---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in Cisco Adaptive Security Appliance'
version: '1.1'
number: '2018-004'
date: 'February 6, 2018'
---

_History:_

* _31/01/2018 --- v1.0: Initial publication_
* _06/01/2018 --- v1.1: Corrections after CISCO updated advisory_

# Summary

On the 29th of January 2018, CISCO published a security advisory for a remote code execution and denial of service vulnerability affecting Cisco Adaptive Security Appliance (ASA) [1]. The vulnerability is located in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software and could allow an unauthenticated, remote attacker to cause a reboot of the affected system or to remotely execute code.

On the 5th of February 2018, CISCO updated the advisory after identifying additional attack vectors and releasing new patches.

# Technical Details

The vulnerability received the following CVE: CVE-2018-0101 [2].

The vulnerability is due to an attempt to _double free_ a region of memory when the `webvpn` feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a `webvpn`-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reboot of the affected device.
To determine whether `webvpn` is enabled for at least one interface, administrators can use the `show running-config webvpn` command at the CLI and verify that the command returns at least one `enable` line:

```
ciscoasa# show running-config webvpn
webvpn
 enable Outside
```

Administrators can also use the `show asp table socket` command and look for an `SSL` and a `DTLS` listen socket on TCP port 443:

```
ciscoasa# show asp table socket
Protocol  Socket    State      Local Address         Foreign Address
SSL       00005898  LISTEN     10.48.66.202:8443     0.0.0.0:*
TCP       00009718  LISTEN     10.48.66.202:23       0.0.0.0:*
TCP       0000e708  LISTEN     10.48.66.202:22       0.0.0.0:*
SSL       00011cc8  LISTEN     10.48.66.202:443      0.0.0.0:*
DTLS      000172f8  LISTEN     10.48.66.202:443      0.0.0.0:*
```

To determine whether a vulnerable version of Cisco ASA Software is running on a device, administrators can use the `show version` command in the CLI:

```
ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.4(1)
```

This vulnerability also applies to the FTD 6.2.2 software release.
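The three CLI checks above are easy to run by hand on one box, but a fleet of ASAs is better triaged by collecting the three outputs and evaluating them in one place. The following script is an added example written for this advisory, not CERT-EU or Cisco code: it parses the `show version`, `show running-config webvpn` and `show asp table socket` outputs, compares the running release against the affected-version list given in the Products Affected section of this advisory, and reports whether the device is both on an affected release and exposing the `webvpn` service. The sample outputs embedded at the bottom are constructed to mirror the ones shown above; the version-tuple comparison assumes Cisco's `9.1(7)23` display form and the advisory's `9.1.7.23` form denote the same release.

```python
import re

# Affected ASA trains and their first fixed release, as listed in this
# advisory. A None entry means every version of that train is affected and
# there is no fixed release in the train (the advisory says to migrate).
ASA_FIXED = {
    (8,): None,
    (9, 0): None,
    (9, 1): (9, 1, 7, 23),
    (9, 2): (9, 2, 4, 27),
    (9, 3): None,
    (9, 4): (9, 4, 4, 16),
    (9, 5): None,
    (9, 6): (9, 6, 4, 3),
    (9, 7): (9, 7, 1, 21),
    (9, 8): (9, 8, 2, 20),
    (9, 9): (9, 9, 1, 2),
}


def parse_asa_version(text):
    """Convert '9.2(1)', '9.1(7)23' or '9.1.7.23' into a tuple of ints.

    Assumption: the CLI's '9.1(7)23' and the advisory's '9.1.7.23' are the
    same release, so both reduce to (9, 1, 7, 23). Tuples then compare in
    release order; a shorter prefix sorts first, e.g. 9.2(4) < 9.2(4)27.
    """
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if len(nums) < 2:
        raise ValueError("unrecognised ASA version: %r" % (text,))
    return nums


def asa_status(version_text):
    """'affected', 'affected-no-fix-in-train', 'fixed' or 'unlisted'."""
    v = parse_asa_version(version_text)
    train = (8,) if v[0] == 8 else v[:2]
    if train not in ASA_FIXED:
        return "unlisted"  # train not covered by the list; consult Cisco's advisory
    fixed = ASA_FIXED[train]
    if fixed is None:
        return "affected-no-fix-in-train"
    return "affected" if v < fixed else "fixed"


def webvpn_interfaces(running_config_webvpn):
    """Interface names from 'enable <ifname>' lines of 'show running-config webvpn'."""
    return re.findall(r"^\s*enable\s+(\S+)", running_config_webvpn, re.M)


def vpn_listeners(asp_table_socket):
    """(protocol, local address) for SSL/DTLS sockets in LISTEN state on port 443."""
    found = []
    for line in asp_table_socket.splitlines():
        fields = line.split()
        if (len(fields) >= 4 and fields[0] in ("SSL", "DTLS")
                and fields[2] == "LISTEN" and fields[3].endswith(":443")):
            found.append((fields[0], fields[3]))
    return found


def assess(show_version, running_config_webvpn, asp_table_socket):
    """Combine the three checks into one exposure verdict for a device."""
    m = re.search(r"Adaptive Security Appliance Software Version (\S+)", show_version)
    if not m:
        raise ValueError("no ASA software version line found in show version output")
    status = asa_status(m.group(1))
    ifaces = webvpn_interfaces(running_config_webvpn)
    listeners = vpn_listeners(asp_table_socket)
    # Exposed only if the release is affected AND webvpn is actually reachable.
    exposed = status.startswith("affected") and bool(ifaces or listeners)
    return {"version": m.group(1), "status": status,
            "webvpn_interfaces": ifaces, "listeners": listeners, "exposed": exposed}


# Constructed sample outputs, modelled on the CLI excerpts in the advisory.
SHOW_VERSION = """Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.4(1)
"""
RUN_CFG_WEBVPN = """webvpn
 enable Outside
"""
ASP_TABLE = """Protocol  Socket    State      Local Address         Foreign Address
SSL       00005898  LISTEN     10.48.66.202:8443     0.0.0.0:*
TCP       00009718  LISTEN     10.48.66.202:23       0.0.0.0:*
SSL       00011cc8  LISTEN     10.48.66.202:443      0.0.0.0:*
DTLS      000172f8  LISTEN     10.48.66.202:443      0.0.0.0:*
"""

if __name__ == "__main__":
    print(assess(SHOW_VERSION, RUN_CFG_WEBVPN, ASP_TABLE))
```

Run it against captured outputs from each device (for example, the text returned over SSH by an inventory script); a device reporting `fixed` still shows up with its `webvpn` interfaces so that the listing can be cross-checked, and `unlisted` flags a train the advisory's table does not cover rather than silently treating it as safe.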
Administrators can use the `show version` command at the CLI to determine the FTD release:

```
show version
---------------------[ ftd ]---------------------
Model                     : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)
UUID                      : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
Rules update version      : 2017-03-15-001-vrt
VDB version               : 279
----------------------------------------------------
```

# Products Affected

The following products are affected if they are running a vulnerable version of CISCO ASA with the `webvpn` feature enabled:

* 3000 Series Industrial Security Appliance (ISA)
* ASA 5500 Series Adaptive Security Appliances
* ASA 5500-X Series Next-Generation Firewalls
* ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
* ASA 1000V Cloud Firewall
* Adaptive Security Virtual Appliance (ASAv)
* Firepower 2100 Series Security Appliance
* Firepower 4110 Security Appliance
* Firepower 9300 ASA Security Module
* Firepower Threat Defense Software (FTD)

The impacted versions of CISCO ASA are:

* 8.x (all versions)
* 9.0 (all versions)
* 9.1 prior to 9.1.7.23
* 9.2 prior to 9.2.4.27
* 9.3 (all versions)
* 9.4 prior to 9.4.4.16
* 9.5 (all versions)
* 9.6 prior to 9.6.4.3
* 9.7 prior to 9.7.1.21
* 9.8 prior to 9.8.2.20
* 9.9 prior to 9.9.1.2

The impacted versions of FTD Software are:

* 6.0.0
* 6.0.1
* 6.1.0
* 6.2.0
* 6.2.1
* 6.2.2

# Recommendations

For CISCO ASA, update to a release not affected by the vulnerability. If using version 8.x, 9.0, 9.3 or 9.5, you need to migrate to a higher CISCO ASA major release.

For FTD software, apply the provided hotfixes [3]. For versions 6.0.0 and 6.2.1, you also need to migrate to a higher FTD software version.

# References

[1]

[2]

[3]