A critical flaw affecting the devices achieved a vulnerability score of 10/10.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Cisco has issued a patch for a critical vulnerability in the SSL VPN functionality of the Cisco Adaptive Security Appliance Software.
- A Cisco VPN bug achieved a CVSS Score of 10 out of 10, and could have affected as many as 200,000 devices.
Cisco is urging users of its Cisco Adaptive Security Appliance to patch their systems to protect against a critical VPN vulnerability. Addressed in a security advisory, Cisco noted that the flaw received a Common Vulnerability Scoring System (CVSS) score of 10 out of 10—the highest possible rating.
The vulnerability specifically affects devices running the vulnerable version of the appliance software that also have the webvpn feature enabled, the advisory said. In this instance webvpn must be configured globally, but must also "be one enabled interface via the enable <if_name> in the configuration," the advisory said. To determine if that is the case in your organization, an admin must "use the show running-config webvpn command at the CLI and verify that the command returns at least one enable <if_name> line," the advisory said.
Obviously, IT admins at a vulnerable organization should patch their systems immediately. Urgency in patching is especially important now, as a security researcher will be demonstrating how to exploit it this coming weekend, as reported by Liam Tung of our sister site ZDNet.
SEE: System update policy (Tech Pro Research)
According to the advisory, the affected software is running on the following systems:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
Exploits of this vulnerability happens when an attacker sends specialized XML packets to the webvpn-configured interface. If successful, the exploit "could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device," the advisory noted.
The vulnerability was first reported by Cedric Halbronn from the NCC Group, and security researcher Kevin Beaumont posited on Twitter that there may now be as many as 200,000 affected devices.
If you're thinking of skipping the patch process, don't. According to Cisco, there are no known workarounds at this time other than simply updating the software. Follow the instructions in the advisory to determine if your software version is vulnerable.
- Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
- Cisco: This VPN bug has a 10 out of 10 severity rating, so patch it now (ZDNet)
- Zero day exploits: The smart person's guide (TechRepublic)
- For internet privacy, a VPN won't save you (ZDNet)
- How to select a trustworthy VPN (TechRepublic)