Cisco Confirms Critical Firewall Software Bug Is Under Attack


Cisco has issued patches for the vulnerability, which could be up to seven years old.

Attackers are trying to exploit a critical vulnerability in Cisco’s Adaptive Security Appliance firewall software, the company has confirmed.

On Feb. 7, Cisco updated its advisory for the vulnerability, which was first disclosed on Jan. 29 and is tracked as CVE-2018-0101. “The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory,” the update states. “Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory.”

The vulnerability received a Common Vulnerability Scoring System base score of 10.0, the highest possible. It was first discovered by Cedric Halbronn, a researcher with NCC Group.

A successful attacker would gain administrative privileges on the device and remote access to the network behind it, and would be able to view all traffic passing through the firewall, according to NCC. Meanwhile, “targeting the vulnerability without a specially-crafted exploit would cause the firewall to crash and would potentially disrupt the connectivity to the network,” the company said.

The vulnerability could be up to seven years old, according to a detailed presentation [PDF] Halbronn gave this week at the REcon conference in Brussels.

Users posted proof-of-concept code to Pastebin, with the title “Cisco ASA CVE-2018-0101 Crash PoC.” It wasn’t immediately clear whether the attacks referenced by Cisco employed the code.

Cisco issued a patch for the vulnerability, but days later revised the advisory after identifying additional attack vectors and additional affected features.

The vulnerability lies in the XML parser used by ASA’s webvpn (SSL VPN) feature. An attacker who can reach an interface on which webvpn is enabled can exploit it by sending specially crafted XML packets, allowing them to “execute arbitrary code and obtain full control of the system, cause a reload of the affected device or stop processing of incoming VPN authentication requests,” according to Cisco’s security advisory.
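One triage check a practitioner will want, since exposure depends on the webvpn feature being enabled: the following Python script is an added example, not code from the original article and not a Cisco tool. It scans a saved ASA running-config for a `webvpn` block containing `enable <interface>` sub-commands and reports the `ASA Version` string alongside the interfaces found. The sample configuration is constructed for illustration, and the parser assumes the standard one-space indentation of ASA sub-commands. Because Cisco’s revised advisory lists further affected features beyond webvpn, an empty result from this check does not by itself prove a device is unaffected.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a saved ASA running-config (not captured from a real device).
SAMPLE_CONFIG = """\
ASA Version 9.8(2)
!
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
!
crypto ikev2 enable outside client-services port 443
"""

# Second constructed sample: a webvpn block exists but is not enabled on any interface.
SAMPLE_CONFIG_NO_WEBVPN = """\
ASA Version 9.8(2)
!
hostname lab-fw
webvpn
 anyconnect enable
!
"""


def webvpn_interfaces(config: str) -> List[str]:
    """Return the interface names (nameif values) on which webvpn is enabled.

    ASA sub-commands are indented by one space under their parent command, so a
    line with no leading whitespace starts a new top-level block and ends any
    webvpn block we were inside.
    """
    enabled: List[str] = []
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level command (or a "!" separator): track whether we entered "webvpn".
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn:
            # Only the bare "enable <nameif>" form counts; "anyconnect enable" etc. do not.
            m = re.match(r"\s+enable\s+(\S+)\s*$", line)
            if m:
                enabled.append(m.group(1))
    return enabled


def asa_version(config: str) -> Optional[str]:
    """Return the version string from the 'ASA Version X' line, if present."""
    m = re.search(r"^ASA Version (\S+)", config, re.MULTILINE)
    return m.group(1) if m else None


def exposure_summary(config: str) -> Dict[str, object]:
    """Summarise what an operator needs to compare against Cisco's advisory."""
    ifaces = webvpn_interfaces(config)
    return {
        "version": asa_version(config),
        "webvpn_interfaces": ifaces,
        "webvpn_enabled": bool(ifaces),
    }


if __name__ == "__main__":
    for name, cfg in (("edge-fw", SAMPLE_CONFIG), ("lab-fw", SAMPLE_CONFIG_NO_WEBVPN)):
        print(name, exposure_summary(cfg))
```

Run it against `show running-config` output saved to a file (replace the constructed samples with the file contents); any interface listed under `webvpn_interfaces` is one on which the vulnerable parser is reachable, and the reported version is what you compare against the fixed releases in Cisco’s advisory.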

Affected products include the 3000 Series Industrial Security Appliance, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, the Adaptive Security Virtual Appliance, a range of Firepower security appliances and Firepower Threat Defense Software.
