Cisco Adaptive Security Appliance: very serious vulnerabilities in the VPN service

Even world leaders in IT and networking, such as Cisco, have security incidents. Devices from this company's Adaptive Security Appliance family contain a software vulnerability that has been assigned the maximum severity rating (CVSS 10/10). In short, this means that the vulnerability is trivial for an attacker to exploit, can be exploited remotely, and requires no authentication on the device.

CVE-2018-0101 in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) software allows an unauthenticated remote attacker to execute code on the device. This is a serious situation because the Cisco ASA family of products protects networks by providing firewalls, IPS systems, endpoint protection and VPN. Depending on the permissions of the affected process, exploiting this vulnerability gives the attacker the ability (in the context of the application) to execute code remotely: install programs, view settings, change and delete data, and even create new accounts with full rights.

Cisco Adaptive Security Appliance

Cisco reports that the exploit gives the attacker full control over the device, although one precondition must be met: the VPN function must be enabled on the device, which most companies use anyway. Whether the "webvpn" feature is active on the device can be checked from the CLI with the command "show running-config webvpn".
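To turn that CLI check into something an administrator can run over saved configurations from many devices, here is an added example (not from the article and not Cisco's own tooling) that parses the output of "show running-config webvpn" and reports which interfaces have the SSL VPN enabled; the sample output embedded below is constructed, and the interface names and AnyConnect image path in it are made up.

```python
import re
from typing import Dict, List

# Constructed sample of "show running-config webvpn" output from an ASA.
# Interface names and the AnyConnect image path are invented for illustration.
SAMPLE_WEBVPN_CONFIG = """\
webvpn
 enable outside
 enable dmz
 anyconnect image disk0:/anyconnect-win-4.5.02036-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
"""

# Constructed sample where the webvpn block exists but is enabled on no interface.
SAMPLE_WEBVPN_DISABLED = """\
webvpn
 anyconnect enable
"""

def parse_webvpn_config(text: str) -> Dict[str, object]:
    """Return the interfaces with webvpn enabled and whether AnyConnect is on.

    Only lines inside the top-level 'webvpn' block are considered; in ASA
    running-config output, sub-mode lines are indented by one space.
    """
    in_block = False
    enabled_ifaces: List[str] = []
    anyconnect = False
    for raw in text.splitlines():
        if not raw.startswith(" "):
            # A non-indented line starts a new top-level block.
            in_block = raw.strip() == "webvpn"
            continue
        if not in_block:
            continue
        line = raw.strip()
        m = re.fullmatch(r"enable\s+(\S+)", line)
        if m:
            enabled_ifaces.append(m.group(1))
        elif line == "anyconnect enable":
            anyconnect = True
    return {"enabled_interfaces": enabled_ifaces, "anyconnect": anyconnect}

def webvpn_exposed(text: str) -> bool:
    """True when webvpn is enabled on at least one interface, i.e. the
    precondition described in the article is met and patching is urgent."""
    return bool(parse_webvpn_config(text)["enabled_interfaces"])

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_WEBVPN_CONFIG), ("disabled", SAMPLE_WEBVPN_DISABLED)):
        print(name, parse_webvpn_config(cfg), "EXPOSED" if webvpn_exposed(cfg) else "not exposed")
```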

The following Cisco devices are affected:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

More detailed information on the vulnerability and on updating is provided by the manufacturer. Cisco also reports that no attacks exploiting the vulnerability have been observed in the wild. However, this does not lessen the seriousness of the threat.

We recommend that administrators implement the fix provided by Cisco, and before doing so check whether any unauthorized configuration modifications have been made, monitor for intrusion anomalies, and restrict external access to the affected devices until they are patched.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.