Cisco Security Appliances Targeted for DoS Attacks via Old Bug

Filed under Security Alerts.

A critical vulnerability fixed in mid-2018 has recently resurfaced in denial-of-service and information disclosure attempts against Cisco’s Adaptive Security Appliance (ASA) and Firepower products.

The company has issued a warning to its customers, urging them to follow its recommendations for proper mitigation.

DoS and sensitive info

Tracked as CVE-2018-0296, the vulnerability can be leveraged by an unauthenticated, remote attacker to cause the appliance to reload by simply sending it a crafted HTTP request.

An attacker can also exploit this bug to view sensitive system information without authentication. On affected devices, this is achievable through path traversal techniques.

The first exploitation attempts in the wild were registered immediately after Cisco disclosed the details of the bug and published patched software for the affected products. At the time, the attackers aimed at causing a DoS condition.

At the end of the workweek, though, exploitation attempts in the wild grew to a number sufficiently high for Cisco to advise ASA and Firepower customers to make sure that the devices run on a version of code that is not vulnerable to CVE-2018-0296.

The attacks have been going on for several weeks and have kept increasing in frequency, suggesting that enough vulnerable devices remain for the effort to be worthwhile.

Check for risk

Admins who want to determine whether the products they manage are vulnerable can start by running the following command:

show asp table socket | include SSL|DTLS

Potential for exploitation exists if listening SSL or DTLS sockets are shown. However, the vulnerable web framework process also needs to be running for the bug to be exploitable. Its status can be checked with this command:

show processes | include Unicorn

“The likelihood of a vulnerability existing is elevated” on devices that have this process running, writes Nick Biasini, threat researcher at Cisco Talos.

In this case, to determine if there is a risk, admins should check if the software version running on their devices is impacted by the bug. The information is available in the original advisory for the vulnerability.

The reason for making this check before deciding to update the code to a newer version is that the vulnerability is in the web framework of ASA/Firepower products, so not all appliances are affected.
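The two checks above can be applied to captured CLI output to triage a fleet of devices. The helper below is an added example, not part of the article or of Cisco's tooling; the sample output lines are constructed and only approximate the real `show` command layouts, and the fixed/unfixed version decision is passed in because the affected releases must be looked up in Cisco's advisory.

```python
import re

# Constructed sample CLI output. These lines only approximate the layout of
# the real "show asp table socket" and "show processes" output (an assumption
# of this example); substitute output captured from your own device.
SOCKET_OUTPUT = """\
Protocol  Socket    State      Local Address        Foreign Address
SSL       00052fa8  LISTEN     203.0.113.10:443     0.0.0.0:*
DTLS      00053130  LISTEN     203.0.113.10:443     0.0.0.0:*
TCP       00054a20  ESTAB      10.0.0.1:22          10.0.0.50:51022
"""
PROCESS_OUTPUT = ("Mwe 0x0000000000a1b2c3 0x00007f0000001000 0x00000000 2 "
                  "0x00007f0000002000 Unicorn Admin Handler\n")


def listening_webvpn_sockets(output):
    """Return (protocol, local address) for every SSL/DTLS socket in LISTEN state."""
    found = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] in ("SSL", "DTLS") and fields[2] == "LISTEN":
            found.append((fields[0], fields[3]))
    return found


def unicorn_running(output):
    """True if any process line names the Unicorn web-framework handler."""
    return any(re.search(r"\bUnicorn\b", line) for line in output.splitlines())


def assess(socket_output, process_output, version_is_fixed):
    """Apply the article's decision order: exposure, running process, then version.

    version_is_fixed is the admin's lookup result from Cisco's advisory for
    CVE-2018-0296; this example deliberately embeds no version list.
    """
    sockets = listening_webvpn_sockets(socket_output)
    if not sockets:
        return ("none", "no SSL/DTLS listening sockets; crafted requests cannot reach the web framework")
    if not unicorn_running(process_output):
        return ("low", "web service exposed but the Unicorn process is not running")
    if version_is_fixed:
        return ("low", "Unicorn running but the installed release is listed as fixed")
    return ("elevated", f"Unicorn running on {len(sockets)} listening socket(s) with an "
                        "unfixed release; patch or restrict access to the web service")


if __name__ == "__main__":
    print(assess(SOCKET_OUTPUT, PROCESS_OUTPUT, version_is_fixed=False))
```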

Biasini warns that despite not being a new vulnerability, it still poses a real risk for denial of service and unauthenticated information disclosure as attacks are increasing.

With holidays around the corner, companies have less staff on duty and adversaries are likely to take advantage.

“Customers should validate if they are vulnerable as soon as possible and plan the appropriate patching/mitigations strategies as necessary to minimize both risk and impact to the organization,” Biasini advises.


The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.