Vigil@nce - Cisco ASA: denial of service via Secondary Flows Lookup
April 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can open several connections through Cisco ASA, in
order to trigger a denial of service.
Impacted products: ASA
Severity: 2/4
Creation date: 12/04/2013
DESCRIPTION OF THE VULNERABILITY
The Cisco ASA firewall uses a connections table to store
information on current sessions.
A hash algorithm is used to quickly find entries in this table.
However, an attacker can generate hash collisions, in order to
overload CPU resources of the firewall.
An attacker can therefore open several connections through Cisco
ASA, in order to trigger a denial of service.
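The mechanism above, as an added illustration that is not part of the Vigil@nce bulletin and not Cisco's code: a toy chained connection table shows how colliding flows turn lookups into linear scans (the CPU cost), and how a keyed hash, the usual mitigation, spreads the same flows across buckets. The table layout, the two hash functions, the flow 5-tuples and the secret key are all constructed assumptions, not the Cisco ASA implementation.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed 5-tuples: (src_ip, src_port, dst_ip, dst_port, proto), IPs as ints.
# Endpoints are fixed and the ports are chosen so that sport + dport is constant,
# which makes every flow land in the same bucket of the unkeyed hash below.
def constructed_flows(n):
    src, dst, proto = 0x0A000001, 0xC0A80001, 6
    return [(src, 1024 + i, dst, 60000 - i, proto) for i in range(n)]

def unkeyed_bucket(flow, nbuckets):
    # Hypothetical weak hash: plain field sum mod table size (not Cisco's algorithm).
    return sum(flow) % nbuckets

def keyed_bucket(flow, nbuckets, key):
    # Keyed hash: the bucket depends on a secret the remote client cannot observe.
    data = ",".join(map(str, flow)).encode()
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % nbuckets

class ConnTable:
    """Chained hash table; counts entry comparisons as a proxy for CPU work."""
    def __init__(self, bucket_fn):
        self.buckets = defaultdict(list)
        self.bucket_fn = bucket_fn
        self.compares = 0

    def lookup_or_insert(self, flow):
        chain = self.buckets[self.bucket_fn(flow)]
        for entry in chain:          # every existing entry in the bucket is compared
            self.compares += 1
            if entry == flow:
                return
        chain.append(flow)

    def longest_chain(self):
        return max((len(c) for c in self.buckets.values()), default=0)

def simulate(n=2000, nbuckets=4096, key=b"constructed-secret-key"):
    """Insert the same n flows into an unkeyed and a keyed table and report the cost."""
    weak = ConnTable(lambda f: unkeyed_bucket(f, nbuckets))
    strong = ConnTable(lambda f: keyed_bucket(f, nbuckets, key))
    for f in constructed_flows(n):
        weak.lookup_or_insert(f)
        strong.lookup_or_insert(f)
    return {"unkeyed_compares": weak.compares, "unkeyed_longest": weak.longest_chain(),
            "keyed_compares": strong.compares, "keyed_longest": strong.longest_chain()}

if __name__ == "__main__":
    print(simulate())
```

With the unkeyed hash all 2000 flows share one chain and inserting them costs 1,999,000 comparisons; with the keyed hash the same flows cost a few hundred.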
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cisco-ASA-denial-of-service-via-Secondary-Flows-Lookup-12663