On Jan. 30, Cisco Systems issued a security advisory that warns customers using its Adaptive Security Appliance (ASA) software to patch a critical VPN vulnerability. Cisco has released software updates that address the vulnerability.
The vulnerability exists in the Secure Sockets Layer VPN functionality of the ASA software, and "could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code," according to Cisco.
"The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device," Cisco says in its advisory. "An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device."
Cybersecurity researcher Cedric Halbronn of the NCC Group discovered and reported the bug, which is considered highly malicious, according to Ars Technica. "Due to the ease of exploitation and the impact, the bug — CVE-2018-0101 — has been given a Common Vulnerability Score System (CVSS) score of 10 out of a possible 10," ZDNet reports.
On the affected products, SC Magazine reports that "some of the products include 3000 Series Industrial Security Appliance (ISA), ASA 5500-X Series Next-Generation Firewalls, ASA 1000V Cloud Firewall, and Firepower Threat Defense Software (FTD)."
Cisco issued the following statement to Ars Technica:
"Cisco is committed to responsible coordinated disclosure about vulnerabilities, and maintains a very open relationship with the security research community. As soon as Cisco learned that there was potential public awareness of the issue, we immediately published a security advisory to inform customers what it is, as well as how to assess their network and remediate the issue. A patch, which addresses this vulnerability specifically, has been available since the disclosure."