Cisco has released new patches for a critical vulnerability in its Adaptive Security Appliance software after further investigation revealed additional attack vectors.
The company first announced the vulnerability, CVE-2018-0101, on Jan. 29. It received a Common Vulnerability Scoring System base score of 10.0, the highest possible, and was initially discovered by Cedric Halbronn from NCC Group.
“After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory,” said Omar Santos, principal engineer with Cisco’s product security incident response team, in a blog post. Cisco also found additional denial of service conditions. A “new comprehensive fix” is now available, Santos said.
The vulnerability is linked to ASA’s XML parser. An attacker could exploit it by crafting a malicious XML file and sending it through a vulnerable interface, whereupon they could “execute arbitrary code and obtain full control of the system, cause a reload of the affected device or stop processing of incoming VPN authentication requests,” Cisco said in its security advisory. Secure Socket Layer (SSL) services or IKEv2 Remote Access VPN services must be enabled on an interface for the vulnerability to be exploited.
There are no known incidents of the vulnerability being exploited, but Cisco is urging customers to apply the updated patches. It now affects 15 products that run ASA software, including a wide range of Firepower Security Appliance versions, ASA 5500-X Series Next-Generation Firewalls and ASA 5500 Series Adaptive Security Appliances.
Cisco has come under fire for its handling of the situation. Sysadmin Colin Edwards, who blogs frequently on network and security issues, said far too much time had passed–80 days, by his measure–between when Cisco released its first patches for the vulnerability and when it published the security advisory.
“I can understand some of the challenges that Cisco and their peers are up against,” Edwards wrote. “[But] eighty days is a long time, and it’s a particularly long time for a vulnerability with a CVSS Score of 10 that affects devices that are usually directly connected to the Internet.”
“Yes, customers need to take responsibility for installing patches in a timely manner,” he added. “However, customers also need to have access to adequate information so that they can appropriately prioritize among myriad workloads.” The Jan. 29 advisory provided information that was “critical for customers to have at their disposal,” Edwards wrote.
Cisco published its security advisory immediately after finding out there was public knowledge of the vulnerability, which falls in line with its disclosure policy, Santos wrote: “Cisco recognizes the technology vendor’s role in protecting customers, and we won’t shy away from our responsibility to constantly be transparent with up-to-date information.”