CVE-2013-5512

EUVD-2013-5352

13.10.2013, 10:20

Race condition in the HTTP Deep Packet Inspection (DPI) feature in Cisco Adaptive Security Appliance (ASA) Software 8.2.x before 8.2(5.46), 8.3.x before 8.3(2.39), 8.4.x before 8.4(5.5), 8.5.x before 8.5(1.18), 8.6.x before 8.6(1.12), 8.7.x before 8.7(1.4), 9.0.x before 9.0(1.4), and 9.1.x before 9.1(1.2), in certain conditions involving the spoof-server option or ActiveX or Java response inspection, allows remote attackers to cause a denial of service (device reload) via a crafted HTTP response, aka Bug ID CSCud37992.

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:N/I:N/A:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Affected Products (NVD)

Vendor	Product	Version
cisco	adaptive_security_appliance_software	8.2
cisco	adaptive_security_appliance_software	8.2\(1\)
cisco	adaptive_security_appliance_software	8.2\(2\)
cisco	adaptive_security_appliance_software	8.2\(3\)
cisco	adaptive_security_appliance_software	8.2\(3.9\)
cisco	adaptive_security_appliance_software	8.2\(4\)
cisco	adaptive_security_appliance_software	8.2\(4.1\)
cisco	adaptive_security_appliance_software	8.2\(4.4\)
cisco	adaptive_security_appliance_software	8.2\(5\)
cisco	adaptive_security_appliance_software	8.2\(5.35\)
cisco	adaptive_security_appliance_software	8.2\(5.38\)
cisco	adaptive_security_appliance_software	8.3\(1\)
cisco	adaptive_security_appliance_software	8.3\(2\)
cisco	adaptive_security_appliance_software	8.3\(2.34\)
cisco	adaptive_security_appliance_software	8.3\(2.37\)
cisco	adaptive_security_appliance_software	8.4
cisco	adaptive_security_appliance_software	8.4\(1\)
cisco	adaptive_security_appliance_software	8.4\(1.11\)
cisco	adaptive_security_appliance_software	8.4\(2\)
cisco	adaptive_security_appliance_software	8.4\(2.11\)
cisco	adaptive_security_appliance_software	8.4\(3\)
cisco	adaptive_security_appliance_software	8.4\(4.11\)
cisco	adaptive_security_appliance_software	8.4\(5\)
cisco	adaptive_security_appliance_software	8.5
cisco	adaptive_security_appliance_software	8.5\(1\)
cisco	adaptive_security_appliance_software	8.5\(1.17\)
cisco	adaptive_security_appliance_software	8.6
cisco	adaptive_security_appliance_software	8.6\(1\)
cisco	adaptive_security_appliance_software	8.6\(1.3\)
cisco	adaptive_security_appliance_software	8.6\(1.10\)
cisco	adaptive_security_appliance_software	8.7\(1.3\)
cisco	adaptive_security_appliance_software	9.0
cisco	adaptive_security_appliance_software	9.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5512

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5512