Written byPatrick Howell O'Neill
The “perfect 10.0” critical vulnerability Cisco announced last week in its Adaptive Security Appliance (ASA) devices has additional attack vectors and affects more features that originally thought, the company said.
A company investigation revealed the original response did not identify or fix the entire problem, so a new patch for Cisco ASA platforms is now available. This means Cisco customers will have additional downtime for security maintenance in order to fix a bug that potentially allows an unauthenticated, remote attacker to execute code and cause system reloads.
The problem is raising small hell on social media from systems and network administrators about additional downtime.
Heads up: Cisco just updated the advisory on CVE-2018-0101 (ASA webvpn / AnyConnect RCE) with a newer software release to fix additional exploitation vectors not covered in last week's patch. https://t.co/onwRSoXAla
— David Longenecker (@dnlongen) February 5, 2018
For a whole week I have been patching ASAs with CVE-2018-0101. Today Cisco reports that the patches are not doing a good job. We need to patch again folks! https://t.co/4faEXJGd7J https://t.co/LkgPFwhljq
— Dennis Perto (@PertoDK) February 5, 2018
All currently recommended ASA Software versions to fix CVE-2018-0101 were published 2 days ago on Feb 3. If you patched last week, you need to patch again.
— Colin (@EdwardsCP) February 5, 2018
“After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory,” Cisco’s Omar Santos wrote. “In addition, it was also found that the original list of fixed releases published in the security advisory were later found to be vulnerable to additional denial of service conditions. A new comprehensive fix for Cisco ASA platforms is now available.”
The impacted Cisco products are tools for protecting corporate networks and data centers. There have been no reports of exploitation but Cisco urges customers to patch quickly.