Cisco Systems Inc. warned of multiple flaws in its ASA 5500 Series Adaptive Security Appliances and PIX Security Appliances that could be used by an attacker to bypass security controls and gain access to critical systems.
The appliances are used to provide a variety of network security features to address Voice over Internet Protocol (VoIP) security, VPN connections for remote employees and firewall services.
Cisco's advisory warned of a Windows NT domain authentication bypass vulnerability, IPv6 denial of service flaw and crypto accelerator memory leak vulnerability. The vendor released updates correcting the problems and said workarounds are available for some of the vulnerabilities.
Cisco said its ASA and PIX devices could be susceptible to a VPN authentication bypass vulnerability since they support Microsoft Windows server operating systems, which are vulnerable to a Windows NT Domain authentication flaw. Appliances configured for IPSec or SSL-based remote access VPN may be vulnerable, Cisco said.
The IPv6 denial-of-service flaw could cause an IPv6 packet to force ASA and PIX devices to reload. The constant reloading can be exploited by an attacker to force a denial-of-service condition. Cisco said devices running software versions from 7.2(4)9 or 7.2(4)10 that have IPv6 enabled are vulnerable to this issue.
ASA appliances are vulnerable to a crypto accelerator memory leak vulnerability. The accelerator is used for clientless VPN connections, a proxy for encrypted voice inspection, and secure shell access.
Danish vulnerability clearinghouse Secunia gave the flaws a "moderately critical" rating. Secunia said the flaws can be exploited by sending specially crafted packets to an affected device.
In September, Cisco released patches to fix critical flaws in its routers and IOS software. The updates were bundled in a package of 12 security advisories.