Cisco warned customers using its Adaptive Security Appliance (ASA) software to patch a VPN bug urgently, as an exploit for the vulnerability was recently published.
The ASA operating system for Cisco’s network security devices has a double-free vulnerability in the Secure Sockets Layer (SSL) VPN feature, which could allow an unauthenticated remote attacker to cause a reload of the device or remotely execute code.
Attackers using XML packets can take full control of the system, said Cisco in an advisory. The ASA devices are exposed when the webvpn feature is enabled.
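Since exposure hinges on whether webvpn is enabled, a defender's first triage step is to check each ASA's running configuration for that condition. The following is an added example (not Cisco's code or tooling) that parses a constructed `show running-config` excerpt and reports the interfaces on which webvpn is enabled; the interface names and hostname are made up, and version-to-fix mapping is left to Cisco's table, which is not reproduced here.

```python
import re

# Constructed sample of ASA "show running-config" output (not a real device).
SAMPLE_CONFIG = """\
hostname edge-asa
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
"""


def webvpn_enabled_interfaces(config: str) -> list[str]:
    """Return the interface names on which the webvpn service is enabled.

    Only the top-level (unindented) 'webvpn' block counts: the indented
    'webvpn' sections under group-policy or tunnel-group attributes hold
    per-policy settings, not the listener itself. Sub-commands in ASA
    running-config output are indented, so a block ends at the next
    unindented line.
    """
    interfaces = []
    in_block = False
    for line in config.splitlines():
        if not line.startswith(" "):
            # Unindented line: either the start of the top-level block or
            # the end of whatever block we were in.
            in_block = line.rstrip() == "webvpn"
            continue
        if in_block:
            m = re.match(r"\s+enable\s+(\S+)\s*$", line)
            if m:
                interfaces.append(m.group(1))
    return interfaces


def is_exposed(config: str) -> bool:
    """True when webvpn is enabled on at least one interface, the
    precondition the advisory names for CVE-2018-0101 exposure."""
    return bool(webvpn_enabled_interfaces(config))


if __name__ == "__main__":
    print("webvpn enabled on:", webvpn_enabled_interfaces(SAMPLE_CONFIG))
    print("exposed:", is_exposed(SAMPLE_CONFIG))
```

A device that is exposed still needs its version compared against Cisco's fixed-release table before being declared vulnerable or patched.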
The bug, tracked as CVE-2018-0101, has a Common Vulnerability Scoring System (CVSS) score of 10 out of a possible 10, reflecting the ease and impact of exploitation.
CVE-2018-0101 affects the 3000 Series Industrial Security Appliance (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and 7600 Series Routers, ASA 1000V Cloud Firewall, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4110 Security Appliance, Firepower 9300 ASA Security Module and Firepower Threat Defence Software (FTD) 6.2.2.
Cisco posted a table listing the vulnerable ASA and FTD versions and the releases that fix them.