Updates to CISCO-SA-20141008-ASA – Patch now if you run IKE, SSL VPN or DNS inspection!
Updates to my post from yesterday on the ASA vulnerabilities:
I’ve just completed my analysis of Cisco’s releases yesterday, and my conclusion is this: drop what you are doing and patch your firewalls now if you run any IPsec VPNs or perform any DNS/SunRPC packet inspection.
The VPN risks are especially high if you run your firewalls in a high-availability (failover) pair. The vulnerability could allow FULL COMPROMISE of your firewalls. I haven’t determined just how yet, but the fact that Cisco says it can happen is enough for me.
Another serious risk is the “Smart Call Home” feature not properly validating digital certificates, which could allow an attacker to bypass your firewall’s certificate checks and set up an unauthorized VPN connection.
The rest are a smattering of denial-of-service issues that are likely easy to exploit, plus harder-to-exploit information disclosure, cross-site scripting, and man-in-the-middle weaknesses.
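The quickest way to decide which of your ASAs fall into the “patch now” bucket is to check a saved running-config for the features the advisory summary above hinges on: IKEv1/IKEv2, SSL VPN, failover, Smart Call Home, and DNS/SunRPC inspection. The script below is an added example, not part of the original post or of anything Cisco ships; the sample config is constructed, and the command syntax it matches (`crypto ikev1 enable`, `webvpn` / `enable <interface>`, `failover`, `service call-home`, `inspect dns` / `inspect sunrpc` under a `policy-map`) is assumed from typical ASA configs, so verify it against your own devices.

```python
import re

# Constructed sample of a saved `show running-config`, trimmed to the lines
# that matter here. Not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-asa
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
!
crypto ikev1 enable outside
crypto ikev2 enable outside
!
webvpn
 enable outside
 anyconnect enable
!
service call-home
call-home
 profile CiscoTAC-1
  active
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect sunrpc
  inspect ftp
!
"""

# Feature groups named in the advisory summary above.
IPSEC = "IPsec VPN (IKEv1/IKEv2)"
SSLVPN = "SSL VPN (webvpn)"
HA = "Failover / high availability"
CALLHOME = "Smart Call Home"
DNS_INSPECT = "DNS inspection"
SUNRPC_INSPECT = "SunRPC inspection"


def parse_blocks(config_text):
    """Split an ASA running-config into (top-level command, [indented sub-lines]).

    ASA prints sub-commands indented by spaces under their parent and uses
    '!' for separator lines. Deeper nesting (class under policy-map) is kept
    as a flat child list, which is enough for feature detection.
    """
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def exposed_features(config_text):
    """Map each advisory-relevant feature to the config lines that enable it."""
    found = {}

    def note(feature, line):
        found.setdefault(feature, []).append(line)

    for cmd, children in parse_blocks(config_text):
        if re.match(r"crypto ikev[12] enable \S+$", cmd):
            note(IPSEC, cmd)
        elif cmd == "webvpn":
            # The webvpn block is only live once 'enable <interface>' appears in it.
            for child in children:
                if re.match(r"enable \S+$", child):
                    note(SSLVPN, f"webvpn / {child}")
        elif cmd == "failover":
            # Bare 'failover' is the switch; 'failover lan ...' lines only configure it.
            note(HA, cmd)
        elif cmd == "service call-home":
            # A 'call-home' block exists by default; 'service call-home' turns it on (assumed).
            note(CALLHOME, cmd)
        elif cmd.startswith("policy-map "):
            for child in children:
                if child.startswith("inspect dns"):
                    note(DNS_INSPECT, f"{cmd} / {child}")
                elif child.startswith("inspect sunrpc"):
                    note(SUNRPC_INSPECT, f"{cmd} / {child}")
    return found


def patch_priority(found):
    """Turn the feature map into the triage verdict the post argues for."""
    reasons = []
    if IPSEC in found or DNS_INSPECT in found or SUNRPC_INSPECT in found:
        reasons.append("patch now: IPsec VPN and/or DNS/SunRPC inspection enabled")
    if IPSEC in found and HA in found:
        reasons.append("VPN with failover: full-compromise risk per Cisco")
    if CALLHOME in found:
        reasons.append("Smart Call Home enabled: certificate validation weakness")
    if SSLVPN in found:
        reasons.append("SSL VPN enabled: also named in the advisory")
    return reasons or ["no affected feature enabled; patch on normal schedule"]


if __name__ == "__main__":
    hits = exposed_features(SAMPLE_CONFIG)
    for feature, lines in hits.items():
        print(f"{feature}:")
        for line in lines:
            print(f"    {line}")
    for reason in patch_priority(hits):
        print("->", reason)
```

Run it against `show running-config` output captured from each firewall (or pulled from your config backups) and sort the fleet by the first reason printed; anything that reports “patch now” goes to the top of the maintenance queue.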