Chief Technology Officer/CISO
On January 29th, Cisco published a critical CVE affecting its Adaptive Security Appliance (ASA) line of Next-Generation Firewalls.
The vulnerability exists within the XML parser of the ASA Software. Upon initial disclosure, Cisco had not seen attacks in the wild utilizing this vulnerability. However, within the past week sources have indicated that attackers weaponized this vulnerability to some degree.
Researchers detected attackers using the vulnerability to DDoS honeypot systems.
An attacker could exploit this vulnerability by sending a malicious XML packet to a vulnerable interface on an affected system. The flaw is due to an issue with allocating and freeing memory when processing the malicious payload.
The resulting memory mishandling could allow an attacker to execute arbitrary code and obtain full control of the system, cause a reload of the affected device, or stop the processing of incoming VPN authentication requests.
This disclosure is another troubling example of vulnerability discovery on widely deployed enterprise security solutions.
We have yet to see any sophisticated attacks exploiting the disclosed vulnerability. However, we advise clients running any of the following vulnerable platforms to take immediate action and patch their software:
3000 Series Industrial Security Appliance (ISA)
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
ASA 1000V Cloud Firewall
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4110 Security Appliance
Firepower 4120 Security Appliance
Firepower 4140 Security Appliance
Firepower 4150 Security Appliance
Firepower 9300 ASA Security Module
Firepower Threat Defense Software (FTD)
To be vulnerable, the ASA must have Secure Sockets Layer (SSL) services or IKEv2 Remote Access VPN services enabled on an interface. The risk of the vulnerability being exploited also depends on how accessible that interface is to the attacker.
Below is a three-step recommendation to address this vulnerability in your environment:
1. Review the CVE: A link to the advisory from Cisco is below. Please review it carefully for guidance on how to determine if your ASA platform is vulnerable.
2. Determine if systems are vulnerable: Review the technical guidance of the Cisco advisory and use the suggested CLI commands to verify vulnerable systems in your network architecture.
3. Patch vulnerable systems: Apply the recommended patch/appliance operating system to mitigate the threat to your systems.
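For step 2 across a fleet, the exposure condition above (SSL services or IKEv2 enabled on an interface) can be checked offline against saved CLI output. The script below is an added example, not Cisco's tooling or part of the original advisory; it assumes you have saved the output of the ASA commands `show asp table socket` and `show running-config` as text. The sample output, its column layout and the function names are constructed for illustration.

```python
import re

# Constructed sample of saved CLI output from one appliance (not real device data).
SAMPLE_SOCKETS = """\
Protocol  Socket    State      Local Address        Foreign Address
SSL       00185038  LISTEN     172.16.0.250:443     0.0.0.0:*
TCP       00192a10  LISTEN     10.0.0.250:22        0.0.0.0:*
DTLS      0018f7a8  LISTEN     10.0.0.250:443       0.0.0.0:*
"""
SAMPLE_CONFIG = """\
hostname edge-fw-01
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
"""

# An SSL or DTLS socket in LISTEN state means SSL services are bound to an interface.
SOCKET_RE = re.compile(
    r"^(SSL|DTLS)[ \t]+\S+[ \t]+LISTEN[ \t]+(\S+):(\d+)[ \t]", re.M)
# 'crypto ikev2 enable <interface>' turns on IKEv2 for that interface.
IKEV2_RE = re.compile(r"^crypto ikev2 enable (\S+)", re.M)


def ssl_listeners(socket_output):
    """Return (protocol, address, port) for each SSL/DTLS listening socket."""
    return [(proto, addr, int(port))
            for proto, addr, port in SOCKET_RE.findall(socket_output)]


def ikev2_interfaces(running_config):
    """Return the interface names on which IKEv2 is enabled."""
    return IKEV2_RE.findall(running_config)


def triage(socket_output, running_config):
    """Summarise whether the exposure precondition is met on this device."""
    listeners = ssl_listeners(socket_output)
    ikev2 = ikev2_interfaces(running_config)
    return {
        "ssl_listeners": listeners,
        "ikev2_interfaces": ikev2,
        # Exposure only; the software version must still be checked.
        "exposed": bool(listeners or ikev2),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SOCKETS, SAMPLE_CONFIG))
```

A device reported as exposed still needs its running software version compared against the fixed releases listed in the Cisco advisory, which remains the authoritative source for the verification commands.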