Cisco issues new, complete fixes for critical flaw in enterprise security appliances

Cisco researchers have identified additional attack vectors and features that are affected by the “perfect 10” remote code execution and denial of service vulnerability they attempted to patch last Tuesday.


This discovery also means that the fix they pushed out at the time is incomplete, and administrators now have to update the vulnerable software again.

More on CVE-2018-0101

Initially, they thought that the vulnerability (CVE-2018-0101) only affected the webvpn feature of the Cisco Adaptive Security Appliance (ASA) software.

As it turns out, the number of affected features is much larger, and whether a given feature is exposed depends on how it is configured.

The scope of the vulnerability is also more extensive: aside from potentially allowing unauthenticated, remote attackers to cause a reload of the affected system or to execute code remotely, they might also make the ASA stop processing incoming Virtual Private Network (VPN) authentication requests due to a low memory condition.

“The vulnerability is due to an issue with allocating and freeing memory when processing a malicious XML payload. An attacker could exploit this vulnerability by sending a crafted XML packet to a vulnerable interface on an affected system,” Cisco said in the updated advisory.

“To be vulnerable the ASA must have Secure Socket Layer (SSL) services or IKEv2 Remote Access VPN services enabled on an interface. The risk of the vulnerability being exploited also depends on the accessibility of the interface to the attacker.”

Vulnerable devices

This vulnerability affects Cisco ASA software that is running on:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 4120 Security Appliance
  • Firepower 4140 Security Appliance
  • Firepower 4150 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)
  • FTD Virtual.

There are no workarounds that address all the features that are affected by this vulnerability, but management access to the security appliance can be restricted to trusted hosts.
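The two conditions the article relays from the advisory (SSL services or IKEv2 Remote Access VPN enabled on an interface, and management access not limited to trusted hosts) can be spotted in a saved running-config. The following is an added example, not Cisco's own check or anything from the advisory: it parses a constructed, hypothetical ASA `show running-config` excerpt and flags `webvpn ... enable <interface>`, `crypto ikev2 enable <interface> client-services`, and any `http`/`ssh` management statement whose network mask is `0.0.0.0`. The CLI keywords follow ASA syntax, but the mapping from those lines to "exposure" is this example's interpretation of the advisory text quoted above; it does not compare software versions against the fixed-release table, so a clean result here is not proof that a device is patched.

```python
"""Flag CVE-2018-0101 exposure conditions in an ASA running-config.

Checks (interpretation of the advisory text quoted in the article, not Cisco's):
  * SSL VPN enabled on an interface  ('webvpn' block with 'enable <if>')
  * IKEv2 RA VPN with client services ('crypto ikev2 enable <if> client-services')
  * management access open to any host ('http'/'ssh' with mask 0.0.0.0)
IPv4 statements only; the sample config below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: trimmed running-config of a hypothetical ASA "asa-edge".
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.0.0 255.255.255.0 inside
ssh 10.10.0.0 255.255.255.0 inside
webvpn
 enable outside
 anyconnect enable
crypto ikev2 enable outside client-services port 443
"""

QUAD = r"(\d{1,3}(?:\.\d{1,3}){3})"
MGMT_RE = re.compile(rf"(http|ssh) {QUAD} {QUAD} (\S+)$")
IKEV2_RE = re.compile(r"crypto ikev2 enable (\S+) client-services")
WEBVPN_ENABLE_RE = re.compile(r"\s+enable\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    feature: str
    interface: str
    detail: str


def parse_webvpn_interfaces(lines):
    """Interfaces named by 'enable <if>' inside the top-level 'webvpn' block.

    Indented ' webvpn' sub-blocks under group-policy are ignored: only the
    unindented 'webvpn' command opens the block, and any unindented command
    closes it.
    """
    enabled, in_block = [], False
    for line in lines:
        if line == "webvpn":
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                in_block = False
            else:
                m = WEBVPN_ENABLE_RE.match(line)
                if m:
                    enabled.append(m.group(1))
    return enabled


def find_exposure(config_text):
    """Return a list of Finding objects for the conditions described above."""
    lines = config_text.splitlines()
    findings = []
    for iface in parse_webvpn_interfaces(lines):
        findings.append(Finding("SSL VPN (webvpn)", iface, "webvpn enabled on interface"))
    for line in lines:
        m = IKEV2_RE.match(line)
        if m:
            findings.append(Finding("IKEv2 Remote Access VPN", m.group(1), line))
    # 'http <net> <mask> <if>' only matters once the HTTP (ASDM) server is on.
    http_enabled = "http server enable" in lines
    for line in lines:
        m = MGMT_RE.match(line)
        if not m:
            continue
        proto, net, mask, iface = m.groups()
        if proto == "http" and not http_enabled:
            continue
        if mask == "0.0.0.0":  # any-host: management reachable from the whole interface
            findings.append(Finding(f"{proto.upper()} management access", iface,
                                    f"unrestricted ({net} {mask})"))
    return findings


if __name__ == "__main__":
    for f in find_exposure(SAMPLE_CONFIG):
        print(f"[{f.interface}] {f.feature}: {f.detail}")
```

Run against the sample, the checker reports SSL VPN and IKEv2 on `outside` and the any-host `http` statement on `outside`; the `/24`-scoped `http` and `ssh` statements on `inside` are the "trusted hosts" form the article recommends and are not flagged. Point it at a real `show running-config` capture by replacing `SAMPLE_CONFIG`.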

As before, administrators are advised to upgrade to fixed releases – and hope that this is the last they’ve seen of this problem.

The Cisco Product Security Incident Response Team still says there is no indication that the vulnerability is being exploited in the wild, but that could soon change: Cedric Halbronn, the researcher who discovered and reported it, has shared details about it in a recent talk.

UPDATE (February 7, 2018): “Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory,” the company reported shortly after the latest update.
