Cisco Systems on Monday released a second fix for a critical vulnerability in the XML parser of its Adaptive Security Appliance (ASA) after finding additional attack vendors and learning that its previous repair job was insufficient.
Unauthenticated, remote attackers can exploit the flaw, CVE-2018-0101, to trigger remote code execution or a denial of service condition. On 29 January 2018, Cisco originally published a security advisory announcing a software patch for the bug, which possesses a CVSS score of 10.0 and was discovered by Cedric Halbronn, a senior security researcher with NCC Group.
"After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory," explains Omar Santos, principal engineer with the Cisco Product Security Incident Response Team (PSIRT), in a company blog post. "In addition, it was also found that the original list of fixed releases published in the security advisory were later found to be vulnerable to additional denial of service conditions. A new comprehensive fix for Cisco ASA platforms is now available."