Cisco ASA Remote Code Execution & DOS Vulnerability
Release Date (01-29-2018) - Updated (02-05-2018) CVE-2018-0101
Affected Products - Must have WebVPN enabled to be vulnerable
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 4120 Security Appliance
- Firepower 4140 Security Appliance
- Firepower 4150 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
- FTD Virtual
Vulnerability Details
After further investigation, Cisco has identified additional attack vectors and features that are affected by this vulnerability. Cisco also found that the original fix was incomplete, so new fixed code versions are now available.
Topics: Information Security, Threat Advisory
Cisco ASA Remote Code Execution & DOS Vulnerability
Release Date (01-29-2018) CVE-2018-0101
Affected Products - Must have WebVPN enabled to be vulnerable
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
Vulnerability Details
This vulnerability affects an unknown function of the SSL VPN component within the ASA. It is triggered when an attacker attempts to double free a region of memory while the VPN component is active on the ASA. An attacker could exploit this vulnerability by sending multiple crafted XML packets to a webvpn-configured interface on the affected system.
Topics: Information Security, Threat Advisory
Spectre
Release Date (01-03-18) CVE-2017-5753 & CVE-2017-5715
Topics: Ethical Hacking, Threat Management, Threat Advisory
KRACK, or Key Reinstallation Attack, is a vulnerability in the WPA2 wireless security protocol. The majority of Wi-Fi network implementations at this time are vulnerable to this attack, as it exploits the protocol itself and not any specific brand or solution. As a whole, KRACK is focused on clients more than on APs; however, both need to be appropriately updated to avoid the vulnerabilities that make up KRACK. Do not switch to a different encryption scheme instead of maintaining an already stable implementation of WPA2, as it is still more secure than WEP or WPA despite this vulnerability.
Topics: Ethical Hacking, Threat Management, Threat Advisory
If you haven’t heard already, Equifax, one of the “big-three” U.S. credit bureaus, has announced a data breach that may have affected 143 million Americans, including consumer Social Security numbers, birth dates, addresses and some driver’s license numbers. For a good rundown of what has transpired so far, Krebs on Security has a solid in-depth article on it here. Every time there is a breach in the news, most other outlets swarm to a few different types of articles. Some popular directions are attribution, defense advice, or sensationalist journalism.
Topics: Managed Detection & Response, Ethical Hacking, Information Security, Threat Advisory
A few years back I had a lunch meeting with two IT Security veterans. One remarked, “There’s been no Pearl Harbor or 9/11 in cyber security. Nobody has ever died because of hacking.” If there was, there would have been a “rallying cry” or a massive response.
Topics: Information Security, Threat Management, Threat Advisory, Healthcare
VENOM (Virtualized Environment Neglected Operations Manipulation)
If you are currently utilizing Xen, KVM or QEMU virtualization products, you need to apply patches. VMware and Microsoft Hyper-V virtualization products are not affected.
Topics: Threat Hunting, Vulnerability Management, Threat Management, Threat Advisory
Affected Product
Cisco UCS Central Software versions 1.2 and earlier
If you are currently running Cisco UCS Central Software, you should update the software immediately.
Topics: Device Management, Information Security, Threat Advisory