Cisco Adaptive Security Appliance Remote Code Execution

What some observers have labeled the “perfect bug” is raising concern in the security community. A bug in Cisco's VPN code has created a significant vulnerability that impacts two product sets. It has received the highest severity rating, a 10 out of 10 score, and can lead to a denial-of-service attack from unauthenticated, remote users.

Software patches have been released, and the threat experts at Masergy are closely monitoring the situation. The breakdown below summarizes what is known thus far; we will continue to provide updates as more information and analysis become available.

Overview

Cisco recently disclosed a vulnerability in Cisco Adaptive Security Appliance (ASA) software that could allow attackers to reload the system or perform unauthenticated remote code execution. If a successful remote code execution occurs, the attacker could obtain full control over the ASA.

Threat Intelligence

The Masergy Threat Intelligence Team is not aware of any reported exploitation of this vulnerability. Because the vulnerability can be exploited without authentication, and because ASA firewalls are typically accessible from the Internet, it is highly likely that threat actors will develop and use exploits targeting it.

Technical Summary

A remote attacker can send crafted XML packets to a webvpn-enabled interface and trigger a double-free memory error, which can lead to an unauthenticated reload of the system or to remote code execution. A double-free error occurs when the same memory location is freed twice; afterwards, multiple pointers in the SSL VPN function of the Cisco device refer to the same (already released) memory location.

Recommendations

We recommend the following actions be taken:

  • Update your ASA to a software version including the fix. To determine the version you should update to, we recommend referencing the table provided by Cisco in their advisory.
  • If the webvpn service is not in use or needed, disable webvpn services.
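Both recommendations can be checked from device output. The following is an added example, not code from this advisory or from Cisco: it parses a constructed ASA running-config excerpt to list the interfaces on which the global webvpn listener is enabled, and extracts the running release from a constructed `show version` banner so it can be compared with the fixed release you take from Cisco's advisory table. It assumes the standard ASA syntax of a top-level `webvpn` block containing ` enable <nameif>` lines; the fixed-release tuple in the code is a placeholder.

```python
import re

# Constructed ASA running-config excerpt (not from a real device). The indented
# ' webvpn' under group-policy is a client-settings sub-block, not the listener.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
!
webvpn
 enable outside
!
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
"""
# Constructed 'show version' banner; the version number is made up.
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.8(1)5"

def webvpn_interfaces(config: str) -> list[str]:
    """Return nameif values that the top-level webvpn block has 'enable'd."""
    enabled, in_webvpn = [], False
    for line in config.splitlines():
        if not line.startswith(" "):          # any top-level command ends a block
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn:
            m = re.fullmatch(r" enable (\S+)", line.rstrip())
            if m:
                enabled.append(m.group(1))
    return enabled

def parse_asa_version(banner: str) -> tuple[int, int, int, int]:
    """'... Software Version 9.8(1)5' -> (9, 8, 1, 5); a missing interim is 0."""
    m = re.search(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d*)", banner)
    if not m:
        raise ValueError("no ASA version string found")
    major, minor, maint, interim = m.groups()
    return int(major), int(minor), int(maint), int(interim or 0)

def needs_update(running: tuple[int, ...], fixed: tuple[int, ...]) -> bool:
    """True if the running release is older than the fixed release for the same
    train. Take 'fixed' from the table in Cisco's advisory; nothing here knows
    the real fixed versions."""
    return tuple(running) < tuple(fixed)

if __name__ == "__main__":
    print("webvpn enabled on:", webvpn_interfaces(SAMPLE_CONFIG) or "none")
    ver = parse_asa_version(SAMPLE_SHOW_VERSION)
    # (9, 8, 9, 9) is a placeholder for the advisory's fixed release, not a real one.
    print("running", ver, "-> update needed:", needs_update(ver, (9, 8, 9, 9)))
```

Compare only within one release train; each train has its own fixed release in Cisco's table.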

Systems Affected

Cisco ASA software running on the following Cisco products is affected:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)