What you need to know about vulnerabilities on your ASA

Your ASA could be affected by a recently disclosed Cisco vulnerability. This article explains the problem, lists the fixed releases and names the affected products.

The vulnerability, tracked as CVE-2018-0101, has been assigned the maximum severity score of 10 out of 10 and can allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service (DoS) condition. It lies in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. If the webVPN feature is enabled on a device, a remote attacker can trigger the bug by sending specially crafted XML packets to a webVPN-configured interface on the affected system. The root cause is an attempt to double free a region of memory when the webVPN feature is enabled on Cisco ASA Software, which could allow an unauthenticated, remote attacker to cause a reload of the affected system or to execute code remotely.

Several security appliances using ASA software are affected, including 3000 Series Industrial Security Appliances (ISA), ASA 5500 security appliances and firewalls, ASA services modules for Catalyst 6500 series switches and 7600 series routers, ASA cloud firewalls, ASAv virtual appliances, and various Firepower devices.

Cisco is not aware of any malicious attacks exploiting this flaw, but its product security incident response team (PSIRT) “is aware of public knowledge of the vulnerability.”

To be vulnerable, the affected device must have SSL services or IKEv2 Remote Access VPN services enabled on an interface.

Regardless of which VPN feature is configured, you can use the show asp table socket command and look for an SSL or a DTLS listen socket on any TCP port.

If such a socket exists, you are vulnerable. You can also use the show asp table socket stats command to list the underlying SSL system statistics.

This vulnerability only affects traffic destined to the affected device, not transit traffic. If your device terminates SSL connections, your device is vulnerable.

IKEv2 configurations are also affected. You can use the show run crypto ikev2 | grep enable command to assess whether IKEv2 is enabled on your device.

If a command like crypto ikev2 enable is present in the running configuration and the command anyconnect enable is part of the global webVPN configuration, the ASA device is also considered vulnerable.
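The two checks above (an SSL or DTLS listen socket in show asp table socket, and crypto ikev2 enable combined with anyconnect enable under the global webvpn section) can be applied to saved command output instead of read by eye. The following is an added example, not code from the article or from Cisco; the socket table and configuration excerpt are constructed samples, and the parser assumes the Protocol, State and Local Address columns of show asp table socket are the first, third and fourth whitespace-separated fields.

```python
import re

# Constructed sample of "show asp table socket" output (not captured from a real
# device). Only the Protocol, State and Local Address columns are relied upon.
SAMPLE_ASP_SOCKETS = """\
Protocol  Socket    State      Local Address            Foreign Address
SSL       00012bd8  LISTEN     192.0.2.1:443            0.0.0.0:*
DTLS      00003558  LISTEN     192.0.2.1:443            0.0.0.0:*
TCP       00003d08  LISTEN     192.0.2.1:22             0.0.0.0:*
TCP       0001a0c0  ESTAB      192.0.2.1:22             198.51.100.7:51022
"""

# Constructed running-configuration excerpt with IKEv2 remote access enabled
# and "anyconnect enable" present in the global webvpn section.
SAMPLE_RUNNING_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
crypto ikev2 enable outside
webvpn
 enable outside
 anyconnect enable
"""


def ssl_listen_sockets(asp_output):
    """Return (protocol, local address) for every SSL or DTLS socket in LISTEN state."""
    found = []
    for line in asp_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proto, state, local = fields[0], fields[2], fields[3]
        if proto in ("SSL", "DTLS") and state == "LISTEN":
            found.append((proto, local))
    return found


def ikev2_enabled(running_config):
    """True if a top-level 'crypto ikev2 enable <interface>' line is present."""
    return re.search(r"^crypto ikev2 enable\s+\S+", running_config, re.M) is not None


def anyconnect_enabled(running_config):
    """True only if 'anyconnect enable' sits under the global, top-level 'webvpn' section
    (an indented webvpn block inside a group-policy does not count)."""
    in_webvpn = False
    for line in running_config.splitlines():
        if not line.startswith(" "):
            in_webvpn = line.strip() == "webvpn"
        elif in_webvpn and line.strip() == "anyconnect enable":
            return True
    return False


def exposure_indicators(asp_output, running_config):
    """List the conditions from the advisory that mark the device as exposed."""
    reasons = []
    sockets = ssl_listen_sockets(asp_output)
    if sockets:
        reasons.append("SSL/DTLS listen socket(s): "
                       + ", ".join(f"{p} {a}" for p, a in sockets))
    if ikev2_enabled(running_config) and anyconnect_enabled(running_config):
        reasons.append("IKEv2 enabled together with 'anyconnect enable' under webvpn")
    return reasons


if __name__ == "__main__":
    hits = exposure_indicators(SAMPLE_ASP_SOCKETS, SAMPLE_RUNNING_CONFIG)
    for reason in hits or ["no exposure indicators found"]:
        print(reason)
```

Feed it the real output of show asp table socket and show running-config from your own device; an empty result means none of the advisory's exposure conditions were matched, not that the device is patched, so the release check in the Fixed Releases section still applies.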

There are no workarounds that address all the features affected by this vulnerability. Management access to the security appliance can be restricted to known, trusted hosts using the CLI command http <remote_ip_address> <remote_subnet_mask> <interface_name>. Please refer to the Enable HTTP Service section in the Cisco Guide to Harden Cisco ASA Firewall for further information.

Fixed Releases

Cisco has released fixes for each of the affected ASA releases, except for those that are no longer supported. (ASA Software releases prior to 9.1, including all 8.x releases, and ASA releases 9.3 and 9.5 have reached End of Software Maintenance. Customers should migrate to a supported release.)

In the following table, the left column lists major releases of Cisco ASA Software. The right column indicates whether a major release is affected by the vulnerability and gives the first release that includes the fix. Customers should upgrade to an appropriate release as indicated in this section.

Cisco ASA Major Release    First Fixed Release
8.x (1)                    Affected; migrate to 9.1.7.23
9.0 (1)                    Affected; migrate to 9.1.7.23
9.1                        9.1.7.23
9.2                        9.2.4.27
9.3 (1)                    Affected; migrate to 9.4.4.16
9.4                        9.4.4.16
9.5 (1)                    Affected; migrate to 9.6.4.3
9.6                        9.6.4.3
9.7                        9.7.1.21
9.8                        9.8.2.20
9.9                        9.9.1.2

(1) This release has reached End of Software Maintenance; no fix is provided for it.
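Comparing the running release against the table by hand is error-prone because ASA prints versions as 9.8(2)20 while the advisory writes 9.8.2.20. The script below is an added example (not from the article or from Cisco) that normalises both forms, classifies a release as fixed, affected, or unsupported according to the ASA table above, and reads the release out of show version text; the show version excerpt is constructed, and the code assumes the "Software Version 9.8(2)20" line format that ASA prints.

```python
import re

# First fixed release per Cisco ASA major train, transcribed from the table above.
FIRST_FIXED = {
    "9.1": "9.1.7.23", "9.2": "9.2.4.27", "9.4": "9.4.4.16", "9.6": "9.6.4.3",
    "9.7": "9.7.1.21", "9.8": "9.8.2.20", "9.9": "9.9.1.2",
}
# Trains with no fix (End of Software Maintenance) and the release to migrate to.
MIGRATE_TO = {"8.x": "9.1.7.23", "9.0": "9.1.7.23", "9.3": "9.4.4.16", "9.5": "9.6.4.3"}


def parse_version(text):
    """Normalise '9.8(2)20', '9.8(2)' or dotted '9.8.2.20' to a 4-tuple of ints
    so that releases compare correctly as tuples."""
    m = re.search(r"(\d+)\.(\d+)\((\d+)\)(\d*)", text)
    if m:
        parts = [m.group(1), m.group(2), m.group(3), m.group(4) or "0"]
    else:
        parts = text.strip().split(".")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def status(version_text):
    """Return (verdict, target): verdict is 'fixed', 'affected', 'unsupported' or
    'unknown'; target is the release to upgrade or migrate to, if any."""
    v = parse_version(version_text)
    train = "8.x" if v[0] == 8 else f"{v[0]}.{v[1]}"
    if train in FIRST_FIXED:
        target = FIRST_FIXED[train]
        return ("fixed", None) if v >= parse_version(target) else ("affected", target)
    if train in MIGRATE_TO:
        return ("unsupported", MIGRATE_TO[train])
    # Train not listed in the advisory table (for example newer than 9.9).
    return ("unknown", None)


def status_from_show_version(output):
    """Pull the running release out of 'show version' text and classify it."""
    m = re.search(r"Software Version\s+(\S+)", output)
    if not m:
        return ("unknown", None)
    return status(m.group(1))


# Constructed 'show version' excerpt (not captured from a real device).
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 9.8(2)19\n"
    "Device Manager Version 7.8(2)151\n"
)

if __name__ == "__main__":
    verdict, target = status_from_show_version(SAMPLE_SHOW_VERSION)
    print(verdict, target or "")
```

A verdict of "fixed" only says the release contains Cisco's fix; it does not replace checking the interfaces and listen sockets described earlier, and the FTD hotfixes in the next table follow a different naming scheme that this script does not cover.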

In the following table, the left column lists major releases of Cisco FTD Software. The right column indicates whether a major release is affected by the vulnerability and gives the first release (or hotfix) that includes the fix. Customers should upgrade to an appropriate release as indicated in this section. The FTD software images will be posted as they become available.

Cisco FTD Major Release    First Fixed Release
6.0.0                      Affected; migrate to 6.0.1 HotFix or later
6.0.1                      Cisco_FTD_Hotfix_BH-6.0.1.5-1.sh (all FTD hardware platforms except 41xx and 9300)
                           Cisco_FTD_SSP_Hotfix_BH-6.0.1.5-1.sh (41xx and 9300 FTD hardware platforms)
6.1.0                      Cisco_FTD_Hotfix_DZ-6.1.0.7-1.sh (all FTD hardware platforms except 41xx and 9300)
                           Cisco_FTD_SSP_Hotfix_DZ-6.1.0.7-1.sh (41xx and 9300 FTD hardware platforms)
6.2.0                      Cisco_FTD_Hotfix_BN-6.2.0.5-3.sh (all FTD hardware platforms except 41xx and 9300)
                           Cisco_FTD_SSP_Hotfix_BN-6.2.0.5-3.sh (41xx and 9300 FTD hardware platforms)
6.2.1                      Affected; migrate to 6.2.2 HotFix
6.2.2                      Cisco_FTD_SSP_FP2K_Hotfix_AN-6.2.2.2-4.sh.REL.tar (21xx FTD hardware platform)
                           Cisco_FTD_SSP_Hotfix_AO-6.2.2.2-1.sh.REL.tar (41xx and 9300 FTD hardware platforms)
                           Cisco_FTD_Hotfix_AO-6.2.2.2-1.sh.REL.tar (all other FTD hardware platforms)

Here is the full list of affected products:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)
  • FTD Virtual