On February 5th, 2018 Cisco updated an existing vulnerability advisory for CVE-2018-010 due to newly discovered attack vectors and because the original software fix was identified to be incomplete. The vulnerability, CVE-2018-010, is a critical Remote Code Execution and Denial of Service vulnerability in the Cisco ASA and Cisco Next-General firewall platforms with a CVSS score of 10.0, the highest possible score. The original vulnerability advisory along with incomplete software fixes were published on January 29th, 2018
After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified and Cisco has now issued a new software version to comprehensively address this vulnerability and additional Denial of Service vulnerabilities. Unfortunately, Cisco clients who had already updated their devices after the original advisory must also apply these new patches to ensure the vulnerability is properly addressed.
The vulnerability is in the XML parser of Cisco Adaptive Security Appliance (ASA) and FirePower Threat Defense (FTD) software which could allow for unauthenticated, remote attackers to remotely execute arbitrary code, cause a reload of the affected system, or cause the device to stop processing Virtual Private Network (VPN) authentication requests.
To be vulnerable, the Adaptive Security Appliance (ASA) or Cisco Next-Generation Firewall must be running an affected software version and have Secure Socket Layer (SSL) services or IKEv2 Remote Access VPN services enabled on an interface. The vulnerability affects any device that terminates SSL traffic. This vulnerability only affects traffic destined to the affected device, not traffic passing through the device.
Remote attackers can utilize carefully crafted XML packets to allow for remote code execution, force a reload of the of the affected system, to obtain full control of the system, or to stop the process of incoming VPN authentication requests due to lack of memory.
The ability for unauthenticated remote attackers to execute arbitrary code on security devices designed to be exposed to the internet makes the potential impact of this vulnerability extremely high. The vulnerability has been assigned a CVSS score of 10.0, the highest possible.
While no publically available exploit code for this vulnerability exists at the time of writing, the vulnerability could allow remote attackers to completely compromise the device, allowing unauthorized access to an organizations internal network, exposing protected assets, and could allow attackers to program backdoors on affected systems for persistent access.
To be vulnerable, the Adaptive Security Appliance (ASA) or Cisco Next-Generation Firewall must be running an affected software version and have Secure Socket Layer (SSL) services or IKEv2 Remote Access VPN services enabled on an interface. This vulnerability only affects traffic destined to the affected device, not traffic passing through the device.
The following Cisco products are affected by this critical vulnerability:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- ASA 1000V Cloud Firewall
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4110 Security Appliance
- Firepower 4120 Security Appliance
- Firepower 4140 Security Appliance
- Firepower 4150 Security Appliance
- Firepower 9300 ASA Security Module
- Firepower Threat Defense Software (FTD)
- FTD Virtual
To determine if your ASA device is vulnerable, clients can utilize the following command:
“show asp table socket”
Clients should look for an SSL or DTLS listen socket on any TCP port. If a socket exists, the device is vulnerable.
Clients can also utilize the following command to determine if IKE V2 is enabled:
“show run crypto ikev2 | grep enable”
If “crypto ikev2 enable” is present in the devices running configuration, and “anyconnect enable” is part of the global webvpn configuraton, the ASA device is vulnerable.
To identify which version of the ASA software your device(s) is currently running, use the following command:
“show version | include Version
To identify which FirePower Threat Defense (FTD) version your device(s)is currently running, use the following command:
Cisco has provided the table below to assist organizations in determining if their device’s configurations are vulnerable to the issues described in CVE-2018-010. The left column lists the potentially vulnerable feature and the right column indicates the contents that would be seen in the device’s “running” configuration if the feature was enabled.
To determine if your device(s) running the features are impacted, run the following command:
“show running-config | include ”
|Adaptive Security Device Manager (ASDM)||http server enable
|AnyConnect IKEv2 Remote Access (with client services)||crypto ikev2 enable
|AnyConnect IKEv2 Remote Access (without client services)||crypto ikev2 enable
|AnyConnect SSL VPN||webvpn
|Cisco Security Manager||http server enable
|Clientless SSL VPN||webvpn
|Cut-Through Proxy (Not vulnerable unless used in conjunction with other vulnerable features on the same port)||aaa authentication listener|
|Local Certificate Authority (CA)||crypto ca server
|Mobile Device Manager (MDM) Proxy||mdm-proxy
|Mobile User Security (MUS)||webvpn
mus password mus host
|REST API||rest-api image disk0:/
Mitigation and Response
No work around currently exists to mitigate this vulnerability. Cisco has released new Adaptive Security Appliance (ASA) and FirePower Threat Defense (FTD) software images which comprehensively resolve the issues identified in this Cyber Fusion Center advisory. Due to the potential impact and severity of the vulnerability (described in the section labeled “potential impact”), the Cyber Fusion Center recommends that client apply these new software patches as soon as possible.
The Cyber Fusion Center (CFC) has begun assessing and testing the latest software fixes provided by Cisco. The CFC will reach out to Security Device Management clients whose managed Cisco devices are impacted by this vulnerability in order to schedule maintenance windows to perform the required software updates. The Cyber Fusion Center has also begun deploying Intrusion Detection System (IDS) signatures to client environments to ensure attempts to exploit this vulnerability are promptly detected.
The following table lists the Cisco Adaptive Security Appliance (ASA) major software releases impacted by this vulnerability and the software versions released to fix this vulnerability:
|Impacted Cisco ASA Major Release||First Fixed Release|
|8.x||Affected; migrate to 220.127.116.11|
|9.0||Affected; migrate to 18.104.22.168|
|9.3||Affected; migrate to 22.214.171.124|
|9.5||Affected; migrate to 126.96.36.199|
The following table lists the Cisco FirePower Threat Defense (FTD) software releases impacted by this vulnerability and the software versions released to fix this vulnerability:
|Impacted Cisco FTD Major Release||First Fixed Release|
|6.0.0||Affected; migrate to 6.0.1 HotFix or later|
|6.0.1||Cisco_FTD_Hotfix_BH-188.8.131.52-1.sh (All FTD hardware platforms except 41xx and 9300)
Cisco_FTD_SSP_Hotfix_BH-184.108.40.206-1.sh (41xx and 9300 FTD hardware platform)
|6.1.0||Cisco_FTD_Hotfix_DZ-220.127.116.11-1.sh (All FTD hardware platforms except 41xx and 9300)
Cisco_FTD_SSP_Hotfix_DZ-18.104.22.168-1.sh (41xx and 9300 FTD hardware platform)
|6.2.0||Cisco_FTD_Hotfix_BN-22.214.171.124-3.sh (All FTD hardware platforms except 41xx and 9300)
Cisco_FTD_SSP_Hotfix_BN-126.96.36.199-3.sh (41xx and 9300 FTD hardware platform)
|6.2.1||Affected; migrate to 6.2.2 HotFix|
|6.2.2||Cisco_FTD_SSP_FP2K_Hotfix_AN-188.8.131.52-4.sh.REL.tar (21xx FTD hardware platform)
Cisco_FTD_SSP_Hotfix_AO-184.108.40.206-1.sh.REL.tar (41xx and 9300 FTD hardware platforms)
Cisco_FTD_Hotfix_AO-220.127.116.11-1.sh.REL.tar (All other FTD hardware platforms)