
Mitigating Cisco ASA Critical WebVPN Vulnerability

By Max Fuller, PEI | February 2, 2018 (updated September 18th, 2020) | Blog, Cisco, Networking, News

Description:

On January 29th, 2018 Cisco announced a critical vulnerability affecting a wide spectrum of ASA releases. This post describes the details of the vulnerability, how to identify whether you are affected, and how to patch. Much of the information below is condensed from Cisco's advisory (cisco-sa-20180129-asa1).

Cisco bug ID: CSCvg35618 (CVE-2018-0101)

The vulnerability carries a CVSS base score of 10.0, the maximum on the scale. An unauthenticated, remote attacker can use it to execute arbitrary code on an affected device (or simply force it to reload), which means a successful exploit hands the attacker full control of the firewall. No secret knowledge, such as existing account names, is needed; all an attacker requires is network reachability to a vulnerable service on the device.

What Devices Are Vulnerable/Not Vulnerable:

A wide variety of Cisco security devices are vulnerable. Three things determine exposure: the model series, the ASA Software release, and, for Firepower Threat Defense, the FTD release.

First, the device must be one of the following model series:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

Second, the ASA Software release must be below the first fixed release for its line. Nearly every ASA software line is affected, with few exceptions. Here is Cisco's table of affected lines and the earliest release on each that carries the fix:

Line   First Fixed Release
8.x    Affected; migrate to 9.1.7.20 or later [1]
9.0    Affected; migrate to 9.1.7.20 or later [1]
9.1    9.1.7.20
9.2    9.2.4.25
9.3    Affected; migrate to 9.4.4.14 or later [1]
9.4    9.4.4.14
9.5    Affected; migrate to 9.6.3.20 or later [1]
9.6    9.6.3.20
9.7    9.7.1.16
9.8    9.8.2.14
9.9    9.9.1.2

[1] Cisco publishes no fix on this line; move to the listed release on a supported line.

Warnings for people migrating from 8.x code:

If you are on an 8.x line, you will be forced to move to at least 9.1.7.23 (Cisco revised the first fixed releases after the table above was published, so check the current advisory), which may require rewriting portions of your configuration. The NAT syntax and object model changed in 8.3, so anything older than that needs its NAT statements rewritten, and certain object types have since been deprecated. Another thing to watch for when leaving 8.x code is the deprecation of the ntauth method of authentication against domain controllers. If you are using this aaa authentication method, migrate to either an NPS server on your domain controller (and then use RADIUS authentication) or to LDAP authentication before the upgrade.

Third, Firepower Threat Defense:

In addition, the following FTD (Firepower Threat Defense) releases are affected. Initially Cisco indicated that only releases with WebVPN capability (6.2.2 and later) were affected, but it now appears that every release from 6.0.0 onward is affected as well. Here is the table of affected FTD versions with the fix for each:

FTD Vulnerable Version   First Fixed Release
6.0.0                    Affected; migrate to 6.0.1 HotFix or later
6.0.1                    Cisco_FTD_Hotfix_BH-6.0.1.5-1.sh (all FTD hardware platforms except 41xx and 9300)
                         Cisco_FTD_SSP_Hotfix_BH-6.0.1.5-1.sh (41xx and 9300 FTD hardware platforms)
6.1.0                    Cisco_FTD_Hotfix_DZ-6.1.0.7-1.sh (all FTD hardware platforms except 41xx and 9300)
                         Cisco_FTD_SSP_Hotfix_DZ-6.1.0.7-1.sh (41xx and 9300 FTD hardware platforms)
6.2.0                    Cisco_FTD_Hotfix_BN-6.2.0.5-3.sh (all FTD hardware platforms except 41xx and 9300)
                         Cisco_FTD_SSP_Hotfix_BN-6.2.0.5-3.sh (41xx and 9300 FTD hardware platforms)
6.2.1                    Affected; migrate to 6.2.2 HotFix
6.2.2                    Cisco_FTD_Hotfix_AB-6.2.2.2-4.sh.REL.tar (all FTD hardware platforms except 21xx)
                         Cisco_FTD_SSP_FP2K_Hotfix_AC-6.2.2.2-6.sh.REL.tar (21xx FTD hardware platform)

To check your current ASA software version, run 'show version' and look for the Version line. On FTD the version line is labeled 'Threat Defense'.

Pei-Hq-Fw01# show version | i Version
Cisco Adaptive Security Appliance Software Version 9.4(4)14
Device Manager Version 7.4(3)
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
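Checking one box by eye is easy; checking dozens is where mistakes creep in, because ASA prints versions as 9.4(4)14 while the table uses 9.4.4.14, and a string comparison gets 9.4(4)9 versus 9.4(4)14 wrong. As an added example (not code from the original post or from Cisco), here is a small Python checker that normalises the version string from 'show version' and compares it numerically with the first fixed table above. The FIRST_FIXED dictionary is copied from this page's table; Cisco revised some first fixed releases in later advisory updates, so treat those values as an assumption and refresh them from the current advisory before relying on the result. The sample output is constructed to mirror the device output above.

```python
"""Compare an ASA software version with the first-fixed releases table.

Added example, not from the original post or from Cisco. FIRST_FIXED is
copied from the table on this page (Cisco's original advisory); Cisco later
revised some first-fixed releases, so treat these values as an assumption
and refresh them from the current advisory before relying on the result."""
import re

# ASA line -> first fixed release; None means Cisco ships no fix on that
# line and you must migrate to the release in MIGRATE_TO instead.
FIRST_FIXED = {
    "8":   None,
    "9.0": None,
    "9.1": "9.1.7.20",
    "9.2": "9.2.4.25",
    "9.3": None,
    "9.4": "9.4.4.14",
    "9.5": None,
    "9.6": "9.6.3.20",
    "9.7": "9.7.1.16",
    "9.8": "9.8.2.14",
    "9.9": "9.9.1.2",
}
MIGRATE_TO = {"8": "9.1.7.20", "9.0": "9.1.7.20",
              "9.3": "9.4.4.14", "9.5": "9.6.3.20"}

VERSION_LINE = re.compile(r"Adaptive Security Appliance Software Version\s+(\S+)")


def normalize(version: str) -> tuple:
    """'9.4(4)14' or '9.4.4.14' -> (9, 4, 4, 14); tuples then compare
    numerically, so 9.4(4)9 correctly sorts below 9.4(4)14."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if len(parts) < 2:
        raise ValueError(f"unrecognised ASA version: {version!r}")
    return parts


def parse_show_version(output: str) -> str:
    """Pull the software version string out of 'show version' text."""
    m = VERSION_LINE.search(output)
    if not m:
        raise ValueError("no 'Adaptive Security Appliance Software Version' line")
    return m.group(1)


def assess(version: str) -> dict:
    """Classify as 'fixed', 'vulnerable' or 'unknown' (line not in table)."""
    v = normalize(version)
    line = "8" if v[0] == 8 else f"{v[0]}.{v[1]}"   # 8.x is one line in the table
    result = {"version": version, "line": line}
    if line not in FIRST_FIXED:
        result.update(status="unknown",
                      action="line not in the table; check the current Cisco advisory")
    elif FIRST_FIXED[line] is None:
        result.update(status="vulnerable",
                      action=f"no fix on the {line} line; migrate to {MIGRATE_TO[line]} or later")
    elif v >= normalize(FIRST_FIXED[line]):
        result.update(status="fixed",
                      action=f"none; at or above first fixed release {FIRST_FIXED[line]}")
    else:
        result.update(status="vulnerable",
                      action=f"upgrade to {FIRST_FIXED[line]} or later")
    return result


# Constructed sample mirroring the 'show version | i Version' output above
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.4(4)14
Device Manager Version 7.4(3)
"""

if __name__ == "__main__":
    print(assess(parse_show_version(SAMPLE_SHOW_VERSION)))
    for v in ("8.4(7)", "9.1(7)19", "9.3(3)", "9.8(2)14", "7.2(5)"):
        print(assess(v))
```

Feed it the text of 'show version' collected from each device (for example over SSH with your usual automation) and act on anything that is not 'fixed'; a release on a line with no fix is reported as vulnerable with the migration target, and lines the table does not know about are reported as unknown rather than silently passed.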

Are any of the Vulnerable Features Enabled to the Outside?

Initially Cisco indicated that only AnyConnect/WebVPN was vulnerable. With the advisory update of 02/05/18, Cisco now believes a number of other features are vulnerable as well. Here is the table of features known to be vulnerable, with the configuration commands that indicate each one is enabled:

Feature and vulnerable configuration:

Adaptive Security Device Manager (ASDM)
  http server enable $port
  http $remote_ip_address $remote_subnet_mask $interface_name

AnyConnect IKEv2 Remote Access (with client services)
  crypto ikev2 enable $interface_name client-services port $port
  webvpn
    anyconnect enable

AnyConnect IKEv2 Remote Access (without client services)
  crypto ikev2 enable $interface_name
  webvpn
    anyconnect enable

AnyConnect SSL VPN
  webvpn
    enable $interface_name

Cisco Security Manager [2]
  http server enable $port
  http $remote_ip_address $remote_subnet_mask $interface_name

Clientless SSL VPN
  webvpn
    enable $interface_name

Cut-Through Proxy (not vulnerable unless used in conjunction with other vulnerable features on the same port)
  aaa authentication listener $interface_name port $port_number

Local Certificate Authority (CA)
  crypto ca server
    no shutdown

Mobile Device Manager (MDM) Proxy [3]
  mdm-proxy
    enable $interface_name

Mobile User Security (MUS)
  webvpn
    mus password $password
    mus host $hostname
    mus $address $mask $interface_name

Proxy Bypass
  webvpn
    proxy-bypass

REST API [4]
  rest-api image disk0:/$image_name
  rest-api agent

Security Assertion Markup Language (SAML) Single Sign-On (SSO) [5]
  N/A

Bracketed numbers are footnote references in Cisco's advisory; the footnotes themselves are not reproduced here.

Cisco also recommends checking for SSL and DTLS sockets open on any interface. Here is the command that lists open sockets (IP addresses have been sanitized with 'x's). As you can see from the output, we have WebVPN enabled on two different interfaces.

Pei-Hq-Fw01# show asp table socket

Protocol  Socket    State      Local Address          Foreign Address
SSL       000074f8  LISTEN     xxxxxxx:4443           0.0.0.0:*
SSL       0000abf8  LISTEN     xxxxxxx:4443           0.0.0.0:*
SSL       0000ca68  LISTEN     xxxxxxxx:443           0.0.0.0:*
TCP       00012ca8  LISTEN     xxxxxxxx:22            0.0.0.0:*
TCP       00017558  LISTEN     xxxxxxxx:22            0.0.0.0:*
SSL       000194d8  LISTEN     xxxxxxxx:443           0.0.0.0:*
DTLS      0001f1c8  LISTEN     xxxxxxxx:443           0.0.0.0:*
DTLS      00023088  LISTEN     xxxxxxxxx:443          0.0.0.0:*
TCP       002cdae8  ESTAB      xxxxxxxxx:22           xxxxxxx:52679
TCP       004815c8  ESTAB      xxxxxxxxx:22           xxxxxxx:39166
TCP       004877f8  ESTAB      xxxxxxxxx:22           xxxxxxx:39176
Pei-Hq-Fw01#
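The feature table and the socket listing above are what you check by hand on a few boxes and script across a fleet. As an added example, not code from the original post or from Cisco, here is a Python scan that walks a saved running-config for the commands in the feature table (tracking which ones sit under the webvpn, crypto ca server and mdm-proxy stanzas, since an indented 'enable outside' means something different from a top-level one) and pulls the SSL/DTLS listeners out of 'show asp table socket'. The feature names and matching rules are my own mapping of the table, not Cisco's; the sample config and socket listing are constructed, with RFC 5737 documentation addresses standing in for the sanitised ones above.

```python
"""Scan an ASA running-config and 'show asp table socket' output for the
features Cisco listed as vulnerable. Added example, not from the original
post or from Cisco; RULES is one mapping of the feature table above."""
import re

# (feature, parent stanza or None for top-level, regex on the command).
# Indented commands such as 'enable outside' only count under their parent.
RULES = [
    ("ASDM / Cisco Security Manager (HTTP server)", None,
     r"^http server enable(?:\s+\d+)?$"),
    ("IKEv2 enabled on interface (AnyConnect IKEv2 remote access)", None,
     r"^crypto ikev2 enable \S+"),
    ("Cut-through proxy listener", None,
     r"^aaa authentication listener \S+ port \d+"),
    ("REST API agent", None, r"^rest-api agent$"),
    ("AnyConnect SSL VPN / Clientless SSL VPN", "webvpn", r"^enable \S+"),
    ("Mobile User Security (MUS)", "webvpn", r"^mus \S+ \S+ \S+$"),
    ("Proxy bypass", "webvpn", r"^proxy-bypass"),
    ("Local certificate authority", "crypto ca server", r"^no shutdown$"),
    ("MDM proxy", "mdm-proxy", r"^enable \S+"),
]
COMPILED = [(f, parent, re.compile(p)) for f, parent, p in RULES]


def iter_commands(config: str):
    """Yield (parent_stanza, command). ASA writes sub-commands indented
    under an unindented parent line, so the parent is the last such line."""
    stanza = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            yield stanza, raw.strip()
        else:
            stanza = raw.strip()
            yield None, stanza


def scan_config(config: str) -> list:
    """Return (feature, command) for every command that matches a rule."""
    findings = []
    for parent, cmd in iter_commands(config):
        for feature, rule_parent, rx in COMPILED:
            if parent == rule_parent and rx.match(cmd):
                findings.append((feature, cmd))
    return findings


SOCKET_LINE = re.compile(r"^(SSL|DTLS|TCP|UDP)\s+[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\S+)")


def tls_listeners(asp_socket_output: str) -> list:
    """Return (protocol, local_address) for every SSL or DTLS LISTEN socket."""
    found = []
    for line in asp_socket_output.splitlines():
        m = SOCKET_LINE.match(line.strip())
        if m and m.group(1) in ("SSL", "DTLS") and m.group(2) == "LISTEN":
            found.append((m.group(1), m.group(3)))
    return found


def exposure_report(config: str, asp_socket_output: str) -> dict:
    """Combine both checks; anything non-empty here on an unpatched release
    means the device is reachable through a vulnerable feature."""
    return {"features": scan_config(config),
            "listeners": tls_listeners(asp_socket_output)}


# Constructed sample running-config for a hypothetical device (not from the page)
SAMPLE_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
http server enable
http 10.0.0.0 255.0.0.0 inside
crypto ikev2 enable outside client-services port 443
crypto ca server
 no shutdown
webvpn
 enable outside
 anyconnect enable
 proxy-bypass
 mus password secret
 mus 10.1.0.0 255.255.0.0 outside
aaa authentication listener outside port 8080
rest-api agent
"""

# Constructed 'show asp table socket' listing in the same layout as above,
# with RFC 5737 documentation addresses in place of the sanitised ones.
SAMPLE_SOCKETS = """\
Protocol  Socket    State      Local Address         Foreign Address
SSL       000074f8  LISTEN     203.0.113.10:443      0.0.0.0:*
DTLS      0001f1c8  LISTEN     203.0.113.10:443      0.0.0.0:*
TCP       00012ca8  LISTEN     203.0.113.10:22       0.0.0.0:*
SSL       0000ca68  LISTEN     10.0.0.1:4443         0.0.0.0:*
TCP       002cdae8  ESTAB      10.0.0.1:22           10.0.0.50:52679
"""

if __name__ == "__main__":
    report = exposure_report(SAMPLE_CONFIG, SAMPLE_SOCKETS)
    for feature, cmd in report["features"]:
        print(f"exposed feature: {feature:60} <- {cmd}")
    for proto, local in report["listeners"]:
        print(f"{proto} listener on {local}")
```

Two caveats when you run this for real: 'http server enable' alone only tells you ASDM/CSM is on, so cross-check the 'http' lines to see which interfaces can actually reach it, and the MUS rule deliberately matches only the 'mus $address $mask $interface_name' line, since that is the one that binds the feature to an interface. A 4443 SSL listener with no webvpn 'enable' line is usually ASDM, which the table lists as exposed as well.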

Another way to verify is to look at the SSL message statistics. Non-zero handshake counters mean the device is terminating SSL/TLS sessions itself; if it is also below the first fixed release, treat it as vulnerable:

pei-hq-vpn01# show asp table socket stats protocol ssl

NP SSL System Stats:
  Handshake Started:            341
  Handshake Complete:           275
  SSL Open:                     13
  SSL Close:                    562
  SSL Server:                   357
  SSL Server Verify:            0
  SSL Client:                   5

pei-hq-vpn01#

Exposure:

This vulnerability is likely to be very easy to exploit: Cisco describes the trigger as crafted XML packets sent to a WebVPN-enabled interface. According to an article from ZDNet, the researcher who discovered the bug, Cedric Halbronn, has announced that he will present the exploitation method at the REcon Brussels 2018 conference over the weekend of 02/02/18.

VulDB, which tracks dark web/black market prices on exploits, estimates this one at between $25k and $100k. Even if a full exploit is not released this weekend, I would expect one to be coming around shortly.

Given the seriousness of the bug, which allows full control of the device, the ease of exploitation, and the large number of devices affected, everyone should be looking to patch quickly.

Max Fuller, PEI
