Network vendor Cisco is urging customers to patch their Adaptive Security Appliance firewalls as soon as possible, after discovering a serious vulnerability is currently being exploited by hackers.
Cisco incident manager Stefano de Crescenzo said users with customised Clientless Secure Sockets Layer (SSL) Virtual Private Networking (VPN) portals should review a security advisory to check whether their ASAs have been compromised.
The vulnerability is caused by poor authentication and permission checking that allows attackers to remotely modify objects in an in-memory cache file system.
This also applies to the DfltCustomisation customisation object, which allows administrators to create new templates to change the look of the Clientless SSL VPN portal used for secure remote access to corporate networks.
A successful exploit may allow unauthenticated attackers to modify the content of the Clientless SSL VPN portal and inject malicious code. This in turn could be used for several types of attacks, de Crescenzo said, including credential stealing, malware dissemination and cross-site scripting.
De Crescenzo said that as the attack makes permanent changes to the customisation object, reloading or applying a fixed version of the ASA software will not remove the compromise.
Any compromised customisation objects should be deleted, de Crescenzo advised. The default customisation object cannot be deleted, he said, but compromised templates can be overwritten by importing the system DfltCustomisation object.
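The check de Crescenzo describes amounts to comparing what is currently stored in the customisation object against a known-good copy. The following Python script is an added example, not code from Cisco or from the advisory: it assumes the administrator has already exported the customisation object to an XML file and has a trusted baseline export to compare against. The XML structure used here is a constructed illustration and is not the real DfltCustomisation schema; the element names, the `BASELINE_XML`/`TAMPERED_XML` samples and the function names are all assumptions made for the example.

```python
"""Added example (not Cisco's code): compare an exported Clientless SSL VPN
customisation object against a trusted baseline and flag injected content.

The XML layout is a constructed stand-in for the real customisation schema.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed known-good baseline export (hypothetical structure).
BASELINE_XML = """<custom>
  <auth-page>
    <window><title-text>SSL VPN Service</title-text></window>
    <logo><url>/+CSCOU+/csco_logo.gif</url></logo>
  </auth-page>
</custom>"""

# Constructed sample of a tampered export: an extra script element has
# been added to the login page template.
TAMPERED_XML = """<custom>
  <auth-page>
    <window><title-text>SSL VPN Service</title-text></window>
    <logo><url>/+CSCOU+/csco_logo.gif</url></logo>
    <script>/* injected */</script>
  </auth-page>
</custom>"""


def fingerprint(xml_text: str) -> str:
    """SHA-256 of the re-serialised document, so whitespace-only differences
    between two exports do not change the hash."""
    canonical = ET.tostring(ET.fromstring(xml_text))
    return hashlib.sha256(canonical).hexdigest()


def element_signatures(xml_text: str) -> set:
    """Return a set of (path, text, attributes) tuples, one per element."""
    root = ET.fromstring(xml_text)
    sigs = set()

    def walk(el, path):
        p = f"{path}/{el.tag}"
        sigs.add((p, (el.text or "").strip(), tuple(sorted(el.attrib.items()))))
        for child in el:
            walk(child, p)

    walk(root, "")
    return sigs


def find_unexpected(candidate_xml: str, baseline_xml: str) -> list:
    """Paths of elements present in the candidate export but absent from the
    baseline (or whose text/attributes differ from the baseline's)."""
    added = element_signatures(candidate_xml) - element_signatures(baseline_xml)
    return sorted(path for path, _, _ in added)


def has_active_content(xml_text: str) -> bool:
    """True if the export carries script elements or script URLs anywhere,
    which a stock portal template has no reason to contain."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.lower() == "script":
            return True
        for val in [el.text or ""] + list(el.attrib.values()):
            low = val.lower()
            if "javascript:" in low or "<script" in low:
                return True
    return False


if __name__ == "__main__":
    # Usage with the constructed samples; on a real appliance read the two
    # exported files instead of these string literals.
    print("baseline:", fingerprint(BASELINE_XML))
    print("current: ", fingerprint(TAMPERED_XML))
    for path in find_unexpected(TAMPERED_XML, BASELINE_XML):
        print("unexpected element:", path)
    if has_active_content(TAMPERED_XML):
        print("active content found: re-import the system customisation object")
```

Because the advisory notes that a software upgrade alone does not remove the tampered template, the fingerprint and element comparison are worth re-running after the fixed ASA version is applied and again after the system customisation object has been re-imported, to confirm that the stored object now matches the baseline.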
Researcher Alec Stuart-Muirk reported the vulnerability to Cisco in October 2014.