On January 29, Cisco released an advisory for a critical vulnerability in their Adaptive Security Appliance (ASA) software. The critical flaw, assigned CVE-2018-0101, has a CVSS score of 10.0 and could allow for a denial-of-service attack and remote code execution. On February 5, Cisco updated the advisory indicating they’d found additional attack vectors and more affected products. They also determined the original fix was incomplete. Early adopters of the patch will need to revisit the advisory and apply the latest update to their devices.
Vulnerability details
The vulnerability was originally found by NCC Group and has since been presented at REcon Brussels. The slides have been made available and the details of the vulnerability are now widely available. A denial-of-service proof of concept has already been published to Pastebin as well.
The vulnerability is reportedly a seven-year-old flaw within a Cisco XML parser. Using a crafted XML payload, a remote, unauthenticated attacker could cause a reload on an affected device or potentially execute arbitrary code. The original exploit, as written by NCC Group, uses IKEv1 fragmentation to leverage the XML vulnerability into code execution. As such, the additional interfaces added in the February 5, 2018, update (ASDM, CSM, Cut-Through Proxy, Local CA, MDM Proxy, and REST API) may only be vulnerable to denial-of-service attacks.
Identifying affected systems
Tenable has released Nessus® plugins manageable via Security Center or Tenable.io to detect systems affected by this critical flaw. The following table summarizes Tenable's coverage. Cisco has updated the advisory several times since the initial release to update the affected vectors as well as to make corrections to the patch versions. Tenable continues to monitor this situation and update our coverage as necessary.
Plugin ID | Description |
106484 | Cisco ASA Remote Code Execution and Denial of Service Vulnerability (cisco-sa-20180129-asa1) |
106630 | Cisco Firepower Threat Defense (FTD) Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability (cisco-sa-20180129-asa1) |
Note: Tenable is investigating alternate detection methods for these vulnerabilities, including investigating a proof of concept (PoC) for the Denial-of-Service (DoS) flaw.
What should you do?
If you’re running affected devices on your network, make sure you’re running the most current software release. Cisco notes in their advisory that customers should regularly review their security advisories to ensure they’re current and up-to-date on any new patches or software releases.
Get more information
- Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface
- Get a free 60-day trial of Tenable.io Vulnerability Management
- Cisco cisco-sa-20180129-asa1Advisory
- Cisco Blog on CVE-2018-0101
- NCC Research
Thanks to Jacob Baines for his contributions to this blog post.