On January 29, Cisco released a red death code alert to its customers using proprietary hardware or software.
All Cisco products using the WebVPN feature that allows you to connect to a corporate network without having to go through a heavy client, but simply using the browser are vulnerable to a web attack.
This attack can bypass security, allowing someone malicious intent to launch commands on the machines and then take full control.
To tell you the importance of the vuln, it has reached the wonderful CVSSscore of 10 (Common Vulnerability Scoring System), which is the maximum in terms of “criticality” as they say in the middle 😉
An XML message specially forged for the occasion and sent to the WebVPN interface allows executing a command releasing a specific memory address. This then causes a memory leak that allows the attacker to write commands or data directly into system memory. Thus, the commands are executed or the memory corrupted, causing a crash of the device.
And what is good with WebVPN is that it allows connecting to corporate networks from anywhere simply with a connection to the net and a browser (not even need a prior certificate).
I let you imagine the cat.
The impacted Cisco products are:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500 Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall Adaptive Virtual Appliance Security (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
Cisco recommends everyone to update and if you have Cisco tools without a maintenance agreement, you can get closer to Cisco support, still get the updates. So, do not mess around. 😉
Good luck !