Cisco ASA: patched critical firewall vulnerability

Published on March 25, 2018


    At the end of January, Cisco announced the critical vulnerability CVE-2018-0101 in its Cisco ASA firewalls. It allowed attackers to remotely execute malicious code, conduct DDoS attacks, and reboot the system.

    To date, the vulnerability has been "closed."

    We decided to understand the situation and take a closer look at the attack vector.



    What was the vulnerability


    The problem was discovered by researcher Cedric Halbronn of the information security consultancy NCC Group. It lay in the XML parser of the Cisco Adaptive Security Appliance firewall software and concerned the allocation and freeing of memory while processing XML messages.

    An attacker could send specially crafted XML messages to the target device's WebVPN interface so that the same portion of system memory was freed several times in a row (a double free). This crashed the device and gave the attacker the ability to run malicious code, alter data in system memory blocks, and conduct DDoS attacks.

    In total, the vulnerability affected more than ten Cisco products, ranging from the 3000 Series Industrial Security Appliance and the ASA 5500-X Series Next-Generation firewalls to the Firepower Security Appliance and Firepower Threat Defense (FTD) modules. The full list can be found here.

    Cisco also listed 13 vulnerable ASA software features, identified by the configuration that enables them.

    Among them are AnyConnect IKEv2:

    crypto ikev2 enable <interface_name>
    webvpn
       anyconnect enable

    Cisco Security Manager, the solution for managing security policies:

    http server enable <port>
    http <remote_ip_address> <remote_subnet_mask> <interface_name>

    And also the REST API:

    rest-api image disk0:/<image name>
    rest-api agent

    The Firepower Threat Defense features are also listed: Active HTTP Service, AnyConnect SSL VPN, and AnyConnect IKEv2.



    Patch for Vulnerability


    The vulnerability received the highest severity rating on the CVSS scale. As Cisco noted, there was no workaround that protected users against all potential threats while retaining functionality. The only mitigation was to restrict the set of trusted hosts allowed ASDM access, using the CLI command:

    http <remote_ip_address> <remote_subnet_mask> <interface_name>
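As an added example (my own code, not from Cisco or the original post), the following Python audit reads an ASA running configuration, reports which of the affected features listed above are enabled, and checks whether the `http <remote_ip_address> <remote_subnet_mask> <interface_name>` entries confine ASDM access to narrow trusted ranges. The regular expressions, the 24-bit prefix threshold and the sample configuration are my assumptions.

```python
import ipaddress
import re

# Enablement lines of the affected features quoted in the post; the regexes are mine.
IKEV2_RE = re.compile(r"^crypto ikev2 enable (\S+)")
HTTP_SRV_RE = re.compile(r"^http server enable")
HTTP_ACL_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")
REST_AGENT_RE = re.compile(r"^rest-api agent")

def audit_asa_config(config, max_prefix=24):
    """Return enabled affected features, the 'http <ip> <mask> <iface>' ACLs and
    the ACLs wider than max_prefix (my threshold, not a Cisco value). Helps prioritise patching."""
    features, acls, broad, ikev2_ifaces = [], [], [], []
    in_webvpn = anyconnect = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # unindented line = top-level command, resets mode
            in_webvpn = line == "webvpn"
        if in_webvpn and line.strip() == "anyconnect enable":
            anyconnect = True
        elif (m := IKEV2_RE.match(line)):
            ikev2_ifaces.append(m.group(1))
        elif HTTP_SRV_RE.match(line):
            features.append("HTTP server (ASDM / Cisco Security Manager)")
        elif REST_AGENT_RE.match(line):
            features.append("REST API")
        elif (m := HTTP_ACL_RE.match(line)):
            ip, mask, iface = m.groups()
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            acls.append(f"{net} via {iface}")
            if net.prefixlen < max_prefix:
                broad.append(f"{net} via {iface}")
    if anyconnect and ikev2_ifaces:  # the post lists both lines for this feature
        features.append("AnyConnect IKEv2 on " + ", ".join(ikev2_ifaces))
    return {"enabled_features": features, "http_acls": acls, "broad_http_acls": broad}

# Constructed sample configuration, not a real device's running-config.
SAMPLE_CONFIG = """\
crypto ikev2 enable outside
webvpn
 enable outside
 anyconnect enable
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.20.30.0 255.255.255.0 management
rest-api agent
"""
```

Run it over `show running-config` output; in the sample, the `0.0.0.0 0.0.0.0` entry on the outside interface is the kind of overly permissive ASDM access the mitigation above is meant to tighten.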

    Therefore, Cisco urgently released patches covering the vulnerability. However, a few days later it turned out that the "patches" the developers had shipped did not solve all the problems.

    The company conducted an additional investigation and found that more products were affected. Moreover, the initial patches had created an additional DoS vulnerability. Cisco then hastened to release a new series of updates and recommended installing them as soon as possible.

    Some system administrators were not enthusiastic about the news of yet another update: the first patches were already installed, and a repeated update meant additional downtime.


    All updates are now available in the Cisco Software Center under Products > Security > Firewalls. At the moment, the vulnerability is considered completely closed, and, according to Cisco, attackers did not manage to exploit it.
