On January 29th, 2018 Cisco made public a security vulnerability disclosure for the ASA and Firepower security appliances. This is a pretty severe vulnerability. This blog provides some basic information about the vulnerability and details on how to determine if your environment is at risk.
What is the vulnerability?
In short, it potentially allows a remote attacker to execute arbitrary code on an ASA and/or create a denial of service (DoS) condition by rebooting the firewall at their whim. It requires an attacker to send a series of crafted XML packets to the firewall, but the attacker does not need to know any authentication credentials for the firewall to be able to run the attack. Also, if the affected feature, AnyConnect VPN, is configured the attacker can’t easily be blocked from executing the attack.
How severe is it?
The vulnerability is pervasive in ASA code, affecting basically any release that is more than a few days to a few weeks old. It affects AnyConnect VPN, a very common feature that many customers rely on. Additionally, this vulnerability allows a remote, unauthenticated attacker to take complete control of and/or run arbitrary software code on the firewall. This combination of elements makes this a pretty severe threat. Cisco has rated this as a 10 on the CVSS scale, which is the maximum severity rating for a security vulnerability, industry-wide.
Is this attack in the wild yet?
It doesn’t appear to be. This disclosure was done based on the normal responsible disclosure process. The researcher who identified the vulnerability informed Cisco some time ago, and Cisco has created and published fixed software releases. On February 2 (that’s this Friday!), the researcher will present his findings at an information security conference in Europe. After that presentation, enough detail will be available that attacks in the wild will likely be possible. This gives administrators a couple of days to patch their systems if they are behind on software. If you act now, you should be able to close this exposure before it is likely to hit you.
Am I at risk?
There are two factors that determine if your firewalls are at risk:
1) If you are running software versions prior to the versions named in the “First Fixed Release” column of the table below.
To find your software version, you can SSH to your firewall and run the “show version | include Version” command as shown in the example below:
ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.2(1)
The firewall in the above example would be vulnerable.
Alternately, you can log into the ASDM GUI and look in the upper-left pane of the Device Dashboard Home tab. You’ll see your device version like this:
In the example shown above, this firewall is running 9.6(4), which is not vulnerable.
If you are running the Firepower Threat Defense (FTD) software on your ASA or Firepower appliance, this table shows the version info.
You can check the version by running the “show version” command:
> show version
---------------------[ ftd ]---------------------
Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)
UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
Rules update version : 2017-03-15-001-vrt
VDB version : 279
2) If you are running an affected software version (as described above), and the Cisco AnyConnect SSLVPN is configured, then you are vulnerable. To determine if AnyConnect is configured, you can run the “show run webvpn” command from the command line.
This is an example of a firewall that does not have AnyConnect enabled, and thus is not vulnerable:
FW-5512-1# show run webvpn
This is an example of a firewall that does have AnyConnect enabled, and thus is vulnerable:
PA-FW-5512-1# show run webvpn
anyconnect image disk0:/anyconnect-win-4.3.02039-k9.pkg 1 regex "Windows NT"
If any output is shown under the “webvpn” configuration stanza, AnyConnect is configured and the firewall is exposed if running a vulnerable version of software.
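As an added example (not from the original post, and not a Cisco tool), this Python script applies the two checks above to saved CLI output: it parses the ASA version out of the show version line, compares it with the first fixed release for that code train that you supply from Cisco’s table (the dictionary value below is a placeholder, not one of Cisco’s real figures), and treats any output under show run webvpn as AnyConnect being configured. The FTD “Version 6.2.2 (Build 362)” format is deliberately not parsed and reports as unknown.

```python
import re

# Constructed sample output in the shape of the CLI output quoted on the page.
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.2(1)\n"
SAMPLE_WEBVPN_ENABLED = (
    'anyconnect image disk0:/anyconnect-win-4.3.02039-k9.pkg 1 regex "Windows NT"\n'
)
SAMPLE_WEBVPN_DISABLED = ""  # "show run webvpn" printed nothing

# PLACEHOLDER, not Cisco's figures: first fixed release per code train
# ("major.minor"). Fill this from the "First Fixed Release" column of the
# advisory table before relying on the result.
FIRST_FIXED_PLACEHOLDER = {"9.2": "9.2(99)"}

# ASA versions look like 9.2(1) or 9.1(7)23 (interim build after the parenthesis).
_ASA_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d+)?")


def parse_version(text):
    """Return (major, minor, maintenance, interim) for the first ASA version in text."""
    m = _ASA_VERSION_RE.search(text)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def anyconnect_configured(show_run_webvpn_output):
    """The page's rule: any non-blank line under the webvpn stanza means configured."""
    return any(line.strip() for line in show_run_webvpn_output.splitlines())


def assess(show_version_output, show_run_webvpn_output, first_fixed):
    """Combine the version check and the webvpn check into one verdict string."""
    running = parse_version(show_version_output)
    if running is None:
        return "unknown: could not parse an ASA version"
    train = f"{running[0]}.{running[1]}"
    if train not in first_fixed:
        return f"unknown: no first-fixed release listed for train {train}"
    if running >= parse_version(first_fixed[train]):
        return "not vulnerable: running a fixed release"
    if not anyconnect_configured(show_run_webvpn_output):
        return "affected version but webvpn not configured: not exposed, still upgrade"
    return "VULNERABLE: affected version with AnyConnect (webvpn) configured"


if __name__ == "__main__":
    for webvpn in (SAMPLE_WEBVPN_ENABLED, SAMPLE_WEBVPN_DISABLED):
        print(assess(SAMPLE_SHOW_VERSION, webvpn, FIRST_FIXED_PLACEHOLDER))
```

Paste the real first-fixed values into the dictionary and feed it the two command outputs captured from each firewall to get a per-device verdict.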
How can I mitigate this vulnerability?
The best way to mitigate this vulnerability is to upgrade your ASA software (or patch your FTD software) to a fixed version. ASA code upgrades are straightforward as long as you are already on a code train that has a fixed release. If you are running a very old ASA version (like 8.x or 9.0), some analysis to determine the impact of an upgrade may be necessary, and H.A. can assist with that.
If you are running FTD, you can apply the hotfix patches listed in the FTD software table above.
Alternately, if your firewall is vulnerable and has AnyConnect (the “webvpn” command) configured, but you are absolutely sure you are not using AnyConnect VPN, you can simply disable AnyConnect by entering the “no webvpn” configuration command from configuration mode. This is only an option if you are not using AnyConnect VPN (either client-based or clientless) on your firewall. If you rely on AnyConnect VPN for your business functions and you execute the “no webvpn” command, you will probably have a bad day. If you’re unsure, please let me know and we can have an H.A. engineer help assess your situation.
There are no other known workarounds to secure a vulnerable software release that is running the AnyConnect feature.
Where can I find more information?
Here is the link to Cisco’s public PSIRT alert:
Here is the link to Cisco’s BugDB report (you need a Cisco login to view this):
This is a link to the upcoming researcher’s presentation session disclosing the hack:
Need more assistance? Reach out to your H.A. account manager or email@example.com to schedule a potentially necessary ASA/Firepower upgrade.