Cisco has released software patches that fix a critical vulnerability affecting Cisco devices running Adaptive Security Appliance (ASA) Software.
Cisco ASA Software is the core operating system for the Cisco ASA Family, a class of security-centric networking devices that combine firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities.
According to a security advisory published today, Cisco ASA Software releases prior to the fixed versions are affected by a vulnerability in the operating system's Secure Sockets Layer (SSL) VPN functionality.
The vulnerability, tracked as CVE-2018-0101, affects the following Cisco ASA devices, but only if the "webvpn" feature is enabled on at least one interface in the device configuration.
— 3000 Series Industrial Security Appliance (ISA)
— ASA 5500 Series Adaptive Security Appliances
— ASA 5500-X Series Next-Generation Firewalls
— ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
— ASA 1000V Cloud Firewall
— Adaptive Security Virtual Appliance (ASAv)
— Firepower 2100 Series Security Appliance
— Firepower 4110 Security Appliance
— Firepower 9300 ASA Security Module
— Firepower Threat Defense Software (FTD)
Cisco says that an attacker can send crafted XML packets to a webvpn-configured interface to trigger a double free in the device's memory. A successful exploit lets the attacker execute arbitrary code and obtain full control of the device; a failed or partial attempt can still force the device to reload, which takes down the firewall and its VPN service.
CVE-2018-0101 has received a CVSS base score of 10 out of 10, the maximum: the flaw is reachable over the network, requires no authentication and no user interaction, has low attack complexity, and a successful exploit compromises the confidentiality, integrity, and availability of the device.
Cisco said it was aware that details about the vulnerability had recently been made public, but that it had not yet detected any attacks exploiting the flaw.
Cedric Halbronn of NCC Group discovered the flaw and reported it to Cisco. Cisco classifies the bug as CWE-415 (double free) and has issued fixed releases for each affected software train; a table of ASA Software version numbers for the fixed releases is available in Cisco's security advisory (cisco-sa-20180129-asa1).
Cisco also said there are no workarounds that address this vulnerability, so customers must either disable the webvpn feature (which takes the SSL VPN and AnyConnect service on that interface offline) or upgrade to a fixed release.
Vulnerabilities with a 10 out of 10 severity score are rare, but when they appear they are usually exploited. Oracle, too, was affected by one such issue last year.
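Cisco's advisory tells administrators to decide whether a device meets the precondition above by running `show running-config webvpn` and looking for an `enable <interface>` line. The script below, an added example rather than anything from Cisco or the article, automates that check against saved running-config text, which is how you would triage a fleet of exported configs before planning upgrades or pulling the webvpn feature. The two sample configs are constructed for the example and are not captured from real devices; the hostnames, policy names and image path are invented.

```python
"""Check an ASA running-config for the webvpn exposure condition in Cisco's advisory.

Added example, not Cisco tooling. Cisco's own check is to run
`show running-config webvpn` and look for an `enable <interface>` line;
this mirrors that check against saved config text.
"""
import re
from typing import List

# Constructed sample configs (not captured from a real device). ASA prints
# sub-commands indented by one space. A `webvpn` block nested under a
# group-policy is itself indented and carries per-policy settings only; it
# does not start the SSL VPN listener, so it must not count as exposure.
EXPOSED_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect keep-installer installed
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 tunnel-group-list enable
"""

SAFE_CONFIG = """\
hostname asa-edge
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect keep-installer installed
webvpn
 anyconnect image disk0:/anyconnect-win.pkg 1
 tunnel-group-list enable
"""

# Exactly one leading space, then the bare `enable` command and an interface
# name. `anyconnect enable` and `tunnel-group-list enable` are different
# commands and deliberately do not match.
_ENABLE_RE = re.compile(r"^ enable (\S+)\s*$")


def webvpn_enabled_interfaces(running_config: str) -> List[str]:
    """Return the interfaces on which the global `webvpn` service is enabled.

    Only the top-level `webvpn` block is inspected; any unindented line
    starts a new top-level command and closes the block.
    """
    interfaces: List[str] = []
    in_webvpn = False
    for line in running_config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank line or section separator
        if not line.startswith(" "):
            in_webvpn = line.strip() == "webvpn"  # new top-level command
            continue
        if in_webvpn:
            match = _ENABLE_RE.match(line)
            if match:
                interfaces.append(match.group(1))
    return interfaces


def is_exposed(running_config: str) -> bool:
    """True when the SSL VPN listener is enabled on at least one interface,
    i.e. the precondition for CVE-2018-0101 is met (patch level aside)."""
    return bool(webvpn_enabled_interfaces(running_config))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("safe", SAFE_CONFIG)):
        ifaces = webvpn_enabled_interfaces(cfg)
        print(f"{name}: webvpn enabled on {ifaces or 'no interface'}")
```

The check only answers whether the vulnerable listener is reachable; a device that reports no enabled interface is not exposed regardless of version, while one that does must still have its `show version` output compared against the fixed-release table in the advisory. Removing the `enable <interface>` line from the webvpn block is the configuration change behind "disable the webvpn feature", so re-running the script after that change should return an empty list.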