Cisco Secure Firewall Adaptive Security Appliance Software, Secure Firewall Threat Defense Software, IOS Software, IOS XE Software, and IOS XR Software Web Services Remote Code Execution Vulnerability
TL;DR 📌
A critical vulnerability has been identified in the web services of Cisco Secure Firewall ASA, Secure Firewall FTD, IOS, IOS XE, and IOS XR Software. This flaw could allow unauthenticated or authenticated remote attackers to execute arbitrary code on affected devices. Cisco has released fixed software to address this issue, and there are no workarounds available.
What happened 🕵️♂️
A vulnerability in the web services of Cisco Secure Firewall ASA and FTD Software allows unauthenticated remote attackers to execute arbitrary code on affected devices. For IOS, IOS XE, and IOS XR Software, the vulnerability can be exploited by authenticated remote attackers with low user privileges. This vulnerability arises from improper validation of user-supplied input in HTTP requests, potentially leading to complete device compromise.
Affected products 🖥️
The following Cisco products are affected by this vulnerability:
- Cisco Secure Firewall ASA Software
- Cisco Secure Firewall FTD Software
- Cisco IOS Software (with Remote Access SSL VPN feature enabled)
- Cisco IOS XE Software (with Remote Access SSL VPN feature enabled)
- Cisco IOS XR Software (32-bit on ASR 9001 Routers with HTTP server enabled)
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 6.8 | ASR 9001 | |
| 6.9 | ASR 9001 | |
| 1.0 | Initial public release. | |
| Cisco Secure Firewall ASA | Not specified | |
| Cisco Secure FMC | Not specified | |
| Cisco Secure FTD | Not specified | |
| Cisco IOS | Not specified | |
| Cisco IOS XE | Not specified | |
| Cisco IOS XR | 6.8 | Earlier than 6.8 |
| Cisco IOS XR | 6.9 | Earlier than 6.9 |
Workarounds 🧯
There are no workarounds available to mitigate this vulnerability.
Risk in context 🎯
This vulnerability has a CVSS score of 9.0, categorizing it as Critical. The exposure risk is significant, as unauthenticated attackers can exploit the vulnerability remotely. The lack of workarounds increases the urgency for organizations to apply the necessary updates promptly.
Fast facts ⚡
- Vulnerability Type: Remote Code Execution
- CVSS Score: 9.0 (Critical)
- Attack Vector: Remote, unauthenticated for ASA/FTD; authenticated for IOS/IOS XE/IOS XR
- Impact: Complete device compromise possible
- Workarounds: None available
For leadership 🧭
This vulnerability poses a Critical risk due to its high CVSS score of 9.0. It allows unauthenticated remote attackers to execute arbitrary code, potentially leading to complete device compromise. The exposure is particularly concerning for internet-facing devices, with no authentication required for exploitation.
Remediation Ask: Upgrade to fixed software within 7 days to mitigate risks.
Operational Impact: Expect a brief maintenance window with no configuration drift anticipated.
Now / Next / Later:
- Now: Assess affected devices and plan for immediate upgrades.
- Next: Implement the necessary software updates.
- Later: Monitor for any signs of exploitation and review security policies to prevent future vulnerabilities.