Cisco Fixes Remote Code Execution Bug Rated 10 Out of 10 on Severity Scale

LASER_oneXM



Cisco has released software patches that fix a major vulnerability affecting Cisco devices running Adaptive Security Appliance (ASA) Software.

Cisco ASA Software is the core operating system for the Cisco ASA Family, a class of security-centric networking devices that combine firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities.

According to a security advisory published today, older versions of Cisco ASA Software are affected by a vulnerability in the operating system's Secure Sockets Layer (SSL) VPN functionality.

Vulnerability rated 10/10
CVE-2018-0101 has received a CVSS severity score of 10 out of 10, meaning it's easy to exploit (reduced attack code complexity), can be exploited remotely, and requires no authentication on the device.

Cisco said it was aware that details about the vulnerability were recently made public, but that it did not detect any attacks exploiting the flaw just yet.

Cedric Halbronn from the NCC Group discovered the flaw and reported the issue to Cisco. The company has issued several updates. A table with ASA Software version numbers for fixed releases is available in Cisco's CWE-415 security advisory.

The company also said there are no workarounds that address this vulnerability, so customers must either disable the ASA VPN functionality or install updated OS versions.

Vulnerabilities with a 10 out of 10 severity score are rare, but when they appear, they are usually exploited. Oracle, too, was affected by one such issue last year.
 

LASER_oneXM

...more news about this vulnerability:

source(bleepingcomputer.com): Hackers Pounce on Cisco ASA Flaw (CVE-2018-0101)


Hackers Pounce on Cisco ASA Flaw (CVE-2018-0101)



Five days after details about a vulnerability in Cisco ASA software became public, hackers have now started exploiting this bug to take over Cisco ASA devices.

Cisco did not provide any details about the exploitation attempts or the techniques hackers used, but only said it was "aware of attempted malicious use of the vulnerability."

CVE-2018-0101 allows full device takeover
The exploited bug is CVE-2018-0101, a vulnerability that became public in late January. The issue got a lot of people's attention because it was a remote code execution flaw that granted attackers an easy way of taking over devices, but also because it received a CVSS severity score of 10 out of 10, meaning it was both easy and remotely exploitable via the Internet.

Initially, it was believed that only Cisco devices running ASA software with the VPN (webvpn) feature enabled were vulnerable.

At the time, experts put the number of vulnerable machines available online at between 120,000 and 200,000.

CVE-2018-0101 proof-of-concept code became available soon after news of the vulnerability became public, most likely fueling the recent attacks against Cisco ASA devices.

Cisco reissues initial patch. New update is necessary.

Companies rushed to patch the issue, but by Monday this week, Cisco reissued security updates to deliver additional patches. According to a security advisory the company is maintaining, Cisco said engineers discovered that the bug was far more wide-reaching than initially thought. In an update, the company said that the flaw also affected other internal components of the Cisco ASA operating system, such as:

...
......
...
.........

The update introduced additional exploitation vectors, and Cisco users are advised to update their ASA-based devices again, with Cisco's updated patch.

The company also added four new device models to the list of vulnerable equipment. The list now comprises:

..
....
..
.......
...
 
