Cisco Goes Back To Drawing Board On 'Critical' Security Vulnerability After Fix Deemed 'Incomplete'

Cisco Systems says the initial fix for a recently disclosed software security vulnerability was incomplete, and attackers have more ways to exploit the bug than originally thought.

"After further investigation, Cisco has identified additional attack vectors and features that are affected by this vulnerability," the company said in a security advisory issued Monday. "In addition, it was also found that the original fix was incomplete so new fixed code versions are now available."

Cisco said the new, fixed code is now being made available. There are no workarounds for the vulnerability.

[Related: How Partners Can Benefit From The New Cybersecurity Insurance Offering By Cisco, Apple and Allianz]

The vulnerability and its remedies have proved to be a logistical challenge for TekLinks, a Birmingham, Ala., solution provider that works with Cisco.

"We have hundreds of clients with on-premises equipment, as well as managed services clients that we need to work with to update these platforms, and we have had to go back and update them all multiple times," said Mike Girouard, TekLinks executive vice president.

"Cisco does a really good job of getting us the patches and notifying us, but it is a logistics challenge to schedule multiple platform updates and answer so many clients' questions around the impact of delaying patching," Girouard said.

The San Jose, Calif., networking giant provided more details Monday about the nature of the vulnerability and how attackers could exploit it. The vulnerability is the result of a problem allocating and freeing memory when processing a malicious XML payload, Cisco said in the advisory. "An attacker could exploit this vulnerability by sending a crafted XML packet to a vulnerable interface on an affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, cause a reload of the affected device or stop processing of incoming VPN authentication requests."

A Cisco spokesperson did not immediately respond to a request for comment Thursday.

The vulnerability is in the XML parser code of Cisco's Adaptive Security Appliance [ASA] software and could allow unauthenticated, remote attackers to cause a reload of affected systems or to execute code remotely, Cisco said in the advisory. It is possible, the company said, that the ASA could stop processing incoming VPN authentication requests because of "a low memory condition."

The vulnerability was found in several Cisco firewalls, servers, routers, switches and security software and could allow attackers into VPN devices. The vulnerability was classified as "critical" in Cisco's initial security advisory.

The vulnerability affects 10 Cisco products, including:

• The 3000 Series Industrial Security Appliances.
• The 5500 Series Adaptive Security Appliances.
• Cisco's 5500 X-Series Next-Generation Firewalls.
• The ASA Service Module for Catalyst 6500 Series switches and 7600 Series routers.
• The ASA 1000v Cloud Firewall.
• Cisco's ASAv virtual appliance.
• The Firepower 2100 and 4110 security appliances.
• The Firepower 9300 ASA Security Module.
• Cisco's Firepower Threat Defense software.