Cisco noticed a steep rise in the exploitation attempts of a critical vulnerability in Cisco Adaptive Security Appliance (ASA) and Firepower Appliance. Cisco ASA is a family of security devices which is known to have a million deployments around the world. CVE-2018-0296 is a denial of service vulnerability which has been abused by attackers a number of times and continues to be.
Cisco published the advisory for CVE-2018-0296 in June 2018, which was soon followed by multiple attempts of exploitation in June 2018, March and September 2019. Proofs-of-concept were also released online.
A critical vulnerability exists in Cisco Adaptive Security Appliance (ASA) due to an improper input validation of the HTTP URL. This vulnerability, which is applicable to both IPv4 and IPv6 HTTP traffic, can be exploited by an attacker who sends crafted HTTP requests to an affected device to reload the device unexpectedly and cause denial of service. A failed attempt at DoS, would still allow an attacker to view sensitive information through directory traversal.
Cisco has pointed that a Snort signature is available which can detect the attack.
How to determine if you are vulnerable?
Step1: Run the command 1 given below to check for any listening sockets. If they exist, your device is susceptible to attack.
show asp table socket | include SSL|DTLS
Step2: Run the command 2 given below to check for running processes. If the process is running on your machine, confirm that the version of code running on your device is not listed under affected versions in the advisory.
show processes | include Unicorn
Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software running on :
- 3000 Series Industrial Security Appliance (ISA)
- ASA 1000V Cloud Firewall
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4100 Series Security Appliance
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)
Successful exploitation allows an attacker to cause the affected device to reload leading to denial of service condition. The ASA does not reload on certain software releases, in which case an attacker could use techniques of directory traversal to disclose sensitive information.
Cisco has released security updates to mitigate the vulnerability. We recommend that these updates be installed on affected devices immediately.