Cisco ASA VPN feature allows remote code execution

Cisco has urged users of its Adaptive Security Appliance firewall device to upgrade their software as soon as possible to prevent unauthenticated attackers from running arbitrary code remotely.

In its advisory, Cisco said the vulnerability stems from a flaw in the secure sockets layer (SSL)-based virtual private networking (VPN) component of the ASA device, which is used for remote access.

By sending data packets containing specially crafted XML files to ASA devices with the WebVPN interface, attackers can run any code they like and take full control of vulnerable systems.

The CVE-2018-0101 flaw can also be exploited to reload the firewall, Cisco warned.

WebVPN provides access to a broad range of web resources and web-enabled applications from almost any computer on the internet, such as internal websites, Outlook Web Access, and email proxies, among others.

Major versions 8.x, 9.0, 9.3 and 9.5 of Cisco's ASA software are affected. Users are advised to migrate to version 9.1.7.20 or later for the first two older variants, and 9.4.4.14 and 9.6.3.20 for the two latter ones.

Firepower Threat Defence software version 6.2.2.2 is also vulnerable, and customers should upgrade to FTD version 6.2.2.2-4 or 6.2.2.2-6.

Cisco's 3000, 5000 and 5500 series ASA firewalls are affected, as is the ASA Services Module for the Catalyst 6500 and 7600 series switches and routers.

The Adaptive Security Virtual Appliance and the Firepower 2100 and 4110 devices are also vulnerable, as well as the Firepower 9300 security module and Threat Defence Software.

iTnews has contacted Cisco to clarify if disabling the WebVPN component mitigates against the vulnerability.

To determine if a vulnerable version of Cisco ASA software runs on a device, customers are advised to use the show version command, or the Adaptive Security Device Manager.

Update: A company spokesperson said that while Cisco does not consider disabling the WebVPN feature a mitigation, the ASA products are not vulnerable if the service isn’t running.

They said WebVPN is not enabled by default in the Cisco ASAs.