Cisco Adaptive Security Appliance RCE (cisco-sa-20191112-asa-ftd-lua-rce)
High Nessus Plugin ID 131228
Synopsis
The remote device is affected by a remote code execution vulnerability.
Description
A remote code execution vulnerability exists in the Lua interpreter of Cisco Adaptive Security Appliance (ASA) software due to insufficient restrictions on the allowed Lua function calls within the context of user-supplied Lua scripts. An authenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges on the underlying Linux operating system of an affected device.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Cisco will release a fixed version in the future. Please refer to Cisco bug ID CSCvr85295.