
Cisco ASA firewalls are exposed to the critical vulnerability CVE-2018-0101, which allows attackers to execute arbitrary code remotely. The same flaw can also cause a denial of service and force the device to reboot.
The flaw was discovered by security researcher Cedric Halbronn of the NCC Group, who plans to present the technical details at the Recon 2018 conference in Brussels on February 2.
What is the problem
The vulnerability lies in the Secure Sockets Layer (SSL) VPN functionality of Cisco ASA firewalls. According to the information published by the company, when the webvpn feature is enabled, the flaw results in a double free of a memory region.
To exploit it, an attacker crafts special XML packets and sends them to an interface on which webvpn is configured. This can lead to arbitrary code execution, giving the attacker complete control of the system, or to a reboot of the device. The vulnerability received the highest CVSS severity score.
Among the vulnerable Cisco ASA products:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense (FTD)
The vulnerability first appeared in Firepower Threat Defense 6.2.2, released in September 2017, the product that implements remote-access VPN functionality.
How to protect
Cisco has published a security bulletin that lists the recommended protection measures. First of all, device administrators are advised to check their software version and, if it is on the vulnerable list, install the released patches. According to the Cisco Product Security Incident Response Team (PSIRT), no attempts to exploit the vulnerability have been observed so far.
To detect the vulnerability, Positive Technologies experts also recommend using specialized tools, for example the MaxPatrol 8 security and compliance monitoring system.
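As an added illustration (not code from the original post, from Cisco or from Positive Technologies), the following Python script checks a saved ASA running-config for the exposure condition described above: the top-level `webvpn` block enabling the SSL VPN service on an interface with `enable <nameif>`. The configuration excerpt is constructed for the example; the `webvpn` / `enable <nameif>` syntax is standard ASA configuration, and nested `webvpn` sub-blocks under group policies are deliberately ignored because they do not open a listener.

```python
import re
from typing import Dict, List

# Constructed sample of an ASA running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.pkg 1
 anyconnect enable
group-policy DfltGrpPolicy attributes
 webvpn
  anyconnect ssl dtls enable
"""


def webvpn_enabled_interfaces(config: str) -> List[str]:
    """Return the nameif values on which the top-level 'webvpn' block
    contains 'enable <nameif>', i.e. where the SSL VPN service listens."""
    found: List[str] = []
    in_webvpn = False
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            # A top-level command starts a new block; only a bare 'webvpn'
            # at top level is the global SSL VPN configuration.
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn:
            # Indented line inside the global webvpn block, e.g. ' enable outside'
            # or ' enable outside tls-only'.
            match = re.match(r"\s+enable\s+(\S+)", line)
            if match:
                found.append(match.group(1))
    return found


def exposure_report(config: str) -> Dict[str, object]:
    """Summarise whether the device exposes the webvpn attack surface and where."""
    interfaces = webvpn_enabled_interfaces(config)
    return {"webvpn_exposed": bool(interfaces), "interfaces": interfaces}


if __name__ == "__main__":
    print(exposure_report(SAMPLE_CONFIG))
```

A device with `webvpn_exposed` set to true and a version on Cisco's affected list should be prioritised for patching.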