Cisco has confirmed a critical security vulnerability in its SSL VPN solution, Adaptive Security Appliance (ASA), which is arguably one of the most widely-deployed SSL VPNs on the market.
Traditional VPNs, like Cisco’s ASA, expose an open port to the Internet which means that any remote user can connect to it. The vulnerability announced yesterday allows an unauthenticated, remote attacker to remotely execute code on the VPN box. This represents an immediate and significant vulnerability for many organisations as, through this, an attacker could gain access to the corporate network. This is why Cisco has classified it as critical – their highest level. Jason Garbis, VP at Cyxtera commented below.
Jason Garbis, VP at Cyxtera:
“The fundamental premise of traditional network security – exposing services such as VPNs to unauthorised users – is profoundly flawed and puts the organisation at risk. This kind of vulnerability is why a Software-Defined Perimeter (SDP) model, that dynamically creates one-to-one network connections between the user and the resources they access and effectively cloaks the security system itself from attackers, is needed.”