Cisco ASA Remote Code Execution & DOS Vulnerability

Release Date (01-29-2018) CVE#-2018-0101

Affected Products - Must have WebVPN enabled to be vulnerable

• 3000 Series Industrial Security Appliance (ISA)
• ASA 5500 Series Adaptive Security Appliances
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• ASA 1000V Cloud Firewall
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 2100 Series Security Appliance
• Firepower 4110 Security Appliance
• Firepower 9300 ASA Security Module
• Firepower Threat Defense Software (FTD)

Vulnerability Details

This vulnerability affects an unknown function of the SSL VPN component within the ASA. The vulnerability is triggered when an attacker attempts to double free a section of memory when the VPN component is active on the ASA. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system.

Impact

This vulnerability was discovered by a researcher who will be giving a talk on it on February 2nd, found in the references below. The impact to Cisco ASA platforms can range from the worst case of full control of the system to forcing the device to reboot. There are currently no known POCs or publicly utilized exploits for this vulnerability, therefore it’s important to patch during this time period.

Remediation

There are currently patched versions for the 9.1, 9.2, 9.4, 9.6, 9.7, and 9.8 trains for the affected Cisco ASAs. While the official list from Cisco (seen below) lists 9.9.1.2 as the fix for the 9.9 major release train, this is currently not available and has been pushed back due to failures in regression testing. If you are currently on 9.9, NetWorks Group strongly recommends falling back to the newest available version in the 9.8.2 train, currently 9.8.2-17.

• 8.x Affected Migrate to 9.1.7.20 or later
• 9.0 Affected Migrate to 9.1.7.20 or later 
• 9.1 Affected 9.1.7.20
• 9.2 Affected 9.2.4.25
• 9.3 Affected Migrate to 9.4.4.14 or later
• 9.4 Affected 9.4.4.14
• 9.5 Affected Migrate to 9.6.3.20 or later
• 9.6 Affected 9.6.3.20
• 9.7 Affected 9.7.1.16
• 9.8 Affected 9.8.2.14
• 9.9 Affected 9.9.1.2

Defensive Mitigations

Cisco has identified that there are no defensive mitigations or workarounds for this vulnerability that do not entail hampering features or updating/downgrading the device. Disabling webvpn from access to the Outside or as a whole will mitigate the harm this vulnerability being exploited could cause, however this will also disable webvpn functionality.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1https://vuldb.com/?id.112635https://recon.cx/2018/brussels/talks/cisco.htmlNetWorks Group Managed Service Customers running affected products already have the recommended patch in place. As software fixes are released, NWG will contact each customer to arrange for an upgrade of the managed device.All other customers running an affected product should plan to implement any recommended defensive mitigations as soon as possible to address the issues in this advisory.If you have questions regarding this notice, please call us at 734-827-1400, option 3 or email NetWorks Group support.

‍