Cisco has warned customers using its Adaptive Security Appliance (ASA) software to patch a dangerous VPN bug that a researcher will be revealing how to exploit this weekend. Cisco’s ASA operating system for its network security devices has a severe double-free vulnerability in the Secure Sockets Layer VPN feature that it warns “could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code”. A successful attack using multiple, specially crafted XML packets would allow an attacker to take “full control of the system”, according to Cisco’s advisory. Due to the ease of exploitation and the impact, the bug – CVE-2018-0101 – has been given a Common Vulnerability Score System (CVSS) score of 10 out of a possible 10. However, ASA devices are only exposed if the webvpn feature is enabled, it notes. Admins can see if the feature is enabled by using command-line interface instructions provided by Cisco. According to a tweet by security researcher Kevin Beaumont, almost 200,000 internet-connected devices may be vulnerable. The vulnerability affects the 3000 Series Industrial Security Appliance (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, ASA 1000V Cloud Firewall, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4110 Security Appliance, Firepower 9300 ASA Security Module, and Firepower Threat Defense Software (FTD). The bug applies to FTD 6.2.2, which Cisco released in September and was the first version to support remote access VPN. Systems with major release FTD versions before 6.2.2 aren’t vulnerable. Download now: Network security policy Cisco has provided instructions for admins to see which versions of ASA and FTD they’re running. It has also provided a table detailing versions affected by the vulnerability and the first release that has a fix. Cisco advises customers to migrate to a supported release to receive the fix. The company notes that it is not aware of any attacks that have used the vulnerability, but that situation could change soon. The bug was reported by NCC Group security researcher Cedric Halbronn, who will explain how he exploited the flaw in Cisco’s AnyConnect/WebVPN on ASA devices. He’s scheduled to give a talk on the subject, including the fuzzer he used to find the flaw, this weekend at the Recon Brussels 2018 conference. “Our talk details the general architecture of the fuzzer used to find the double-free vulnerability, our analysis of the bug, and how we exploited it. The fuzzing architecture could be used to fuzz other protocols found on Cisco devices,” Halbronn writes in his conference notes. “We also describe a generic way to leverage fragmented IKEv1 packets for both heap feng shui and for creating a write primitive. The AnyConnect vulnerability has been reported to Cisco, which assigned a CVSS score of 10.0. They will release an advisory about it early 2018.”
Previous and related coverage
Cisco, Apple release security connector app for iOS The Security Connector app monitors network activity across traffic generated by users and applications to combat ransomware and malware on enterprise-managed iOS devices. Cisco rolls out industry-first security features for Spark The collaboration platform will now, among other things, enable customers to run on-prem key servers for securing cloud content. Cisco, IBM forge security integration partnership Both companies will integrate products, research and services as they aim to collaborate on cybersecurity. GoT’s Dinklage presents miserable, threatening world for Cisco (CNET) Commentary: A new Cisco ad has Tyrion Lanister explain how the company is fighting cyberthreats. It’s all a little scary. Cisco’s iOS security app aims to help smartphone users combat malware and ransomware (TechRepublic) A new iOS 11 app gives companies more visibility and control over network activity in order to reduce exposure to common cybersecurity threats.