Marina Kidron, Director of Threat Intelligence in the Skybox Research Lab
A vulnerability recently surfaced in Cisco ASA, affecting Cisco Firepower and other Cisco devices. Exploiting the vulnerability (CVE-2018-0296) could cause an affected device to reload unexpectedly, resulting in a remote denial of service, or could lead to information disclosure; the root cause is a path traversal issue.
The vulnerability exists in the web interface and applies to both IPv4 and IPv6 traffic. It does not require user interaction — the Cisco ASA vulnerability can be exploited simply by sending a specially crafted HTTP packet to an affected device.
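Because the issue is a path traversal reachable through a single crafted HTTP request, the first place a defender looks is the web-interface access log. The following Python helper is an added example, not code from the Skybox post, from Cisco, or from the public POC: it normalises request targets (percent-encoding, double encoding, backslash separators) and flags any request that carries a `..` segment in its path or query. The log lines, addresses and the common-log-style format are constructed for the example and are not the ASA's own log format.

```python
"""Flag HTTP requests whose path or query carries directory-traversal segments.

Added example for log triage; the sample lines below are constructed, not real
Cisco ASA logs, and the log format is an assumption for the example.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common-log style; constructed, not ASA output).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jun/2018:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [28/Jun/2018:10:01:15 +0000] "GET /img/../../private/config HTTP/1.1" 404 0
198.51.100.9 - - [28/Jun/2018:10:02:01 +0000] "GET /a/%2e%2e/%2e%2e/b HTTP/1.1" 404 0
198.51.100.9 - - [28/Jun/2018:10:02:03 +0000] "GET /a/%252e%252e/b HTTP/1.1" 404 0
192.0.2.4 - - [28/Jun/2018:10:03:44 +0000] "GET /docs/file..txt HTTP/1.1" 200 99
192.0.2.4 - - [28/Jun/2018:10:03:50 +0000] "GET /x\\..\\y HTTP/1.1" 404 0
203.0.113.7 - - [28/Jun/2018:10:04:02 +0000] "GET /list?dir=..%2F..%2F HTTP/1.1" 200 77
"""

# One common-log-style line: source, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Undo (possibly repeated) percent-encoding and treat backslashes as
    path separators, so that '..' segments become directly comparable."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace('\\', '/')


def has_traversal(target: str) -> bool:
    """True if any path segment or query value segment is exactly '..'.
    Splitting on '/', '?', '&' and '=' covers '..' hidden in query values too.
    'file..txt' is a legitimate name and is not flagged."""
    return any(seg == '..' for seg in re.split(r'[/?&=]', normalize_target(target)))


def triage(log_text: str) -> list:
    """Return one record per request that contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m['target']):
            continue
        hits.append({
            'src': m['src'],
            'ts': m['ts'],
            'target': m['target'],
            'normalized': normalize_target(m['target']),
            'status': int(m['status']),
        })
    return hits


if __name__ == '__main__':
    for h in triage(SAMPLE_LOG):
        print(f"{h['src']} {h['ts']} {h['target']} -> {h['normalized']} ({h['status']})")
```

Note that the HTTP status is reported rather than used as a filter: a request that escaped its directory can succeed with 200, and a device that reloaded may never have logged a response at all, so a burst of traversal attempts followed by silence from the device is itself worth correlating with the reload.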
Cisco ASA Exploits
Cisco published (and patched) the vulnerability on June 6, 2018. But on June 22, Cisco acknowledged that a proof-of-concept (POC) exploit had been published and that the flaw was being exploited in the wild: “Cisco PSIRT has become aware of a public proof-of-concept exploit and is aware of customer device reloads related to this vulnerability.”
The Python code used in the POC can be traced back to a public post on ExploitDB published on June 28. Exploitation in the wild is currently limited, but could grow.
Cisco ASA Hit With High-Profile Vulnerabilities
Earlier this year, hackers exploited another Cisco ASA flaw (CVE-2018-0101) just five days after Cisco had released one of two patches. That vulnerability, in the secure sockets layer (SSL) VPN functionality of Cisco ASA, was due to an issue with allocating and freeing memory when processing a malicious XML payload. A remote attacker could exploit it by sending crafted XML packets to a vulnerable interface on an affected system. A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the system, cause a reload of the affected device, or stop the device from processing incoming VPN authentication requests.
Back in 2017, The Shadow Brokers published two privilege escalation exploits against this Cisco ASA vulnerability, dubbed EPICBANANA and EXTRABACON, meaning Cisco ASA is a well-known target at this point.
Protecting Against Cisco ASA Exploits
Affected users should patch their software and track the patching process to ensure its completion.
Skybox® Vulnerability Control customers can manage the entire process of rooting out these vulnerabilities:
• Use the Skybox Vulnerability Detector feature to discover the Cisco ASA vulnerabilities without a scan. Scanless assessment is particularly beneficial to detect vulnerabilities on network devices and zones — including operational technology networks — which often limit or prohibit active scanning.
• Identify well-known vulnerabilities on infrastructure devices and know when those devices need to be updated due to a critical vulnerability. Automated correlation of vulnerability occurrences with the Skybox intelligence feed will also show customers clearly which vulnerabilities have POC exploit code or active exploits in the wild; vulnerabilities with active exploits are prioritized as an imminent threat and should be addressed immediately.
• Know the patches available to address the Cisco ASA vulnerabilities and use Skybox Remediation Center to track remediation status, ensuring all procedures were carried out properly and no devices were omitted.
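The second and third bullets describe two pieces of logic: correlating each vulnerability occurrence with an intelligence feed so that in-the-wild exploitation outranks a public POC, which in turn outranks no known exploit, and then tracking per-CVE remediation until no device is left out. The Python below is an added example of that workflow and is not Skybox code or a description of how Skybox implements it. The device names, the CVSS scores, the patched flags and the placeholder `CVE-0000-EXAMPLE` entry are constructed; only the two CVE identifiers named in the post are real, and their feed status mirrors what the post says about them.

```python
"""Prioritise vulnerability occurrences by exploit status, then track remediation.

Added example, not Skybox code. Inventory, scores and feed entries are
constructed placeholders for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Occurrence:
    """One vulnerability observed on one device."""
    device: str
    cve: str
    cvss: float      # illustrative score, not taken from the advisories
    patched: bool


# Constructed intelligence feed: exploit status per CVE. The two 2018 CVEs are the
# ones named in the post; CVE-0000-EXAMPLE is a placeholder with no known exploit.
INTEL_FEED = {
    "CVE-2018-0296": {"poc": True, "in_the_wild": True},
    "CVE-2018-0101": {"poc": True, "in_the_wild": True},
    "CVE-0000-EXAMPLE": {"poc": False, "in_the_wild": False},
}

TIER_NAMES = {3: "imminent", 2: "poc-available", 1: "no-known-exploit"}


def exploit_tier(cve: str) -> int:
    """3 = exploited in the wild, 2 = public POC only, 1 = nothing known.
    An unknown CVE falls into tier 1 rather than raising."""
    status = INTEL_FEED.get(cve, {})
    if status.get("in_the_wild"):
        return 3
    if status.get("poc"):
        return 2
    return 1


def prioritize(occurrences: list) -> list:
    """Unpatched occurrences only, highest exploit tier first, then by CVSS,
    then by device name so the order is stable and reproducible."""
    open_occ = [o for o in occurrences if not o.patched]
    return sorted(open_occ, key=lambda o: (-exploit_tier(o.cve), -o.cvss, o.device))


def remediation_status(occurrences: list, cve: str) -> dict:
    """Per-CVE coverage: which devices are done, which are still exposed, and
    whether the rollout can be signed off (no pending devices)."""
    affected = [o for o in occurrences if o.cve == cve]
    done = sorted(o.device for o in affected if o.patched)
    pending = sorted(o.device for o in affected if not o.patched)
    return {
        "cve": cve,
        "tier": TIER_NAMES[exploit_tier(cve)],
        "total": len(affected),
        "patched": done,
        "pending": pending,
        "complete": not pending,
    }


# Constructed inventory of occurrences (device names and flags are placeholders).
SAMPLE_OCCURRENCES = [
    Occurrence("asa-edge-01", "CVE-2018-0296", 8.6, patched=False),
    Occurrence("asa-edge-02", "CVE-2018-0296", 8.6, patched=True),
    Occurrence("asa-dmz-01", "CVE-2018-0101", 10.0, patched=False),
    Occurrence("asa-dmz-01", "CVE-0000-EXAMPLE", 9.8, patched=False),
    Occurrence("fpr-core-01", "CVE-2018-0296", 8.6, patched=False),
]


if __name__ == "__main__":
    for o in prioritize(SAMPLE_OCCURRENCES):
        print(f"{TIER_NAMES[exploit_tier(o.cve)]:>17}  {o.cve}  {o.device}  cvss={o.cvss}")
    print(remediation_status(SAMPLE_OCCURRENCES, "CVE-2018-0296"))
```

The ordering deliberately puts exploit status ahead of CVSS: in the constructed inventory the placeholder CVE has a higher score than CVE-2018-0296, yet it ranks last because nothing in the feed says it is exploited, while the two CVEs with in-the-wild activity rise to the top regardless of score. The remediation view answers the third bullet's question directly: the rollout is only complete when the pending list for that CVE is empty.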