Double-free bug affects numerous devices running ASA software

Cisco Systems has patched a critical vulnerability in its Adaptive Security Appliance (ASA) software that could enable an unauthenticated attacker to remotely execute code.

A security advisory released yesterday by the networking solutions group provides an outline of the flaw that was found in the Secure Sockets Layer (SSL) VPN functionality of its ASA software.

The vulnerability has been assigned a CVSS rating of 10.0. Cisco said it is due to “an attempt to double free a region of memory when the webvpn feature is enabled” on security devices running the software.

“An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system,” the company stated.

“An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device.”

The vulnerability affects ASA software running on numerous Cisco products, including the 3000 Series Industrial Security Appliance; ASA 5500 Series Adaptive Security Appliances; ASA 5500-X Series Next-Generation Firewalls; and Firepower Threat Defense Software.

A full list of affected devices – along with instructions to help admins determine whether webvpn is enabled – can be found in Cisco's security advisory.

The bug was spotted by NCC Group security researcher Cedric Halbronn, who will discuss the architecture of the fuzzer used to find the double-free vulnerability at Recon Brussels on February 2.

According to Cisco, over the past 15 years more than one million security appliances running ASA software have been deployed around the world.