Why do I need to worry about my Cisco ASA? Firewalls are bulletproof right?

Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

Well, it seems that security researchers have again proven that you cannot rely on a single piece of security equipment alone to provide sufficient defence in today's complex threat landscape. In August 2016 a previous Cisco vulnerability affecting all of its ASA-branded software [1] was leaked during the dump of the NSA toolset onto the internet.

The previous ASA exploit required SNMP access with a known community string (if you use ‘public’ you should stop doing so now); however, many system administrators simply leave SNMP wide open to their whole internal network. That would still make it reasonably trivial for a crafted piece of malware to be emailed to an internal user who could be persuaded to unwittingly aid in such an attack. The new exploit requires none of these prerequisites, and does not even need a valid username or password.

This latest Cisco vulnerability is much more dangerous, and easier to exploit to boot, as it attacks a setup that is far more common: having the SSL VPN service available to the internet. The exploit sends specially crafted XML packets to the webvpn service, which can reboot an ASA, cause a Denial of Service, and deliver that top-level prize: Remote Code Execution. If you are unable to update, there is no mitigation for this vulnerability other than disabling the SSL VPN features entirely.
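The two posture questions the paragraphs above raise (is the webvpn service listening on an untrusted interface, and is SNMP still using a well-known community string?) can be answered from a saved `show running-config`. The audit below is an added example written for this post; it is not Corsaire's code nor a Cisco tool. It assumes the ASA configuration syntax for `interface`/`nameif`/`security-level`, `webvpn`/`enable <nameif>`, `snmp-server community` and `snmp-server host`, and the two configs it reads are constructed samples, not captures from a real device.

```python
import re

# Constructed sample: SSL VPN enabled on the internet-facing interface and
# the default 'public' community still in use. Syntax follows the ASA CLI
# (an assumption for this example, not text from the post).
EXPOSED_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
snmp-server community public
snmp-server host inside 10.0.0.25 community public version 2c
webvpn
 enable outside
 anyconnect enable
"""

# Constructed sample after applying the post's mitigation: webvpn removed
# entirely and the community string replaced with a non-default value.
HARDENED_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
snmp-server host inside 10.0.0.25 community Xk9-ro-example version 2c
"""

# Community strings that ship as defaults in many SNMP deployments.
WEAK_COMMUNITIES = {"public", "private"}


def parse_asa_config(config: str) -> dict:
    """Extract interface security levels, SNMP communities/hosts and the
    interfaces on which the webvpn (SSL VPN) service is enabled."""
    security_levels = {}      # nameif -> security-level
    communities = set()
    snmp_hosts = []           # (interface, host) pairs
    webvpn_interfaces = []
    block = None              # current top-level block: 'interface', 'webvpn' or None
    current_nameif = None

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Top-level command: closes any sub-command block.
            block = None
            if line.startswith("interface "):
                block, current_nameif = "interface", None
            elif line == "webvpn":
                block = "webvpn"
            elif line.startswith("snmp-server community "):
                communities.add(line.split()[2])
            elif line.startswith("snmp-server host "):
                parts = line.split()
                snmp_hosts.append((parts[2], parts[3]))
                m = re.search(r"\bcommunity\s+(\S+)", line)
                if m:
                    communities.add(m.group(1))
            continue
        sub = line.strip()
        if block == "interface":
            if sub.startswith("nameif "):
                current_nameif = sub.split()[1]
                security_levels.setdefault(current_nameif, None)
            elif sub.startswith("security-level ") and current_nameif:
                security_levels[current_nameif] = int(sub.split()[1])
        elif block == "webvpn" and sub.startswith("enable "):
            webvpn_interfaces.append(sub.split()[1])

    return {
        "security_levels": security_levels,
        "communities": communities,
        "snmp_hosts": snmp_hosts,
        "webvpn_interfaces": webvpn_interfaces,
    }


def audit_asa_config(config: str) -> list:
    """Return human-readable findings: webvpn on a security-level-0
    (untrusted) interface, and any well-known default SNMP community."""
    parsed = parse_asa_config(config)
    untrusted = {n for n, lvl in parsed["security_levels"].items() if lvl == 0}
    findings = []
    for iface in parsed["webvpn_interfaces"]:
        if iface in untrusted:
            findings.append(
                f"webvpn (SSL VPN) is enabled on untrusted interface '{iface}': "
                "patch the ASA or disable the SSL VPN features")
    for community in sorted(parsed["communities"]):
        if community.lower() in WEAK_COMMUNITIES:
            findings.append(
                f"SNMP community '{community}' is a well-known default: change it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_asa_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against a saved `show running-config` (`python3 asa_audit.py < running.cfg` after swapping the embedded sample for `sys.stdin.read()`) as part of the audit the post calls for; a clean result does not prove the ASA is patched, it only tells you whether the vulnerable service is reachable from an untrusted side and whether SNMP is still wide open.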

Obviously, many organisations have needed to support remote workers or collaborate with partners for many years now, and the growing demand for interconnectivity between organisations necessitates services such as this. Firewalls, networking equipment, security products, and other non-server devices are all programmable and essentially computers in their own right, yet they are all too often overlooked during patching cycles and internal security audits. IT managers need to look at all the equipment in their racks underpinning their infrastructure, to ensure that they are not leaving welcome signs for attackers. Do not let your equipment fall out of scope; update now.

For more information on this vulnerability, and to check whether your ASA may be vulnerable, please see the Cisco advisory.

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp

Posted on Jan 30th, 2018 - Written by Barry @ Corsaire - Category: Industry News