A new critical flaw in Cisco's Adaptive Security Appliance software could allow dangerous remote attacks and requires...
a patch to mitigate.
The Cisco ASA vulnerability received the highest severity rating of 10.0 on CVSS and according to Cisco, it could "allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code."
"The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system," Cisco wrote in a security advisory. "An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device."
Kevin Beaumont, a security architect based in the U.K., said on Twitter the Cisco ASA vulnerability was disclosed early and called it "one of the bigger bugs."
If you run a supported ASA release you can jump to the listed versions. If you're on 9.0 or 9.3 you need to upgrade to a supported release. If you have obsolete hardware, you may want to move VPN to a different product.— Kevin Beaumont (@GossiTheDog) January 29, 2018
According to the official advisory, the Cisco ASA vulnerability has no mitigations, and the only way to secure affected devices is to apply the patch.
Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team, said the Cisco ASA vulnerability could be exploited by an attacker "to harvest credentials, as well as to monitor and manipulate traffic, which should be protected by the VPN."
"The danger is further compounded by the fact that attackers can easily locate public SSL VPN terminals through services like Shodan, as well as by searching certificate transparency logs for security certificates containing the word VPN," Young told SearchSecurity. "In general, an attacker must have some degree of knowledge or control over the remote memory layout. In practical terms, this means that attackers will need to study the vulnerability and develop reliable exploit methods specific for different firmware versions. Developing these exploits would not be within reach of the average hacker, as it requires rather extensive knowledge about the ASA operating system and how it manages system memory."
Mounir Hahad, head of threat research at Juniper Networks, described a range of attacks that could leverage the Cisco ASA vulnerability.
"Typically, WebVPN is enabled on edge firewalls, which means this particular vulnerability is exploitable directly from the internet. It is fairly easy to exploit as it only requires crafting specific XML packets to a WebVPN configured device. An attacker could take full control of the firewall: They could change the running configuration of the device, allow inbound traffic that should be blocked and infiltrate the organization," Hahad told SearchSecurity. "They could also simply launch a denial-of-service attack by restarting the device continuously, which will basically shutdown internet connectivity to an entire organization. For cloud services, the entire service could go offline."