Hackers could run code on VPN box. Cisco has confirmed a critical security vulnerability in its SSL VPN solution, Adaptive Security Appliance (ASA), one of the most widely-deployed SSL VPNs on the market.

According to the advisory, the vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

This represents an immediate and significant vulnerability for many organisations, as an attacker exploiting it could gain access to the corporate network.

The firm added that the flaw is due to a double free of a region of memory when the webvpn feature is enabled on the Cisco ASA device.

“An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device,” said the advisory.

It said that, in addition to webvpn being globally configured, at least one interface must be enabled via an enable <if_name> line in the webvpn configuration for the device to be affected.

“To determine whether webvpn is enabled for at least one interface, administrators can use the show running-config webvpn command at the CLI and verify that the command returns at least one enable <if_name> line,” said the advisory.
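The exposure check the advisory describes, written out as an added example (this is not code from Cisco or from the advisory): a small Python parser over captured `show running-config webvpn` output that reports every interface named in an `enable <if_name>` line, so the result can be fed into an inventory or ticketing script rather than read by eye. The sample output below is constructed and the interface names are illustrative.

```python
import re
from typing import List

# Constructed sample resembling the output of `show running-config webvpn`
# on an ASA with webvpn enabled on one interface. Interface names and the
# other webvpn subcommands are illustrative only.
SAMPLE_WEBVPN_ENABLED = """\
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 tunnel-group-list enable
"""

# Constructed sample where webvpn is configured but not enabled on any interface.
SAMPLE_WEBVPN_DISABLED = """\
webvpn
 anyconnect image disk0:/anyconnect-win.pkg 1
"""

# Only a line consisting of the bare `enable` keyword followed by one
# interface name counts. Lines such as "anyconnect enable" or
# "tunnel-group-list enable" carry other keywords first and must not match.
ENABLE_LINE = re.compile(r"^\s*enable\s+(\S+)\s*$")


def webvpn_enabled_interfaces(config_text: str) -> List[str]:
    """Return the interface names from `enable <if_name>` lines, in order."""
    interfaces: List[str] = []
    for line in config_text.splitlines():
        match = ENABLE_LINE.match(line)
        if match:
            interfaces.append(match.group(1))
    return interfaces


def is_webvpn_exposed(config_text: str) -> bool:
    """True when webvpn is enabled on at least one interface, per the advisory's check."""
    return bool(webvpn_enabled_interfaces(config_text))


if __name__ == "__main__":
    for label, text in (("enabled", SAMPLE_WEBVPN_ENABLED),
                        ("disabled", SAMPLE_WEBVPN_DISABLED)):
        names = webvpn_enabled_interfaces(text)
        status = "EXPOSED" if names else "not exposed"
        print(f"{label}: {status} (interfaces: {', '.join(names) or 'none'})")
```

Run it against output saved from each device; a non-empty interface list means the device meets the advisory's condition and should be prioritised for the fixed software release.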

Cisco has classified it as critical and there are no workarounds that address this vulnerability. It has also released free software updates that address the vulnerability.

A spokesperson for Cisco told SC Media UK that its Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory. “Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory,” said the spokesperson. “Cisco would like to thank Cedric Halbronn from the NCC Group for finding and reporting this vulnerability.”

Ollie Whitehouse, global chief technical officer at NCC Group, told SC Media UK: “While this is an extremely serious vulnerability, it's important to commend Cisco for how swiftly the company took action when this issue was brought to its attention. The company has responded diligently and in reacting so quickly, has demonstrated best practice to the rest of the industry.
“The threat of cyber-crime is more significant than it has ever been, and is one of the most serious threats affecting the business community. The fact that this vulnerability was found in a firewall designed to prevent unauthorised access only reinforces the fact that nothing can ever be 100 percent secure – spreading this knowledge is crucial.
“The best way businesses can mitigate the majority of these types of threats is by keeping their software, including operating systems and firewalls, up to date.”

Jason Garbis, VP of Cyxtera, told SC Media UK that the fundamental premise of traditional network security – exposing services such as VPNs to unauthorised users – is profoundly flawed and puts the organisation at risk. 

“This kind of vulnerability is why a Software-Defined Perimeter (SDP) model, that dynamically creates one-to-one network connections between the user and the resources they access and effectively cloaks the security system itself from attackers, is needed,” he said.