Five days after details about a vulnerability in Cisco ASA software became public, hackers have now started exploiting this bug in the wild against Cisco ASA devices.
Cisco did not provide any details about the exploitation attempts or the techniques hackers used, saying only that it was "aware of attempted malicious use of the vulnerability."
The exploited bug is CVE-2018-0101, a vulnerability that became public in late January. The issue got a lot of people's attention because it was a remote code execution flaw that granted attackers an easy way of taking over devices, but also because it received a CVSS severity score of 10 out of 10, meaning it was both easy to exploit and remotely exploitable via the Internet.
Initially, it was believed that only Cisco devices running ASA software with the VPN (webvpn) feature enabled were vulnerable, but more components were found to be vulnerable later (more below).
CVE-2018-0101 proof-of-concept code became available soon after news of the vulnerability became public, most likely fueling the recent attacks against Cisco ASA devices. Nonetheless, the code only crashed Cisco ASA devices, and did not include the exploitation chain to take over devices.
Companies rushed to patch the issue, but by Monday this week, Cisco reissued security updates to deliver additional patches.
According to a security advisory the company is maintaining, Cisco said engineers discovered that the bug was far more wide-reaching than initially thought.
In an update, the company said that the flaw also affected other internal components of the Cisco ASA operating system, such as:
The advisory update listed additional exploitation vectors, and Cisco users are advised to update their ASA-based devices again with Cisco's updated patch.
The company also added four new device models to the list of vulnerable equipment. The list now comprises:
Updated article to clarify that the PoC code could only be used to crash Cisco ASA devices.