A critical vulnerability patched in mid-2018 has resurfaced recently in denial-of-service and information-disclosure attempts against Cisco Adaptive Security Appliance (ASA) and Firepower devices.
The company is issuing a warning to its customers urging them to follow recommendations for proper mitigation actions.
DoS and sensitive info
Tracked as CVE-2018-0296, the vulnerability can be leveraged by an unauthenticated, remote attacker to make the appliance reload, and thus deny service, simply by sending it a crafted HTTP request.
An attacker can also exploit this bug to view sensitive system information without authentication. On affected devices, this is achievable through path traversal techniques.
First exploit attempts in the wild were registered immediately after Cisco disclosed the details of the bug and published patched software for the products affected. At the time, the attackers aimed at causing a DoS condition.
At the end of the workweek, though, exploitation attempts in the wild grew to a number sufficiently high for Cisco to advise ASA and Firepower customers to make sure that the devices run on a version of code that is not vulnerable to CVE-2018-0296.
The attacks have been going on for several weeks and keep increasing in frequency, suggesting that enough vulnerable devices remain exposed to make the effort worthwhile.
Check for risk
Admins that want to determine if the products they manage are vulnerable can start by running the following command:
show asp table socket | include SSL|DTLS
If the command lists SSL or DTLS sockets in the LISTEN state, the device's web interface is reachable and exploitation is possible. The vulnerable process also needs to be running for things to get ugly, though, and its status can be checked with this command:
show processes | include Unicorn
“The likelihood of a vulnerability existing is elevated” on devices that have this process running, writes Nick Biasini, threat researcher at Cisco Talos.
If that process is running, admins should then check whether the software version on their devices is listed as affected in Cisco's original advisory for the vulnerability, which gives the first fixed release for each software train.
The reason for making these checks before updating the code is that the vulnerability sits in the web interface of the ASA/Firepower software, so only devices that expose that interface, with its SSL/DTLS listening sockets and web process, are actually at risk; not every appliance is affected.
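The three checks above (listening sockets, the Unicorn process, and the running version against the advisory's fixed release) lend themselves to a small triage script when many devices have to be reviewed. The following Python is an added example written for this page, not a Cisco or Talos tool: it takes the captured text of `show asp table socket`, `show processes` and `show version` and applies the checks. The sample command output is constructed to resemble ASA output, and the `FIRST_FIXED_EXAMPLE` table is a placeholder; the real first-fixed release for each train must be copied from Cisco's advisory.

```python
"""Triage helper for CVE-2018-0296 exposure on Cisco ASA/Firepower.

Added example, not vendor code. It emulates the Talos checks from the
article on captured 'show' output: SSL/DTLS listeners, the Unicorn web
process, and the running release versus the advisory's first fixed release.
"""
import re

# Matches both spellings of an ASA release: 'show version' prints 9.8(2)12,
# advisories print the same interim build as 9.8(2.12).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) or None if not found."""
    # Prefer the ASA software line so 'Device Manager Version' is not picked up.
    for line in text.splitlines():
        if "Adaptive Security Appliance Software Version" in line:
            text = line
            break
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, maint, interim_a, interim_b = m.groups()
    interim = interim_a or interim_b or "0"
    return (int(major), int(minor), int(maint), int(interim))


def ssl_dtls_listeners(asp_socket_output):
    """Emulate 'show asp table socket | include SSL|DTLS', keeping LISTEN rows."""
    rows = []
    for line in asp_socket_output.splitlines():
        if ("SSL" in line or "DTLS" in line) and "LISTEN" in line:
            rows.append(line.split())
    return rows


def unicorn_running(processes_output):
    """Emulate 'show processes | include Unicorn'."""
    return any("Unicorn" in line for line in processes_output.splitlines())


def assess(asp_socket_output, processes_output, version_output, first_fixed):
    """Combine the checks into one verdict string.

    first_fixed maps a train such as '9.8' to the first fixed release for
    that train as listed in the Cisco advisory; nothing is hardcoded here.
    """
    if not ssl_dtls_listeners(asp_socket_output):
        return "no SSL/DTLS listener: web interface not exposed"
    if not unicorn_running(processes_output):
        return "SSL/DTLS listener present but Unicorn process not running"
    running = parse_asa_version(version_output)
    if running is None:
        return "Unicorn running; version not parsed, check advisory manually"
    train = f"{running[0]}.{running[1]}"
    if train not in first_fixed:
        return f"Unicorn running on train {train} not in fixed table, check advisory"
    fixed = parse_asa_version(first_fixed[train])
    if running < fixed:
        return f"VULNERABLE: {train} train below first fixed release {first_fixed[train]}"
    return f"patched: running release is at or above {first_fixed[train]}"


# Constructed sample output, shaped like ASA output but not captured from a device.
SAMPLE_ASP_SOCKET = """\
Protocol  Socket    State      Local Address           Foreign Address
SSL       0004a1f8  LISTEN     10.0.0.1:443            0.0.0.0:*
DTLS      0004a2c0  LISTEN     10.0.0.1:443            0.0.0.0:*
TCP       0004a3d8  LISTEN     10.0.0.1:22             0.0.0.0:*
"""
SAMPLE_PROCESSES = """\
Mwe 0x0a1b2c3d 0x00000000 0x0 Logger
Mwe 0x0a1b2c5e 0x00000000 0x0 Unicorn Admin Handler
"""
SAMPLE_VERSION = "Cisco Adaptive Security Appliance Software Version 9.8(2)12\n"

# Placeholder for illustration only: take the real values from Cisco's advisory.
FIRST_FIXED_EXAMPLE = {"9.8": "9.8(2.14)"}

if __name__ == "__main__":
    print(assess(SAMPLE_ASP_SOCKET, SAMPLE_PROCESSES, SAMPLE_VERSION, FIRST_FIXED_EXAMPLE))
```

The version comparison deliberately works on a tuple of integers rather than the release string, because a lexical comparison of "9.8(2)12" against "9.8(2)9" would get the interim builds wrong.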
Biasini warns that despite not being a new vulnerability, it still poses a real risk for denial of service and unauthenticated information disclosure as attacks are increasing.
With holidays around the corner, companies have less staff on duty and adversaries are likely to take advantage.
“Customers should validate if they are vulnerable as soon as possible and plan the appropriate patching/mitigations strategies as necessary to minimize both risk and impact to the organization,” Biasini advises.