Cisco Adaptive Security Appliance 2.0

Advisory: CERT.be Advisory #2018-002
Version: 2.0
Reference: CVE-2018-0101
Impacted Software: Cisco Adaptive Security Appliance (ASA) Software
Type:
- Denial-of-Service (DoS)
- Remote code execution (Administrator/Root)

Original advisory

https://cert.be/docs/cisco-adaptive-security-appliance.html

Sources

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...
https://gist.github.com/fox-srt/09401dfdfc15652b22956b9cc59f71cb
https://blogs.cisco.com/security/cve-2018-0101

Summary

A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
The vulnerability is due to an attempt to free a region of memory a second time (a double free) when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple crafted XML packets to a webvpn-configured interface on the affected system.
After further investigation, Cisco identified additional attack vectors and features that are affected by this vulnerability. The original fix was also found to be incomplete, so new fixed code versions are now available. Check the fixed software section here:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...

Updated vulnerabilities list

In the following table, the left column lists the vulnerable Cisco ASA features. The right column indicates the vulnerable configuration from the CLI command show running-config, if it can be determined.

1 - ASDM is vulnerable only from an IP address in the configured http command range.
2 - Cisco Security Manager is vulnerable only from an IP address in the configured http command range.
3 - The MDM Proxy is first supported as of software release 9.3.1.
4 - The REST API is first supported as of software release 9.3.2. The REST API is vulnerable only from an IP address in the configured http command range.
5 - SAML SSO is first supported as of software release 9.6.
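
Notes 1, 2 and 4 limit exposure of ASDM, Cisco Security Manager and the REST API to source addresses inside the configured http command range. The following added example (not part of the original advisory or of Cisco's tooling) parses the IPv4 `http <address> <netmask> <interface>` lines from `show running-config` output and reports which interfaces accept a given source address; the sample configuration and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `show running-config` output, not taken from a real device.
SAMPLE_CONFIG = """\
hostname asa-lab
http server enable
http 192.0.2.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http authentication-certificate management
"""

# IPv4 form of the command: http <address> <netmask> <interface>
HTTP_RANGE = re.compile(r"^http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")


def http_ranges(config):
    """Return (server_enabled, [(network, interface), ...]) for the http commands."""
    enabled = False
    ranges = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("http server enable"):
            enabled = True
            continue
        m = HTTP_RANGE.match(line)
        if m:
            addr, mask, ifname = m.groups()
            try:
                ranges.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), ifname))
            except ValueError:
                continue  # malformed address or mask: ignore the line
    return enabled, ranges


def reachable_from(source_ip, config):
    """Interfaces on which source_ip falls inside a configured http range."""
    enabled, ranges = http_ranges(config)
    if not enabled:
        return []
    ip = ipaddress.ip_address(source_ip)
    return [ifname for net, ifname in ranges if ip in net]


def open_to_any(config):
    """Interfaces whose http range is 0.0.0.0 0.0.0.0, i.e. every IPv4 source."""
    enabled, ranges = http_ranges(config)
    return [ifname for net, ifname in ranges if enabled and net.prefixlen == 0]
```

An interface returned by `open_to_any` means the management features in notes 1, 2 and 4 are reachable from any IPv4 source on that interface, so those devices are the first to patch or restrict.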