How to trigger DoS flaws in CISCO WSA. Apply fixes asap

This is part of my automatic Tech Feed that aggregates my favorite tech site articles.


Cisco issued a series of patches for the AsyncOS operating on CISCO WSA that fix multiple high severity Denial-of-Service (DoS) vulnerabilities.

Cisco has released security patches for the AsyncOS operating system that run on the Web Security Appliance, also called CISCO WSA. The security updates fix multiple high severity Denial-of-Service (DoS) vulnerabilities.

CISCO WSA

Below the details of the flaws in the CISCO WSA fixed by the last series of patches:

CVE-2016-1380 is a flaw ranked as high that is triggered when parsing an HTTP POST request with Cisco AsyncOS for Cisco WSA, it could be exploited by an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the proxy process becoming unresponsive.
The flaw is caused by the lack of proper input validation of the packets that compose an HTTP POST request.

CVE-2016-1381 resides in the cached file-range request functionality implemented by Cisco AsyncOS. A remote, unauthenticated attacker can trigger it to cause a denial of service (DoS) condition. The flaw, is ranked as high, could exploit by opening multiple connections that request file ranges through the affected device. When the memory is saturated to attack causes the WSA to stop passing traffic.

CVE-2016-1382 is a vulnerability that resides in the HTTP request parsing in Cisco AsyncOS for the Cisco WSA. The flaw could allow a remote, unauthenticated attacker to trigger a denial of service (DoS) condition when the proxy process unexpectedly restarts.

In order to exploit the flaw, the attacker just needs to send a specifically crafted HTTP request to the vulnerable device, the OS will not properly allocate the sufficient space for the HTTP header and any expected HTTP payload.

CVE-2016-1383 is a flaw ranked as high that resides in the way the operating system handles certain HTTP response code. The flaw could be exploited by an unauthenticated, remote attacker to cause a DoS condition by simply sending to the device a specially crafted HTTP request causing it to run out of memory.

Cisco confirmed that the security issues affect various versions of the AsyncOS running on CISCO WSA on both hardware and virtual appliances.

Cisco confirmed that it isn’t aware that the flaw has been exploited by hackers in the wild.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

Pierluigi Paganini

(Security Affairs – CISCO WSA, hacking)

The post How to trigger DoS flaws in CISCO WSA. Apply fixes asap appeared first on Security Affairs.


Go to Source
Author: Pierluigi Paganini

Powered by WPeMatico

OneCore to rule them all: How Windows Everywhere finally happened

Everywhere Windows 10 can be. And on the server, too, though there it gets a different branding. (credit: Microsoft)

The Windows 10 Anniversary update, due later this summer, represents a major landmark for Microsoft. As well as being a significant update for Windows 10 on the desktop and Windows 10 Mobile on phones, the release is also coming to the Xbox One. For the first time, the Xbox One will be running essentially the same operating system as desktop Windows. Critically, it will also be able to run many of the same applications as desktop Windows.

In a lot of ways, this represents the realization of a vision that Microsoft has been promoting for more than 20 years: Windows Everywhere. Always important to Microsoft’s ambitions for Windows as a platform, the Windows Everywhere ideal has a renewed significance with Windows 10 and CEO Satya Nadella’s promise that Windows 10 will have one billion users within the first three years of its availability. The purpose of that promise is to send a message to developers that Windows is a big platform, a platform that they should still think about and create software for.

But if it is to have a hope of hitting that one billion target, Microsoft needs more than just PC users to get on board, which makes it important for Windows to run on more than just PCs. Hence the need for Windows Everywhere.

Read 83 remaining paragraphs | Comments

Go to Source
Author: Peter Bright
This is part of my automatic Tech Feed that aggregates my favorite tech site articles.

Powered by WPeMatico

New Oculus Store update breaks HTC Vive compatibility project

Oculus-Store
A recent patch for the Oculus Store has killed the Revive compatibility project for the HTC Vive. While the games themselves still run, the Oculus Store itself now contains DRM checks that check to ensure an Oculus Rift is connected to the system.
Go to Source
Author: Joel Hruska
This is part of my automatic Tech Feed that aggregates my favorite tech site articles.

Powered by WPeMatico