Cisco: Patch now, attackers are exploiting ASA DoS flaw to take down security

Apply our security fix to your Cisco Adaptive Security Appliance devices now, Cisco warns.
Written by Liam Tung, Contributing Writer

Cisco patches critical Smart Install flaw: 8.5 million devices affected.

After observing attacks on customers, Cisco is telling users to install the fix for a recently disclosed denial-of-service flaw affecting a number of its security appliances.

The flaw, tracked as CVE-2018-0296, was detailed in an advisory on June 6 and affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software.

Vulnerable products include 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, and FTD Virtual (FTDv).

"Cisco strongly recommends that customers upgrade to a fixed software release to remediate this issue," Omar Santos of Cisco's Product Security Incident Response Team warned on June 22.

The attacks follow the publication of proof-of-concept exploits for the flaw. Santos notes that a unauthenticated, remote attacker could cause a device to reload unexpectedly and cause a denial-of-service (DoS) condition.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Additionally, an exploit could cause a DoS or unauthenticated disclosure of information. However, Santos said: "Only a denial-of-service condition (device reload) has been observed by Cisco."

Cisco has also updated the advisory for CVE-2018-0296 with details about the attacks.

The researcher who found the flaw, Michał Bentkowski from Polish security firm Securitum, gave a brief description of the root cause in a tweet shortly after Cisco disclosed the bug.

In a blog in Polish, he describes how to use the flaw to reveal a catalog of sessions from Cisco's SSL VPN service login web interface. This catalog can reveal the IDs of logged-in users, which may help an attacker determine whose password to break.

Bentkowsky reported the issue to Cisco as a way to use directory-traversal techniques to disclose information to an unauthenticated attacker.

Cisco labeled its primary impact as a DoS condition, but said it is possible that on certain releases of ASA a device reload would not occur, yet still allow an attacker to use directory-traversal techniques to view sensitive system information.

Bleeping Computer identified two proof-of-concept exploits for CVE-2018-0296 on GitHub. One attempts to extract user names from Cisco ASA. The other states: "If the web server is vulnerable, the script will dump in a text file both the content of the current directory, files in +CSCOE+ and active sessions."

Previous and related coverage

Cisco patches critical Nexus flaws: Are your switches vulnerable?

You'll need to wade through Cisco's advisories to work out if software you're running is vulnerable or already fixed.

Cisco critical flaw warning: These 10/10 severity bugs need patching now

Cisco's software for managing software-defined networks has three critical, remotely exploitable vulnerabilities.

Cisco security: Russia, Iran switches hit by attackers who leave US flag on screens

Hackers use Cisco gear to send Russia a message not to mess with US elections.

Cisco's warning: Watch out for government hackers targeting your network

Cisco urges Smart Install client users to patch and securely configure the software.

Cisco critical flaw: At least 8.5 million switches open to attack, so patch now

Cisco patches a severe flaw in switch deployment software that can be attacked with crafted messages sent to a port that's open by default.

Cisco switch flaw led to attacks on critical infrastructure in several countries (TechRepublic)

The attack targets the Cisco Smart Install Client, and as many as 168,000 systems could be vulnerable.

Adobe Acrobat vulnerability can compromise you with just a click (CNET)

Pro tip: Never click on a PDF from an unknown source.

Editorial standards