Cisco: Severe bug in our security appliances is now under attack

A proof-of-concept exploit for Cisco's 10-out-of-10 severity bug surfaces days after researcher details his attack.
Written by Liam Tung, Contributing Writer


Cisco's Adaptive Security Appliance (ASA) flaw, rated CVSS 10, is now being exploited in attacks.

Cisco has updated its advisory for vulnerability CVE-2018-0101 for the second time since warning customers of the critical flaw on January 29. The bug affects its ASA and Firepower security appliances.

The networking giant now says it is "aware of attempted malicious use of the vulnerability described in this advisory".

Cisco's initial advisory was published just days before the NCC Group researcher who reported the bug was scheduled to explain in detail how to attack the vulnerability at the Recon conference in Brussels.

Using crafted XML, the attack exploited a seven-year-old bug in the Cisco XML parser to gain remote code execution.

While the 10 out of 10 CVSS score already suggested admins needed to patch the bug urgently, the prospect of a detailed public explanation of it made patching even more pressing for customers.

On Monday, two days after the researcher published a 120-page explanation of his attack, other researchers posted a proof-of-concept exploit that basically followed the researcher's presentation. Fortunately, the proof of concept only causes a crash but, nonetheless, may offer the building blocks for others to develop a more serious attack.


Cisco actually released fixes for the bug in some versions of ASA two months before its advisory, so some customers would have been protected without knowing it.

However, earlier this week Cisco updated its original advisory warning customers that it had found more attack vectors that weren't identified by NCC Group and urged customers to update to new versions of its affected products.

Cisco has since also revealed there were many more vulnerable Cisco ASA features than previously known.

The company has provided a table explaining the vulnerable configurations for features including Adaptive Security Device Manager, AnyConnect IKEv2 Remote Access, AnyConnect IKEv2 Remote Access, AnyConnect SSL VPN, Cisco Security Manager, Clientless SSL VPN, Cut-Through Proxy, Local Certificate Authority, Mobile Device Manager Proxy, Mobile User Security Proxy Bypass, REST API, and Security Assertion Markup Language Single Sign-On.


In addition to products already known to be vulnerable, Cisco said its Firepower 4120 Security Appliance, Firepower 4140 Security Appliance, Firepower 4150 Security Appliance, and FTD Virtual are also vulnerable.
