Cisco: IT must patch ASA VPN bug again, first fix was 'incomplete'

Apparently Cisco missed a few attack vectors when it initially patched a dangerous bug in its Adaptive Security Appliance software.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A critical security bug affecting Cisco's Adaptive Security Appliance software has been patched again, after the first fix was found to be missing certain attack vectors.
  • Organizations that run SSL VPN or IKEv2 remote-access VPN services on a Cisco ASA should install the revised fix immediately; there is no workaround.

Cisco users need to patch their Cisco Adaptive Security Appliance (ASA) software again, after an initial patch to protect against a VPN vulnerability was found lacking. As noted in an updated security advisory Monday, the first patch does not account for additional attack vectors and features found by Cisco researchers.

According to the advisory, Cisco "found that the original fix was incomplete so new fixed code versions are now available."

IT leaders at organizations that run a Cisco ASA should update their systems immediately, especially given that the flaw received a Common Vulnerability Scoring System (CVSS) score of 10 out of 10, the highest possible rating, when it was first disclosed.


As reported by our sister site ZDNet, the additional vulnerability was first discovered by NCC Group researcher Cedric Halbronn. This highlights the value of third-party security researchers and white hat hackers in keeping the enterprise safe.

The vulnerability is in the XML parser of the Cisco ASA software, the advisory said. By sending crafted XML to a vulnerable interface, an attacker could execute code remotely, force the device to reload, or stop it from processing VPN authentication requests.

"An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, cause a reload of the affected device or stop processing of incoming VPN authentication requests," the advisory said.

The Cisco ASA must have Secure Sockets Layer (SSL) services or IKEv2 Remote Access VPN services enabled on an interface to be vulnerable, the advisory said.

"The risk of the vulnerability being exploited also depends on the accessibility of the interface to the attacker," the advisory said.
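The two conditions above (a VPN service enabled on an interface, and how reachable that interface is) are the ones an administrator needs to check across a fleet before prioritizing patches. The following script is an added example, not Cisco's own tooling and not from the advisory: it scans a saved `show running-config` dump for the ASA commands that enable those services on an interface (`enable <nameif>` inside the `webvpn` block, and `crypto ikev2 enable <nameif>`), and ranks hits by the interface's `security-level`, on the assumption that level 0 is the untrusted, internet-facing side. The two configs embedded in it are constructed samples. It does not check the software version, because the fixed releases are listed only in the advisory's product table, which this article does not reproduce.

```python
"""Triage helper for the ASA VPN advisory: flag configs that expose the
affected services on an interface. Added example, not Cisco's code."""
import re

# Constructed sample configs, not real device output.
VULNERABLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
crypto ikev2 enable outside
webvpn
 enable outside
 anyconnect enable
"""

# webvpn block present but never enabled on an interface, no IKEv2: not exposed.
SAFE_CONFIG = """\
hostname asa-branch
interface GigabitEthernet0/0
 nameif outside
 security-level 0
webvpn
 anyconnect image disk0:/anyconnect.pkg 1
"""

INTERFACE_RE = re.compile(r"^interface\s+\S+")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
SECLEVEL_RE = re.compile(r"^\s+security-level\s+(\d+)")
IKEV2_RE = re.compile(r"^crypto ikev2 enable\s+(\S+)")
WEBVPN_ENABLE_RE = re.compile(r"^\s+enable\s+(\S+)")


def parse_asa_config(config):
    """Walk a running-config once and collect the security level of each
    nameif, the interfaces where webvpn (SSL) is enabled, and the interfaces
    where IKEv2 is enabled. ASA indents sub-commands with one space."""
    levels, ssl, ikev2 = {}, [], []
    block = None            # top-level block we are inside: "interface", "webvpn", or None
    nameif, pending_level = None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # New top-level command: decide which block (if any) follows.
            if INTERFACE_RE.match(line):
                block, nameif, pending_level = "interface", None, None
            elif line == "webvpn":
                block = "webvpn"
            else:
                block = None
                m = IKEV2_RE.match(line)
                if m:
                    ikev2.append(m.group(1))
            continue
        if block == "interface":
            # nameif and security-level may appear in either order.
            m = NAMEIF_RE.match(line)
            if m:
                nameif = m.group(1)
                levels[nameif] = pending_level
                continue
            m = SECLEVEL_RE.match(line)
            if m:
                pending_level = int(m.group(1))
                if nameif:
                    levels[nameif] = pending_level
        elif block == "webvpn":
            m = WEBVPN_ENABLE_RE.match(line)
            if m:
                ssl.append(m.group(1))
    return {"levels": levels, "ssl": ssl, "ikev2": ikev2}


def exposure_report(config):
    """Return (service, interface, security_level) rows, most exposed first.
    Lower security-level is the less trusted side, so it sorts first;
    an interface with no known level sorts last."""
    parsed = parse_asa_config(config)
    rows = [("ssl-vpn", i, parsed["levels"].get(i)) for i in parsed["ssl"]]
    rows += [("ikev2", i, parsed["levels"].get(i)) for i in parsed["ikev2"]]
    rows.sort(key=lambda r: (r[2] if r[2] is not None else 999, r[0]))
    return rows


def is_exposed(config):
    """True if any affected VPN service is enabled on any interface."""
    return bool(exposure_report(config))


if __name__ == "__main__":
    for name, cfg in (("asa-edge", VULNERABLE_CONFIG), ("asa-branch", SAFE_CONFIG)):
        rows = exposure_report(cfg)
        print(name, "EXPOSED" if rows else "not exposed")
        for service, iface, level in rows:
            print(f"  {service} on {iface} (security-level {level})")
```

Feed it one config per device and patch the devices with hits on security-level 0 interfaces first; a hit on a high-security interface still needs the fix, since the advisory offers no workaround, but it is reachable only from the trusted side.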

The advisory lists the affected Cisco products and fixed software releases. There are no workarounds for this vulnerability; installing the revised fix is the only remedy.

At the time of this writing, Cisco wasn't aware of any malicious uses of this vulnerability, the advisory said.
