Cisco 'waited 80 days' before revealing it had been patching its critical VPN flaw

Updated: Cisco should do more to help companies secure their network gear, says one customer.
Written by Liam Tung, Contributing Writer


A sysadmin has criticized Cisco for releasing software that fixed a high-severity bug 80 days before telling customers just how dangerous it was.

As ZDNet reported this week, Cisco published an advisory that detailed a bug in its Adaptive Security Appliance (ASA) software with a CVSS score of 10 out of a possible 10.

ASA devices with the WebVPN feature enabled could be owned by a remote attacker, Cisco warned.

Cisco's advisory also included a table showing which versions of ASA were affected and the first release that had a fix. It was not immediately clear from Cisco's table when it released the first fixed version.

However, Colin Edwards, a system administrator, filled in the blanks in his own table with the release date of each fixed version of ASA, which shows Cisco actually rolled out its first fixed version way back on November 10.
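The check an administrator would run against such a table, as an added example that is not code from the article, from Cisco or from Edwards: parse the ASA version string from `show version` output, compare it against the first fixed release for its train, and compute how many days the earliest fix preceded the advisory. The fixed-version table and the advisory date below are constructed placeholders (the date is chosen so the gap matches the 80 days the article cites), not the advisory's real rows; substitute the rows from the actual Cisco advisory before use. The ASA version format assumed is `major.minor(maint[.interim])`, e.g. `9.8(2.14)`.

```python
"""Check an ASA software version against a first-fixed-release table.

Added example, not code from the original article, Cisco or Colin Edwards.
SAMPLE_FIXED and ADVISORY_DATE are CONSTRUCTED for illustration and are not
the advisory's real values; replace them with the rows from the advisory.
"""
import re
from datetime import date

# Constructed sample: release train -> (first fixed release, its release date).
# Placeholder values, not the advisory's figures.
SAMPLE_FIXED = {
    "9.1": ("9.1(7.23)", date(2017, 11, 10)),
    "9.4": ("9.4(4.14)", date(2017, 12, 1)),
    "9.8": ("9.8(2.14)", date(2018, 1, 8)),
}

# Assumed advisory date, chosen so the gap below comes out to 80 days.
ADVISORY_DATE = date(2018, 1, 29)

# major.minor(maint) with an optional .interim, e.g. 9.8(2) or 9.8(2.14)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")


def parse_asa_version(text):
    """Return a comparable tuple (major, minor, maint, interim) from a bare
    version string or a full 'show version' line; interim defaults to 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no ASA version found in: %r" % text)
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def train(version_tuple):
    """Release train key ('9.8') used to look up the fixed release."""
    return "%d.%d" % version_tuple[:2]


def needs_patch(running, table=SAMPLE_FIXED):
    """True when the running version is older than the first fixed release
    in its train. A train missing from the table is treated as unknown and
    therefore reported as needing attention (conservative default)."""
    v = parse_asa_version(running)
    entry = table.get(train(v))
    if entry is None:
        return True
    fixed_version, _release_date = entry
    return v < parse_asa_version(fixed_version)


def days_fix_preceded_advisory(table=SAMPLE_FIXED, advisory=ADVISORY_DATE):
    """Days between the earliest fixed release in the table and the advisory."""
    earliest = min(release_date for _, release_date in table.values())
    return (advisory - earliest).days


if __name__ == "__main__":
    # Constructed 'show version' line for demonstration.
    line = "Cisco Adaptive Security Appliance Software Version 9.8(2)"
    print(parse_asa_version(line), "needs patch:", needs_patch(line))
    print("earliest fix preceded advisory by", days_fix_preceded_advisory(), "days")
```

Tuple comparison does the right thing for interim builds: `9.8(2)` parses as `(9, 8, 2, 0)` and sorts below `9.8(2.14)`, while `9.8(3)` sorts above it. Trains absent from the table are flagged rather than silently passed, which is the behaviour you want when an advisory's table is incomplete or still being updated.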

As Edwards points out, Cisco decided to fix a super-critical bug in some products but then waited 80 days before it told sysadmins they needed to update now.

"Eighty days. Eighty days is the amount of time that passed between the earliest software version that fixed the vulnerability being released, and the advisory being published. Eighty days."


While the severity of the bug itself suggested urgent action, as ZDNet reported, the urgency was heightened because the researcher who reported the bug to Cisco was just days away from giving a talk explaining how to exploit the flaw. He'll be presenting his work this weekend at a security conference in Brussels.

As Edwards and other researchers have pointed out, a search on Shodan shows there are almost 200,000 internet-connected Cisco ASA devices with WebVPN enabled.

Edwards argues that Cisco should be informing customers earlier, particularly for such a critical bug, which affects devices that generally sit on the edge of the network and are accessible from the internet.

"I can understand some of the challenges that Cisco and their peers are up against. But even with that, I'm not sure that customers should be willing to accept that an advisory like this can be withheld for 80 days after some fixes are already available," wrote Edwards.

"Eighty days is a long time, and it's a particularly long time for a vulnerability with a CVSS score of 10 that affects devices that are usually directly connected to the internet."

While customers could have installed the update before the advisory, the advisory itself is what helps customers decide how to allocate resources among competing tasks.

"Yes, customers need to take responsibility for installing patches in a timely manner. However, customers also need to have access to adequate information, so that they can appropriately prioritize among myriad workloads," writes Edwards.

A Cisco spokesperson told ZDNet it published the advisory immediately after learning that details of the vulnerability would be made public. Recon, the conference at which the researcher will detail the ASA vulnerability, announced its content line-up on December 15.

The spokesperson said Cisco is committed to responsible coordinated disclosure about vulnerabilities, and maintains a very open relationship with the security research community.

"As soon as Cisco learned that there was potential public awareness of the issue, we immediately published a security advisory to inform customers what it is, as well as how to assess their network and remediate the issue. The coordinated timing of the disclosure with the researcher ensured we had protection in place across the many affected platforms to best protect our customers. This approach is in line with our commitment in the security vulnerability policy."

Details about Cisco's policy are available here: https://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html#cp

Previous and related coverage

Cisco: This VPN bug has a 10 out of 10 severity rating, so patch it now

The researcher who found the flaw will be telling the world how to exploit it this weekend.