ESB-2018.1689.3 - UPDATE [Cisco] Cisco Adaptive Security Appliance Web Services: Denial of service - Remote/unauthenticated 2018-10-08

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.1689.3
         Cisco Adaptive Security Appliance Web Services Denial of
                           Service Vulnerability
                              8 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Adaptive Security Appliance Web Services
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0296  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

Revision History:  October  8 2018: Remove unaffected version of 6.2.0
                   June    25 2018: Cisco is aware of this vulnerability being 
                                    exploited in the wild.
                   June     7 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability

High
Advisory ID:     cisco-sa-20180606-asaftd
First Published: 2018 June 6 16:00 GMT
Last Updated:    2018 October 5 15:28 GMT
Version 1.2:     Final
Workarounds:     No workarounds available

Cisco Bug IDs:
CSCvi16029
 
CVE-2018-0296
 
CWE-20
 
CVSS Score:
Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
CVE-2018-0296
 
Summary

  * A vulnerability in the web interface of the Cisco Adaptive Security
    Appliance (ASA) could allow an unauthenticated, remote attacker to cause an
    affected device to reload unexpectedly, resulting in a denial of service
    (DoS) condition. It is also possible on certain software releases that the
    ASA will not reload, but an attacker could view sensitive system
    information without authentication by using directory traversal techniques.

    The vulnerability is due to lack of proper input validation of the HTTP
    URL. An attacker could exploit this vulnerability by sending a crafted HTTP
    request to an affected device. An exploit could allow the attacker to cause
    a DoS condition or unauthenticated disclosure of information. This
    vulnerability applies to IPv4 and IPv6 HTTP traffic.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco ASA Software and Cisco Firepower Threat
    Defense (FTD) Software that is running on the following Cisco products:
      + 3000 Series Industrial Security Appliance (ISA)
      + ASA 1000V Cloud Firewall
      + ASA 5500 Series Adaptive Security Appliances
      + ASA 5500-X Series Next-Generation Firewalls
      + ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
      + Adaptive Security Virtual Appliance (ASAv)
      + Firepower 2100 Series Security Appliance
      + Firepower 4100 Series Security Appliance
      + Firepower 9300 ASA Security Module
      + FTD Virtual (FTDv)
    ASA Software

    In the following table, the left column lists the Cisco ASA features that
    are potentially vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command, if
    it can be determined. If the device is configured for one of these
    features, follow the additional instructions to determine if the device is
    vulnerable.


                  Cisco ASA Feature                    Possible Vulnerable
                                                          Configuration
                                                  http server enable <port>
    Adaptive Security Device Manager (ASDM)^1     http <remote_ip_address>
                                                  <remote_subnet_mask>
                                                  <interface_name>
                                                  crypto ikev2 enable
    AnyConnect IKEv2 Remote Access (with client   <interface_name>
    services)                                     client-services port <port #>
                                                  webvpn
                                                     anyconnect enable
                                                  crypto ikev2 enable
    AnyConnect IKEv2 Remote Access (without       <interface_name>
    client services)                              webvpn
                                                     anyconnect enable
    AnyConnect SSL VPN                            webvpn
                                                     enable <interface_name>
                                                  http server enable <port>
    Cisco Security Manager^2                      http <remote_ip_address>
                                                  <remote_subnet_mask>
                                                  <interface_name>
    Clientless SSL VPN                            webvpn
                                                     enable <interface_name>
    Cut-Through Proxy (Not vulnerable unless used aaa authentication listener
    in conjunction with other vulnerable features <interface_name> port
    on the same port)                             <number>
    Local Certificate Authority (CA)              crypto ca server
                                                   no shutdown
    Mobile Device Manager (MDM) Proxy^3           mdm-proxy
                                                    enable <interface_name>
                                                  webvpn
                                                   mus password <password>
    Mobile User Security (MUS)                     mus server enable port <port
                                                  #>
                                                   mus <address> <mask>
                                                  <interface_name>
    Proxy Bypass                                  webvpn
                                                    proxy-bypass
                                                  rest-api image disk0:/<image
    REST API^4                                    name>
                                                  rest-api agent

^1ASDM is vulnerable only from an IP address in the configured http command
    range.
    ^2 Cisco Security Manager is vulnerable only from an IP address in the
    configured http command range.
    ^3The MDM Proxy is first supported as of Cisco ASA Software Release 9.3.1.
    ^4The REST API is first supported as of Cisco ASA Software Release 9.3.2.
    The REST API is vulnerable only from an IP address in the configured http 
    command range.

    Determining Whether an ASA Configured with a Potentially Vulnerable Feature
    Is Vulnerable

    Step 1: Administrators can use the show asp table socket | include SSL|DTLS
    command and look for a Secure Sockets Layer (SSL) or a Datagram Transport
    Layer Security (DTLS) listen socket on any TCP port. If either socket is
    present in the output and the ASA device is configured for one or more of
    the ASA features in the preceding table, the device may be vulnerable. The
    following example shows an ASA device with SSL and DTLS listen sockets:

        ciscoasa# show asp table socket | include SSL|DTLS

        SSL       00185038  LISTEN     172.16.0.250:443    0.0.0.0:*
        SSL       00188638  LISTEN     10.0.0.250:443      0.0.0.0:*
        DTLS      0018f7a8  LISTEN     10.0.0.250:443      0.0.0.0:*    

    Step 2: Administrators can then use the show processes | include Unicorn
    command to see if the vulnerable process is running on the device. This
    means that one of the possible vulnerable features has created an instance
    of the internal web server, which is vulnerable. If Unicorn Proxy Thread is
    present, the device is considered vulnerable.

        ciscoasa# show processes | include Unicorn

        Mwe 0x0000557f9f5bafc0 0x00007f62de5a90a8 0x0000557fa52b50a0       
        3632 0x00007f62c8c87030 30704/32768 Unicorn Proxy Thread 218

    Note: The Unicorn Proxy Thread identifier in the preceding example is 218 
    and can vary. A device must be considered vulnerable if the Unicorn Proxy
    Thread process is running, regardless of the actual thread identifier
    number.

    Determining the Running ASA Software Release

    To determine whether a vulnerable release of Cisco ASA Software is running
    on a device, administrators can use the show version | include Version
    command in the CLI. The following example shows the output of the command
    for a device that is running Cisco ASA Software Release 9.2(1):

        ciscoasa# show version | include Version

        Cisco Adaptive Security Appliance Software Version 9.2(1)
        Device Manager Version 7.4(1)

    Administrators who use Cisco Adaptive Security Device Manager (ASDM) to
    manage devices can locate the software release in the table that appears in
    the login window or the upper-left corner of the Cisco ASDM window.

    FTD Software

    This vulnerability applies to all Cisco FTD Software releases except
    Release 6.2.0, which is not vulnerable. See the Fixed Releases section for
    additional information about fixed releases of Cisco FTD Software. The
    Cisco FTD Software release contains both Firepower and ASA code. Review the
    ?Firepower Threat Defense Devices? section of the Cisco Firepower
    Compatibility Guide for additional information.

    In the following table, the left column lists the Cisco FTD features that
    are potentially vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command, if
    it can be determined. If the device is configured for one of these
    features, follow the additional instructions to determine if the device is
    vulnerable.


             Cisco FTD Feature                 Vulnerable Configuration
                                        http server enable <port #>
    HTTP Service enabled^1              http <remote_ip_address>
                                        <remote_subnet_mask> <interface_name>
                                        crypto ikev2 enable <interface_name>
    AnyConnect IKEv2 Remote Access      client-services port <port #>
    (with client services)^2,3          webvpn
                                          anyconnect enable
    AnyConnect IKEv2 Remote Access      crypto ikev2 enable <interface_name>
    (without client services)^2,3       webvpn
                                          anyconnect enable
    AnyConnect SSL VPN^2,3              webvpn
                                          enable <interface_name>

^1 The HTTP feature is enabled via Firepower Threat Defense Platform Settings >
    HTTP in the Cisco Firepower Management Console (FMC).
    ^2 Remote Access VPN features are enabled via Devices > VPN > Remote Access
    in the Cisco FMC or via Device > Remote Access VPN in Cisco Firepower
    Device Manager (FDM).
    ^3 Remote Access VPN features are first supported as of Cisco FTD Software
    Release 6.2.2.

    Determining Whether Cisco FTD Configured with a Potentially Vulnerable
    Feature Is Vulnerable

    Step 1: Administrators can use the show asp table socket | include SSL|DTLS
    command and look for an SSL or a DTLS listen socket on any TCP port. If
    either socket is present in the output and the FTD device is configured for
    one or more of the features listed in the preceding table, the device may
    be vulnerable. The following example shows an FTD device with SSL and DTLS
    listen sockets:

        firepower# show asp table socket | include SSL|DTLS

        SSL       01ffb648  LISTEN     1.1.1.1:443         0.0.0.0:*
        DTLS      00009438  LISTEN     1.1.1.1:443         0.0.0.0:*  

    Step 2: Administrators can then use the show processes | include Unicorn
    command to see if the vulnerable process is running on the device. This
    means that one of the possible vulnerable features has created an instance
    of the internal web server, which is vulnerable. If Unicorn Proxy Thread is
    present, the device is considered vulnerable.

        firepower# show processes | include Unicorn

        Mwe 0x0000557f9f5bafc0 0x00007f62de5a90a8 0x0000557fa52b50a0       
        3632 0x00007f62c8c87030 30704/32768 Unicorn Proxy Thread 218

    Notes:

      + The Unicorn Proxy Thread identifier in the previous example is 218 and
        can vary. A device must be considered vulnerable if the Unicorn Proxy
        Thread process is running, regardless of the actual thread identifier
        number.
      + Although certain IKEv2 feature sets do not enable the underlying SSL
        TCP listening socket, they may still be vulnerable. Administrators can
        use the show running-config crypto ikev2 CLI command to check if the
        crypto ikev2 enable configuration command is present in the
        configuration, as shown in the following example:

            firepower# show running-config crypto ikev2 | include enable

            crypto ikev2 enable Outside

        If a command like crypto ikev2 enable is present in the running
        configuration and the anyconnect enable command is part of the global
        webvpn configuration, the Cisco FTD device is also considered
        vulnerable.

    Determining the Running Cisco FTD Software Release

    Administrators can use the show version command in the CLI to determine the
    Cisco FTD Software release. In this example, the device is running Release
    6.2.2:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that Cisco AnyConnect Secure Mobility Client is not
    vulnerable.

Workarounds

  * There are no workarounds that address this vulnerability.

Fixed Software

  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers should upgrade to an appropriate release as indicated in the
    following tables.

    Cisco ASA Software

    +-----------------------------------------------------------------------------+
    | Cisco ASA Software Release   | First Fixed Release for This Vulnerability   |
    |------------------------------+----------------------------------------------|
    | Prior to 9.1^1               | Migrate to 9.1.7.29                          |
    |------------------------------+----------------------------------------------|
    | 9.1                          | 9.1.7.29                                     |
    |------------------------------+----------------------------------------------|
    | 9.2                          | 9.2.4.33                                     |
    |------------------------------+----------------------------------------------|
    | 9.3^1                        | Migrate to 9.4.4.18                          |
    |------------------------------+----------------------------------------------|
    | 9.4                          | 9.4.4.18                                     |
    |------------------------------+----------------------------------------------|
    | 9.5^1                        | Migrate to 9.6.4.8                           |
    |------------------------------+----------------------------------------------|
    | 9.6                          | 9.6.4.8                                      |
    |------------------------------+----------------------------------------------|
    | 9.7                          | 9.7.1.24                                     |
    |------------------------------+----------------------------------------------|
    | 9.8                          | 9.8.2.28                                     |
    |------------------------------+----------------------------------------------|
    | 9.9                          | 9.9.2.1                                      |
    +-----------------------------------------------------------------------------+

    ^1Cisco ASA Software releases prior to Release 9.1 and Cisco ASA Software
    Releases 9.3 and 9.5 have reached end-of-software maintenance. Customers
    should migrate to a supported release.

    The software is available for download from the Software Center on
    Cisco.com by navigating to Products > Security > Firewalls > Adaptive
    Security Appliances (ASA) > ASA 5500-X Series Firewalls, where there is a
    list of Cisco ASA hardware platforms. The majority of these software
    releases are listed under Interim.

    Cisco FTD Software

    +-----------------------------------------------------------------------------+
    | Cisco FTD         | First Fixed Release for This Vulnerability              |
    | Software Release  |                                                         |
    |-------------------+---------------------------------------------------------|
    | 6.0               | Migrate to 6.1.0 HotFix or later                        |
    |-------------------+---------------------------------------------------------|
    | 6.0.1             | Migrate to 6.1.0 HotFix or later                        |
    |-------------------+---------------------------------------------------------|
    |                   | Cisco_FTD_Hotfix_EI-6.1.0.7-2.sh (all FTD hardware      |
    | 6.1.0             | platforms except 41xx and 9300)                         |
    |                   | Cisco_FTD_SSP_Hotfix_EI-6.1.0.7-2.sh (41xx and 9300 FTD |
    |                   | hardware platforms)                                     |
    |-------------------+---------------------------------------------------------|
    | 6.2.0             | Not vulnerable                                          |
    |-------------------+---------------------------------------------------------|
    | 6.2.1             | Migrate to 6.2.2.3                                      |
    |-------------------+---------------------------------------------------------|
    | 6.2.2             | 6.2.2.3                                                 |
    |-------------------+---------------------------------------------------------|
    |                   | 6.2.3.1                                                 |
    | 6.2.3             | 6.2.3-85^1                                              |
    |                   | 6.2.3-85.0^2                                            |
    +-----------------------------------------------------------------------------+

    ^1Software image for FTD Virtual for the Microsoft Azure Cloud
    ^2Software image for FTD Virtual for the AWS Cloud

    The software is available for download from the Software Center on
    Cisco.com by navigating to Products > Security > Firewalls >
    Next-Generation Firewalls (NGFW), where there is a list of Cisco FTD
    hardware platforms.

Exploitation and Public Announcements

  * Cisco PSIRT has become aware of a public proof-of-concept exploit and is
    aware of customer device reloads related to this vulnerability. Cisco
    strongly recommends that customers upgrade to a fixed Cisco ASA software
    release to remediate this issue.

Source

  * Cisco would like to thank security researcher Michal Bentkowski from
    Securitum for reporting this vulnerability.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

Action Links for This Advisory

  * Snort Rule 46897

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

Revision History

  * 
    +-----------------------------------------------------------------------------+
    | Version |      Description       |    Section    | Status |      Date       |
    |---------+------------------------+---------------+--------+-----------------|
    |         | Correcting advisory    |               |        |                 |
    | 1.2     | metadata to remove     | ?             | Final  | 2018-October-05 |
    |         | unaffected version     |               |        |                 |
    |         | 6.2.0.                 |               |        |                 |
    |---------+------------------------+---------------+--------+-----------------|
    |         | Updated the            |               |        |                 |
    |         | Exploitation and       |               |        |                 |
    |         | Public Announcements   | Exploitation  |        |                 |
    | 1.1     | section with           | and Public    | Final  | 2018-June-22    |
    |         | up-to-date             | Announcements |        |                 |
    |         | exploitation           |               |        |                 |
    |         | information.           |               |        |                 |
    |---------+------------------------+---------------+--------+-----------------|
    | 1.0     | Initial public         | ?             | Final  | 2018-June-06    |
    |         | release.               |               |        |                 |
    +-----------------------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW7qqU2aOgq3Tt24GAQis0A/9HHSNppnT4Atw/lKx8nPnbz3AIDIw+Jc9
CmhhkVtr/sM5G7FIUnWKV7yBTXdGtM7blbPKy50hvW6YM+QtJG8lSoe+4cUojG5Q
W5uHbI85/ZTEneBr8gcSA6aWyIlyS1Mi4hJih6wsD8ngWWTwa+k/3U+Dq3DPYizn
tAh2QTN6vtBbSYIIZW57vIlOYaZHcgJOOhpcTUb6baH+bnicK8qz3f4cVXbsHf44
gKPhugNI/oJpXlDK2DVpN+uaJTl+vK6IgpE4HFAxNcBhJnm/VnPmDDLsnRIcaISY
fjW1MRGatudjWGAQyzb7+L4xcdNQ+XmOQKZKu9QyoK2hKo41sRDrCrcrNCtZygpD
lxxl5mxyNfRidEEGZp+huwsZzZNRbBK5d5UI4rx0zYh2LYin2fJ2ldGeAL1nz8rU
rXde45XinOeU8sWjhEk3CVrGa+Bl6FtZ6x+yHmttQX/uXnETJ3elS7UDaTw6DEFW
x9LwPPU5ZIJu078MpU3ZrX4QNmxfXzGE0wkZRis3AUawykHm1FJrml4K2ackxAfk
m2lwkRayOQ7zApV/k/GgEsyeSfdkHStq92t5gEQxeZECgXCFUHEZuB5qGFxCMo9F
iAALxrkJVZ2MrqKhf7nFIeR4FZTejklDVIp22DfO1UPzbdy5UOpl82cZU1/2BFFE
uwzrt9Xb3/Y=
=UUv0
-----END PGP SIGNATURE-----

« Back to bulletins