Network technologies and trends

Feb 5 2018   10:19PM GMT

Cisco ASA Firewalls and Cisco FTDs can be exploited remotely due to “Remote Code Execution and Denial of Service Vulnerability” (updates)

Yasir Irfan

Tags:
Adaptive Security Device Manager
API
ASA
Cisco
Cisco ASA
Cisco Firewall
Code
Denial of Service
DOS
REMOTE
Software
SSL
VPN
vulnerability

In my previous post, I talked about the vulnerability in the Secure Sockets Layer (SSL) VPN functionality of Cisco Adaptive Security Appliance (ASA) Software that could allow an unauthenticated, remote attacker to cause a reload of the affected system or to execute code remotely. On January 29, 2018, Cisco recommended the following ASA versions as the first fixed releases for this vulnerability:

Cisco ASA Major Release   First Fixed Release
-----------------------   --------------------------------------
8.x¹                      Affected; migrate to 9.1.7.20 or later
9.0¹                      Affected; migrate to 9.1.7.20 or later
9.1                       9.1.7.20
9.2                       9.2.4.25
9.3¹                      Affected; migrate to 9.4.4.14 or later
9.4                       9.4.4.14
9.5¹                      Affected; migrate to 9.6.3.20 or later
9.6                       9.6.3.20
9.7                       9.7.1.16
9.8                       9.8.2.14
9.9                       9.9.1.2

However, a more recent post by Omar Santos on the Cisco blog explains how the vulnerability can be exploited using crafted XML messages.

[Image not reproduced here] Picture Courtesy: Cisco Blog

If an SSL or DTLS listen socket exists on the Cisco ASA, the ASA is vulnerable; even an ASA patched to one of the software versions listed above can still be exploited. It is therefore better to patch the Cisco ASA again with the ASA versions recommended below:

Cisco ASA Major Release   First Fixed Release
-----------------------   -----------------------------
8.x¹                      Affected; migrate to 9.1.7.23
9.0¹                      Affected; migrate to 9.1.7.23
9.1                       9.1.7.23
9.2                       9.2.4.27
9.3¹                      Affected; migrate to 9.4.4.16
9.4                       9.4.4.16
9.5¹                      Affected; migrate to 9.6.4.3
9.6                       9.6.4.3
9.7                       9.7.1.21
9.8                       9.8.2.20
9.9                       9.9.1.2

The Cisco Security Advisory has also been updated with a new set of vulnerable ASA features, together with the configuration that exposes each one:

Feature: Vulnerable Configuration

Adaptive Security Device Manager (ASDM)¹
    http server enable <port>
    http <remote_ip_address> <remote_subnet_mask> <interface_name>

AnyConnect IKEv2 Remote Access (with client services)
    crypto ikev2 enable <interface_name> client-services port <port #>
    webvpn
    anyconnect enable

AnyConnect IKEv2 Remote Access (without client services)
    crypto ikev2 enable <interface_name>
    webvpn
    anyconnect enable

AnyConnect SSL VPN
    webvpn
    enable <interface_name>

Cisco Security Manager²
    http server enable <port>
    http <remote_ip_address> <remote_subnet_mask> <interface_name>

Clientless SSL VPN
    webvpn
    enable <interface_name>

Cut-Through Proxy (not vulnerable unless used in conjunction with other vulnerable features on the same port)
    aaa authentication listener <interface_name> port <number>

Local Certificate Authority (CA)
    crypto ca server
    no shutdown

Mobile Device Manager (MDM) Proxy³
    mdm-proxy
    enable <interface_name>

Mobile User Security (MUS)
    webvpn
    mus password <password>
    mus host <hostname>
    mus <address> <mask> <interface_name>

Proxy Bypass
    webvpn
    proxy-bypass

REST API⁴
    rest-api image disk0:/<image name>
    rest-api agent

Security Assertion Markup Language (SAML) Single Sign-On (SSO)⁵
    N/A

¹ ASDM is vulnerable only from an IP address in the configured http command range.
² Cisco Security Manager is vulnerable only from an IP address in the configured http command range.
³ The MDM Proxy is first supported as of software release 9.3.1.
⁴ The REST API is first supported as of software release 9.3.2. The REST API is vulnerable only from an IP address in the configured http command range.
⁵ SAML SSO is first supported as of software release 9.6.

It is recommended to upgrade your ASA immediately to the newly recommended release in order to remediate this vulnerability.
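As an added example (my own script, not code from this post or from Cisco), the following Python checks an ASA version string as printed by `show version` against the updated fixed-release table above, and scans a `show running-config` dump for the enabling lines of the features in the advisory table. The feature-to-config-line mapping is my reading of that table, and the sample configuration inside the script is constructed.

```python
# Check an ASA version string and running-config against the updated fixed-release
# table and the vulnerable-feature table in this post. Added example, not a Cisco tool.
import re
# Major train -> first fixed release (updated table). Trains with no in-train
# fix (8.x, 9.0, 9.3, 9.5) must migrate to the release shown.
FIRST_FIXED = {"9.1": "9.1.7.23", "9.2": "9.2.4.27", "9.4": "9.4.4.16",
               "9.6": "9.6.4.3", "9.7": "9.7.1.21", "9.8": "9.8.2.20",
               "9.9": "9.9.1.2"}
MIGRATE = {"8": "9.1.7.23", "9.0": "9.1.7.23", "9.3": "9.4.4.16", "9.5": "9.6.4.3"}
# Feature -> regexes that must ALL match some config line. ASA indents webvpn
# sub-commands by one space, hence the leading space in some patterns.
FEATURES = {
    "ASDM / CSM / REST API (http server)": [r"^http server enable"],
    "AnyConnect IKEv2 (client services)": [r"^crypto ikev2 enable \S+ client-services"],
    "AnyConnect IKEv2 (no client services)": [r"^crypto ikev2 enable \S+$", r"^ anyconnect enable"],
    "AnyConnect / Clientless SSL VPN": [r"^webvpn$", r"^ enable \S+"],
    "Cut-Through Proxy (only with another listed feature on same port)": [r"^aaa authentication listener"],
    "Local CA": [r"^crypto ca server"],
    "MDM Proxy": [r"^mdm-proxy"],
    "Mobile User Security": [r"^ mus "],
    "Proxy Bypass": [r"^ proxy-bypass"],
    "REST API agent": [r"^rest-api agent"],
}
def _nums(v):  # '9.8(2)14' or '9.8.2.20' -> (9, 8, 2, 14)
    return tuple(int(n) for n in re.findall(r"\d+", v))

def version_status(version):
    """Return ('fixed'|'vulnerable'|'migrate'|'unknown', target release)."""
    n = _nums(version)
    major = "8" if n[0] < 9 else f"{n[0]}.{n[1]}"
    if major in MIGRATE:
        return "migrate", MIGRATE[major]
    if major not in FIRST_FIXED:
        return "unknown", None
    fixed = FIRST_FIXED[major]
    return ("fixed" if n >= _nums(fixed) else "vulnerable"), fixed

def exposed_features(config):
    """Names of listed features whose enabling lines are all present in config."""
    lines = config.splitlines()
    return [name for name, pats in FEATURES.items()
            if all(any(re.match(p, ln) for ln in lines) for p in pats)]

SAMPLE_CONFIG = """http server enable 443
http 10.0.0.0 255.255.255.0 inside
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
"""  # constructed sample, not taken from a real device
```

Run it against saved `show version` and `show running-config` output; the http-range footnotes above still apply, so an ASDM/CSM/REST API hit only matters from an address inside the configured `http` ranges.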
