On January 29, Cisco released a high-urgency security alert for customers using network security devices and software that support virtual private network connections to corporate networks. Firewalls, security appliances, and other devices configured with the WebVPN clientless VPN feature are vulnerable to a Web-based network attack that could bypass the devices' security, allowing an attacker to run commands on the devices and gain full control of them. That would give attackers unfettered access to the networks the devices protect; a less precise attack would simply crash the hardware and force it to reload. The vulnerability has been given a Common Vulnerability Scoring System base score of 10.0, the highest possible on the CVSS scale, with a severity rating of Critical.
WebVPN allows someone outside a corporate network to reach the corporate intranet and other network resources from within a secure browser session. Because it requires no client software and no pre-provisioned certificate, the WebVPN gateway is by design reachable from anywhere on the Internet, which means the vulnerable code is exposed, before any authentication, to anyone who can send it a request and can be attacked programmatically. A spokesperson for the Cisco security team said in the alert that Cisco is not aware of any active exploits of the vulnerability right now. But the nature of the vulnerability is already publicly known, so working exploits are nearly certain to emerge quickly.
The vulnerability, discovered by Cedric Halbronn of the NCC Group, makes it possible for an attacker to submit multiple, specially crafted XML messages to the WebVPN interface of a targeted device in an attempt to "double free" memory on the system, that is, to make the software return the same block of heap memory to the allocator twice. A double free does not leak memory; it corrupts the allocator's bookkeeping, so that the same block can later be handed out to two different parts of the program at the same time. Data the attacker controls, written through one of those allocations, then overwrites whatever the other one holds, such as pointers or state the software trusts. By doing so, the attacker could potentially steer the device into executing code of the attacker's choosing, or could simply corrupt memory and crash it.
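The mechanism described above, as an added illustration that is not Cisco's code and not the NCC Group exploit: a toy free-list allocator (assumed here, modelled loosely on how real allocators link freed chunks through their bodies) is given the same chunk twice. Two subsequent allocations then return the same address, and bytes written through an attacker-controlled buffer land inside a hypothetical `struct session` object that happens to share the chunk. The second routine shows the cheap check real allocators now apply (a "freed" marker stored in the chunk, here called `FREED_KEY`), which catches the naive double free but not an attacker who can scrub the marker first.

```c
/*
 * Toy free-list allocator showing why a double free is exploitable.
 * Constructed illustration: not Cisco's allocator, not the NCC Group exploit.
 * Freed chunks are linked through their first word, as real allocators do,
 * so freeing the same chunk twice puts it on the free list twice.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 32
#define NCHUNKS    8
#define FREED_KEY  0xDEADFEEDu   /* marker kept in freed chunks (cf. glibc tcache "key") */

static unsigned char arena[NCHUNKS][CHUNK_SIZE];
static void *free_head;

/* Second word of a chunk holds the freed marker while the chunk is on the list. */
static uint32_t *chunk_key(void *p) {
    return (uint32_t *)((unsigned char *)p + sizeof(void *));
}

static void toy_reset(void) {
    free_head = NULL;
    memset(arena, 0, sizeof arena);
    for (int i = NCHUNKS - 1; i >= 0; i--) {
        *(void **)arena[i] = free_head;
        *chunk_key(arena[i]) = FREED_KEY;
        free_head = arena[i];
    }
}

static void *toy_alloc(void) {
    if (!free_head) return NULL;
    void *p = free_head;
    free_head = *(void **)p;   /* pop the head of the free list */
    *chunk_key(p) = 0;         /* chunk is live again */
    return p;
}

/* Unchecked free: pushes blindly. A second free of the same pointer makes the
   list head link to itself, so every later allocation returns that chunk. */
static void toy_free_unchecked(void *p) {
    *(void **)p = free_head;
    free_head = p;
}

/* Checked free: refuse a chunk already carrying the freed marker. Stops the
   naive double free; an attacker who can overwrite the marker first bypasses it. */
static int toy_free_checked(void *p) {
    if (*chunk_key(p) == FREED_KEY) return -1;
    *chunk_key(p) = FREED_KEY;
    *(void **)p = free_head;
    free_head = p;
    return 0;
}

/* Hypothetical privileged object that shares the heap with request buffers. */
struct session {
    uint32_t is_admin;
    char     user[CHUNK_SIZE - sizeof(uint32_t)];
};

/* Returns 1 when the attacker-controlled buffer and the session object are the
   same chunk and the attacker's bytes have flipped the session's admin flag. */
int demo_double_free_aliasing(void) {
    toy_reset();
    char *scratch = toy_alloc();          /* e.g. a temporary parse buffer */
    toy_free_unchecked(scratch);
    toy_free_unchecked(scratch);          /* the bug: freed a second time */

    char *attacker_buf = toy_alloc();     /* first "new" allocation */
    struct session *s = toy_alloc();      /* second one: the very same chunk */
    memset(s, 0, sizeof *s);              /* is_admin = 0 */
    strcpy(s->user, "guest");

    /* Attacker-controlled bytes go into the buffer, and therefore into the session. */
    memset(attacker_buf, 0x01, CHUNK_SIZE);
    return (attacker_buf == (char *)s) && s->is_admin != 0;
}

/* Returns 1 when the checked free accepts the first free and rejects the second. */
int demo_checked_free_detects(void) {
    toy_reset();
    void *p = toy_alloc();
    int first  = toy_free_checked(p);
    int second = toy_free_checked(p);
    return first == 0 && second == -1;
}

int main(void) {
    printf("buffer aliases session after double free: %d\n", demo_double_free_aliasing());
    printf("checked free rejects second free:         %d\n", demo_checked_free_detects());
    return 0;
}
```

On a current desktop glibc the literal version of this bug (two `free()` calls on one pointer) is usually aborted by the allocator's own double-free check, which is exactly the `FREED_KEY` idea above; the marker is only a speed bump, though, because anything that lets the attacker write into a freed chunk before the second free can clear it, and embedded firmware often ships allocators with no such check at all.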