Cisco: You need to patch our security devices again for dangerous ASA VPN bug

Cisco has warned that its original fix for the 10/10-severity ASA VPN flaw was "incomplete".
Written by Liam Tung, Contributing Writer


Cisco has released new security updates for the dangerous bug affecting its Adaptive Security Appliance software, after its engineers discovered new ways to attack it that weren't addressed in the original patch.

This development means that even admins who installed a fixed version of ASA before Cisco disclosed the bug in last week's advisory will need to update again. One engineer has pointed out that some fixed versions of ASA were released over two months before the patch.

Cisco was informed of the vulnerability by NCC Group researcher Cedric Halbronn, who presented his attack on the flaw at a conference last weekend.

Cisco's initial fix addressed the methods Halbronn used. However, additional research by Cisco engineers turned up new attack vectors and additional denial-of-service conditions.

"After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory," wrote Omar Santos, a principal engineer from Cisco's product security incident response team.

"In addition, it was also found that the original list of fixed releases published in the security advisory were vulnerable to additional denial-of-service conditions. A new comprehensive fix for Cisco ASA platforms is now available."


Cisco's updated advisory now also has more details about the vulnerability, how it is exploited, and instructions for how to determine if a system is vulnerable.

The bug could be exploited by an attacker sending a crafted XML packet to a vulnerable interface on an affected ASA device, which could lead to remote code execution or a denial of service.

ASA systems have a vulnerable interface if they have Secure Sockets Layer services or IKEv2 Remote Access VPN services enabled.

Cisco says the vulnerability lies in ASA's XML parser. It also affects Cisco's Firepower Threat Defense software.
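The article states the exposure condition (SSL/WebVPN services or IKEv2 Remote Access VPN enabled on an interface) but not how to check for it. The script below is an added example, not from the article or from Cisco: it scans a constructed ASA running-config excerpt and reports which interfaces carry either service, so an admin can triage which devices must be re-patched first. The config syntax (`webvpn` / `enable <nameif>`, `crypto ikev2 enable <nameif>`) and the sample config are assumptions made for illustration.

```python
import re

# Constructed sample running-config excerpt (not taken from the article).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
crypto ikev2 enable outside client-services port 443
!
webvpn
 enable outside
 anyconnect enable
!
"""

# Indented 'enable <nameif>' inside the webvpn block = SSL VPN services on that interface.
WEBVPN_ENABLE = re.compile(r"^\s+enable\s+(\S+)\s*$")
# Top-level 'crypto ikev2 enable <nameif> ...' = IKEv2 remote access VPN on that interface.
IKEV2_ENABLE = re.compile(r"^crypto ikev2 enable\s+(\S+)")


def exposed_interfaces(config: str) -> dict:
    """Return {nameif: [services]} for interfaces exposing the affected services."""
    exposed = {}
    in_webvpn = False
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Any top-level command (or '!') ends the current webvpn block.
            in_webvpn = line.startswith("webvpn")
            m = IKEV2_ENABLE.match(line)
            if m:
                exposed.setdefault(m.group(1), []).append("ikev2-ra-vpn")
            continue
        if in_webvpn:
            m = WEBVPN_ENABLE.match(line)
            if m:
                exposed.setdefault(m.group(1), []).append("ssl-webvpn")
    return exposed


if __name__ == "__main__":
    for nameif, services in exposed_interfaces(SAMPLE_CONFIG).items():
        print(f"{nameif}: exposes {', '.join(services)} -> verify ASA release is on the updated fixed list")
```

An interface absent from the output is not covered by the exposure condition the article describes, but the device still needs the updated release if either service is enabled anywhere.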

NCC Group's Halbronn has now published a detailed explanation of the attack he presented at the conference last weekend.

