There’s an eminently exploitable remote code execution flaw in the Adaptive Security Appliance (ASA) Software running on a number of Cisco enterprise appliances, and admins are advised to plug the hole as soon as possible.
The Cisco Product Security Incident Response Team (PSIRT) says that it is aware of public knowledge of the vulnerability, but not of any current malicious use of it. Nevertheless, active exploitation might be close at hand. Also, details about the vulnerability and exploit research will be shared this Friday at Recon Brussels 2018.
About the vulnerability
The vulnerability (CVE-2018-0101) has been found by Cedric Halbronn from the NCC Group in the Secure Sockets Layer (SSL) VPN functionality of the Cisco ASA Software.
“The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device,” Cisco explained.
The flaw is deemed critical, as it can be easily exploited by unauthenticated, remote attackers.
There are no available workarounds for it, but luckily Cisco has already pushed out fixed releases of the Cisco ASA Software, as well as of the Cisco FTD Software, which supports the vulnerable Remote Access VPN feature.
Among the vulnerable products are the 3000 Series Industrial Security Appliance (ISA), the ASA 5500-X Series Next-Generation Firewalls, the ASA 1000V Cloud Firewall, the Adaptive Security Virtual Appliance (ASAv), and many others.
Administrators are advised to upgrade to fixed releases. The complete list of affected appliances and fixes can be found here.