Network technologies and trends

Feb 2 2018   12:40AM GMT

Cisco ASA Firewalls and Cisco FTDs can be exploited remotely due to “Remote Code Execution and Denial of Service Vulnerability”

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Tags:
ASA
Cisco
Cisco ASA
Cisco Firewall
Code
Denial of Service
DOS
REMOTE
Software
VPN
vulnerability

According to latest Cisco Security Advisories and Alerts update, Cisco ASA Firewalls, and Cisco FTDs can be exploited remotely provided WebVPN is configured on them. There is a vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

 

Following Cisco Products are affected by this vulnerability

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

One can discover whether their Cisco ASA is affected by running the Cisco ASA Command “ show running-config webvpn” as shown below

The following example shows the output of the command for a device that is running Cisco ASA Software and has WebVPN enabled on the Outside interface.

ciscoasa# show running-config webvpn

webvpn

enable Outside

The customer can also use the show asp table socket command and look for an SSL and a DTLS listen socket on TCP port 443. An SSL and DTLS listen socket on TCP port 443 must be present in order for the vulnerability to be exploited. The following example shows the output of the command for a device that has SSL and DTLS listen sockets on TCP port 443:

ciscoasa# show asp table socket

Protocol  Socket    State      Local Address       Foreign Address

SSL       00005898  LISTEN     10.48.66.202:8443    0.0.0.0:*

TCP       00009718  LISTEN     10.48.66.202:23      0.0.0.0:*

TCP       0000e708  LISTEN     10.48.66.202:22      0.0.0.0:*

SSL       00011cc8  LISTEN     10.48.66.202:443     0.0.0.0:*

DTLS      000172f8  LISTEN     10.48.66.202:443     0.0.0.0:*

 

Determining the ASA Running Software Release

To determine whether a vulnerable version of Cisco ASA Software is running on a device, administrators can use the show version command in the CLI. The following example shows the output of the command for a device that is running Cisco ASA Software Release 9.2(1):

ciscoasa# show version | include Version

Cisco Adaptive Security Appliance Software Version 9.2(1)

Device Manager Version 7.4(1)

Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage devices can locate the software release in the table that appears in the login window or the upper-left corner of the Cisco ASDM window.

 

FTD Software

This vulnerability applies to the FTD 6.2.2 software release, which was the first to support the Remote Access VPN feature. This release contains both Firepower and ASA code. Review Firepower Threat Defense Devices in the Cisco Firepower Compatibility Guide for additional information.

 

Determining the Running FTD Software Release

 

Administrators can use the show version command at the CLI to determine the FTD release. In this example, the device is running software release 6.2.2.

> show version

———————[ ftd ]———————

Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)

UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c

Rules update version : 2017-03-15-001-vrt

VDB version : 279

—————————————————-

 

In order to overcome this vulnerability, one has to upgrade their Cisco ASA and Cisco FTD appliances as there is no other workaround available.

Cisco has released a new ASA version of software which closes this vulnerability, so its recommend to install the recommend ASA Software based on the below table,

Cisco ASA Major Release  First Fixed Release 
8.x1 Affected; migrate to 9.1.7.20 or later
9.01 Affected; migrate to 9.1.7.20 or later
9.1 9.1.7.20
9.2 9.2.4.25
9.31 Affected; migrate to 9.4.4.14 or later
9.4 9.4.4.14
9.51 Affected; migrate to 9.6.3.20 or later
9.6 9.6.3.20
9.7 9.7.1.16
9.8 9.8.2.14
9.9 9.9.1.2

 

When it comes to FTD, Cisco FTD major release prior to 6.2.2 are not vulnerable simply because they were not supporting VPNs, the below table shows the details of the fix.

Cisco FTD Major Release  First Fixed Release 
Prior to 6.2.2 Not vulnerable
6.2.21 Cisco_FTD_Hotfix_AB-6.2.2.2-4.sh.REL.tar (All FTD hardware platforms except 21xx)
Cisco_FTD_SSP_FP2K_Hotfix_AC-6.2.2.2-6.sh.REL.tar (21xx FTD hardware platform)

 

Its recommended to take the advice of Cisco TAC and plan the software upgrade.

This vulnerability was discovered by Security researchers Cedric Halbronn form the NCC group and reported the same to Cisco. On Feb 2 2018 at the Recon Brussels conference, Cedric Halbronn is scheduled to deliver a talk on how he exploited this vulnerability.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: