Ugly, perfect ten-rated bug hits Cisco VPNs
A programming slip in Cisco VPN software has created a critical vulnerability hitting ten different Adaptive Security Appliance and Firepower Threat Defense Software products.
The bug scores a perfect ten CVSS rating and is present in the products’ SSL VPN functionality. That’s bad news because if you’re using the VPN, the interface has to be exposed to the Internet. If you’re lucky, an attacker might just trigger a reload and denial-of-service attack.
From Switchzilla’s advisory: “The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system.”
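The advisory's trigger condition is that the webvpn feature is enabled on an interface, so the first thing a defender wants to know is which interfaces on a given ASA have it turned on and whether any of them face the Internet. The following Python script is an added example, not code from the article or from Cisco. It parses a constructed running-config excerpt using the standard ASA CLI layout (a top-level `webvpn` block containing `enable <nameif>` lines, and `interface` blocks with `nameif` and `security-level`); treating `security-level 0` as "Internet-facing" is an assumption used as a heuristic here, not something the article states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of an ASA running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
webvpn
 enable outside
 anyconnect enable
!
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map each nameif to its physical interface and security level.

    Walks the indented 'interface ...' blocks; any non-indented line ends a block.
    """
    interfaces: Dict[str, dict] = {}
    current: Optional[dict] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"interface": line.split()[1], "nameif": None, "security_level": None}
            interfaces[current["interface"]] = current
        elif current is not None and line.startswith(" nameif "):
            current["nameif"] = line.split()[1]
        elif current is not None and line.startswith(" security-level "):
            current["security_level"] = int(line.split()[1])
        elif not line.startswith(" "):
            current = None  # '!' or another top-level command closes the block
    return {v["nameif"]: v for v in interfaces.values() if v["nameif"]}


def webvpn_enabled_interfaces(config: str) -> List[str]:
    """Return the nameifs listed as 'enable <nameif>' under the top-level 'webvpn' block."""
    enabled: List[str] = []
    in_webvpn = False
    for line in config.splitlines():
        if line.rstrip() == "webvpn":      # top-level block only (group-policy webvpn is indented)
            in_webvpn = True
            continue
        if in_webvpn:
            if not line.startswith(" "):   # left the webvpn block
                in_webvpn = False
                continue
            m = re.match(r"^\s+enable (\S+)\s*$", line)
            if m:
                enabled.append(m.group(1))
    return enabled


def assess_exposure(config: str) -> List[dict]:
    """Join the two views: each webvpn-enabled interface with its security level.

    'internet_facing' is a heuristic (assumption): security-level 0 is the usual
    setting for the outside interface, which is where the SSL VPN must be reachable.
    """
    ifaces = parse_interfaces(config)
    findings = []
    for name in webvpn_enabled_interfaces(config):
        info = ifaces.get(name)
        sec = info["security_level"] if info else None
        findings.append({
            "nameif": name,
            "interface": info["interface"] if info else None,
            "security_level": sec,
            "internet_facing": sec == 0,
        })
    return findings


if __name__ == "__main__":
    for finding in assess_exposure(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` from each appliance in an inventory; any interface reported with `internet_facing` True is one where the advisory's precondition (webvpn enabled on a reachable interface) holds, and therefore one to prioritise for patching.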
The problem affects the 3000 series industrial firewall, the ASA 5500 and 5500-X firewalls, a firewall module for Catalyst 6500 switches and 7600 Series routers, the virtual ASA 1000V and ASAv products, three Firepower appliances (2100, 4110, and the 9300 ASA module), and the Firepower Threat Defense (FTD) Software.
The bug was introduced in Firepower Threat Defense 6.2.2, which introduced the remote access VPN feature, Cisco said. FTD 6.2.2 was released in September last year.
Fixes for both the Adaptive Security Appliance software and Firepower Threat Defense software are available – if you have a Cisco service contract, or your reseller can provide the patches. If not, you’ll have to ask the Cisco Technical Assistance Center really nicely. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/30/cisco_asa_and_firepower_cvss_10_0_bug_patch_asap/