Cisco recently issued an urgent security advisory regarding devices configured with WebVPN. The vulnerability is in the Secure Sockets Layer (SSL) of Cisco Adaptive Security Appliance (ASA) devices. The company has labeled it a critical flaw with a CVSS score of 10 which is as high as the scale goes.
According to Cisco, "The vulnerability is due to an attempt to double free a region of memory when the WebVPN feature is enabled on the Cisco ASA device."
WebVPN is a clientless virtual private network software that allows users to access corporate assets and intranets from any computer connected to the internet. Unfortunately, an attacker can use this feature to attack the devices on the network. By sending a series of XML packets to a WebVPN device, an attacker could cause systems to reload or crash, creating a denial of service or even execute remote code on the affected machine.
Cisco says there is no workaround for this vulnerability and that affected devices should apply the patch it has already issued. Cisco identified the following devices as being affected by the security hole:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
Cisco also has instructions on how to identify and track down devices running the vulnerable version of the software in its alert post. If you are an administrator, it is advisable that you check your network for anything that might be running the unpatched software. The version of the Remote Access VPN program is identified as FTD 6.2.2.
If you do not have a service contract with Cisco but need the patched software, you can contact Cisco's Technical Assistance Center.