Understanding the Attack Vectors of CVE-2018-0101 – Cisco ASA Remote Code Execution and Denial of Service Vulnerability
Cisco is committed to responsible coordinated disclosure about vulnerabilities, and maintains a very open relationship with the security research community. On January 29, 2018, the Cisco PSIRT learned about public knowledge of a remote code execution and denial of service vulnerability affecting the Cisco ASA and Cisco Next-Generation Firewall platforms. Inline with our security vulnerability disclosure policy, we immediately published a security advisory. This vulnerability was originally found by Cedric Halbronn from the NCC Group and Cisco PSIRT has been working with him to assess, fix and disclose this critical security vulnerability.
After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory. In addition, it was also found that the original list of fixed releases published in the security advisory were later found to be vulnerable to additional denial of service conditions. A new comprehensive fix for Cisco ASA platforms is now available.
Cisco puts the security of our customers first. When we have new information about a security vulnerability in our products, we strive to provide up-to-date information and updates to make sure our customers know what it is and how to address it.
The security advisory has been updated with information about the newly identified affected features and updated software fixes.
While Cisco PSIRT is not aware of any malicious use of this vulnerability, Cisco highly recommends all customers upgrade to a fixed software version. This proactive patching is especially important for those customers whose devices and configurations include potential exposure through the expanded attack surface.
Affected Device Identification
The security advisory lists details about the affected features and affected software versions. However, I would like to highlight one of the best methods that can be used to identify an affected device.
First, in order for an attacker to successfully exploit this vulnerability, the attacker must send a crafted XML message to an interface that is configured with one of the features described in the security advisory.
To be vulnerable the affected device must have Secure Socket Layer (SSL) services or IKEv2 Remote Access VPN services enabled on an interface.
Regardless of the features, you can use the show asp table socket command and look for an SSL or a DTLS listen socket on any TCP port, as shown below:
If a socket exists, you are vulnerable. You can also use the show asp table socket stats command to list the underlying SSL system statistics, as demonstrated below:
The NP SSL statistics indicate the number of each type of message received. Most indicate the start and completion of new SSL connections to either the SSL server or SSL client. This vulnerability only affects traffic destined to the affected device, not transient traffic. If your device terminates SSL connections, your device is vulnerable.
IKEv2 configurations are also affected. You can use the show run crypto ikev2 | grep enable command to assess if IKEv2 is enabled in your device, as shown below.
If a command like crypto ikev2 enable is present in the running configuration and the command anyconnect enable is part of the global webvpn configuration, the ASA device is also considered vulnerable.
In order for an attacker to exploit this vulnerability the offending packets must be received on an interface that has IKEv2 or any of the affected features described in the security advisory. Please refer to the security advisory for a complete list of affected features and configurations. These are only quick ways to accelerate the assessment.
If affected, Cisco strongly recommends that you update your device with fixed software.
Cisco PSIRT investigates and discloses vulnerabilities in Cisco products and services from the date of First Commercial Shipment (FCS) to the Last Day of Support to all customers and the public at the same time simultaneously. Cisco customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels, generally from the Cisco Support website. Cisco recommends contacting the TAC only with specific and imminent problems or questions.
In order to improve the overall security of the Internet, in the event of high-severity security vulnerabilities, Cisco also offers customers free software updates who purchased directly from Cisco but do not hold a Cisco service contract, as well as those who purchased through third-party vendors but cannot obtain fixed software through their point of sale . This is one example of a critical security vulnerability where access to fixed software is being extended. Non-contract customers who are eligible for the update may obtain it by contacting the Cisco Technical Assistance Center (TAC). To verify their entitlement, individuals who contact the TAC should provide the URL of the security advisory.
Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license. Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
This is also documented in our public security vulnerability policy.
The security community is always willing to help and Cisco PSIRT is aware of individuals posting Cisco ASA software at their own websites for other people to download. In order to ensure that you are downloading and installing genuine Cisco software, we highly recommend that you only obtain Cisco software from Cisco’s website or from the Cisco Technical Assistance Center (TAC) via any of the methods listed in the following link:
We always recommend that you verify the SHA512 checksum for all Cisco software. You can obtain more information on how to perform SHA checksum verification at a blog post I previously posted in the following link:
A Graphical View of the Affected Versions and First Fixed Information
The security advisory lists the details about all affected software versions and the first fixed releases. The following is a high-level graphical summary of the migration path for the Cisco ASA:
Firepower Threat Defense (FTD) Software is also affected by this vulnerability. A hotfix for Cisco FTD Software version 6.2.2 is now available. Please refer to the security advisory to obtain additional details.
Cisco recognizes the technology vendor’s role in protecting customers, and we won’t shy away from our responsibility to constantly be transparent with up-to-date information.