Earlier this week Cisco revealed a major vulnerability affecting devices configured with their WebVPN clientless VPN software. This VPN software is featured in the Secure Sockets Layer (SSL) of numerous Cisco hardware devices. Companies around the world use WebVPN so that their employees can connect to the corporate intranet from the outside. The successful exploitation of this vulnerability could have potentially devastating consequences for an organization.
When WebVPN functionality is enabled, devices are vulnerable to a flaw that allows hackers to “double-free” memory on the system. To accomplish this, an attacker submits custom crafted XML messages to the WebVPN interface of the target device. The messages instruct the system to free a specific memory address multiple times, which may lead to memory leakage, giving an attacker the power to write malicious commands to memory. With this power an attacker has the ability to execute arbitrary code, monitor traffic, and corrupt memory. This flaw can even be exploited for the purposes of a DDoS attack by forcing the system to continuously reboot itself.
Link: http://securityaffairs.co/wordpress/68424/security/cisco-asa-critical-flaw.html
Sources:
• https://arstechnica.com/information-technology/2018/01/cisco-drops-a-mega– vulnerability-alert-for-vpn-devices/
• http://searchsecurity.techtarget.com/news/252434117/Critical-Cisco-ASA– vulnerability-patched-against-remote-attacks
Source CIP report