Cisco drops a mega-vulnerability alert for VPN devices [Updated]

On January 29, Cisco released a high-urgency security alert for customers using network security devices and software that support virtual private network connections to corporate networks. Firewalls, security appliances, and other devices configured with WebVPN clientless VPN software are vulnerable to a Web-based network attack that could bypass the devices’ security, allowing an attacker to run commands on the devices and gain full control of them. This would give attackers unfettered access to protected networks or cause the hardware to reset. The vulnerability has been given a Common Vulnerability Scoring System rating of Critical, with a score of 10—the highest possible on the CVSS scale.

WebVPN allows someone outside of a corporate network to connect to the corporate intranet and other network resources from within a secure browser session. Since it requires no client software or pre-existing certificate to access from the Internet, the WebVPN gateway can be generally reached from anywhere on the Internet—and as a result, it can be programmatically attacked. A spokesperson for the Cisco security team said in the alert that Cisco is not aware of any active exploits of the vulnerability right now. But the nature of the vulnerability is already publicly known, so exploits are nearly certain to emerge quickly.

The vulnerability, discovered by Cedric Halbronn of the NCC Group, makes it possible for an attacker to use multiple, specially formatted XML messages submitted to the WebVPN interface of a targeted device in an attempt to “double-free” memory on the system. Executing a command to free a specific memory address more than once can cause memory leakage that allows an attacker to write commands or other data into blocks of the system’s memory. By doing so, the attacker could potentially cause the system to execute commands or could corrupt the memory of the system and cause a crash.

The affected systems are devices running Cisco’s ASA software with WebVPN enabled. These include:

• 3000 Series Industrial Security Appliance (ISA)
• ASA 5500 Series Adaptive Security Appliances
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• ASA 1000V Cloud Firewall
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 2100 Series Security Appliance
• Firepower 4110 Security Appliance
• Firepower 9300 ASA Security Module
• Firepower Threat Defense Software (FTD)

Cisco has issued a patch for the vulnerability. But to get the patch, customers without current maintenance contracts will have to contact Cisco’s Technical Assistance Center (TAC) to obtain the patch. Some security professionals Ars communicated with expressed frustration with the slow response they got from Cisco’s TAC.

Update [3:00 PM EST] A Cisco spokesperson provided the following statement: "Cisco is committed to responsible coordinated disclosure about vulnerabilities, and maintains a very open relationship with the security research community. As soon as Cisco learned that there was potential public awareness of the issue, we immediately published a security advisory to inform customers what it is, as well as how to assess their network and remediate the issue. A patch, which addresses this vulnerability specifically, has been available since the disclosure.”