Cisco patched vulnerabilities affecting the company’s Web Security Appliance devices that affect how the web filtering devices process traffic.
Two vulnerabilities (CVE-2016-1380, CVE-2016-1382) allow remote attackers to cause a denial of service (DoS) vulnerability by interfering with the device’s operating system, Cisco AsyncOS. The flaws could cause the AsyncOS operating system to become unable to parse HTTP POST requests, resulting in the proxy process becoming unresponsive. Cisco gave the DoS vulnerability a 7.8 CVSS rating. There are no workarounds that address the flaw, Cisco said in its security advisory.
Cisco also patched flaws (CVE-2016-1381, CVE-2016-1383) that affect the AsyncOS operating system’s ability to handle a specific HTTP response code. An attacker could cause an appliance to run out of system memory by sending an HTTP request in order to cause a denial of service (DoS). A workaround for the vulnerability is available. The flaw affects Cisco AsyncOS versions for Cisco WSA, the company said in a security advisory. Cisco granted the CVE-2016-1381 vulnerability a 7.8 CVSS rating, while CVE-2016-1383 received a 7.1 CVSS rating.
The vulnerabilities are unrelated to a separate denial-of-service flaw affecting the company’s Adaptive Security Appliance (ASA) Software, which was patched by Cisco earlier this week.