Hackers are actively trying to exploit a high-severity vulnerability in widely used Cisco networking software that can give complete control over protected networks and access to all traffic passing over them, the company has warned.
When Cisco officials disclosed the bug last week in a range of Adaptive Security Appliance products, they said they had no evidence anyone was actively exploiting it. Earlier this week, the officials updated their advisory to indicate that was no longer the case.
"The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory," the officials wrote. "Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory."
The update didn't say how widespread the attacks are, whether any of them are succeeding, or who is carrying them out. On Twitter on Thursday, Craig Williams, a Cisco researcher and director of outreach for Cisco's Talos security team, wrote of the vulnerability: "This is not a drill..Patch immediately. Exploitation, albeit lame DoS so far, has been observed in the field."
This is not a drill..Patch immediately. Exploitation, albeit lame DoS so far, has been observed in the field https://t.co/2IlBkisKex
— Craig Williams (@security_craig) February 9, 2018
The tweet seemed to suggest that effective code-execution attacks had yet to succeed in the active attacks. A separate tweet from independent researcher Kevin Beaumont on Friday shortly before this post stated: "Somebody just tried the Cisco ASA vulnerability on my honeypot.
Somebody just tried the Cisco ASA vulnerability on my honeypot.
— Kevin Beaumont (@GossiTheDog) February 9, 2018
In a follow-up tweet, Beaumont also indicated the attack didn't successfully execute code.
The warning of the in-the-wild exploit attempts came around the same time Cisco warned that the vulnerability—already carrying the maximum severity rating of 10 under the Common Vulnerability Scoring System—posed an even greater threat than originally believed. The revised assessment was based on a detailed investigation Cisco researchers carried out after issuing last week's initial advisory, which was based on findings from outside security firm NCC Group. As a result of the new findings, Cisco issued a new set of patches to replace the ones it released earlier.
"After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory, Cisco officials wrote on Monday. "In addition, it was also found that the original list of fixed releases published in the security advisory were later found to be vulnerable to additional denial of service conditions."
The vulnerability's maximum severity rating results from the relative ease in exploiting it, combined with the extraordinary control if gives successful attackers. Devices running Cisco ASA software typically sit at the edge of a protected network, making them easy for outsiders to locate. Once exploited, the devices allow remote hackers to seize administrative control of networks and to monitor all traffic that passes through them. Affected Cisco products include:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 4120 Security Appliance
- Firepower 4140 Security Appliance
- Firepower 4150 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
- FTD Virtual
People using one of these devices should make sure as soon as possible that they're protected with the latest patches.