Cisco upgrades ancient bug from 'High' to 'Critical' status

By

New attacks found against security appliance bug revealed in March 2018.

Cisco has taken the unusual step of upgrading the severity of a bug it announced in March 2018.

Cisco upgrades ancient bug from 'High' to 'Critical' status

As the Wayback Machine’s cache of Cisco’s advisory reveals, CVE-2018-0296 was originally rated as a “High” severity bug. As well it should have been, because it meant “A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition.”

Worse still, Cisco said “It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques.”

Cisco quickly released fixes and urged users to apply them.

But today the networking giant revised its advisory and upgraded it to “Critical” status, and added the following note to its warnings.

“In September 2019, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed Cisco ASA Software release to remediate this vulnerability.”

Cisco’s not detailed the nature of the exploit in its advisory, but attackers don’t usually make an effort to unless they perceive a decent chance of success. Which leads to the question of why anyone will have left this problem in an ASA appliance after 18 months of warnings about the bug?

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © nextmedia Pty Ltd. All rights reserved.
Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident

China blamed after cyberattack hits Czech Republic

China blamed after cyberattack hits Czech Republic

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Log In

  |  Forgot your password?