Cisco Upgrades CVE-2018-0296 from High to Critical

Cisco has upgraded the severity of a vulnerability (CVE-2018-0296) from 'High' to 'Critical' more than a year after it was first published. The flaw came to light in March 2018 and was rated High because "a vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques." Cisco state that an attacker could take advantage of the vulnerability by "sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic." Patches were released at the time and users told to apply them. The vulnerability has re-emerged in the wild, where it came to the attention of PSIRT - the Cisco Product Security Incident Response Team - in September 2019. The latest Cisco advisory doesn't outline the reasons behind the CVE's upgrading to Critical, but strongly recommends that customers upgrade to a fixed Cisco ASA Software release.