Critical vulnerability in Cisco ASA firewalls allows remote arbitrary code execution

Cisco ASA firewalls are susceptible to the critical vulnerability CVE-2018-0101, which could allow attackers to remotely execute arbitrary code. In addition, the error can lead to a denial of service and provoke a system reboot.
The security problem was discovered by researcher Cedric Halbronn of the NCC Group, who plans to present technical details at the Recon 2018 conference, which will be held in Brussels on February 2.
What is the problem
The vulnerability was discovered in the Secure Sockets Layer (SSL) VPN module of Cisco ASA firewalls. According to the information published by the company, when the webvpn option is turned on, the error leads to an attempt to free the same memory region twice (a double free).
To exploit it, an attacker needs to generate special XML packets and send them to the interface on which webvpn is configured. This opens the possibility of executing arbitrary code and gives the attacker full control over the system, or leads to a reboot of the device. The vulnerability received the highest CVSS criticality score.
Among the vulnerable Cisco ASA products:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense (FTD)
The vulnerability first appeared in Firepower Threat Defense 6.2.2 in September 2017 - this tool implements remote VPN access functionality.
How to protect yourself
Cisco has published a security bulletin listing recommended security measures. First of all, device administrators are advised to check their version and, if it is in the list of vulnerable ones, install the released patches. According to the Cisco Product Security Incident Response Team (PSIRT), no attacks exploiting this vulnerability have been detected so far.
Positive Technologies experts also recommend using specialized tools to detect vulnerabilities, for example MaxPatrol 8, a system for monitoring security and compliance with standards.
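The exposure condition described above (webvpn enabled on an interface) can be checked offline against a saved copy of a device's `show running-config` output. The following Python sketch is an added example, not code from Cisco or from the original article; the function name `webvpn_exposure` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample of saved `show running-config` output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-asa-01
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
group-policy GP_STAFF attributes
 webvpn
  anyconnect ask none default anyconnect
!
webvpn
 enable outside
 anyconnect enable
!
"""

def webvpn_exposure(config_text):
    """Return {nameif: physical interface} for interfaces with webvpn enabled."""
    section = ""            # current top-level command (starts in column 0)
    phys_by_nameif = {}     # nameif -> physical interface name
    enabled = []            # nameifs listed under the global webvpn block
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line[0].isspace():
            section = line.strip()
            continue
        body = line.strip()
        if section.startswith("interface "):
            m = re.match(r"nameif\s+(\S+)", body)
            if m:
                phys_by_nameif[m.group(1)] = section.split(None, 1)[1]
        elif section == "webvpn":
            # Only the global webvpn block counts; the webvpn sub-mode nested
            # under group-policy does not open a listener on an interface.
            m = re.match(r"enable\s+(\S+)", body)
            if m:
                enabled.append(m.group(1))
    return {name: phys_by_nameif.get(name, "unknown") for name in enabled}

if __name__ == "__main__":
    for nameif, phys in webvpn_exposure(SAMPLE_CONFIG).items():
        print(f"webvpn enabled on {nameif} ({phys}): check version against the Cisco bulletin")
```

An empty result means the global webvpn block enables no interface in that file; the version check against Cisco's bulletin is still required.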