Cisco ASA WebVPN Vulnerability

Published: 2018-01-30
Last Updated: 2018-01-31 15:35:06 UTC
by Kevin Liston (Version: 2)
8 comment(s)

Before I get too many "I'm surprised/disappointed you haven't mentioned..." emails let's get out a rough draft on CVE-2018-0101.

What is it?  A remote code execution and denial of service vulnerability with a base CVSS score of 10, affecting Cisco ASA devices that have webvpn configured with SSL support.

What's the hurry?  Details of the exploit research will be presented this weekend at Recon in Brussels, so it is getting some press.  Also, Cisco released the advisory yesterday, so people who are into that sort of thing are already writing their own tests, scanners and exploits.

How do I know if I'm affected?  I don't own one of these, so I don't have a great answer.  Do you have a Cisco ASA? (check your inventory)  Do you have webvpn configured? (check your config)  Does it support SSL, or is it TLS-only? (check your config)

I have one of these set up this way, now what do I do?  Upgrade to the 9.6 branch and patch.

I can't do that for reasons, what do I do?  Reduce the exposure by blocking unneeded networks.

Very funny, it's a vpn, I need that open to the Internet.  Do you really need it open to the ENTIRE Internet?

Yes, I'm a <industry> and <reasons>.  Okay, if you can't patch, and you can't block, then you must monitor.

Alright, how do I do that?  I'm going to have to get back to you on that. Update: You may want to look at these proposed IDS signatures: https://gist.github.com/fox-srt/09401dfdfc15652b22956b9cc59f71cb
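An added example (mine, not the diary author's or Cisco's): a Python helper that parses a saved copy of `show running-config webvpn` together with the group-policy `webvpn` sub-blocks, and reports whether WebVPN is enabled on any interface and whether DTLS is still in use on any policy, which the comments below identify as the exploit preconditions. The sample config is constructed; the `anyconnect ssl dtls {enable|none}` syntax and the default-enabled assumption are from my recollection of ASA 9.x and should be checked against your own platform.

```python
import re

# Constructed sample shaped like `show running-config webvpn` output plus the
# group-policy webvpn sub-blocks; interface and policy names are made up.
SAMPLE_CONFIG = """\
webvpn
 enable Outside
group-policy VPN_USERS attributes
 webvpn
  anyconnect ssl dtls enable
group-policy VPN_NODTLS attributes
 webvpn
  anyconnect ssl dtls none
"""

def parse_webvpn(config):
    """Collect WebVPN-enabled interfaces and the DTLS setting of each group policy."""
    found = {"interfaces": [], "policies": {}}
    section = None  # "webvpn" for the global block, otherwise a group-policy name
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):  # an unindented command opens a new section
            if line == "webvpn":
                section = "webvpn"
            elif m := re.match(r"group-policy (\S+) attributes$", line):
                section = m.group(1)
                # Assumption: a policy that never sets `anyconnect ssl dtls` keeps the default (enabled)
                found["policies"].setdefault(section, "default")
            else:
                section = None
            continue
        body = line.strip()
        if section == "webvpn":
            if m := re.match(r"enable (\S+)$", body):  # `enable <interface>`
                found["interfaces"].append(m.group(1))
        elif section is not None:
            if m := re.match(r"anyconnect ssl dtls (enable|none)$", body):
                found["policies"][section] = m.group(1)
    return found

def assess(config):
    """Return (webvpn_exposed, dtls_in_use); both True means the advisory's preconditions hold."""
    f = parse_webvpn(config)
    exposed = bool(f["interfaces"])
    dtls_in_use = exposed and (not f["policies"] or any(v != "none" for v in f["policies"].values()))
    return exposed, dtls_in_use
```

Both flags true on a device that cannot yet run a fixed release is the case the diary's block-or-monitor advice is aimed at.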

Keywords: cisco

Comments

Has anyone verified / validated those IDS signatures?

Cisco has now published an advisory that describes a few ways to determine if you are affected. Perhaps the easiest is:

ciscoasa# show running-config webvpn
webvpn
enable Outside

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

These signatures make no sense. The vulnerable service is running TLS, not IPSec (IKE/ISAKMP).

If you have a Cisco ASA 55xx (not the recent 55xx-X or the ones with FirePower), then you can't update beyond 9.2.3.

I looked up my old ASA-5505 on CCO and found I could run 9.2(4)25 which, according to Cisco's advisory, is the interim release which does have the fix. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

For those on ASA 9.1 who want to stay on the 9.1 branch (with the fix), you might want to look at the potentially show-stopping bugs in the 2 versions that include a patch.

https://bst.cloudapps.cisco.com/bugsearch/search?kw=*&pf=prdNm&pfVal=279513386&rls=9.1(7.21),9.1(7.20)&sb=afr

If that link doesn't work, it returns these 3 bugs:
https://tools.cisco.com/bugsearch/bug/CSCvh55375 (affects 9.1(7.20) )
https://tools.cisco.com/bugsearch/bug/CSCuy46176 (affects 9.1(7.21) )
https://tools.cisco.com/bugsearch/bug/CSCva92997 (affects 9.1(7.21) )

I noticed the same thing and would expect to see port 443.

According to Cisco, they stated there are no current workarounds for this vulnerability. The company has released software updates (code version 9.1.7.20 or later) that fix the vulnerability.

Later in their advisory they assert that both SSL and DTLS (Datagram Transport Layer Security) listen sockets on TCP port 443 must be present in order for the vulnerability to be exploited.

--> So, if that is the case, then is it not true that the possibility of vulnerability mitigation for this CVE does exist by disabling DTLS?

DTLS can be disabled at the interface or group policy.
See https://supportforums.cisco.com/t5/security-documents/anyconnect-dtls-vs-tls/ta-p/3164027 for more information regarding DTLS.

I completely understand that disablement of DTLS can negatively impact delay-sensitive applications, such as those used for voice and video. Even so, for those that, for whatever reasons, cannot upgrade their firmware or shut down their devices, I see this as a potentially better alternative than what Cisco wrote in their security advisory, "An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device."
