Cisco's latest security update patches an Adaptive Security Appliance (ASA) software vulnerability that could allow an attacker to gain complete control of an affected system.
The bug exists in the Secure Sockets Layer (SSL) VPN functionality of the ASA and is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device, according to a 30 January security advisory.
“In addition to webvpn being globally configured there must be one enabled interface via the enable <if_name> in the configuration,” researchers said in the advisory. “To determine whether webvpn is enabled for at least one interface, administrators can use the show running-config webvpn command at the CLI and verify that the command returns at least one enable <if_name> line.”
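To script the exposure check the advisory describes, here is an added Python example (not from the article or from Cisco) that parses captured `show running-config webvpn` output and reports which interfaces carry an `enable <if_name>` line; the sample config text is constructed for illustration.

```python
import re

# Constructed sample of "show running-config webvpn" output from an ASA with
# webvpn enabled on the "outside" interface (illustrative, not from the article).
SAMPLE_ENABLED = """\
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
"""

# Constructed sample where webvpn is configured but enabled on no interface.
SAMPLE_NOT_ENABLED = """\
webvpn
 anyconnect enable
"""

# Only an indented line of the exact form "enable <if_name>" counts; other
# indented lines that merely contain the word "enable" must not match.
ENABLE_RE = re.compile(r"^\s+enable\s+(\S+)\s*$")


def webvpn_enabled_interfaces(running_config: str) -> list[str]:
    """Return the interface names on 'enable <if_name>' lines inside the
    global 'webvpn' block of an ASA running-config."""
    interfaces = []
    in_webvpn = False
    for line in running_config.splitlines():
        if line.strip() and not line.startswith(" "):
            # A non-indented line starts a new top-level config section.
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn:
            m = ENABLE_RE.match(line)
            if m:
                interfaces.append(m.group(1))
    return interfaces


def webvpn_exposed(running_config: str) -> bool:
    """True when webvpn is globally configured and enabled on at least one
    interface, the condition the advisory gives for an affected device."""
    return bool(webvpn_enabled_interfaces(running_config))


if __name__ == "__main__":
    for name, cfg in (("enabled", SAMPLE_ENABLED), ("not enabled", SAMPLE_NOT_ENABLED)):
        ifs = webvpn_enabled_interfaces(cfg)
        print(f"{name}: webvpn interfaces={ifs} exposed={webvpn_exposed(cfg)}")
```

Feed the function the text captured from the CLI (or from a config backup) rather than re-typing it, so the result reflects the device's actual running configuration.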
An unauthenticated, remote attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system, causing a reload of the affected system, which could ultimately allow the attacker to remotely execute code.
The vulnerabilities affect devices that are running a vulnerable release of Cisco ASA Software where the webvpn feature is enabled. The patches also apply to the FTD 6.2.2 software release, which was the first to support the Remote Access VPN feature.
Some of the products include 3000 Series Industrial Security Appliance (ISA), ASA 5500-X Series Next-Generation Firewalls, ASA 1000V Cloud Firewall, and Firepower Threat Defense Software (FTD).
There are no workarounds for the vulnerability; however, Cisco has released free software updates that address the vulnerabilities, although customers may only install and expect support for software versions and feature sets for which they have purchased a license.
Rod Soto, director of security research at JASK, told SC Media the vulnerability is serious because the flaw means VPN devices can be probed from anywhere on the internet without the need for software or pre-existing certificates.
“This is added to the fact that you can run commands via the web interface, which makes it even more dangerous,” Soto said. “Attackers could use this to gather info on accounts, reset passwords or create their own and then access the affected companies' networks, or use routing commands to pivot from these devices or reroute traffic.”
Soto added that many companies likely do not have a contract and have to take extra steps to get the patch, meaning longer exposure times and a higher likelihood of exploitation. To combat this, infrastructure companies should be compelled to fix their own devices as they expose the internet to harm, which translates into real-life impact for people, he said.
“This is a great example of why it's so important to move to a zero-trust model like a software-defined perimeter (SDP), which cloaks the security system itself from attackers,” Jason Garbis, vice president of products at Cyxtera Technologies, said. “This is exactly the kind of problem that Single-Packet Authorisation within an SDP solution is designed to solve.”
Garbis said the fundamental premise of traditional network security – exposing services such as VPNs to unauthorised users – is profoundly flawed and puts organisations at risk.