On January 29, Cisco released a security alert rated CVSS Base 10 for customers using its products that support VPN connections. Cisco Adaptive Security Appliances (Cisco’s next-generation firewalls), Firepower appliances (content filtering and IPS/IDS), and other Cisco-supported devices configured to use the WebVPN clientless SSL software are now vulnerable to a web-based network attack that could bypass the device’s security and allow a remote attacker to run commands, potentially gaining full control of the device. This vulnerability would give attackers full access to protected networks. The vulnerability has been given a Common Vulnerability Scoring System rating of CRITICAL, with a base score of 10, the highest possible on the CVSS scale.
WebVPN is a feature that allows employees who are outside the network to connect to corporate resources from within a secure browser session. Because WebVPN requires neither client software nor any pre-existing certificates to be accessed from the internet, the gateway can generally be reached from anywhere in the world, making it a very easy target for attack. According to a Cisco spokesperson, there are no known active exploits at this time. However, given the nature of the vulnerability and the fact that it is publicly known, exploits are certain to emerge quickly.
The following devices are affected when WebVPN is enabled:
- 3000 Series Industrial Security Appliance (ISA)
- Adaptive Security Appliance 5500 and 5500-X series Firewalls (ASA)
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 and 4110 Security Appliances
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
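Since a device is affected only when WebVPN is enabled, the first defensive step is to check each ASA or FTD running-config for the global `webvpn` block and the interface it is enabled on. The Python check below is an added example, not code from the post or from Cisco; it assumes standard ASA configuration syntax and uses a constructed sample config (hostname, interface names and group-policy name are made up).

```python
import re
from typing import Dict, List, Tuple

# Constructed ASA running-config excerpt (not from a real device). The indented
# "webvpn" under group-policy attributes is there on purpose: only the global,
# unindented "webvpn" block with "enable <interface>" exposes the portal.
SAMPLE_CONFIG = """\
hostname edge-fw-1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
group-policy RemoteUsers attributes
 webvpn
  anyconnect keep-installer installed
webvpn
 enable outside
 anyconnect enable
"""

def parse_asa_config(config: str) -> Tuple[List[str], Dict[str, int]]:
    """One pass: interfaces named by 'enable <if>' in the global webvpn block,
    plus the security-level of every nameif (0 = untrusted / outside)."""
    webvpn_ifs: List[str] = []
    levels: Dict[str, int] = {}
    block = nameif = None
    for line in config.splitlines():
        if not line.startswith((" ", "\t")):       # unindented line opens a new stanza
            head = line.strip()
            block = "webvpn" if head == "webvpn" else "interface" if head.startswith("interface ") else None
            nameif = None
        elif block == "webvpn" and (m := re.match(r"\s*enable\s+(\S+)\s*$", line)):
            webvpn_ifs.append(m.group(1))
        elif block == "interface" and (m := re.match(r"\s*nameif\s+(\S+)", line)):
            nameif = m.group(1)
        elif nameif and (m := re.match(r"\s*security-level\s+(\d+)", line)):
            levels[nameif] = int(m.group(1))
    return webvpn_ifs, levels

def exposure_report(config: str) -> List[str]:
    """One finding per WebVPN-enabled interface, flagging internet-facing ones."""
    webvpn_ifs, levels = parse_asa_config(config)
    findings = []
    for ifname in webvpn_ifs:
        lvl = levels.get(ifname)
        tag = "INTERNET-FACING" if lvl == 0 else f"security-level {lvl}"
        findings.append(f"webvpn enabled on {ifname} ({tag}): affected if unpatched")
    return findings
```

Feed it the output of `show running-config` from each managed device; a device with no global `webvpn` block (only the per-group-policy one) produces no finding.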
Cisco has, of course, released patches for all of the above products. For customers with an active Smart Net, getting the released patch is easy: log into the support site and download it. Customers without a valid Smart Net must contact Cisco TAC and ask for the patched version of the code.
Current Patch Versions and Code Trees:
The direct link to Cisco’s public announcement can be found here.
What is Williams Innovation Doing?
Williams Innovation’s Partners can rest easy knowing we have already applied the patch to all affected Cisco devices we manage. We applied all needed patches after hours over the past weekend, at no additional charge for after-hours work. We are committed to making sure our Partners’ data is secure and safe.
What if I am not a client and don’t have IT staff or Smart Net?
Contact us today so we can help you get patched immediately. This bug is very serious. As a Cisco partner we have easy access to the patched versions and would be happy to help you get patched and secure. Afterwards, we can discuss how becoming a Partner with Williams Innovation will help keep you safe and secure, with no user interaction needed from you.