Thursday, 1 February 2018

If Your Business Uses a Cisco VPN, Patch It Now to Avoid Critical Flaw


  • Cisco has issued a patch for a critical vulnerability in the SSL VPN functionality of Cisco Adaptive Security Appliance (ASA) Software.
  • The bug carries a CVSS score of 10 out of 10 and could affect as many as 200,000 devices.


Cisco is urging users of its Adaptive Security Appliance to patch their systems to protect them from a critical VPN vulnerability. In a security advisory, Cisco noted that the flaw received a Common Vulnerability Scoring System (CVSS) score of 10 out of 10, the highest possible score.

The vulnerability affects devices that are running a vulnerable release of the software and also have the webvpn feature enabled, the advisory says. Specifically, webvpn must be configured globally and must also be enabled on at least one interface via the "enable <if_name>" command in the configuration. To determine whether this is the case in your organization, an administrator should "use the show running-config webvpn command in the CLI and verify that the command returns at least one enable <if_name> line," the advisory says.
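The following script automates the exposure check described above and the version check the article's final paragraph points to. It is an added example, not code from the original article or from Cisco: it parses text an administrator has already captured from the ASA CLI (the output of "show running-config webvpn" and "show version") rather than connecting to a device, and the first-fixed-release table it compares against is a caller-supplied dictionary. The sample configurations, the sample "show version" line and the fixed-release value used in the demo are constructed placeholders; the real fixed releases must be taken from Cisco's advisory.

```python
"""Triage helper for the Cisco ASA webvpn exposure check (added example).

Parses captured ASA CLI output and reports whether the device exposes the
vulnerable WebVPN listener (webvpn enabled on at least one interface) and
whether its software version is at or above a caller-supplied first fixed
release for its train. Sample inputs below are constructed for the demo.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Inside the "webvpn" block, ASA enables the listener per interface with an
# indented "enable <if_name>" line. The pattern is anchored on the whole line
# so that "anyconnect enable" or "tunnel-group-list enable" do not match.
_ENABLE_LINE = re.compile(r"^[ \t]+enable[ \t]+(\S+)[ \t]*$", re.MULTILINE)

# e.g. "Cisco Adaptive Security Appliance Software Version 9.8(2)" or "9.8(2.28)"
_VERSION_LINE = re.compile(
    r"Adaptive Security Appliance Software Version\s+(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)"
)


def webvpn_enabled_interfaces(webvpn_config: str) -> List[str]:
    """Return the interface names on which WebVPN is enabled.

    An empty list means no "enable <if_name>" line is present, which is the
    condition under which the advisory says the device is not exposed.
    """
    return _ENABLE_LINE.findall(webvpn_config)


def parse_asa_version(show_version: str) -> Optional[Version]:
    """Extract the ASA version as a comparable tuple, e.g. 9.8(2.28) -> (9, 8, 2, 28)."""
    m = _VERSION_LINE.search(show_version)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def version_is_fixed(version: Version, first_fixed: Dict[str, Version]) -> Optional[bool]:
    """Compare a version with the first fixed release of its major.minor train.

    Returns None when the train is not in the table, so the caller knows to
    consult the advisory instead of assuming either outcome.
    """
    train = f"{version[0]}.{version[1]}"
    fixed = first_fixed.get(train)
    if fixed is None:
        return None
    return version >= fixed


def triage(webvpn_config: str, show_version: str,
           first_fixed: Dict[str, Version]) -> Dict[str, object]:
    """Combine both checks. Exposed = listener enabled AND not known to be fixed."""
    ifaces = webvpn_enabled_interfaces(webvpn_config)
    version = parse_asa_version(show_version)
    fixed = version_is_fixed(version, first_fixed) if version else None
    return {
        "webvpn_interfaces": ifaces,
        "version": version,
        "fixed": fixed,
        "exposed": bool(ifaces) and fixed is not True,
    }


# --- Constructed sample inputs for the demo (not captured from a real device) ---
EXPOSED_CONFIG = """webvpn
 enable outside
 enable dmz
 anyconnect image disk0:/anyconnect-win-4.5.02036-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
"""

SAFE_CONFIG = """webvpn
 anyconnect image disk0:/anyconnect-win-4.5.02036-webdeploy-k9.pkg 1
 anyconnect enable
"""

SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.8(2)\nDevice Manager Version 7.8(2)\n"

# Placeholder table: one train, one illustrative value. Fill this from the
# advisory's fixed-release table before using it for real triage.
PLACEHOLDER_FIXED: Dict[str, Version] = {"9.8": (9, 8, 2, 28)}

if __name__ == "__main__":
    for label, cfg in (("exposed sample", EXPOSED_CONFIG), ("safe sample", SAFE_CONFIG)):
        print(label, triage(cfg, SHOW_VERSION, PLACEHOLDER_FIXED))
```

Feed it the two command outputs saved from each ASA (for example via an existing SSH inventory job) and treat any result with "exposed": True as a device to patch first. A version whose train is missing from the table is reported as fixed: None rather than as safe, so an incomplete table never hides an unpatched device.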

Obviously, IT administrators in a vulnerable organization must patch their systems immediately. The urgency is heightened because a security researcher is scheduled to show how to exploit the flaw next weekend, as reported by Liam Tung of ZDNet.


According to the advisory, the vulnerable software runs on the following products:

  • 3000 Series Industrial Security Appliances (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

The vulnerability is triggered when an attacker sends crafted XML packets to an interface on which webvpn is enabled; the advisory attributes it to an attempt to double free a region of memory when the webvpn feature is enabled. A successful exploit "could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device," the advisory says.

The vulnerability was first reported by Cedric Halbronn of NCC Group, and security researcher Kevin Beaumont posted on Twitter that as many as 200,000 devices could be affected.

If you are thinking about skipping the patch, don't. According to Cisco, there are no workarounds; the only fix is to update the software. Follow the instructions in the advisory to determine whether your software version is vulnerable.
