Two flaws were recently announced: CVE-2016-1379, a VPN memory block exhaustion vulnerability, and CVE-2016-1385, a problem with the ASA XML parser. The memory exhaustion vulnerability affects ASA software versions 9.0 and later, and can be exploited remotely.
The software has a flaw in the way it handles ICMP errors in IPsec packets: crafted packets sent through LAN-to-LAN or remote access VPN tunnels can "use the available memory".
This results in a denial of service, because the system either becomes unstable or stops forwarding traffic.
The software is vulnerable if the user is running a LAN-to-LAN VPN or remote access VPN with IKEv1 or IKEv2, or a VPN using Layer 2 Tunneling Protocol and IPsec, and if the system is configured to validate ICMP errors.
The vulnerability of the XML parser is less serious because it can only be exploited by an authenticated user.
A local administrator can lock up the system by getting the ASA to parse a malicious XML file, while someone with clientless SSL VPN access can manually send an XML file when connecting.
In both cases, because the XML parser is not sufficiently hardened, the malicious file can force a reload of the system.