A user-interface programming error in Cisco VPN software has created a serious vulnerability hitting ten different Adaptive Security Appliance and Firepower Threat Defense Software products.
The critical flaw scores a perfect ten CVSS rating and is present in the products' SSL VPN functionality. That's bad news because if you're using the VPN, the interface has to be exposed to the Internet. If you're lucky, an attacker might merely trigger a reload and a denial of service.
From Switchzilla’s advisory: “The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system.”
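An added example, not from Cisco's advisory or the original article: because the advisory ties the flaw to the webvpn feature being enabled on an interface, this sketch lists the interfaces on which a saved ASA running-config enables webvpn. The sample config is constructed, and the top-level `webvpn` block with `enable <interface>` lines is the config layout the parser assumes.

```python
import re

# Constructed sample resembling an ASA running-config; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-fw-01
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
webvpn
 enable outside
 anyconnect enable
!
group-policy GP-STAFF attributes
 webvpn
  anyconnect ask none default anyconnect
!
"""


def webvpn_enabled_interfaces(config_text):
    """Return interface names listed as 'enable <name>' in the global webvpn block.

    Assumed layout: the global block starts with an unindented 'webvpn' line and
    its settings are indented beneath it. An indented 'webvpn' (for example under
    a group-policy) is a per-policy sub-block and does not expose an interface.
    """
    enabled = []
    in_global_webvpn = False
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            in_global_webvpn = False  # separators end the current section
            continue
        if not line[0].isspace():
            # Any new top-level command ends the previous section.
            in_global_webvpn = line.strip() == "webvpn"
            continue
        if in_global_webvpn:
            match = re.fullmatch(r"\s+enable\s+(\S+)", line.rstrip())
            if match:
                enabled.append(match.group(1))
    return enabled


if __name__ == "__main__":
    for name in webvpn_enabled_interfaces(SAMPLE_CONFIG):
        print(f"webvpn enabled on interface: {name} (patch priority if Internet-facing)")
```

An empty result means the parsed config has no interface with webvpn enabled in the global block; any interface it does list should be cross-checked against the affected products and patched releases.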
The issue affects the 3000 series industrial firewall, the ASA 5500 and 5500-X firewalls, a firewall module for Catalyst 6500 switches and 7600 Series routers, the virtual ASA 1000V and ASAv products, three Firepower appliances (2100, 4110, and the 9300 ASA module), and the Firepower Threat Defense (FTD) Software.
The flaw was introduced in Firepower Threat Defense 6.2.2, which introduced the remote access VPN feature, Cisco said. FTD 6.2.2 was released in September last year. Patches for both the Adaptive Security Appliance software and Firepower Threat Defense software are available; they can be delivered under your Cisco service contract or by your reseller. If not, you will have to ask the Cisco Technical Assistance Center very nicely.