Critical Cisco flaw under active exploit

Hackers are actively exploiting a critical flaw in Cisco's Adaptive Security Appliance (ASA) that allows them to run code remotely and take full control of vulnerable systems.

Cisco first warned of the vulnerability late last month. The flaw lives within the XML parser component of the ASA device, which is used for remote access.

It allows unauthenticated, remote attackers to send data packets containing specially crafted XML files to ASA devices that use the WebVPN interface.

They could execute the code to "obtain full control of the system, cause a reload of the affected device or stop processing of incoming VPN authentication requests", Cisco said.

The flaw affects devices that have the WebVPM feature enabled. It was first discovered by Cedric Halbronn, a researcher with NCC Group.

The vulnerability has been given the highest possible common vulnerability scoring system (CVSS) score of 10 out of 10. There is no known workaround.

At the time it first reported the flaw, Cisco said it had no knowledge of attackers exploiting the vulnerability.

It has now updated its advice to report that the flaw is under active exploit, and is urging customers to patch immediately.

Proof-of-concept code has been published on Pastebin. The Australian Cyber Security Centre said the PoC code only results in a denial of service on vulnerable devices, but "it is likely that this will develop into code that can achieve remote code execution". 

Cisco did not detail how widespread or successful the attacks were, nor did it comment on the source.

"This is not a drill..Patch immediately. Exploitation, albeit lame DoS so far, has been observed in the field," Cisco security researcher Craig Williams said late last week.

The company has also issued a new patch for the flaw after discovering new attack vectors.

"After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by NCC Group," Cisco said last week.

"In addition, it was also found that the original list of fixed releases published in the security advisory were later found to be vulnerable to additional denial of service conditions."

A list of vulnerable Cisco products and steps for determining risk is available here.