Reported December 15, 2003 by Cisco.





All Cisco PIX Firewall devices that run the following the software versions:


  • CSCeb20276 (SNMPv3) 6.3.1; 6.2.2 and earlier; 6.1.4 and earlier; 5.x.x and earlier.

  • CSCec20244/CSCea28896 (VPNC) 6.2.3 and earlier (excluding versions 6.1.x and 5.x.x)




Two vulnerabilities in Cisco PIX Firewall devices can result in a Denial of Service (DoS) condition on the vulnerable system. These two vulnerabilities are as follows:


·         The Cisco PIX firewall crashes and reloads while processing a received SNMPv3 message when snmp-server host <ip_addr> is configured on the Cisco PIX firewall. This happens even though the Cisco PIX firewall doesn't support SNMPv3.


·         Under certain conditions, an established VPNC IPSec tunnel connection drops if another IPSec client attempts to initiate an IKE Phase I negotiation to the outside interface of the VPN Client-configured Cisco PIX Firewall.




Cisco has released a security bulletin concerning these vulnerabilities and recommends that affected customers obtain the patch available through normal support channels.




Discovered by Cisco.