A flaw in Cisco's ASA software allows attacks via WebVPN. aspectra has closed the corresponding vulnerability.
On January 29, Cisco announced a vulnerability in the Secure Sockets Layer (SSL) affecting its web-based VPN gateway that allows attackers to crash the device or even gain control of the network. This affects devices running the security software ASA (Adaptive Security Appliance) where access via the WebVPN feature is enabled in the OS settings.
This vulnerability can be exploited by sending several specially crafted XML packets to the interface. It is so critical that it has received the maximum score of 10/10 in the Common Vulnerability Scoring System (CVSS).
At the same time as the advisory was issued, Cisco also released software patches that address the problem. Accordingly, aspectra fixed the vulnerability by patching the affected devices on January 30.