Remote code execution in Cisco Adaptive Security Appliance (ASA)
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-0101 |
| CWE-ID | CWE-415 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Cisco Adaptive Security Appliance (ASA) Hardware solutions / Security hardware applicances Cisco ASA 5500 Hardware solutions / Security hardware applicances Cisco ASA 5500-X Series Hardware solutions / Security hardware applicances Cisco Catalyst 6500 Series ASA Services Module Hardware solutions / Security hardware applicances Cisco 7600 Series ASA Services Module Hardware solutions / Security hardware applicances Cisco ASA 1000V Cloud Firewall Hardware solutions / Security hardware applicances Cisco Firepower 9300 Security Appliance Hardware solutions / Security hardware applicances Cisco Adaptive Security Virtual Appliance (ASAv) Server applications / Virtualization software Firepower 2100 Series Security Appliance Server applications / IDS/IPS systems, Firewalls and proxy servers Firepower 4110 Security Appliance Server applications / IDS/IPS systems, Firewalls and proxy servers 3000 Series Industrial Security Appliance (ISA) Server applications / IDS/IPS systems, Firewalls and proxy servers Other Adaptive Security Appliance (ASA) CX Hardware solutions / Firmware |
| Vendor |
Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
1) Double-free error
EUVDB-ID: #VU10328
Risk: Critical
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Red]
CVE-ID: CVE-2018-0101
CWE-ID:
CWE-415 - Double Free
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a double-free error when parsing XML packets on webvpn-configured interface. A remote unauthenticated attacker can send a series of specially crafted XML packets to webvpn-enable device, trigger double-free error and corrupt memory.
Successful exploitation of the vulnerability may allow an attacker to cause denial of service condition or execute arbitrary code on the target system.
Note: according to Cisco, the vulnerability was publicly disclosed prior to vendor notification. There are known exploitation attempts of this vulnerability in the wild.
The following products are affected:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 4120 Security Appliance
- Firepower 4140 Security Appliance
- Firepower 4150 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
- FTD Virtual
Mitigation
Install updates from vendor's website.
Vendor has released new patched on February 5.
Cisco Adaptive Security Appliance (ASA): 9.2.4 - 9.8.1
Cisco ASA 5500: All versions
Cisco ASA 5500-X Series: All versions
Cisco Catalyst 6500 Series ASA Services Module: All versions
Cisco 7600 Series ASA Services Module: All versions
Cisco ASA 1000V Cloud Firewall: All versions
Cisco Adaptive Security Virtual Appliance (ASAv): All versions
Cisco Firepower 9300 Security Appliance: All versions
Firepower 2100 Series Security Appliance: All versions
Firepower 4110 Security Appliance: All versions
3000 Series Industrial Security Appliance (ISA): All versions
: All versions
Adaptive Security Appliance (ASA) CX: 9.2.4 - 9.8.1
CPE2.3- cpe:2.3:h:cisco_systems:asa:9.2.4:*:*:*:*:*:*:*
- cpe:2.3:h:cisco_systems:asa:9.6.2:*:*:*:*:*:*:*
- cpe:2.3:h:cisco_systems:asa:9.8.1:*:*:*:*:*:*:*
- cpe:2.3:h:cisco_systems:cisco_asa_5500:*:*:*:*:*:asa:*:*
- cpe:2.3:h:cisco_systems:cisco_asa_5500-x_series:*:*:*:*:*:asa:*:*
- cpe:2.3:h:cisco_systems:cisco_catalyst_6500_series_asa_services_module:*:*:*:*:*:*:*:*
- cpe:2.3:h:cisco_systems:cisco_7600_series_asa_services_module:*:*:*:*:*:asa:*:*
- cpe:2.3:h:cisco_systems:cisco_asa_1000v_cloud_firewall:*:*:*:*:*:asa:*:*
- cpe:2.3:a:cisco_systems:cisco_adaptive_security_virtual_appliance_asav:*:*:*:*:*:asa:*:*
- cpe:2.3:h:cisco_systems:cisco_firepower_9300_security_appliance:*:*:*:*:*:*:*:*
- cpe:2.3:a:cisco_systems:firepower_2100_series_security_appliance:*:*:*:*:*:*:*:*
- cpe:2.3:a:cisco_systems:firepower_4110_security_appliance:*:*:*:*:*:*:*:*
- cpe:2.3:a:cisco_systems:3000_series_industrial_security_appliance_isa:*:*:*:*:*:*:*:*
- cpe:2.3::::*:*:*:*:*:*:*:*
- cpe:2.3:h:cisco_systems:adaptive_security_appliance_asa_cx:9.2.4:*:*:*:*:*:*:*
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg35618
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
