Cisco has rolled out a bug fix for a security vulnerability affecting its Adaptive Security Appliances (ASA) - a vulnerability that was rated 10-out-of-10 for severity.
The remote code execution flaw gives cyber attackers the ability to reload the affected system and, therefore, to run their own code, completely compromising the device.
According to Cisco, the bug is caused by "an attempt to double-free a region of memory when the webVPN feature is enabled on the Cisco ASA device".
As a result, hackers can compromise the software by inundating the webVPN-configured interface with multiple, crafted XML packets, gaining "full control" of the system in the process.
The company said that "there are no workarounds that address this vulnerability" and that users should simply update as soon as possible. Vulnerable products include the following:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
"This vulnerability affects devices that are running a vulnerable release of Cisco ASA Software where the webvpn feature is enabled," warned the company in its advisory.
"To determine whether webVPN is enabled, administrators can use the show running-config webVPN command at the CLI and verify that the command returns output."
It explained that the vulnerability also affects the FTD 6.2.2 software release, which was the firm's first update to enable the Remote Access VPN feature. "This release contains both Firepower and ASA code," said the firm, adding: "Customers may only install and expect support for software versions and feature sets for which they have purchased a licence."
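The advisory's check (does `show running-config webvpn` return output?) can be applied across a fleet by scanning saved configuration backups. The following is an added example, not code from Cisco or the original article; it assumes each device's `show running-config` output has been saved as text, and the hostnames and config snippets are constructed for illustration.

```python
import re

# Constructed sample configs (not from the advisory); hostnames are hypothetical.
CONFIGS = {
    "fw-edge-01": "hostname fw-edge-01\n!\nwebvpn\n enable outside\n anyconnect enable\n!\n",
    # A "webvpn" sub-mode nested under a group-policy is indented; it is not
    # the global webvpn block that the advisory's command displays.
    "fw-core-02": "hostname fw-core-02\n!\ngroup-policy GP1 attributes\n webvpn\n  anyconnect ask none\n!\n",
}

def webvpn_section(config_text):
    """Return the global (unindented) webvpn block, header line included."""
    section = []
    for line in config_text.splitlines():
        if section:
            if not line.startswith(" "):
                break  # first unindented line ends the block
            section.append(line.rstrip())
        elif line.rstrip() == "webvpn":
            section.append("webvpn")
    return section

def triage(config_text):
    """Advisory check: any global webvpn output means the feature is configured."""
    section = webvpn_section(config_text)
    interfaces = [m.group(1) for line in section
                  if (m := re.match(r"\s+enable\s+(\S+)", line))]
    return {"webvpn_output": bool(section), "enabled_on": interfaces}

def webvpn_hosts(configs):
    """Hostnames whose saved config contains a global webvpn block."""
    return sorted(h for h, text in configs.items() if triage(text)["webvpn_output"])

if __name__ == "__main__":
    for host in webvpn_hosts(CONFIGS):
        print(host, triage(CONFIGS[host]))
```

Hosts flagged here still need their software release compared against the fixed versions listed in Cisco's advisory.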