Cisco investigation reveals ASA vulnerability is worse than originally thought

The “perfect 10.0” critical vulnerability Cisco announced last week in its Adaptive Security Appliance (ASA) devices has additional attack vectors and affects more features that originally thought, the company said.

A company investigation revealed the original response did not identify or fix the entire problem, so a new patch for Cisco ASA platforms is now available. This means Cisco customers will have additional downtime for security maintenance in order to fix a bug that potentially allows an unauthenticated, remote attacker to execute code and cause system reloads.

The problem is raising small hell on social media from systems and network administrators about additional downtime.

“After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory,” Cisco’s Omar Santos wrote. “In addition, it was also found that the original list of fixed releases published in the security advisory were later found to be vulnerable to additional denial of service conditions. A new comprehensive fix for Cisco ASA platforms is now available.”

The impacted Cisco products are tools for protecting corporate networks and data centers. There have been no reports of exploitation but Cisco urges customers to patch quickly.