On January 29th 2017 Cisco announced a critical vulnerability for a wide spectrum of ASA versions. This document describes the details of the vulnerability, how to identify whether you are affected and how to patch. Much of the below information is just re-hashed from Cisco’s handy-dandy advisory .
The vulnerability has a rating of 10 out of 10 severity, which is the highest severity in the scale. It allows for remote execution of code on any device affected, meaning that when successfully exploited, an attacker can effectively take full ownership of the device and do whatever they want. No secret knowledge, such as existing account names are necessary for an attacker to exploit the vulnerability. All that is needed is the address of a vulnerable device.
What Devices Are Vulnerable/Not Vulnerable:
A wide variety of Cisco security devices are vulnerable. There are three criteria.
First if the device is of any of the following model series:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
Almost all lines of code of ASA software were affected, with few exceptions. Here is table provided by Cisco of all the code effected and the earliest version that is patched.
Second, if the ASA Software is of
|Line||First Fixed Release|
|8.x1||Affected; migrate to 18.104.22.168 or later|
|9.01||Affected; migrate to 22.214.171.124 or later|
|9.31||Affected; migrate to 126.96.36.199 or later|
|9.51||Affected; migrate to 188.8.131.52 or later|
Warnings for people migrating from 8x code:
For people on 8.x lines of code, you will be forced to move to at least 184.108.40.206, which may require re-writing portions of your configuration, specifically related to NAT and certain object types that have been since deprecated. Another thing to watch out for moving from 8 code is the deprication of of the ntauth method of authentication against domain controllers. If you are using this aaa auth method, you would want to migrate to either an NPS server on your domain controller (ant then use RADIUS authentication) or migrate to LDAP authentication before migration.
Third, Firepower Threat Defense:
In addition, the following FTD(Firepower Threat Defense) software has been affected by the vulnerability. Initially, Cisco indicated that only versions supporting WebVPN capability (post 6.2.2 were affected) but now it appears that versions above 6..0 were affected as well. Here is a table with versions of FTD effected with the recommended fixes:
|FTD Vulnerable Version||First Fixed Release|
|6.0.0||Affected; migrate to 6.0.1 HotFix or later|
|6.0.1||Cisco_FTD_Hotfix_BH-220.127.116.11-1.sh (All FTD hardware platforms except 41xx and 9300)
Cisco_FTD_SSP_Hotfix_BH-18.104.22.168-1.sh (41xx and 9300 FTD hardware platform)
|6.1.0||Cisco_FTD_Hotfix_DZ-22.214.171.124-1.sh (All FTD hardware platforms except 41xx and 9300)
Cisco_FTD_SSP_Hotfix_DZ-126.96.36.199-1.sh (41xx and 9300 FTD hardware platform)
|6.2.0||Cisco_FTD_Hotfix_BN-188.8.131.52-3.sh (All FTD hardware platforms except 41xx and 9300)
Cisco_FTD_SSP_Hotfix_BN-184.108.40.206-3.sh (41xx and 9300 FTD hardware platform)
|6.2.1||Affected; migrate to 6.2.2 HotFix|
|6.2.2||Cisco_FTD_Hotfix_AB-220.127.116.11-4.sh.REL.tar (All FTD hardware platforms except 21xx)
Cisco_FTD_SSP_FP2K_Hotfix_AC-18.104.22.168-6.sh.REL.tar (21xx FTD hardware platform)
To check your current version of ASA software simply run ‘show version’ and look for the Version line. For FTD, version will be labeled ‘Threat Defense’
Pei-Hq-Fw01# show version | i Version Cisco Adaptive Security Appliance Software Version 9.4(4)14 Device Manager Version 7.4(3) Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
Are any of the Vulnerable Features Enabled to the Outside?
Initially Cisco indicated that Anyconnect/WebVPN was vulnerable. With the update on 02/05/17, it appears that they now believe a variety of other features to be vulnerable. Here is a table with lists of features that are known to be vulnerable and the commands to look for in your configuration that will indicate vulnerability:
|Adaptive Security Device Manager (ASDM)||
|AnyConnect IKEv2 Remote Access (with client services)||
|AnyConnect IKEv2 Remote Access (without client services)||
|AnyConnect SSL VPN||
|Cisco Security Manager2||
|Clientless SSL VPN||
|Cut-Through Proxy (Not vulnerable unless used in conjunction with other vulnerable features on the same port)||
|Local Certificate Authority (CA)||
|Mobile Device Manager (MDM) Proxy3||
|Mobile User Security (MUS)||
|Security Assertion Markup Language (SAML) Single Sign-On (SSO)5||N/A|
Cisco also recommends checking for an SSL and DTLS socket opened on any interfaces. Here is the command to list open ports (IP addresses have been sanitized with ‘x’s. As you can see by the output, we have webvpn enabled on two different interfaces.
Pei-Hq-Fw01# show asp table socket Protocol Socket State Local Address Foreign Address SSL 000074f8 LISTEN xxxxxxx:4443 0.0.0.0:* SSL 0000abf8 LISTEN xxxxxxx:4443 0.0.0.0:* SSL 0000ca68 LISTEN xxxxxxxx:443 0.0.0.0:* TCP 00012ca8 LISTEN xxxxxxxx:22 0.0.0.0:* TCP 00017558 LISTEN xxxxxxxx:22 0.0.0.0:* SSL 000194d8 LISTEN xxxxxxxx:443 0.0.0.0:* DTLS 0001f1c8 LISTEN xxxxxxxx:443 0.0.0.0:* DTLS 00023088 LISTEN xxxxxxxxx:443 0.0.0.0:* TCP 002cdae8 ESTAB xxxxxxxxx:22 xxxxxxx:52679 TCP 004815c8 ESTAB xxxxxxxxx:22 xxxxxxx:39166 TCP 004877f8 ESTAB xxxxxxxxx:22 xxxxxxx:39176 Pei-Hq-Fw01#
Another way to verify is looking at SSL message statistics. If you have any handshakes and are not on new code, chances are you are vulnerable:
pei-hq-vpn01# show asp table socket stats protocol ssl NP SSL System Stats: Handshake Started: 341 Handshake Complete: 275 SSL Open: 13 SSL Close: 562 SSL Server: 357 SSL Server Verify: 0 SSL Client: 5 pei-hq-vpn01#
This vulnerability is likely to be extremely easy to exploit with just a couple specially crafted XML files. According to an article from ZDNet, the researcher who discovered the bug, Cedric Halbronn, has announced that he will be releasing the method for exploiting this bug over the weekend of 02/02/18 during a talk this weekend at the Recon Brussels 2018 conference.
vulndb, which tracks dark web/black market prices on exploits, estimates a bounty of between $25k and $100k. Even if a full exploit is not released this weekend, I would expect one to be coming around shortly.
With the seriousness of the bug, which would allow full access to the device, the ease of exploit, and large number of devices affected, everyone should be looking to patch quickly.
Max Fuller, PEI