The VPN bug scored a 10 on the Common Vulnerability Scoring System, the highest possible score, further highlighting the severity of the problem and the need for affected customers to download the patch to protect against it as soon as possible.
Cisco VPN Bug: What Does It Do?
According to a security advisory released by Cisco, the bug is found in the WebVPN feature of the company's Adaptive Security Appliance software. If the bug is exploited, hackers will be able to force a reload, execute arbitrary code, and even take full control of the compromised system.
Cisco's WebVPN allows users to remotely access enterprise resources such as internal webpages, web-powered apps, and email through an internet browser. The feature does not need any proprietary software or certificate from the company for employees to access the online resources.
The bug, however, will allow hackers to bypass the security of the networking devices involved, giving them unlimited access to secure networks with the capability to do a full reset on the hardware.
The critical VPN bug was found by NCC Group researcher Cedric Halbronn, who is set to discuss his discovery this weekend at the Recon Brussels 2018 conference.
How To Protect Against The Cisco VPN Bug
With Halbronn planning to divulge the details of the bug very soon, Cisco customers who may be affected by the vulnerability should follow the necessary steps to protect their networks.
Clients should first check the security advisory released by Cisco for the list of products that are vulnerable to the exploit. Customers who own one of the affected devices and have WebVPN enabled can download the free software update that Cisco has rolled out to patch the bug. However, companies that currently have no maintenance contracts with Cisco will need to contact the company's Technical Assistance Center to acquire the necessary patches.
Cisco said that it is not aware of any hacking attacks that exploit the dangerous VPN bug, but it is always better to be safe than sorry.
"Cisco is committed to responsible coordinated disclosure about vulnerabilities, and maintains a very open relationship with the security research community," said a spokesperson for Cisco in a statement. The spokesperson added that Cisco immediately published the security advisory after learning about the VPN bug and subsequently released a patch to address the problem.