PT-2014-3803 · Cisco · Cisco Asa

Published: 2014-02-21 · Updated: 2023-08-15 · CVE-2014-0739

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Cisco Adaptive Security Appliance (ASA) Software version 9.1.3 and earlier

Description

A race condition in the Phone Proxy component allows remote attackers to bypass sec_db authentication and provide certain pass-through services to untrusted devices via a crafted configuration-file TFTP request. This issue could allow an unauthenticated, remote attacker to pass traffic from an untrusted phone through the ASA.

Recommendations

For Cisco Adaptive Security Appliance (ASA) Software version 9.1.3 and earlier, consider disabling the Phone Proxy feature until a patch is available to prevent exploitation. Restrict access to the TFTP request function of the Phone Proxy feature to minimize the risk of exploitation. Avoid using crafted configuration-file TFTP requests in the affected Phone Proxy component until the issue is resolved.

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2014-0739

Affected Products

Cisco Asa