SANS ISC: Cisco ASA WebVPN Vulnerability

Before I get too many "I'm surprised/disappointed you haven't mentioned..." emails, let's get out a rough draft on CVE-2018-0101.

What is it?  A remote code execution and denial of service vulnerability with a CVSS base score of 10.0, affecting Cisco ASA devices that have webvpn enabled on an interface with SSL support.

What's the hurry?  Details of the exploit research will be presented this weekend at Recon in Brussels, so it's getting some press.  Cisco also released the advisory yesterday, so people who are into that sort of thing are writing their own tests, scanners and exploits.

How do I know if I'm affected?  I don't own one of these, so I don't have a great answer.  Do you have a Cisco ASA? (check your inventory)  Do you have webvpn enabled on an interface? (check your config)  Does that interface accept SSL/DTLS, or is it configured TLS-only? (check your config)

I have one of these set up this way, now what do I do?  Upgrade to a fixed release and patch.  The 9.6 branch has one; Cisco's advisory lists the fixed version for each branch, and the comments below mention fixed 9.1 and 9.2 releases for older hardware that cannot run 9.6.

I can't do that for reasons, what do I do?  Reduce the exposure by blocking access from networks that don't need it.

Very funny, it's a vpn, I need that open to the Internet.  Do you really need it open to the ENTIRE Internet?

Yes, I'm a <industry> and <reasons>.  Okay: if you can't patch and you can't block, then you must monitor.

Alright, how do I do that?  I'm going to have to get back to you on that. Update: you may want to look at these proposed IDS signatures:

Kevin Liston

292 Posts
ISC Handler
Jan 31st 2018
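To make the "check your config" steps above repeatable across a fleet, here is an added example (not code from the diary, from Cisco, or from any commenter) that parses saved `show running-config` output from an ASA and reports which interfaces have webvpn enabled and whether DTLS is allowed on them. The sample config is constructed for this example. The command syntax it recognises, `enable <interface> [tls-only]` under `webvpn` and `anyconnect ssl dtls {enable|none}` under a group-policy's `webvpn` sub-mode, is assumed from ASA 9.x configuration guides; if your release prints these differently, adjust the regular expressions. The DTLS output is informational only: the advisory as quoted in the comments lists no workaround, so treat "TLS only" as context for risk ranking, not as a fix.

```python
import re

# Constructed sample of `show running-config` output, assembled for this
# example (not from the page). Only the parts the check looks at are present.
SAMPLE_CONFIG = """\
hostname asa-edge
!
webvpn
 enable outside
 enable dmz tls-only
 anyconnect enable
 tunnel-group-list enable
!
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl dtls none
group-policy GroupPolicy_Voice internal
group-policy GroupPolicy_Voice attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl dtls enable
"""

# Assumed ASA syntax (see lead-in); tighten if your platform differs.
ENABLE_RE = re.compile(r"^enable (\S+)( tls-only)?$")
GP_ATTR_RE = re.compile(r"^group-policy (\S+) attributes$")
DTLS_RE = re.compile(r"^anyconnect ssl dtls (enable|none)$")


def assess_webvpn(config: str) -> dict:
    """Parse ASA running-config text and summarise WebVPN exposure.

    Returns a dict with:
      exposed        - True if webvpn is enabled on at least one interface
      interfaces     - {interface: dtls_allowed}; False when `tls-only` is set
      group_policies - {name: "enable" | "none" | None} from `anyconnect ssl dtls`
                       (None means the group-policy does not set it explicitly)
    """
    interfaces = {}
    group_policies = {}
    section = None          # "webvpn" or ("group-policy", name)
    in_gp_webvpn = False    # inside the webvpn sub-mode of a group-policy

    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()

        if indent == 0:
            # A top-level command ends the previous section and may start a new one.
            in_gp_webvpn = False
            if line == "webvpn":
                section = "webvpn"
            elif (m := GP_ATTR_RE.match(line)):
                section = ("group-policy", m.group(1))
                group_policies.setdefault(m.group(1), None)
            else:
                section = None
            continue

        if section == "webvpn":
            # `enable <iface>` without `tls-only` means DTLS is still offered there.
            if (m := ENABLE_RE.match(line)):
                interfaces[m.group(1)] = m.group(2) is None
        elif section is not None and section[0] == "group-policy":
            if indent == 1 and line == "webvpn":
                in_gp_webvpn = True
            elif in_gp_webvpn and (m := DTLS_RE.match(line)):
                group_policies[section[1]] = m.group(1)

    return {
        "exposed": bool(interfaces),
        "interfaces": interfaces,
        "group_policies": group_policies,
    }


def report(config: str) -> list:
    """Human-readable findings, one per line, for a ticket or inventory sheet."""
    result = assess_webvpn(config)
    if not result["exposed"]:
        return ["webvpn is not enabled on any interface"]
    lines = []
    for iface, dtls in sorted(result["interfaces"].items()):
        state = "SSL + DTLS" if dtls else "TLS only (tls-only keyword)"
        lines.append(f"webvpn enabled on interface {iface}: {state}")
    for name, dtls in sorted(result["group_policies"].items()):
        lines.append(f"group-policy {name}: anyconnect ssl dtls {dtls or '(default)'}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Run it against a directory of saved `show running-config` captures and anything with `exposed` set goes on the patch list first; the interface names tell you which ACLs or upstream filters to tighten if patching has to wait.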
Has anyone verified / validated those IDS signatures?

15 Posts
Cisco has now published an advisory that describes a few ways to determine if you are affected. Perhaps the easiest is:

ciscoasa# show running-config webvpn
enable Outside
Bill D.

2 Posts
These signatures make no sense. The vulnerable service is running TLS, not IPSec (IKE/ISAKMP).
If you have a Cisco ASA 55xx (not the recent 55xx-X or the ones with FirePower), then you can't update beyond 9.2.3.

24 Posts
I looked up my old ASA-5505 on CCO and found I could run 9.2(4)25 which, according to Cisco's advisory, is the interim release which does have the fix.

12 Posts
For those on ASA 9.1, and want to stay on the 9.1 branch (with the fix), you might want to look at the potentially show stopper bugs in the 2 versions that include a patch.*&pf=prdNm&pfVal=279513386&rls=9.1(7.21),9.1(7.20)&sb=afr

If that link doesn't work, it returns these 3 bugs: (affects 9.1(7.20) ) (affects 9.1(7.21) ) (affects 9.1(7.21) )

5 Posts
I noticed the same thing and would expect to see port 443.
According to Cisco, there are no current workarounds for this vulnerability. The company has released software updates (code version or later) which fix the vulnerability.

Later in their advisory they assert that both the SSL and the DTLS (Datagram Transport Layer Security) listen sockets on port 443 must be present in order for the vulnerability to be exploited.

--> So, if that is the case, then is it not true that the possibility of mitigating this CVE by disabling DTLS does exist?

DTLS can be disabled at the interface or group policy.
See for more information regarding DTLS.

I completely understand that disabling DTLS can negatively impact delay-sensitive applications, such as those used for voice and video. Even so, for those that, for whatever reason, cannot upgrade their firmware or shut down their devices, I see this as a potentially better alternative than what Cisco wrote in their security advisory: "An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device."

1 Posts
