Threat Update: Cisco ASA VPN Feature Allows Remote Code Execution (CVE-2018-0101)
January 30, 2018
A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device.
Analysis:
This vulnerability applies to Cisco ASA software where the ‘webvpn’ feature is enabled, as well as products using FTD version 6.2.2, which is the first version to support the Remote Access VPN feature. All FTD software versions previous to 6.2.2 are NOT impacted. There are no workarounds for this vulnerability. The CVE score for this vulnerability is 10 out of a possible 10 due to its ease of exploitation and impact.
Affected products may include:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
Recommendations:
- Assess your environment for Cisco hosts running vulnerable software versions and disable the ‘webvpn’ feature where possible.
- Cisco has released updates to patch this vulnerability, they should be installed immediately if appropriate. Please see the table below from the Cisco advisory to determine the appropriate release to upgrade to.
| Cisco ASA Major Release | First Fixed Release |
|---|---|
| 8.x1 | Affected; migrate to 9.1.7.20 or later |
| 9.01 | Affected; migrate to 9.1.7.20 or later |
| 9.1 | 9.1.7.20 |
| 9.2 | 9.2.4.25 |
| 9.31 | Affected; migrate to 9.1.7.20 or later |
| 9.4 | 9.4.4.14 |
| 9.51 | Affected; migrate to 9.1.7.20 or later |
| 9.6 | 9.6.3.20 |
| 9.7 | 9.7.1.16 |
| 9.8 | 9.8.2.14 |
| 9.9 | 9.9.1.2 |
Additional Resources:
- Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability
- CVE-2018-0101 Detail
- Cisco ASA VPN Feature Allows Remote Code Execution
- Cisco: This VPN Bug Has A 10 Out Of 10 Severity Rating, So Patch It Now
For more information please connect with a Herjavec Group security specialist.
CONNECT WITH USTake the First Step
In Transforming Your Cybersecurity Program
Enterprise security teams are adapting to meet evolving business needs. With 5 global Security Operations Centers, emerging technology partners and a dedicated team of security specialists, Herjavec Group is well-positioned to be your organization’s trusted advisor in cybersecurity. We’ll help you understand your risk exposure, increase your visibility and ROI, and proactively hunt for the latest threats.
