{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2018-004.pdf"
    },
    "title": "UPDATE Critical Vulnerability in Cisco Adaptive Security Appliance",
    "serial_number": "2018-004",
    "publish_date": "31-01-2018 11:35:00",
    "description": "On the 29th of January 2018, CISCO published a security advisory for a<br>remote code execution and denial of service vulnerability affecting<br>Cisco Adaptive Security Appliance (ASA). The vulnerability is located in<br>the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive<br>Security Appliance (ASA) Software and could allow an unauthenticated,<br>remote attacker to cause a reboot of the affected system or to remotely<br>execute code. On the 5th of February 2018, CISCO updated the advisory<br>after identifying additional attack vectors and releasing new patches.",
    "url_title": "2018-004",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in Cisco Adaptive Security Appliance'\nversion: '1.1'\nnumber: '2018-004'\ndate: 'February 6, 2018'\n---\n\n_History:_\n\n* _31/01/2018 --- v1.0: Initial publication_\n* _06/01/2018 --- v1.1: Corrections after CISCO updated advisory_\n\n# Summary\n\nOn the 29th of January 2018, CISCO published a security advisory for a remote code execution and denial of service vulnerability affecting Cisco Adaptive Security Appliance (ASA) [1]. The vulnerability is located in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software and could allow an unauthenticated, remote attacker to cause a reboot of the affected system or to remotely execute code.\n\nOn the 5th of February 2018, CISCO updated the advisory after identifying additional attack vectors and releasing new patches.\n\n# Technical Details\n\nThe vulnerability received the following CVE: CVE-2018-0101 [2].\n\nThe vulnerability is due to an attempt to _double free_ a region of memory when the `webvpn` feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a `webvpn`-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reboot of the affected device.\n\nTo determine whether `webvpn` is enabled for at least one interface, administrators can use the `show running-config webvpn` command at the CLI and verify that the command returns at least one `enable <if_name>` line:\n\n\tciscoasa# show running-config webvpn\n\twebvpn\n\tenable Outside\n\nAdministrators can also use the `show asp table socket` command and look for an `SSL` and a `DTLS` listen socket on `TCP port 443`:\n\n\tciscoasa# show asp table socket\n\tProtocol  Socket    State      Local Address       Foreign Address\n\tSSL       00005898  LISTEN     10.48.66.202:8443    0.0.0.0:*\n\tTCP       00009718  LISTEN     10.48.66.202:23      0.0.0.0:*\n\tTCP       0000e708  LISTEN     10.48.66.202:22      0.0.0.0:*\n\tSSL       00011cc8  LISTEN     10.48.66.202:443     0.0.0.0:*\n\tDTLS      000172f8  LISTEN     10.48.66.202:443     0.0.0.0:*\n\nTo determine whether a vulnerable version of Cisco ASA Software is running on a device, administrators can use the `show version` command in the CLI:\n\n\tciscoasa# show version | include Version\n\tCisco Adaptive Security Appliance Software Version 9.2(1)\n\tDevice Manager Version 7.4(1)\n\nThis vulnerability also applies to the FTD 6.2.2 software release. Administrators can use the `show version` command at the CLI to determine the FTD release:\n\n\tshow version\n\t---------------------[ ftd ]---------------------\n\tModel : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)\n\tUUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c\n\tRules update version : 2017-03-15-001-vrt\n\tVDB version : 279\n\t----------------------------------------------------\n\n# Products Affected\n\nThe following products are affected if they are running a vulnerable version of CISCO ASA with the `webvpn` feature enabled:\n\n * 3000 Series Industrial Security Appliance (ISA)\n * ASA 5500 Series Adaptive Security Appliances\n * ASA 5500-X Series Next-Generation Firewalls\n * ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers\n * ASA 1000V Cloud Firewall\n * Adaptive Security Virtual Appliance (ASAv)\n * Firepower 2100 Series Security Appliance\n * Firepower 4110 Security Appliance\n * Firepower 9300 ASA Security Module\n * Firepower Threat Defense Software (FTD)\n\nThe impacted versions of CISCO ASA are:\n\n * 8.x (all versions)\n * 9.0 (all versions)\n * 9.1 prior to 9.1.7.23\n * 9.2 prior to 9.2.4.27\n * 9.3 (all versions)\n * 9.4 prior to 9.4.4.16\n * 9.5 (all versions)\n * 9.6 prior to 9.6.4.3\n * 9.7 prior to 9.7.1.21\n * 9.8 prior to 9.8.2.20\n * 9.9 prior to 9.9.1.2\n\nThe impacted versions of FTD Software are:\n\n * 6.0.0\n * 6.0.1\n * 6.1.0\n * 6.2.0\n * 6.2.1\n * 6.2.2\n\n# Recommendations\n\nFor CISCO ASA, update to a release not affected by the vulnerability. If using version 8.x, 9.0, 9.3 or 9.5, you need to migrate to a higher CISCO ASA major release.\n\nFor FTD software, apply the provided hotfixes [3]. For versions 6.0.0 and 6.2.1, you also need to migrate to a higher FTD software version.\n\n# References\n\n[1] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1>\n\n[2] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0101>\n\n[3] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1#fixed>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>31/01/2018 --- v1.0: Initial publication</em></li><li><em>06/01/2018 --- v1.1: Corrections after CISCO updated advisory</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 29th of January 2018, CISCO published a security advisory for a remote code execution and denial of service vulnerability affecting Cisco Adaptive Security Appliance (ASA) [1]. The vulnerability is located in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software and could allow an unauthenticated, remote attacker to cause a reboot of the affected system or to remotely execute code.</p><p>On the 5th of February 2018, CISCO updated the advisory after identifying additional attack vectors and releasing new patches.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability received the following CVE: CVE-2018-0101 [2].</p><p>The vulnerability is due to an attempt to <em>double free</em> a region of memory when the <code>webvpn</code> feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a <code>webvpn</code>-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reboot of the affected device.</p><p>To determine whether <code>webvpn</code> is enabled for at least one interface, administrators can use the <code>show running-config webvpn</code> command at the CLI and verify that the command returns at least one <code>enable &lt;if_name&gt;</code> line:</p><pre><code>ciscoasa# show running-config webvpn\nwebvpn\nenable Outside\n</code></pre><p>Administrators can also use the <code>show asp table socket</code> command and look for an <code>SSL</code> and a <code>DTLS</code> listen socket on <code>TCP port 443</code>:</p><pre><code>ciscoasa# show asp table socket\nProtocol  Socket    State      Local Address       Foreign Address\nSSL       00005898  LISTEN     10.48.66.202:8443    0.0.0.0:*\nTCP       00009718  LISTEN     10.48.66.202:23      0.0.0.0:*\nTCP       0000e708  LISTEN     10.48.66.202:22      0.0.0.0:*\nSSL       00011cc8  LISTEN     10.48.66.202:443     0.0.0.0:*\nDTLS      000172f8  LISTEN     10.48.66.202:443     0.0.0.0:*\n</code></pre><p>To determine whether a vulnerable version of Cisco ASA Software is running on a device, administrators can use the <code>show version</code> command in the CLI:</p><pre><code>ciscoasa# show version | include Version\nCisco Adaptive Security Appliance Software Version 9.2(1)\nDevice Manager Version 7.4(1)\n</code></pre><p>This vulnerability also applies to the FTD 6.2.2 software release. Administrators can use the <code>show version</code> command at the CLI to determine the FTD release:</p><pre><code>show version\n---------------------[ ftd ]---------------------\nModel : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)\nUUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c\nRules update version : 2017-03-15-001-vrt\nVDB version : 279\n----------------------------------------------------\n</code></pre><h2 id=\"products-affected\">Products Affected</h2><p>The following products are affected if they are running a vulnerable version of CISCO ASA with the <code>webvpn</code> feature enabled:</p><ul><li>3000 Series Industrial Security Appliance (ISA)</li><li>ASA 5500 Series Adaptive Security Appliances</li><li>ASA 5500-X Series Next-Generation Firewalls</li><li>ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers</li><li>ASA 1000V Cloud Firewall</li><li>Adaptive Security Virtual Appliance (ASAv)</li><li>Firepower 2100 Series Security Appliance</li><li>Firepower 4110 Security Appliance</li><li>Firepower 9300 ASA Security Module</li><li>Firepower Threat Defense Software (FTD)</li></ul><p>The impacted versions of CISCO ASA are:</p><ul><li>8.x (all versions)</li><li>9.0 (all versions)</li><li>9.1 prior to 9.1.7.23</li><li>9.2 prior to 9.2.4.27</li><li>9.3 (all versions)</li><li>9.4 prior to 9.4.4.16</li><li>9.5 (all versions)</li><li>9.6 prior to 9.6.4.3</li><li>9.7 prior to 9.7.1.21</li><li>9.8 prior to 9.8.2.20</li><li>9.9 prior to 9.9.1.2</li></ul><p>The impacted versions of FTD Software are:</p><ul><li>6.0.0</li><li>6.0.1</li><li>6.1.0</li><li>6.2.0</li><li>6.2.1</li><li>6.2.2</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>For CISCO ASA, update to a release not affected by the vulnerability. If using version 8.x, 9.0, 9.3 or 9.5, you need to migrate to a higher CISCO ASA major release.</p><p>For FTD software, apply the provided hotfixes [3]. For versions 6.0.0 and 6.2.1, you also need to migrate to a higher FTD software version.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0101\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0101</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1#fixed\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1#fixed</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}