability in the IPsec code of Cisco ASA Software could allow an authenticated, remote attacker to cause a reload of the affected system.
Cisco ASA Software DNS Denial of Service Vulnerability:
A vulnerability in the DNS code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause an affected device to reload or corrupt the information present in the device's local DNS cache.
Cisco ASA Software SSL/TLS Denial of Service Vulnerability:
A vulnerability in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system.
Cisco ASA Clientless SSL VPN CIFS Heap Overflow Vulnerability:
A vulnerability in Common Internet Filesystem (CIFS) code in the Clientless SSL VPN functionality of Cisco ASA Software could allow an authenticated, remote attacker to cause a heap overflow.