This week I'll be taking a look at a Cisco ASA Remote Code Execution Vulnerability.
Name: CVE-2018-0101
Report Date: 01/29/2018
What does it affect?
Per the Cisco advisory this vulnerability impacts the following devices running the ASA software.
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 4120 Security Appliance
- Firepower 4140 Security Appliance
- Firepower 4150 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
- FTD Virtual
What's the big deal?
The big deal with this vulnerability is that sending specially crafted XML packets to an ASA device running an SSL VPN allows an attacker to reload the device or execute code on it remotely, which could give full control of the device. The exploit requires no authentication, and because an SSL VPN is by design deployed to terminate connections from the internet, the vulnerable service on the ASA is normally reachable from the outside world.
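To make that exposure concrete, here is an added example (not code from the post or from Cisco) that parses a constructed "show running-config" excerpt and flags any interface where the SSL VPN is enabled on a security-level-0 interface, the usual sign that the webvpn service faces the internet. The interface names and config lines are assumptions made for illustration.

```python
import re

# Constructed sample of "show running-config" output (not from the post);
# interface names and the webvpn settings are made up for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
webvpn
 enable outside
 anyconnect enable
"""

def interface_security_levels(config: str) -> dict[str, int]:
    """Map each nameif to its security-level (0 is the least trusted side)."""
    levels, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # a new interface block starts
        elif m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s+security-level (\d+)", line)) and nameif:
            levels[nameif] = int(m.group(1))
    return levels

def webvpn_enabled_interfaces(config: str) -> list[str]:
    """Interfaces listed as 'enable <nameif>' inside the top-level webvpn block."""
    enabled, in_webvpn = [], False
    for line in config.splitlines():
        if line == "webvpn":          # top-level block; an indented 'webvpn' under a
            in_webvpn = True          # group-policy is a different thing
        elif not line.startswith(" "):
            in_webvpn = False         # any unindented line closes the block
        elif in_webvpn and (m := re.match(r"\s+enable (\S+)$", line)):
            enabled.append(m.group(1))
    return enabled

def exposed_webvpn_interfaces(config: str) -> list[str]:
    """SSL VPN enabled on a security-level-0 interface: the exposure the post describes."""
    levels = interface_security_levels(config)
    return [i for i in webvpn_enabled_interfaces(config) if levels.get(i) == 0]

if __name__ == "__main__":
    print("SSL VPN reachable from untrusted interfaces:",
          exposed_webvpn_interfaces(SAMPLE_CONFIG) or "none")
```

Run it against a saved copy of a real running-config to get a quick inventory of which devices need the patch most urgently.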
How do we fix it?
Currently there are no workarounds for this vulnerability. Shortly after the exploit was released Cisco put out a patch to resolve the issue, and shortly after that Cisco discovered the patch only prevented a portion of the vulnerabilities. A new patch has since been released, and Cisco advises immediate updates for all impacted systems.