In late January, Cisco announced the critical vulnerability CVE-2018-0101 in Cisco ASA firewalls. It allowed attackers to remotely execute malicious code, conduct DDoS attacks, and reboot the system. Today, the vulnerability is "closed". We decided to look into the situation and take a closer look at the attack vector.
Image: Flickr / horst gutmann / CC

What was the vulnerability
The problem was discovered by Cedric Halbronn, a researcher at the information security consultancy NCC Group. It lay in the XML parser of the Cisco Adaptive Security Appliance firewall and concerned the allocation and freeing of memory while processing XML messages.
An attacker could send a specially crafted XML message to the WebVPN interface of the target device so that the same region of system memory was freed several times in a row (a double free). This crashed the device and gave the attacker the ability to run malicious code, modify data in system memory, and conduct DDoS attacks.
In total, the vulnerability affected more than ten Cisco products, from the 3000 Series Industrial Security Appliance and the ASA 5500-X Series Next-Generation Firewalls to the Firepower Security Appliance and Firepower Threat Defense (FTD) modules. The full list can be found at the link.
Cisco also identified 13 vulnerable ASA software features.
AnyConnect IKEv2 is among them:
    crypto ikev2 enable <interface_name>
    webvpn
     anyconnect enable
Cisco Security Manager, used to manage security policies:
    http server enable <port>
    http <remote_ip_address> <remote_subnet_mask> <interface_name>
As well as the REST API:
    rest-api image disk0:/<image name>
    rest-api agent
The list also includes the Firepower Threat Defense features: the HTTP service, AnyConnect SSL VPN and AnyConnect IKEv2.

Vulnerability patches
The vulnerability received the highest possible CVSS severity score. As Cisco noted, there was no workaround that protected users against all potential threats while preserving functionality. The only option was to narrow the circle of trusted hosts by restricting ASDM access with the CLI command:
    http <remote_ip_address> <remote_subnet_mask> <interface_name>
Cisco therefore urgently released patches covering the vulnerability. However, a few days later it turned out that the patches the developers had shipped did not solve all the problems.
The company conducted an additional investigation and found that more products were affected. At the same time, the initial patches introduced an additional DoS vulnerability. Cisco then hurried to release a new series of updates and recommended installing them as soon as possible.
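As an added illustration (not from the original article or from Cisco), the following Python script scans an ASA running-config for the advisory-listed features shown above and for ASDM `http` access rules whose mask admits any host, the kind of check an administrator could run while waiting for a maintenance window; the config fragment it scans is constructed, and the REST API image name is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample running-config fragment (not from a real device). It turns on
# several of the features the advisory lists and carries one over-broad ASDM rule.
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
http server enable 443
http 0.0.0.0 0.0.0.0 outside
http 10.1.1.0 255.255.255.0 inside
crypto ikev2 enable outside
webvpn
 enable outside
 anyconnect enable
rest-api image disk0:/asa-restapi-PLACEHOLDER.pkg
rest-api agent
"""

# Feature name -> pattern for the command that enables it (as listed above).
EXPOSED_FEATURES = {
    "ASDM/HTTP server": r"^http server enable\b",
    "AnyConnect IKEv2": r"^crypto ikev2 enable\b",
    "AnyConnect SSL VPN (webvpn)": r"^\s+anyconnect enable\b",
    "REST API agent": r"^rest-api agent\b",
}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def enabled_features(config: str) -> List[str]:
    """Return the listed features that this config enables, in EXPOSED_FEATURES order."""
    return [name for name, pat in EXPOSED_FEATURES.items()
            if re.search(pat, config, re.MULTILINE)]


def broad_http_rules(config: str) -> List[str]:
    """Return 'http <ip> <mask> <interface>' rules whose mask 0.0.0.0 admits every host."""
    rules = re.findall(rf"^http {IPV4} {IPV4} (\S+)$", config, re.MULTILINE)
    return [f"{ip} {mask} {ifname}" for ip, mask, ifname in rules if mask == "0.0.0.0"]


def assess(config: str) -> Dict[str, List[str]]:
    """Summarise exposure: enabled listed features and unrestricted ASDM access rules."""
    return {"features": enabled_features(config), "broad_http": broad_http_rules(config)}


if __name__ == "__main__":
    for key, items in assess(SAMPLE_CONFIG).items():
        print(f"{key}: {items or 'none'}")
```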
Some system administrators greeted the news of the new updates without enthusiasm: the first patches had already been installed, and updating again meant more downtime.
All updates are now available in the Cisco Software Center under Products > Security > Firewalls. At the moment the vulnerability is considered fully closed and, according to Cisco, attackers had not managed to exploit it.