Cisco issues new, complete fixes for critical flaw in enterprise security appliances

Cisco researchers have identified additional attack vectors and features that are affected by the “perfect 10” remote code execution and denial of service vulnerability they attempted to patch last Tuesday. This discovery also means that the fix they pushed out at the time is incomplete, and administrators now have to update the vulnerable software again.

Initially, they thought that the vulnerability (CVE-2018-0101) only affected the webvpn feature of the Cisco Adaptive Security Appliance (ASA) software. As it turns out, the number of vulnerable features is much larger and depends on their configuration. The scope of the vulnerability is also more extensive: aside from potentially allowing unauthenticated, remote attackers to cause a reload of the affected system or to execute code remotely, they might also make the ASA stop processing incoming Virtual Private Network (VPN) authentication requests due to a low memory condition.

Read more about the Cisco ASA vulnerability and which devices are affected by it, on Help Net Security.

Track the strategic threats to your business with the Threat Brief, delivered to your email daily.

Subscribe Here