Adam Louca
Chief Security Technologist
Last updated: 15:05 6th Feb 2018
After further investigation, Cisco has identified additional attack vectors and features that are affected by this vulnerability. In addition, Cisco has identified the original fix was incomplete so has released fixed code versions which are now available (see tables below).
Summary
On January 30th a critical vulnerability was disclosed for the Cisco ASA firewall platform. The vulnerability could allow an attacker to obtain remote code execution or reload of a vulnerable Cisco ASA firewall. The vulnerability is contained with the SSL VPN module of the Cisco ASA platform - this affects your organisation if you're using this WebVPN feature. All users of this function should disable or update to mitigate this issue.
Am I affected?
If you have a Cisco ASA/Firepower appliance deployed within your environment running the WebVPN feature, you are affected. You can verify this by running show running-config webvpn on the CLI interface and look to see if a value is enabled and displayed. If this is the case then you are vulnerable to this attack.
What is the impact?
This attack allows a remote attacker to obtain remote code execution on the firewall and can allow them to change the configuration or view traffic crossing the boundary. This has been given a CVE score of 10.0 (highest possible).
Mitigation?
Cisco has released free software updates for all platforms to address this vulnerability. This can be found via the Cisco support contract portal for those with a valid support agreement. If you do not have a support agreement you can still request the update via Cisco TAC. You will need the serial number of the box for access. Alternatively disabling the WebVPN feature will mitigate this vulnerability and might be a consideration in the short-term while scheduled downtime is arranged.
What is my upgrade path?
Cisco ASA
| Cisco ASA Major Release | First Fixed Release |
|---|---|
| 8.x1 | Affected; migrate to 9.1.7.23 |
| 9.01 | Affected; migrate to 9.1.7.23 |
| 9.1 | 9.1.7.23 |
| 9.2 | 9.2.4.27 |
| 9.31 | Affected; migrate to 9.4.4.16 |
| 9.4 | 9.4.4.16 |
| 9.51 | Affected; migrate to 9.6.4.0 |
| 9.6 | 9.6.4.3 |
| 9.7 | 9.7.1.21 |
| 9.8 | 9.8.2.20 |
| 9.9 | 9.9.1.2 |
1 ASA Software releases prior to 9.1, including all 8.x releases, and ASA releases 9.3 and 9.5 have reached end of software maintenance. Customers should migrate to a supported release.
Cisco FTD
| Cisco FTD Major Release | First Fixed Release |
|---|---|
| 6.0.0 | Affected; migrate to 6.0.1 HotFix or later |
| 6.0.1 | Cisco_FTD_Hotfix_BH-6.0.1.5-1.sh (All FTD hardware platforms except 41xx and 9300) Cisco_FTD_SSP_Hotfix_BH-6.0.1.5-1.sh (41xx and 9300 FTD hardware platform) |
| 6.1.0 | Cisco_FTD_Hotfix_DZ-6.1.0.7-1.sh (All FTD hardware platforms except 41xx and 9300) Cisco_FTD_SSP_Hotfix_DZ-6.1.0.7-1.sh (41xx and 9300 FTD hardware platform) |
| 6.2.0 | Cisco_FTD_Hotfix_BN-6.2.0.5-3.sh (All FTD hardware platforms except 41xx and 9300) Cisco_FTD_SSP_Hotfix_BN-6.2.0.5-3.sh (41xx and 9300 FTD hardware platform) |
| 6.2.1 | Affected; migrate to 6.2.2 HotFix |
| 6.2.2 | Cisco_FTD_SSP_FP2K_Hotfix_AN-6.2.2.2-4.sh.REL.tar (21xx FTD hardware platform) Cisco_FTD_SSP_Hotfix_AO-6.2.2.2-1.sh.REL.tar (41xx and 9300 FTD hardware platforms) Cisco_FTD_Hotfix_AO-6.2.2.2-1.sh.REL.tar (All other FTD hardware platforms) |
Likelyhood of exploit?
There is currently no evidence of this exploit being used in the wild however the detalis of the vulnerabilty have been published publicly. I would expect a short (3-10 day) window before exploitation in the wild. (OPINION)
Further reading:
Get in touch
Please get in touch with your Softcat account manager, give us a call, or send us a message using the button below if you'd like further advice.