What’s the risk?
An unauthenticated Remote Code Execution/Denial of Service vulnerability has been identified as affecting the WebVPN component of various Cisco ASA services. This vulnerability presents a significant risk to an organisation’s Confidentiality, Integrity and Availability as it may allow an external attacker to remotely compromise an organisation’s VPN gateway.
How might you be exposed?
WebVPN is the vulnerable component at the core of CVE-2018-0101. If you do not use this service on your Cisco ASA, you are not vulnerable. For an ASA to be vulnerable, either IKEv2 remote access must be enabled, or one of the SSL-based services listed below must be in use.
The following ASA features may be configured on your device. If you currently use any of them, it is strongly recommended that you confirm their configuration and apply the latest patch available for the device:
- Adaptive Security Device Manager (ASDM)
- AnyConnect IKEv2 Remote Access (with client services)
- AnyConnect IKEv2 Remote Access (without client services)
- AnyConnect SSL VPN
- Cisco Security Manager
- Clientless SSL VPN
- Cut-Through Proxy (Not vulnerable unless used in conjunction with other vulnerable features on the same port)
- Local Certificate Authority (CA)
- Mobile Device Manager (MDM) Proxy
- Mobile User Security (MUS)
- Proxy Bypass
- REST API
- Security Assertion Markup Language (SAML) Single Sign-On (SSO)
For more information relating to vulnerable configurations of the software listed above, please refer to the Cisco security advisory: cisco-sa-20180129-asa1 (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1)
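As an added example (not part of the CQR advisory or Cisco's tooling), the following Python script flattens a constructed ASA running-config excerpt and flags which of the features listed above appear in it. The mapping from feature name to configuration keyword is this example's assumption; confirm it against the Cisco advisory for your release before relying on it.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
hostname asa-edge
http server enable
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
group-policy GroupPolicy_vpn attributes
 vpn-tunnel-protocol ikev2 ssl-client
"""

# Assumed marker per advisory feature: "parent/child" paths for sub-commands
# (ASA indents sub-commands with one space). Verify against your own config.
FEATURE_MARKERS = {
    "Adaptive Security Device Manager (ASDM)": re.compile(r"^http server enable$"),
    "AnyConnect IKEv2 Remote Access (with client services)": re.compile(r"^crypto ikev2 enable \S+ client-services"),
    "AnyConnect IKEv2 Remote Access (without client services)": re.compile(r"^crypto ikev2 enable \S+$"),
    "AnyConnect SSL VPN": re.compile(r"^webvpn/anyconnect enable$"),
    "Clientless SSL VPN": re.compile(r"^webvpn/enable \S+$"),
    "Local Certificate Authority (CA)": re.compile(r"^crypto ca server$"),
    "REST API": re.compile(r"^rest-api agent$"),
    "SAML Single Sign-On (SSO)": re.compile(r"^webvpn/saml idp "),
}

def flatten(config: str) -> List[str]:
    """Turn one-space-indented sub-commands into 'parent/child' path strings."""
    paths, parent = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and comments
        if raw.startswith(" ") and parent is not None:
            paths.append(f"{parent}/{raw.strip()}")
        else:
            parent = raw.strip()
            paths.append(parent)
    return paths

def exposed_features(config: str) -> Dict[str, List[str]]:
    """Map each listed feature found in the config to the lines that triggered it."""
    found: Dict[str, List[str]] = {}
    for path in flatten(config):
        for feature, pattern in FEATURE_MARKERS.items():
            if pattern.search(path):
                found.setdefault(feature, []).append(path)
    return found

if __name__ == "__main__":
    for feature, lines in exposed_features(SAMPLE_CONFIG).items():
        print(f"{feature}: {', '.join(lines)}")
```

Cut-Through Proxy is deliberately not in the marker table, since the advisory only counts it when it shares a port with another vulnerable feature.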
What can you do to minimise your exposure?
- Upgrade affected devices to the latest version in the respective software stream. Application of the patch will require a reboot of the device. Depending on your architecture, downtime may impact the availability of various services.
- Several ASA major releases will require migration to a later software stream, including:
  - 8.x and 9.0 are unsupported and will require migration to 184.108.40.206;
  - 9.3 will require migration to 220.127.116.11; and
  - 9.5 will require migration to 18.104.22.168.
If it is not possible to immediately patch your WebVPN-enabled device to an unaffected version, it is recommended that you disable the service until an appropriate patch can be applied.
If the above information raises any concerns within your organisation or you would like to discuss any of the issues with a consultant from CQR, please call 1300 277 001 or email enquiries@localhost
CQR is a wholly Australian-owned provider of independent Cyber and Information Security Consulting Services, delivering these services both nationally and globally. Founded by information security professionals who previously worked for multinational corporations, we have experienced strong and consistent growth and now operate globally from offices in Adelaide, Melbourne, Sydney, Brisbane, Oxford (UK) and New York (US).
As a committed and passionate company CQR has the world-class information security expertise to ensure business risks are identified and managed. This allows you to leverage your investments in information and technology to their full potential, whilst simultaneously maintaining and growing a secure information network. We pride ourselves on being bilingual in the languages of business and technology, enabling us to deliver specialist services from a business focused point of view.
By being 100% independent, we can genuinely call ourselves a trusted adviser.