SANS ISC InfoSec Forums
Cisco ASA WebVPN Vulnerability

Before I get too many "I'm surprised/disappointed you haven't mentioned..." emails, let's get out a rough draft on CVE-2018-0101.

What is it?  A remote code execution and denial of service vulnerability with a base CVSS score of 10, affecting Cisco ASA devices that have webvpn configured with SSL support.

What's the hurry?  Details of the exploit research will be presented this weekend at Recon in Brussels, so it's getting some press.  Also, Cisco released the advisory yesterday, so people who are into that sort of thing are writing their own tests, scanners and exploits.

How do I know if I'm affected?  I don't own one of these, so I don't have a great answer.  Do you have a Cisco ASA? (check your inventory)  Do you have webvpn configured? (check your config)  Does it support SSL, or is it TLS-only? (check your config)

I have one of these set up this way, now what do I do?  Upgrade to the 9.6 branch and patch, or at least to the fixed release for your own branch as listed in Cisco's advisory (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1); older hardware that cannot run 9.6 still has interim fixed builds on the earlier branches.

I can't do that for reasons, what do I do?  Reduce the exposure by blocking the source networks that don't need to reach the VPN.

Very funny, it's a VPN, I need that open to the Internet.  Do you really need it open to the ENTIRE Internet?

Yes, I'm a <industry> and <reasons>.  Okay: if you can't patch, and you can't block, then you must monitor.

Alright, how do I do that?  I'm going to have to get back to you on that.  Update: you may want to look at these proposed IDS signatures: https://gist.github.com/fox-srt/09401dfdfc15652b22956b9cc59f71cb

Kevin Liston, ISC Handler (292 Posts)
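To make "check your config" concrete, here is an added example script of my own; it is not part of the ISC diary and not a Cisco tool. It runs offline against a saved copy of `show running-config` and answers the two questions that decide exposure: is webvpn enabled on an interface (an `enable <nameif>` line inside the top-level `webvpn` block, which is how I read the affected configuration; confirm the full list of affected feature configurations against Cisco's advisory), and is the running build at or above the fixed release for that branch. The fixed release is supplied by the operator from the advisory, nothing is hard-coded; the sample config, hostname and addresses are constructed for illustration, and the regexes reflect my assumptions about the config and version syntax (Cisco writes interim builds both as 9.1(7)21 and 9.1(7.21), so both are accepted).

```python
"""Offline check of a Cisco ASA running-config for CVE-2018-0101 exposure.

Added example (not from the ISC diary, not a Cisco tool). It works on the
saved text of `show running-config`, so it can run without touching the
device. The fixed release for the branch must be looked up by the operator
in Cisco's advisory; nothing about fixed versions is hard-coded here.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `show running-config` output (not a real device).
# webvpn is enabled on 'outside', so this box is exposed if unpatched.
SAMPLE_CONFIG = """\
ASA Version 9.2(4)18
!
hostname branch-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
  anyconnect ssl dtls enable
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.02036-webdeploy-k9.pkg 1
 anyconnect enable
!
"""

# Cisco writes interim builds two ways: 9.1(7)21 and 9.1(7.21). Accept both.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")


def parse_asa_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, maintenance, interim) from a bare version string
    or from the 'ASA Version ...' line of a running-config; None if absent."""
    line = re.search(r"ASA Version\s+(\S+)", text)
    target = line.group(1) if line else text
    m = _VERSION_RE.search(target)
    if not m:
        return None
    major, minor, maint, interim_dot, interim_tail = m.groups()
    interim = interim_dot or interim_tail or "0"
    return (int(major), int(minor), int(maint), int(interim))


def webvpn_enabled_interfaces(config: str) -> List[str]:
    """Interfaces named by `enable <nameif> ...` inside the top-level `webvpn`
    block. Indented `webvpn` sub-blocks under group-policy/tunnel-group are
    ignored: they tune the service, they do not open it on an interface.
    Any keywords after the interface name are not interpreted."""
    interfaces: List[str] = []
    in_block = False
    for line in config.splitlines():
        if line == "webvpn":            # top-level block starts at column 0
            in_block = True
            continue
        if in_block and not line.startswith(" "):
            in_block = False             # next top-level command ends the block
        if in_block:
            m = re.match(r"\s+enable\s+(\S+)", line)
            if m:
                interfaces.append(m.group(1))
    return interfaces


def is_at_or_above_fix(running: Tuple[int, ...], fixed: Tuple[int, ...]) -> bool:
    """True only when both versions sit on the same major.minor branch and the
    running build is not older than the fixed one. A different branch is
    reported as not fixed: 9.1(7)21 says nothing about a 9.2(4)x box."""
    return running[:2] == fixed[:2] and running >= fixed


def assess(config: str, fixed_release_for_branch: str) -> Dict[str, object]:
    """Combine the checks; `fixed_release_for_branch` is the release the
    operator looked up in the advisory for their own branch."""
    running = parse_asa_version(config)
    fixed = parse_asa_version(fixed_release_for_branch)
    ifaces = webvpn_enabled_interfaces(config)
    patched = (running is not None and fixed is not None
               and is_at_or_above_fix(running, fixed))
    return {
        "version": running,
        "webvpn_interfaces": ifaces,
        "patched": patched,
        "exposed": bool(ifaces) and not patched,
    }


if __name__ == "__main__":
    # Placeholder fixed release; replace with the value for your branch
    # from Cisco's advisory before trusting the verdict.
    print(assess(SAMPLE_CONFIG, "9.2(4)25"))
```

Run it against a real config with `python3 check_asa.py` after swapping in the saved file and the fixed release for your branch; a box with no `enable` line under `webvpn` comes back not exposed regardless of version, and a box on a different branch than the fixed release you supplied is deliberately reported as not patched rather than silently compared across branches.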
Chavez243 (15 Posts):
Has anyone verified / validated those IDS signatures?

Anonymous:
These signatures make no sense. The vulnerable service is running TLS, not IPsec (IKE/ISAKMP).

AndrewB (24 Posts):
If you have a Cisco ASA 55xx (not the recent 55xx-X or the ones with FirePower), then you can't update beyond 9.2.3.

Steven (12 Posts):
I looked up my old ASA-5505 on CCO and found I could run 9.2(4)25 which, according to Cisco's advisory, is the interim release that does have the fix. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

JDoe (5 Posts):
For those on ASA 9.1 who want to stay on the 9.1 branch (with the fix), you might want to look at the potentially show-stopping bugs in the two versions that include a patch.

https://bst.cloudapps.cisco.com/bugsearch/search?kw=*&pf=prdNm&pfVal=279513386&rls=9.1(7.21),9.1(7.20)&sb=afr

If that link doesn't work, it returns these 3 bugs:
https://tools.cisco.com/bugsearch/bug/CSCvh55375 (affects 9.1(7.20) )
https://tools.cisco.com/bugsearch/bug/CSCuy46176 (affects 9.1(7.21) )
https://tools.cisco.com/bugsearch/bug/CSCva92997 (affects 9.1(7.21) )