The Perfect Bug Affects Cisco – Patch This Remote Code Execution Flaw Before You Become a Target
A programming bug in Cisco VPN has resulted in a critical vulnerability that affects ten different Adaptive Security Appliance (ASA) and Firepower Threat Defense Software products. The vulnerability, tracked as CVE-2018-0101, has been assigned the perfect score of 10 out of 10 in severity rating and can enable a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service (DoS) condition.
The flaw exists in ASA's Secure Sockets Layer (SSL) VPN functionality. If the webvpn feature is enabled on a device, a remote attacker can trigger the bug by sending specially crafted XML packets to a webvpn-configured interface on the affected system. "The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device," the advisory reads.
Cisco has now released software patches that address this major vulnerability affecting all Cisco devices running Adaptive Security Appliance (ASA) Software. The Cisco ASA Software is the core operating system for the Cisco ASA Family, which offers firewall, antivirus, intrusion prevention, and VPN capabilities. The following devices are vulnerable to this security hole (if they have the "webvpn" feature enabled):
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
The 10 out of 10 rating shows that the flaw is easy to exploit: it carries low complexity, can be exploited remotely, and doesn't require authentication. The company warns that the vulnerability was recently made public, which means it's important to install the patches as soon as possible. "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability described in this advisory," the company assures.
As for workarounds, Cisco suggested either installing the available patches or disabling the ASA VPN functionality, as there is no other way out of this security mess.
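To find which devices meet the exposure condition described above (webvpn enabled on an interface), the following added example, which is not Cisco's tooling or part of the original article, scans saved ASA running-configs for a top-level `webvpn` section containing `enable <interface>` lines. The device names and config text are constructed samples, and the `webvpn` / `enable <interface>` layout is assumed from ASA configuration syntax rather than taken from this article.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-asa-01
interface GigabitEthernet0/0
 nameif outside
!
interface GigabitEthernet0/1
 nameif inside
!
group-policy STAFF attributes
 webvpn
  anyconnect keep-installer installed
!
webvpn
 enable outside
 anyconnect enable
!
"""

ENABLE_RE = re.compile(r"enable\s+(\S+)")

def webvpn_interfaces(config_text):
    """Return sorted interface names enabled under the top-level webvpn section."""
    enabled = set()
    in_webvpn = False
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A new top-level command starts; only a bare "webvpn" opens the section.
            # The indented " webvpn" under a group-policy is per-group settings, not
            # the interface-level switch, so it never reaches this branch.
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn:
            # "enable outside" matches; "anyconnect enable" does not.
            m = ENABLE_RE.match(line.strip())
            if m:
                enabled.add(m.group(1))
    return sorted(enabled)

def audit(configs):
    """Map device name -> webvpn-enabled interfaces; unexposed devices are omitted."""
    return {name: ifs for name, text in configs.items()
            if (ifs := webvpn_interfaces(text))}

if __name__ == "__main__":
    print(audit({"edge-asa-01": SAMPLE_CONFIG}))
```

Devices this reports are the ones to prioritise for patching, or for disabling the VPN functionality until a fixed release is installed.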