Cisco ASA WebVPN Vulnerability
Before I get too many "I'm surprised/disappointed you haven't mentioned..." emails, let's get out a rough draft on CVE-2018-0101.
What is it? A remote code execution and denial of service vulnerability with a base CVSS score of 10, affecting Cisco ASA devices that have webvpn configured with SSL support.
What's the hurry? Details of the exploit research will be presented this weekend at Recon in Brussels, so it's getting some press. Also, Cisco released the advisory yesterday, so people who are into that sort of thing are writing their own tests and scanners and exploits.
How do I know if I'm affected? I don't own one of these, so I don't have a great answer. Do you have a Cisco ASA? (check your inventory) Do you have webvpn configured? (check your config) Does it support SSL, or is it TLS support only? (check your config)
I have one of these set up this way, now what do I do? Upgrade to the 9.6 branch and patch.
I can't do that for reasons, what do I do? Reduce the exposure by blocking unneeded networks.
Very funny, it's a vpn, I need that open to the Internet. Do you really need it open to the ENTIRE Internet?
Yes, I'm a <industry> and <reasons>. Okay, if you can't patch, and you can't block, then you must monitor.
Alright, how do I do that? I'm going to have to get back to you on that. Update: You may want to look at these proposed IDS signatures: https://gist.github.com/fox-srt/09401dfdfc15652b22956b9cc59f71cb
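The "check your config" step above is the part most shops can automate: pull the running configuration from each ASA in inventory and look for webvpn enabled on an interface. The script below is an added example written for this diary, not code from the ISC or from Cisco. It parses an ASA running-config excerpt (a constructed sample is embedded) and reports which interfaces have webvpn enabled, whether each listener is TLS-only, and how DTLS is set in group policies. The `enable <interface> [tls-only]` and `anyconnect ssl dtls none|enable` syntax is assumed from the ASA CLI; confirm it against the command reference for your software version, and treat the Cisco advisory, not this script, as the authority on which versions are affected.

```python
"""Added example (not from the ISC diary or from Cisco): parse the text of
`show running-config` from a Cisco ASA and report WebVPN exposure.

Assumed config syntax (verify against your ASA version's command reference):
  webvpn
   enable <ifname> [tls-only]
  group-policy <name> attributes
   webvpn
    anyconnect ssl dtls none|enable
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
hostname ciscoasa
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
!
webvpn
 enable Outside
 enable Management tls-only
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 webvpn
  anyconnect ssl dtls none
group-policy GroupPolicy_Voice attributes
 webvpn
  anyconnect ssl dtls enable
"""


@dataclass
class WebvpnStatus:
    # interface name -> True when the listener is restricted to TLS only
    enabled_interfaces: Dict[str, bool] = field(default_factory=dict)
    # group-policy name -> True when DTLS is enabled for AnyConnect
    group_policy_dtls: Dict[str, bool] = field(default_factory=dict)

    @property
    def exposed(self) -> bool:
        """webvpn is listening on at least one interface."""
        return bool(self.enabled_interfaces)


def parse_webvpn(config: str) -> WebvpnStatus:
    """Walk the config line by line; ASA indents sub-commands by one space
    per nesting level, so an unindented line starts a new top-level block."""
    status = WebvpnStatus()
    in_webvpn = False   # inside the global `webvpn` block
    policy = None       # name of the group-policy whose attributes we are in
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            in_webvpn = stripped == "webvpn"
            m = re.match(r"group-policy (\S+) attributes$", stripped)
            policy = m.group(1) if m else None
            continue
        if in_webvpn:
            m = re.match(r"enable (\S+)( tls-only)?$", stripped)
            if m:
                status.enabled_interfaces[m.group(1)] = bool(m.group(2))
        elif policy:
            m = re.match(r"anyconnect ssl dtls (none|enable)$", stripped)
            if m:
                status.group_policy_dtls[policy] = m.group(1) == "enable"
    return status


def report(config: str) -> List[str]:
    """Human-readable findings, one per line, for an inventory sweep."""
    status = parse_webvpn(config)
    if not status.exposed:
        return ["webvpn is not enabled on any interface"]
    lines = []
    for ifname, tls_only in sorted(status.enabled_interfaces.items()):
        mode = "TLS only" if tls_only else "TLS with DTLS allowed"
        lines.append(f"webvpn enabled on {ifname} ({mode})")
    for name, dtls in sorted(status.group_policy_dtls.items()):
        lines.append(f"group-policy {name}: DTLS {'enabled' if dtls else 'disabled'}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` collected from each device; any "webvpn enabled on" line is a device to put on the patch or block list, and the DTLS lines tell you where the workaround discussed in the comments would even apply.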
Comments
Anonymous, Jan 31st 2018
ciscoasa# show running-config webvpn
webvpn
enable Outside
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
Anonymous, Jan 31st 2018
Anonymous
Jan 31st 2018
6 years ago
https://bst.cloudapps.cisco.com/bugsearch/search?kw=*&pf=prdNm&pfVal=279513386&rls=9.1(7.21),9.1(7.20)&sb=afr
If that link doesn't work, it returns these 3 bugs:
https://tools.cisco.com/bugsearch/bug/CSCvh55375 (affects 9.1(7.20) )
https://tools.cisco.com/bugsearch/bug/CSCuy46176 (affects 9.1(7.21) )
https://tools.cisco.com/bugsearch/bug/CSCva92997 (affects 9.1(7.21) )
Anonymous, Feb 1st 2018
Later in their advisory they assert that both SSL and DTLS (Datagram Transport Layer Security) listen socket on TCP port 443 must be present in order for the vulnerability to be exploited.
--> So, if that is the case, then is it not true the possibility of vulnerability mitigation for this CVE does exist by disabling DTLS?
DTLS can be disabled at the interface or group policy.
See https://supportforums.cisco.com/t5/security-documents/anyconnect-dtls-vs-tls/ta-p/3164027 for more information regarding DTLS.
I completely understand that disablement of DTLS can negatively impact delay-sensitive applications, such as those used for voice and video. Even so, for those that, for whatever reasons, cannot upgrade their firmware or shut down their devices, I see this as a potentially better alternative than what Cisco wrote in their security advisory: "An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device."