Cisco: No Security Update Yet for RCE Vulnerability in Firewall and VPN Manager


Last month, Cisco issued a warning about a vulnerability in the Adaptive Security Device Manager (ASDM) that allows remote code execution (RCE), but in an update to the security advisory, the networking company reports that no security update is available yet.


The Adaptive Security Device Manager is a solution for managing Cisco Adaptive Security Appliance (ASA) firewalls and the Cisco AnyConnect Secure Mobility VPN client. Administrators install the ASDM launcher on their system and use it to manage the ASA firewalls and AnyConnect VPN. Because of the vulnerability, the digital signature of the code exchanged between the launcher and ASDM is not properly verified.


An attacker with a man-in-the-middle position between the launcher and ASDM could run arbitrary code on the system where the launcher is installed. In order for the attack to be possible, there must be a connection from the user to the ASDM. The security advisory for this vulnerability was published on July 7. Last week, Cisco reported that there is still no security update available for it. There are also no workarounds that organizations can apply. It is unknown when the patch will be released.
