Ugly, perfect ten-rated bug hits Cisco VPNs

Patch your Adaptive Security Appliance and Firepower Threat Defense code before they're utterly p0wned

By Richard Chirgwin

Posted in Security, 30th January 2018 01:41 GMT

A programming slip in Cisco VPN software has introduced a critical vulnerability hitting ten different Adaptive Security Appliance and Firepower Threat Defense Software products.

The bug scores a perfect ten CVSS rating, and is present in the products' SSL VPN functionality. That's bad news because if you've deployed the VPN – specifically, webvpn – for staff to use in the field, the interface will be exposed to the Internet. If you're lucky, an attacker may just trigger a reload and denial-of-service attack. If you're unlucky, the miscreant will be able to execute arbitrary evil code on your network firewall.

From Switchzilla's advisory: “The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system.”

The problem affects the 3000 series of industrial firewalls, the ASA 5500 and 5500-X firewalls, a firewall module for Catalyst 6500 switches and 7600 Series routers, the virtual ASA 1000V and ASAv products, three Firepower appliances (2100, 4110, and the 9300 ASA module), and the Firepower Thread Defense (FTD) Software.

The programming flaw appears to have been introduced at least as far back as ASA 8.x, which was released five or so years ago. Cisco has published a table of affected ASA builds and the patched versions in the aforementioned advisory. The bug also affects Firepower Threat Defense 6.2.2, which was released last year, and later versions up to the fixed release, 6.2.2.2-4 or 6.2.2.2-6 depending on your hardware.

Fixes for both the Adaptive Security Appliance software and Firepower Threat Defense software are available – if you have a Cisco service contract, or your reseller can provide the patches. If not, you'll have to ask the Cisco Technical Assistance Center really nicely. ®

Sign up to our NewsletterGet IT in your inbox daily

33 Comments

More from The Register

Former Cisco CEO John Chambers says insects are the new lobsters

Only a venture capitalist could say something like that – but that’s what Chambers is now

Outgoing Cisco exec chair John Chambers joins Sprinklr board

There is life after the Borg... in social media management platforms apparently

Cisco's John Chambers: Robot farmers will feed bloated cricket thoraxes to our children

'US is the worst for startups'

Cisco's John Chambers to quit as exec chair

Southern drawler to fly off into sunset on back of a drone

Smut site offers VPN so you don't bare all online

If someone asks how you heard about it, tell them you read it at El Reg to save embarrassment

Private Internet Access VPN opens code-y sarong, starting with Chrome extension

All client-side app code to be released over next six months

Git security vulnerability could lead to an attack of the (repo) clones

Best git patching y'all

VPN tests reveal privacy-leaking bugs

Hotspot Shield patched; Zenmate and VPN Shield haven't ... yet?

Apple removes VPN apps in China as Russia's Putin puts in the boot with VPN banlaw

Banned and yanked from Apple's App Store

Why you shouldn't trust a stranger's VPN: Plenty leak your IP addresses

WebRTC flaw still dogs so-called 'secure' providers