CISCO : Cisco ASA Clientless VPN Information Disclosure and DoS Vulnerability (cisco-sa-20141008-asa)

Vulnerability Search		Search 324607 CVE descriptions and 146377 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.105985

Category: CISCO

Title: Cisco ASA Clientless VPN Information Disclosure and DoS Vulnerability (cisco-sa-20141008-asa)

Summary: A vulnerability in the Clientless SSL VPN portal feature could; allow an unauthenticated, remote attacker to access random memory locations. Due to this; vulnerability, the attacker may be able to access the information stored in memory and in some; cases may be able to corrupt this portion of memory, which could lead to a reload of the affected; system.

Description: Summary:
A vulnerability in the Clientless SSL VPN portal feature could
allow an unauthenticated, remote attacker to access random memory locations. Due to this
vulnerability, the attacker may be able to access the information stored in memory and in some
cases may be able to corrupt this portion of memory, which could lead to a reload of the affected
system.

Vulnerability Insight:
The vulnerability is due to insufficient sanitization of
user-supplied input. An authenticated, remote attacker could exploit this vulnerability by
setting random values on parameters passed during access to the Clientless SSL VPN portal.

Vulnerability Impact:
A successful exploit could allow the attacker to access
sensitive information in memory. In some cases, the attacker could corrupt a portion of memory
that could cause the targeted device to reload abnormally. Repeated exploitation could lead to a
sustained DoS condition for legitimate users.

Affected Software/OS:
Cisco ASA version 8.2, 8.3, 8.4, 8.6, 9.0, 9.1, 9.2 and 9.3.

Solution:
See the referenced vendor advisory for a solution.

CVSS Score:
8.3

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2014-3392
Cisco Security Advisory: 20141008 Multiple Vulnerabilities in Cisco ASA Software
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Copyright Copyright (C) 2015 Greenbone Networks GmbH

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.105985
Category:	CISCO
Title:	Cisco ASA Clientless VPN Information Disclosure and DoS Vulnerability (cisco-sa-20141008-asa)
Summary:	A vulnerability in the Clientless SSL VPN portal feature could; allow an unauthenticated, remote attacker to access random memory locations. Due to this; vulnerability, the attacker may be able to access the information stored in memory and in some; cases may be able to corrupt this portion of memory, which could lead to a reload of the affected; system.
Description:	Summary: A vulnerability in the Clientless SSL VPN portal feature could allow an unauthenticated, remote attacker to access random memory locations. Due to this vulnerability, the attacker may be able to access the information stored in memory and in some cases may be able to corrupt this portion of memory, which could lead to a reload of the affected system. Vulnerability Insight: The vulnerability is due to insufficient sanitization of user-supplied input. An authenticated, remote attacker could exploit this vulnerability by setting random values on parameters passed during access to the Clientless SSL VPN portal. Vulnerability Impact: A successful exploit could allow the attacker to access sensitive information in memory. In some cases, the attacker could corrupt a portion of memory that could cause the targeted device to reload abnormally. Repeated exploitation could lead to a sustained DoS condition for legitimate users. Affected Software/OS: Cisco ASA version 8.2, 8.3, 8.4, 8.6, 9.0, 9.1, 9.2 and 9.3. Solution: See the referenced vendor advisory for a solution. CVSS Score: 8.3 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2014-3392 Cisco Security Advisory: 20141008 Multiple Vulnerabilities in Cisco ASA Software http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
Copyright	Copyright (C) 2015 Greenbone Networks GmbH