Cisco ASA Vulnerabilities See POC and Active Exploits

Marina Kidron Jul 3, 2018

A vulnerability recently surfaced in Cisco ASA, affecting Cisco Firepower and other Cisco devices. Exploiting the vulnerability (CVE-2018-0296) could cause an affected device to reload unexpectedly, allowing remote denial-of-service or information disclosure due to a path transversal issue.

The vulnerability exists at the web interface and applies to IPv4 and IPv6 traffic. It does not require user interaction — the Cisco ASA vulnerability can be exploited simply by sending a specially crafted HTTP packet to an affected device.

  • Cisco ASA Exploits

Cisco published (and patched) the vulnerability on June 6, 2018. But on June 22, Cisco acknowledged that a proof-of-concept (POC) was published: “Cisco PSIRT has become aware of a public proof-of-concept exploit and is aware of customer device reloads related to this vulnerability,” along with actual exploitation in the wild.

The python code used in the POC can be tracked back to a public post on ExploitDB published on June 28. The exploitation in the wild is currently limited, but could grow.

  • Cisco ASA Hit With High-Profile Vulnerabilities

Earlier this year, hackers exploited another Cisco ASA flaw (CVE-2018-0101) just five days after Cisco had released one of two patches. The vulnerability in the secure sockets layer (SSL) VPN functionality of Cisco ASA was due to an issue with allocating and freeing memory when processing a malicious XML payload. A remote attacker could exploit the vulnerability by sending crafted XML packets to a vulnerable interface on an affected system. The exploit could allow the attacker to execute arbitrary code and obtain full control of the system, cause a reload of the affected device or stop processing of incoming VPN authentication requests.

Back in 2017, The Shadow Brokers published two privilege escalation exploits against this Cisco ASA vulnerability dubbed EPICBANANA and EXTRABACON — meaning: it’s a well-known target at this point.

  • Protecting Against Cisco ASA Exploits

Affected users should patch their software and track the patching process to ensure its completion.

Skybox® Vulnerability Control customers can manage the entire management process to root out these vulnerabilities:

  • Use the Skybox Vulnerability Detector feature to discover the Cisco ASA vulnerabilities without a scan. Scanless assessment is particularly beneficial to detect vulnerabilities on network devices and zones — including operational technology networks — which often limit or prohibit active scanning.
  • Identify well-known vulnerabilities on infrastructure devices and know when those devices need to be updated due to a critical vulnerability. Automated correlation of vulnerability occurrences with the Skybox intelligence feed will also show customers clearly which vulnerabilities have POC exploit code or active exploits in the wild; vulnerabilities with active exploits are prioritized as an imminent threat and should be addressed immediately.
  • Know the patches available to address the Cisco ASA vulnerabilities and use Skybox Remediation Center to track remediation status, ensuring all procedures were carried out properly and no devices were omitted.

To learn more about the Skybox approach to vulnerability management, you can check out our e-book here.

Related Post

Hackers Disrupt Critical Infrastructure Network Using Cisco Smart Install Flaw: Bot uses Shodan to detect vulnerable devices, 200,000 affected worldwide by Cisco Smart Install Client vulnerability

Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites in the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithms development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing, and a Bachelor degree in Computer Science and Mathematics.

Recent Posts

What’s new in the Skybox Security version 11.5 release
Read More
Cryptomining is hottest new malware type, research reveals
Read More
Three ways to modernize your OT security programs
Read More
How to manage third-party cyber risk in banking and financial services
Read More
Vulnerability and Threat Trends Report highlights the importance of cyber exposure analysis that goes beyond CVSS rating
Read More
Skybox 2021 Vulnerability and Threat Trends mid-year report
Read More