Cisco has released new security updates for the dangerous bug affecting its Adaptive Security Appliance software, after its engineers discovered new ways to attack it that weren’t addressed in the original patch.
This development means that even admins who installed a fixed version of ASA before Cisco disclosed the bug in last week’s advisory will need to update again. One engineer has pointed out that some fixed versions of ASA were released over two months before the patch.
Cisco was informed of the vulnerability by NCC Group researcher Cedric Halbronn, who last weekend presented how he attacked the flaw.
Cisco’s initial fix addressed the methods Halbronn used. However, additional research by Cisco engineers turned up new attack vectors and additional denial-of-service conditions.
“After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory,” wrote Omar Santos, a principal engineer from Cisco’s product security incident response team.
“In addition, it was also found that the original list of fixed releases published in the security advisory were vulnerable to additional denial-of-service conditions. A new comprehensive fix for Cisco ASA platforms is now available.”
Cisco’s updated advisory now also has more details about the vulnerability, how it is exploited, and instructions for how to determine if a system is vulnerable.
The bug could be exploited by an attacker sending a crafted XML packet to a vulnerable interface on an affected ASA device, which could lead to remote code execution or a denial of service.
ASA systems have a vulnerable interface if they have Secure Sockets Layer services or IKEv2 Remote Access VPN services enabled.
Cisco says there was a vulnerability in ASA’s XML parser. The vulnerability also affects Cisco’s Firepower Threat Defense software.
NCC Group’s Halbronn has now published a detailed explanation of the attack he presented at the conference last weekend.