CVE-2010-0149 in PIX 500
Summary
by MITRE
Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.2 before 7.2(4.46), 8.0 before 8.0(4.38), 8.1 before 8.1(2.29), and 8.2 before 8.2(1.5); and Cisco PIX 500 Series Security Appliance; allows remote attackers to cause a denial of service (prevention of new connections) via crafted TCP segments during termination of the TCP connection that cause the connection to remain in CLOSEWAIT status, aka "TCP Connection Exhaustion Denial of Service Vulnerability."
Analysis
by VulDB Data Team • 05/01/2026
This vulnerability affects Cisco ASA 5500 Series appliances running the listed 7.2, 8.0, 8.1 and 8.2 releases, and the PIX 500 Series, and results in a denial of service through improper handling of TCP connection teardown. An attacker sends crafted TCP segments while a connection is being terminated, and instead of completing the teardown and releasing the entry, the appliance leaves the connection in CLOSEWAIT state indefinitely. Each stuck entry holds a slot in the connection table; as they accumulate, the appliance stops accepting new connections and legitimate traffic that needs one is refused. No memory corruption or code execution is involved: the flaw is in the firewall's TCP connection tracking, at the transport layer, where the appliance's model of the TCP state machine fails to advance past the half-closed state.
In normal TCP teardown, an endpoint enters CLOSE_WAIT when it has received and acknowledged the peer's FIN but has not yet sent its own; the state is supposed to be transient. Here the appliance's tracked state is driven to that point by the crafted segments and never leaves it, so the entry is neither completed nor cleaned up. The result is resource exhaustion: the connection table fills with stale half-closed entries and new connections are rejected. It is a classic state-based denial of service, using the protocol's own state management to produce a persistent outage rather than a transient flood. VulDB maps this entry to CWE-122 (Heap-based Buffer Overflow) and CWE-129 (Improper Validation of Array Index); neither matches the behaviour described, which is uncontrolled resource consumption (CWE-400) caused by a connection-state handling flaw, and the published description reports no memory corruption.
The operational impact goes beyond a single dropped session: once the table is exhausted, every new connection through or to the appliance fails, so the outage reaches everything the firewall fronts. Organizations that rely on these appliances for network protection face downtime, and the risk is greatest where connection counts already run near the configured limits, because fewer stuck entries are needed to reach exhaustion. Because no authentication is required and the attack works remotely, the flaw is an attractive vector for a low-cost, targeted denial of service. Note that the summary lists the PIX 500 Series as affected without a fixed release; operators of PIX should confirm its status in Cisco's advisory rather than assume a fix is available.
The remedy is to upgrade to a fixed release: 7.2(4.46), 8.0(4.38), 8.1(2.29) or 8.2(1.5) or later, depending on the train in use. Until that is done, configuration changes can reduce exposure but do not remove the flaw: on ASA, per-client connection limits (`set connection per-client-max` in a policy-map) cap how many table slots one source can hold, a shorter `timeout half-closed` bounds how long a half-closed entry normally survives, and `show conn` exposes the per-connection flags needed to spot a single source accumulating half-closed connections. Limiting which sources can reach the appliance through network segmentation and access control shrinks the attack surface further, and monitoring for abnormal connection patterns gives early warning of exploitation attempts. In ATT&CK terms this falls under T1499 (Endpoint Denial of Service), sub-technique T1499.004 (Application or System Exploitation), since the outage comes from a single flaw in the target rather than from traffic volume.
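The following is an added, constructed model (not code from the page, from Cisco, or from VulDB) of the failure class described above and of the two configuration-level defences just mentioned. It represents a stateful firewall's connection table in which a half-closed entry is never reclaimed, shows how an attacker who parks connections in CLOSE_WAIT exhausts the table, and then shows how a half-closed timeout and a per-client cap change the outcome. The "attacker" here simply never completes the teardown; the specific crafted segments Cisco fixed are not public and are not reproduced. All addresses, ports, capacities and timeouts are arbitrary values chosen for the example.

```python
"""Toy model of a stateful firewall's TCP connection table under a
half-closed connection exhaustion attack (constructed example for
CVE-2010-0149; not the ASA code path or the real crafted segments)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FiveTuple = Tuple[str, int, str, int]   # (client, cport, server, sport); TCP implied


@dataclass
class Conn:
    state: str        # "ESTABLISHED" or "CLOSE_WAIT" (one side's FIN seen and acked)
    last_seen: float  # simulated clock, seconds


class ConnTable:
    """Fixed-size connection table with optional defensive limits.

    half_closed_timeout=None reproduces the page's symptom: a half-closed
    entry is never reclaimed, so each parked connection costs a slot for ever.
    """

    def __init__(self, capacity: int, half_closed_timeout: Optional[float] = None,
                 per_client_max: Optional[int] = None) -> None:
        self.capacity = capacity
        self.half_closed_timeout = half_closed_timeout
        self.per_client_max = per_client_max
        self.conns: Dict[FiveTuple, Conn] = {}
        self.rejected = 0

    def admit(self, key: FiveTuple, now: float) -> bool:
        """Admit a new connection (handshake completed) if a slot is free."""
        self.expire(now)
        client = key[0]
        if len(self.conns) >= self.capacity:
            self.rejected += 1                 # table exhausted: the DoS symptom
            return False
        if self.per_client_max is not None and \
                sum(1 for k in self.conns if k[0] == client) >= self.per_client_max:
            self.rejected += 1                 # this source already holds its quota
            return False
        self.conns[key] = Conn("ESTABLISHED", now)
        return True

    def segment(self, key: FiveTuple, flags: str, now: float) -> None:
        """Drive the tracked state with a segment's flags ("F" FIN, "R" RST)."""
        conn = self.conns.get(key)
        if conn is None:
            return
        conn.last_seen = now
        if "R" in flags:
            del self.conns[key]                # reset: free the slot immediately
        elif "F" in flags:
            if conn.state == "ESTABLISHED":
                conn.state = "CLOSE_WAIT"      # first FIN: wait for the other side's FIN
            else:
                del self.conns[key]            # second FIN: teardown complete, free the slot

    def expire(self, now: float) -> int:
        """Reclaim half-closed entries idle longer than the timeout (if one is set)."""
        if self.half_closed_timeout is None:
            return 0
        stale = [k for k, c in self.conns.items()
                 if c.state == "CLOSE_WAIT" and now - c.last_seen > self.half_closed_timeout]
        for k in stale:
            del self.conns[k]
        return len(stale)


def half_closed_by_client(table: ConnTable) -> Counter:
    """Detection helper: number of CLOSE_WAIT entries held per client.

    One source holding most of the half-closed entries is the pattern to alert
    on; on a real appliance the same view comes from the flags in `show conn`.
    """
    return Counter(k[0] for k, c in table.conns.items() if c.state == "CLOSE_WAIT")


def run_attack(table: ConnTable, attacker: str = "203.0.113.7",
               server: str = "192.0.2.10", n: int = 50) -> dict:
    """Attacker opens n connections, half-closes each and walks away; a
    legitimate client then tries to connect at t=1s and again at t=900s."""
    victim = "198.51.100.4"
    for i in range(n):
        key = (attacker, 40000 + i, server, 443)
        if table.admit(key, now=0.0):
            table.segment(key, "FA", now=0.0)  # attacker's FIN; the teardown is never finished
    first = table.admit((victim, 51000, server, 443), now=1.0)
    later = table.admit((victim, 51001, server, 443), now=900.0)
    return {"first_attempt": first, "after_900s": later,
            "stuck": half_closed_by_client(table)[attacker]}
```

With `ConnTable(capacity=50)` both of the victim's attempts fail and the attacker holds 50 stuck entries; with `half_closed_timeout=600` the second attempt succeeds once the stale entries are reclaimed; with `per_client_max=10` the attacker never gets past 10 slots and the victim is admitted both times. The model is deliberately generous to the defender: on the real appliance the flaw is precisely that the entry escapes normal cleanup, which is why the fixed release, not the timeout, is the remedy.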