
Cisco Security Advisory Cisco ASA RCE and DoS Vulnerability - jgrahamc
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
======
peterwwillis
Cisco left AnyConnect open on the external interface by default. This guy
found an RCE on it with a fuzzer. Jesus.
[https://recon.cx/2018/brussels/talks/cisco.html](https://recon.cx/2018/brussels/talks/cisco.html)
This was announced a month and a half ago, fwiw

Fun stuff: [https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/cisco-asa-series-part-one-intro-to-the-cisco-asa/](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/cisco-asa-series-part-one-intro-to-the-cisco-asa/)
[https://github.com/nccgroup/asatools](https://github.com/nccgroup/asatools)

~~~
dogma1138
AnyConnect is on by default because the ASA is used for VPN in 99.99% of the
cases; it's effectively Cisco's VPN appliance more than anything else.

------
fulafel
What's the reason to use these boxes? "Nobody ever got fired for buying IBM"?
It seems that vulnerabilities are much more common than in the platform VPN
(ipsec/ssh/openvpn etc) implementations shipping in server operating systems,
why not just terminate at a server box?

My favourite recent one was the slapstick Fortinet one,
[https://blog.cryptographyengineering.com/2017/10/23/attack-of-the-week-duhk/](https://blog.cryptographyengineering.com/2017/10/23/attack-of-the-week-duhk/)

(Same goes for terminating TLS at load balancers)

~~~
jfindley
For businesses without very strong tech teams but with a need for lots of VPN
accounts, cisco webvpn has long been popular, as it does all the things well
that the things you mentioned don't:

It has good stories around user management and access control. There are
literally millions of people able to configure it well enough to work. It has
an excellent reputation for stability and security among its client base
(which is not the same as actually _being_ very secure, mind). It has good
(albeit expensive) commercial support. It works well with most desktop and
mobile OSes. It's easy for non-technical users to use it. Etc, etc.

------
jlgaddis
CVSS scores range from 0.0 to 10.0 so this one, at 10.0, is "as bad as it
gets".

The advisory says:

> _The Cisco Product Security Incident Response Team (PSIRT) is aware of
> public knowledge of the vulnerability that is described in this advisory.
> Cisco PSIRT is not aware of any malicious use of the vulnerability described
> in this advisory._

... though I'm guessing that will change in the very near future.

Time to go reconfigure and/or update some firewalls...

~~~
tptacek
CVSS scores are like Ouija boards; you can make them say whatever you want
them to say. I wouldn't take them too seriously.

That's not to say that this isn't a severe vulnerability, but rather that
plenty of vulnerabilities that don't get a "10.0" are just as bad.

The pragmatic, conservative way to look at these kinds of announcements is:

* Assume any vulnerability that refers to memory corruption (really, "memory" of any sort not qualified by "reading", which is itself a pretty bad vulnerability) is remote code execution.

* Assume potential remote code execution is remote code execution.

* Assume remote code execution or denial of service is remote code execution.

* If the announcement doesn't clearly indicate that the vulnerability requires authentication to exploit, assume it's pre-auth.

~~~
jlgaddis
If you have an ASA, WebVPN is enabled, OOTB.

If you have an ASA that hasn't been updated today, you are vulnerable to DoS
and RCE vulnerabilities.

That is, as far as I'm concerned, about as bad as it gets (we've got, I dunno,
several dozen of these).

I realize that, like everything, CVSS scores aren't perfect. But as a general
"how bad is this?" indicator, I do think it's useful and, in this case, the
10.0 does the job of pointing out, "It's bad".
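
Since the practical question for anyone with "several dozen of these" is which boxes actually have WebVPN listening on the outside, here is an added example (not Cisco's tooling and not from the advisory) that parses `show running-config` text from an ASA and flags a `webvpn` block that is enabled on a security-level 0 interface. The config text, interface names, addresses and version string are constructed for the example; the fixed-release comparison is left to the reader because the thread does not reproduce the advisory's fixed-version table.

```python
"""Audit Cisco ASA running-configs for WebVPN exposed on an untrusted interface.

Added example: not Cisco's tooling and not part of the advisory. Config text
below is constructed to resemble 'show running-config' output; interface
names, addresses and the version string are made up.
"""
import re

# Constructed sample 1: the out-of-the-box situation discussed in the thread,
# WebVPN/AnyConnect listening on the security-level 0 ("outside") interface.
ASA_EXPOSED = """\
ASA Version 9.1(7)
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
"""

# Constructed sample 2: same box after 'no enable outside' / 'enable inside',
# so the SSL VPN listener is only reachable from the trusted side.
ASA_INSIDE_ONLY = ASA_EXPOSED.replace(" enable outside\n", " enable inside\n")


def parse_interfaces(config):
    """Map nameif -> security-level from each 'interface ...' block."""
    levels, name, level = {}, None, None
    for line in config.splitlines():
        if line.startswith("interface ") or line.startswith("!"):
            name = level = None          # new block, forget the previous one
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level "):
            level = int(line.split()[1])
        if name is not None and level is not None:
            levels[name] = level
    return levels


def parse_webvpn(config):
    """Return (interfaces the webvpn block is enabled on, anyconnect enabled?).

    The block starts at a bare 'webvpn' line and ends at the first line that
    is not indented. 'enable <nameif> [tls-only]' is what exposes the listener.
    """
    enabled, anyconnect, in_block = set(), False, False
    for line in config.splitlines():
        if line.rstrip() == "webvpn":
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith(" "):
            in_block = False
            continue
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "enable" and len(parts) >= 2:
            enabled.add(parts[1])
        elif parts[:2] == ["anyconnect", "enable"]:
            anyconnect = True
    return enabled, anyconnect


def asa_version(config):
    """Parse 'ASA Version 9.1(7)' (optional interim suffix) into a 4-tuple you
    can compare against the advisory's fixed releases; that table is
    deliberately not embedded here."""
    m = re.search(r"ASA Version (\d+)\.(\d+)\((\d+)\)(\d+)?", config)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def audit(config, untrusted_max_level=0):
    """Flag webvpn enabled on any interface with security-level at or below
    untrusted_max_level. An interface named in 'enable' but missing from the
    interface blocks is treated as untrusted rather than silently skipped."""
    levels = parse_interfaces(config)
    enabled, anyconnect = parse_webvpn(config)
    exposed = sorted(i for i in enabled if levels.get(i, 0) <= untrusted_max_level)
    return {
        "version": asa_version(config),
        "webvpn_interfaces": sorted(enabled),
        "anyconnect": anyconnect,
        "exposed_interfaces": exposed,
        "exposed": bool(exposed),
    }


if __name__ == "__main__":
    for label, cfg in (("exposed", ASA_EXPOSED), ("inside-only", ASA_INSIDE_ONLY)):
        print(label, audit(cfg))
```

Collect `show running-config` from each ASA into files and feed each one to `audit()`; a box that reports `exposed: True` has the SSL VPN listener on the internet-facing side and needs the fix first. Note that turning off `enable outside` only makes sense where remote-access VPN is not the point of the box (as noted above, it usually is), so for most deployments the answer is the update, not the reconfiguration.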

~~~
tptacek
Right, I'm less perturbed by the 10.0 these bugs got, and more by the huge
number that get lower scores. I don't think CVSS works.

------
graystevens
This has, similar to Meltdown and Spectre, been broken earlier than expected.
As far as I am aware this wasn’t supposed to be released by Cisco until
Wednesday, but anonymous reports started to circulate yesterday and today.
This isn’t a great sign for the industry when stuff can’t be kept under wraps
until an agreed date.

Edit: Credit to the folks at NCC Group - they’ve picked up a few ASA
vulnerabilities now.

~~~
duncan_bayne
Maybe it's not a bad sign for the industry - maybe it's just a sign that the
industry really thinks that embargoes like these are a bad idea. Or at least
some members of it.

------
newman8r
just a small sample of impacted devices:
[https://www.shodan.io/search?query=cisco+asa](https://www.shodan.io/search?query=cisco+asa)

