This development means that even admins who installed a fixed version of ASA before Cisco disclosed the bug in last week's advisory will need to update again. One engineer has pointed out that some fixed versions of ASA were released over two months before the patch.
Cisco was informed of the vulnerability by NCC Group researcher Cedric Halbronn, who last weekend presented how he attacked the flaw.
Cisco's initial fix addressed the methods Halbronn used. However, additional research by Cisco engineers turned up new attack vectors and additional denial-of-service conditions.
"After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory," wrote Omar Santos, a principal engineer from Cisco's product security incident response team.
"In addition, it was also found that the original list of fixed releases published in the security advisory were vulnerable to additional denial-of-service conditions. A new comprehensive fix for Cisco ASA platforms is now available."