
10-out-of-10 Severity: Cisco Security Appliances Are Now Under Attack

Admins need to urgently patch the bug.

Cisco’s Adaptive Security Appliance (ASA) flaw, rated with a CVSS score of 10, is now being targeted in attacks.

Cisco has updated its advisory for vulnerability CVE-2018-0101 for the second time since warning customers of the critical flaw on January 29. The bug affects its ASA and Firepower security appliances.

The networking giant now says it is “aware of attempted malicious use of the vulnerability described in this advisory”.

Cisco’s initial advisory was published just days before the NCC Group researcher who reported the bug was scheduled to explain in detail how to attack the vulnerability at the Recon conference in Brussels.

Using crafted XML, the attack exploited a seven-year-old bug in the Cisco XML parser to gain remote code execution.

While the 10 out of 10 CVSS score suggested admins needed to urgently patch the bug, the prospect of a detailed explanation of it made the issue more pressing for customers to patch.

On Monday, two days after the researcher published a 120-page explanation of his attack, other researchers posted a proof-of-concept exploit that largely followed the researcher’s presentation. Fortunately, the proof of concept only causes a crash, but it may nonetheless offer the building blocks for others to develop a more serious attack.

Cisco actually released fixes for the bug in some versions of ASA two months before its advisory, so some customers would have been protected without knowing it.

However, earlier this week Cisco updated its original advisory, warning customers that it had found additional attack vectors not identified by NCC Group, and urged customers to update to new versions of the affected products.

Cisco has since also revealed there were many more vulnerable Cisco ASA features than previously known.

The company has provided a table explaining the vulnerable configurations for features including:

  • Adaptive Security Device Manager
  • AnyConnect IKEv2 Remote Access
  • AnyConnect SSL VPN
  • Cisco Security Manager
  • Clientless SSL VPN
  • Cut-Through Proxy
  • Local Certificate Authority
  • Mobile Device Manager Proxy
  • Mobile User Security Proxy Bypass
  • Security Assertion Markup Language Single Sign-On
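
The practical question for an admin reading the list above is which of those features a given ASA actually has switched on. The script below is an added example, not code from the article or from Cisco: it parses an ASA running-config (a constructed sample is embedded) and reports the features from the list whose enabling commands it finds. The mapping from feature to configuration command reflects my understanding of ASA syntax (for example `webvpn` / `enable <interface>` for the SSL VPN features, `http server enable` plus an `http <ip> <mask> <interface>` line for ASDM); it covers only a subset of the features in Cisco’s table and must be checked against the advisory before being relied on. Mobile User Security is deliberately left out because I am not certain of its exact commands.

```python
import re
from typing import Dict, List, Tuple

# Constructed ASA running-config excerpt used as sample input (not a real device).
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
http server enable
http 10.0.0.0 255.255.255.0 inside
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
 saml idp https://idp.example.test/metadata
crypto ca server
 shutdown
aaa authentication listener http outside port 8443
"""


def parse_asa_config(text: str) -> List[Tuple[str, str]]:
    """Split a running-config into (mode, command) pairs.

    ASA prints sub-mode commands indented by one space under their parent
    command, so an indented line is attributed to the most recent
    top-level command; top-level lines get mode "".
    """
    entries: List[Tuple[str, str]] = []
    mode = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and comments
        if raw.startswith(" "):
            entries.append((mode, raw.strip()))
        else:
            mode = raw.strip()
            entries.append(("", mode))
    return entries


def exposed_features(text: str) -> Dict[str, str]:
    """Return {feature name: config line that enables it} for the subset of
    CVE-2018-0101 features whose enabling commands are checked here.
    Feature-to-command mapping is an assumption to verify against Cisco's table."""
    entries = parse_asa_config(text)
    top = [cmd for mode, cmd in entries if mode == ""]

    def sub(mode_name: str, pattern: str) -> List[str]:
        return [cmd for mode, cmd in entries
                if mode == mode_name and re.match(pattern, cmd)]

    findings: Dict[str, str] = {}

    # ASDM: HTTP server on plus at least one "http <ip> <mask> <iface>" access line.
    if "http server enable" in top:
        access = [c for c in top if re.match(r"http \d+\.\d+\.\d+\.\d+ \S+ \S+$", c)]
        if access:
            findings["Adaptive Security Device Manager"] = access[0]

    # AnyConnect IKEv2 Remote Access with client services enabled on an interface.
    for c in top:
        if re.match(r"crypto ikev2 enable \S+ client-services", c):
            findings["AnyConnect IKEv2 Remote Access"] = c

    # AnyConnect SSL VPN / Clientless SSL VPN: webvpn enabled on an interface.
    webvpn_enable = sub("webvpn", r"enable \S+")
    if webvpn_enable:
        findings["AnyConnect SSL VPN / Clientless SSL VPN"] = webvpn_enable[0]

    # SAML SSO: an identity provider configured under webvpn.
    saml = sub("webvpn", r"saml idp ")
    if saml:
        findings["Security Assertion Markup Language Single Sign-On"] = saml[0]

    # Cut-Through Proxy: HTTP authentication listener.
    for c in top:
        if re.match(r"aaa authentication listener http ", c):
            findings["Cut-Through Proxy"] = c

    # Local CA: the "crypto ca server" block only counts if it is not shut down.
    if "crypto ca server" in top and sub("crypto ca server", r"no shutdown$"):
        findings["Local Certificate Authority"] = "crypto ca server (no shutdown)"

    # MDM Proxy: enabled on an interface under "mdm-proxy".
    mdm = sub("mdm-proxy", r"enable \S+")
    if mdm:
        findings["Mobile Device Manager Proxy"] = mdm[0]

    return findings


if __name__ == "__main__":
    for feature, line in exposed_features(SAMPLE_CONFIG).items():
        print(f"{feature}: {line}")
```

Run it against the output of `show running-config` saved to a file; on the sample above it flags ASDM, IKEv2 remote access, the SSL VPN features, SAML SSO and the cut-through proxy, while the local CA is not reported because its block is shut down. A feature that is not flagged is not proof the device is safe, since the advisory’s table is the authority on vulnerable configurations; the fix remains upgrading to the versions Cisco lists.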

In addition to products already known to be vulnerable, Cisco said its:

  • Firepower 4120 Security Appliance
  • Firepower 4140 Security Appliance
  • Firepower 4150 Security Appliance
  • FTD Virtual

are also vulnerable.