Cisco security updates for ASA, NX-OS Software, CPU side-channel vulnerabilities

Cisco released new security updates on Friday, two rated high severity and two medium severity, to address ASA, NX-OS and CPU side-channel vulnerabilities that impact multiple products.

One of the high-rated patches addresses a vulnerability (CVE-2018-0296) in the web interface of the Cisco Adaptive Security Appliance (ASA) that could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition.

The other high severity update fixes a vulnerability (CVE-2018-0292) in the Internet Group Management Protocol (IGMP) Snooping feature of Cisco NX-OS Software. If unpatched, an unauthenticated attacker could execute arbitrary code and gain full control of an affected system.

Cisco also released two medium-rated security updates for five (5) CPU Side-Channel Information Disclosure Vulnerabilities. The first side-channel vulnerability (CVE-2018-3639) is also known as Spectre Variant 4 or SpectreNG. The second vulnerability (CVE-2018-3640) is known as Spectre Variant 3a.

Both of these side-channel attacks are variants of the attacks first disclosed in January 2018 and rely on cache timing to potentially steal sensitive data.

The last three vulnerabilities address Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754).

These latest Spectre/Meltdown updates included an updated vulnerable products table, new products under investigation and newly confirmed products not vulnerable to the flaws.