Cisco has taken the unusual step of upgrading the severity of a bug it announced in March 2018.
As the Wayback Machine’s cache of Cisco’s advisory reveals, CVE-2018-0296 was originally rated as a “High” severity bug. As well it should have been, because it meant “A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition.”
Worse still, Cisco said “It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques.”
Cisco quickly released fixes and urged users to apply them.
But today the networking giant revised its advisory and upgraded it to “Critical” status, and added the following note to its warnings.
“In September 2019, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed Cisco ASA Software release to remediate this vulnerability.”
Cisco’s not detailed the nature of the exploit in its advisory, but attackers don’t usually make an effort to unless they perceive a decent chance of success. Which leads to the question of why anyone will have left this problem in an ASA appliance after 18 months of warnings about the bug?