Remote code execution in Cisco Adaptive Security Appliance (ASA)



Published: 2018-01-29 | Updated: 2018-02-07
Risk: Critical
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2018-0101
CWE-ID: CWE-415
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software
Cisco Adaptive Security Appliance (ASA)
Hardware solutions / Security hardware appliances

Cisco ASA 5500
Hardware solutions / Security hardware appliances

Cisco ASA 5500-X Series
Hardware solutions / Security hardware appliances

Cisco Catalyst 6500 Series ASA Services Module
Hardware solutions / Security hardware appliances

Cisco 7600 Series ASA Services Module
Hardware solutions / Security hardware appliances

Cisco ASA 1000V Cloud Firewall
Hardware solutions / Security hardware appliances

Cisco Firepower 9300 Security Appliance
Hardware solutions / Security hardware appliances

Cisco Adaptive Security Virtual Appliance (ASAv)
Server applications / Virtualization software

Firepower 2100 Series Security Appliance
Server applications / IDS/IPS systems, Firewalls and proxy servers

Firepower 4110 Security Appliance
Server applications / IDS/IPS systems, Firewalls and proxy servers

3000 Series Industrial Security Appliance (ISA)
Server applications / IDS/IPS systems, Firewalls and proxy servers

Adaptive Security Appliance (ASA) CX
Hardware solutions / Firmware

Vendor: Cisco Systems, Inc

Security Bulletin

This security bulletin contains one critical risk vulnerability.

1) Double-free error

EUVDB-ID: #VU10328

Risk: Critical

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-0101

CWE-ID: CWE-415 - Double Free

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a double-free error when parsing XML packets on a webvpn-configured interface. A remote unauthenticated attacker can send a series of specially crafted XML packets to a webvpn-enabled device, trigger a double-free error and corrupt memory.

Successful exploitation of the vulnerability may allow an attacker to cause a denial of service condition or execute arbitrary code on the target system.

Note: according to Cisco, the vulnerability was publicly disclosed prior to vendor notification. There are known exploitation attempts of this vulnerability in the wild.

The following products are affected:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 4120 Security Appliance
  • Firepower 4140 Security Appliance
  • Firepower 4150 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)
  • FTD Virtual

Mitigation

Install updates from the vendor's website.
The vendor released new patches on February 5.

Vulnerable software versions

Cisco Adaptive Security Appliance (ASA): 9.2.4 - 9.8.1

Cisco ASA 5500: All versions

Cisco ASA 5500-X Series: All versions

Cisco Catalyst 6500 Series ASA Services Module: All versions

Cisco 7600 Series ASA Services Module: All versions

Cisco ASA 1000V Cloud Firewall: All versions

Cisco Adaptive Security Virtual Appliance (ASAv): All versions

Cisco Firepower 9300 Security Appliance: All versions

Firepower 2100 Series Security Appliance: All versions

Firepower 4110 Security Appliance: All versions

3000 Series Industrial Security Appliance (ISA): All versions

: All versions

Adaptive Security Appliance (ASA) CX: 9.2.4 - 9.8.1
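
For patch prioritisation, the following added example (not part of the original bulletin or any Cisco tooling) checks a device's `show version` text against the ASA range listed above and looks for an interface enabled in the global `webvpn` block of the running configuration. The range is treated as inclusive, interim build numbers are ignored, and the function names and result labels are hypothetical; the vendor advisory remains the authority on fixed releases.

```python
import re

# Range from this page's "Vulnerable software versions" entry for Cisco ASA
# ("9.2.4 - 9.8.1"), treated as inclusive (assumption). Interim build numbers
# are ignored because the page does not list fixed interim releases.
VULN_MIN, VULN_MAX = (9, 2, 4), (9, 8, 1)
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)(?:\((\d+)\)|\.(\d+))?")

# Constructed sample input (not captured from a real device).
SAMPLE_VERSION = "Cisco Adaptive Security Appliance Software Version 9.6(3)1"
SAMPLE_CONFIG = "hostname fw1\nwebvpn\n enable outside\n anyconnect enable\n!"


def parse_asa_version(show_version):
    """Return (major, minor, maintenance) from 'show version' text, or None."""
    m = VERSION_RE.search(show_version)
    if not m:
        return None
    maint = m.group(3) or m.group(4) or "0"
    return int(m.group(1)), int(m.group(2)), int(maint)


def webvpn_interfaces(running_config):
    """Interfaces named by 'enable <if>' inside the global 'webvpn' block."""
    enabled, in_block = [], False
    for line in running_config.splitlines():
        if not line.startswith(" "):      # a top-level line opens or closes a block
            in_block = line.strip() == "webvpn"
        elif in_block:
            m = re.match(r"^ enable (\S+)", line)
            if m:
                enabled.append(m.group(1))
    return enabled


def triage(show_version, running_config):
    """Classify one device for CVE-2018-0101 patch prioritisation."""
    version = parse_asa_version(show_version)
    if version is None:
        return "unknown-version"
    if not (VULN_MIN <= version <= VULN_MAX):
        return "outside-listed-range"
    return "patch-first" if webvpn_interfaces(running_config) else "patch"


if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```

A result of `outside-listed-range` only means the version falls outside the range this page lists; it is not a statement that the release is fixed.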

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg35618


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


