Cisco Systems implemented multiple patches today to address major denial-of-service vulnerabilities in a variety of services and devices. The affected products include those that use the Cisco Adaptive Security Appliance (ASA) software, Wireless LAN Controller (WLC) software, and the Secure Real-Time Transport Protocol library. The affected software is employed by most Cisco devices, and the fixes are considered to be of critical and high priority.
The most critical of the fixes applies to the Cisco WLC Software and closes a potential denial-of-service vulnerability found during Cisco’s internal testing. Prior to the fix, the vulnerability could allow an unauthenticated, remote attacker to send crafted HTTP requests to the system. These requests could then create a buffer overflow condition, which would result in a denial-of-service condition as the scripts overwhelm the system or force the device to reload.
A second WLC fix closes a vulnerability that could be used for a DoS attack through Apple’s Bonjour service, which is used to share music and video. Rated as a high priority, the vulnerability could allow an unauthenticated attacker to cause a denial-of-service condition by exploiting how the system handled Bonjour traffic. The attacker could send false Bonjour requests, causing the receiving device to reload and interrupting service.
Also included in the update is a high-priority fix for the AireOS Software that runs on certain Cisco Wireless LAN Controller devices. It, too, addresses a denial-of-service vulnerability: the fix prevents remote attackers from exploiting the AireOS system by accessing a URL that is otherwise unsupported by the software’s management interface. The vulnerability would also allow the attacker to reload the system, resulting in a denial of service.
The Secure Real-Time Transport Protocol (SRTP) library received a fix as well, to prevent attacks using crafted SRTP packets sent to devices that rely on the library for some features. The long list of affected products includes Cisco Jabber, Cisco Adaptive Security Appliance Software, IOS XE Software and WebEx Meetings Server.
The Cisco ASA software, used by Cisco ASA 5500-X Series Firewalls, Catalyst 6500 Series Switches, 7600 Series Routers, and the Adaptive Security Virtual Appliance, was patched to close a vulnerability triggered when the software received invalid DHCPv6 packets. The vulnerability was exploitable only on devices that were configured to support DHCPv6.