A warning has been issued by Cisco to its customers who are using its Adaptive Security Appliance (ASA) software to patch a dangerous VPN bug that a researcher will be revealing how to exploit this weekend. The bug was reported by NCC Group security researcher Cedric Halbronn, who will explain how he exploited the flaw in Cisco’s AnyConnect/WebVPN on ASA devices.
Cisco Warns Customers
According to Cisco's advisory, the ASA operating system that runs its network security devices has a severe double-free vulnerability in the Secure Sockets Layer VPN feature. The vulnerability can be triggered with specially crafted XML packets, and as a result an attacker can gain full access to the system. Cisco warns that an unauthenticated attacker can cause a reload of the affected system or remotely execute code.
The bug, CVE-2018-010, has been given a Common Vulnerability Scoring System (CVSS) score of 10 out of a possible 10 because it is easy to exploit and its impact could hardly be worse.
However, the advisory notes that ASA devices are exposed only if the webvpn feature is enabled, and Cisco has provided instructions for admins to check whether it is.
Cisco released FTD 6.2.2, which was the first release to support remote access VPN. The bug applies to FTD 6.2.2; systems running major FTD releases before 6.2.2 are not vulnerable.
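To illustrate the check Cisco describes, the following is an added example (not Cisco's own tooling or text from the advisory) that parses a saved ASA running-config and reports the interfaces on which the global webvpn feature is enabled; the sample configuration is constructed, and the script deliberately ignores the indented per-group-policy `webvpn` sub-blocks so they are not mistaken for the feature being switched on.

```python
"""Flag whether WebVPN (SSL VPN) is enabled in a saved Cisco ASA running-config.

Mirrors the idea behind inspecting `show running-config webvpn`: a device is
exposed only if the top-level `webvpn` section contains an `enable <interface>`
line.  Sample config below is constructed for illustration.
"""
import re

# Constructed sample, not taken from a real device.  Note the indented `webvpn`
# under `group-policy ... attributes`: that is a per-policy block and must not
# be confused with the global feature being enabled.
SAMPLE_CONFIG = """\
hostname lab-asa
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 webvpn
  anyconnect keep-installer installed
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
"""


def webvpn_enabled_interfaces(config: str) -> list:
    """Return the interfaces on which the global webvpn feature is enabled."""
    enabled = []
    in_block = False
    for line in config.splitlines():
        if not line.startswith(" "):
            # A column-0 line starts a new section; only the global `webvpn`
            # section (not an indented one inside a group-policy) counts.
            in_block = line.strip() == "webvpn"
            continue
        if in_block:
            match = re.match(r"^ enable (\S+)\s*$", line)
            if match:
                enabled.append(match.group(1))
    return enabled


def is_exposed(config: str) -> bool:
    """True when webvpn is listening on at least one interface."""
    return bool(webvpn_enabled_interfaces(config))


if __name__ == "__main__":
    ifaces = webvpn_enabled_interfaces(SAMPLE_CONFIG)
    print("webvpn enabled on:", ifaces or "no interface (not exposed)")
```

Run it against the output of `show running-config` saved to a file; an empty result means the webvpn feature is not enabled on any interface.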
The following systems are vulnerable:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches
- Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
Release Updates for fixes
Cisco has released free software updates that address the vulnerability described in this advisory and has also provided instructions for admins to see which versions of ASA and FTD they are running. Cisco advises customers to migrate to a supported release to receive the fix. The affected releases, and the release each customer should migrate to, are listed in a table on Cisco's website.
NCC Group researcher Cedric Halbronn worked on the PoC to exploit a pre-authentication vulnerability in Internet Key Exchange version 1 (IKEv1). NCC Group has made detailed information about the research available.