-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.1689.4
         Cisco Adaptive Security Appliance Web Services Denial of
                           Service Vulnerability
                               7 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Adaptive Security Appliance Web Services
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0296  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

Revision History:  March    7 2019: Attempted exploitation of this vulnerability in the wild
                   October  8 2018: Remove unaffected version of 6.2.0
                   June    25 2018: Cisco is aware of this vulnerability being exploited in the wild.
                   June     7 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20180606-asaftd

First Published: 2018 June 6 16:00 GMT

Last Updated:    2019 March 6 16:27 GMT

Version 1.3:     Final

Workarounds:     No workarounds availableCisco Bug IDs:   CSCvi16029

CVE-2018-0296    

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web interface of the Cisco Adaptive Security
    Appliance (ASA) could allow an unauthenticated, remote attacker to cause an
    affected device to reload unexpectedly, resulting in a denial of service
    (DoS) condition. It is also possible on certain software releases that the
    ASA will not reload, but an attacker could view sensitive system
    information without authentication by using directory traversal techniques.

    The vulnerability is due to lack of proper input validation of the HTTP
    URL. An attacker could exploit this vulnerability by sending a crafted HTTP
    request to an affected device. An exploit could allow the attacker to cause
    a DoS condition or unauthenticated disclosure of information. This
    vulnerability applies to IPv4 and IPv6 HTTP traffic.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20180606-asaftd

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco ASA Software and Cisco Firepower Threat
    Defense (FTD) Software that is running on the following Cisco products:
       3000 Series Industrial Security Appliance (ISA)
       ASA 1000V Cloud Firewall
       ASA 5500 Series Adaptive Security Appliances
       ASA 5500-X Series Next-Generation Firewalls
       ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
       Adaptive Security Virtual Appliance (ASAv)
       Firepower 2100 Series Security Appliance
       Firepower 4100 Series Security Appliance
       Firepower 9300 ASA Security Module
       FTD Virtual (FTDv)
    ASA Software

    In the following table, the left column lists the Cisco ASA features that
    are potentially vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command, if
    it can be determined. If the device is configured for one of these
    features, follow the additional instructions to determine if the device is
    vulnerable.


                  Cisco ASA Feature                    Possible Vulnerable
                                                          Configuration
                                                  http server enable <port>
    Adaptive Security Device Manager (ASDM) ^1    http <remote_ip_address>
                                                  <remote_subnet_mask>
                                                  <interface_name>
                                                  crypto ikev2 enable
    AnyConnect IKEv2 Remote Access (with client   <interface_name>
    services)                                     client-services port <port #>
                                                  webvpn
                                                  anyconnect enable
                                                  crypto ikev2 enable
    AnyConnect IKEv2 Remote Access (without       <interface_name>
    client services)                              webvpn
                                                  anyconnect enable
    AnyConnect SSL VPN                            webvpn
                                                  enable <interface_name>
                                                  http server enable <port>
    Cisco Security Manager ^2                     http <remote_ip_address>
                                                  <remote_subnet_mask>
                                                  <interface_name>
    Clientless SSL VPN                            webvpn
                                                  enable <interface_name>
    Cut-Through Proxy (Not vulnerable unless used aaa authentication listener
    in conjunction with other vulnerable features <interface_name> port
    on the same port)                             <number>
    Local Certificate Authority (CA)              crypto ca server
                                                  no shutdown
    Mobile Device Manager (MDM) Proxy ^3          mdm-proxy
                                                  enable <interface_name>
                                                  webvpn
                                                  mus password <password>
    Mobile User Security (MUS)                    mus server enable port <port
                                                  #>
                                                  mus <address> <mask>
                                                  <interface_name>
    Proxy Bypass                                  webvpn
                                                  proxy-bypass
                                                  rest-api image disk0:/<image
    REST API ^4                                   name>
                                                  rest-api agent

    ^ 1 ASDM is vulnerable only from an IP address in the configured http 
    command range.
    ^ 2 Cisco Security Manager is vulnerable only from an IP address in the
    configured http command range.
    ^ 3 The MDM Proxy is first supported as of Cisco ASA Software Release
    9.3.1.
    ^ 4 The REST API is first supported as of Cisco ASA Software Release 9.3.2.
    The REST API is vulnerable only from an IP address in the configured http 
    command range.

    Determining Whether an ASA Configured with a Potentially Vulnerable Feature
    Is Vulnerable

    Step 1: Administrators can use the show asp table socket | include SSL|DTLS
    command and look for a Secure Sockets Layer (SSL) or a Datagram Transport
    Layer Security (DTLS) listen socket on any TCP port. If either socket is
    present in the output and the ASA device is configured for one or more of
    the ASA features in the preceding table, the device may be vulnerable. The
    following example shows an ASA device with SSL and DTLS listen sockets:

        ciscoasa# show asp table socket | include SSL|DTLS

        SSL       00185038  LISTEN     172.16.0.250:443    0.0.0.0:*
        SSL       00188638  LISTEN     10.0.0.250:443      0.0.0.0:*
        DTLS      0018f7a8  LISTEN     10.0.0.250:443      0.0.0.0:*

    Step 2: Administrators can then use the show processes | include Unicorn 
    command to see if the vulnerable process is running on the device. This
    means that one of the possible vulnerable features has created an instance
    of the internal web server, which is vulnerable. If Unicorn Proxy Thread is
    present, the device is considered vulnerable.

        ciscoasa# show processes | include Unicorn

        Mwe 0x0000557f9f5bafc0 0x00007f62de5a90a8 0x0000557fa52b50a0       3632 0x00007f62c8c87030 30704/32768 Unicorn Proxy Thread 218

    Note: The Unicorn Proxy Thread identifier in the preceding example is 218 
    and can vary. A device must be considered vulnerable if the Unicorn Proxy
    Thread process is running, regardless of the actual thread identifier
    number.

    Determining the Running ASA Software Release

    To determine whether a vulnerable release of Cisco ASA Software is running
    on a device, administrators can use the show version | include Version 
    command in the CLI. The following example shows the output of the command
    for a device that is running Cisco ASA Software Release 9.2(1):

        ciscoasa# show version | include Version

        Cisco Adaptive Security Appliance Software Version 9.2(1)
        Device Manager Version 7.4(1)

    Administrators who use Cisco Adaptive Security Device Manager (ASDM) to
    manage devices can locate the software release in the table that appears in
    the login window or the upper-left corner of the Cisco ASDM window.

    FTD Software

    This vulnerability applies to all Cisco FTD Software releases except
    Release 6.2.0, which is not vulnerable. See the Fixed Releases section for
    additional information about fixed releases of Cisco FTD Software. The
    Cisco FTD Software release contains both Firepower and ASA code. Review the
    "Firepower Threat Defense Devices" section of the Cisco Firepower
    Compatibility Guide for additional information.

    In the following table, the left column lists the Cisco FTD features that
    are potentially vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command, if
    it can be determined. If the device is configured for one of these
    features, follow the additional instructions to determine if the device is
    vulnerable.


             Cisco FTD Feature                  Vulnerable Configuration
                                         http server enable <port #>
    HTTP Service enabled ^1              http <remote_ip_address>
                                         <remote_subnet_mask> <interface_name>
                                         crypto ikev2 enable <interface_name>
    AnyConnect IKEv2 Remote Access (with client-services port <port #>
    client services) ^2,3                webvpn
                                         anyconnect enable
    AnyConnect IKEv2 Remote Access       crypto ikev2 enable <interface_name>
    (without client services) ^2,3       webvpn
                                         anyconnect enable
    AnyConnect SSL VPN ^2,3              webvpn
                                         enable <interface_name>

    ^ 1 The HTTP feature is enabled via Firepower Threat Defense Platform
    Settings > HTTP in the Cisco Firepower Management Console (FMC).
    ^ 2 Remote Access VPN features are enabled via Devices > VPN > Remote
    Access in the Cisco FMC or via Device > Remote Access VPN in Cisco
    Firepower Device Manager (FDM).
    ^ 3 Remote Access VPN features are first supported as of Cisco FTD Software
    Release 6.2.2.

    Determining Whether Cisco FTD Configured with a Potentially Vulnerable
    Feature Is Vulnerable

    Step 1: Administrators can use the show asp table socket | include SSL|DTLS
    command and look for an SSL or a DTLS listen socket on any TCP port. If
    either socket is present in the output and the FTD device is configured for
    one or more of the features listed in the preceding table, the device may
    be vulnerable. The following example shows an FTD device with SSL and DTLS
    listen sockets:

        firepower# show asp table socket | include SSL|DTLS

        SSL       01ffb648  LISTEN     1.1.1.1:443         0.0.0.0:*
        DTLS      00009438  LISTEN     1.1.1.1:443         0.0.0.0:*

    Step 2: Administrators can then use the show processes | include Unicorn 
    command to see if the vulnerable process is running on the device. This
    means that one of the possible vulnerable features has created an instance
    of the internal web server, which is vulnerable. If Unicorn Proxy Thread is
    present, the device is considered vulnerable.

        firepower# show processes | include Unicorn

        Mwe 0x0000557f9f5bafc0 0x00007f62de5a90a8 0x0000557fa52b50a0       3632 0x00007f62c8c87030 30704/32768 Unicorn Proxy Thread 218

    Notes:

       The Unicorn Proxy Thread identifier in the previous example is 218 and
        can vary. A device must be considered vulnerable if the Unicorn Proxy
        Thread process is running, regardless of the actual thread identifier
        number.
       Although certain IKEv2 feature sets do not enable the underlying SSL
        TCP listening socket, they may still be vulnerable. Administrators can
        use the show running-config crypto ikev2 CLI command to check if the
        crypto ikev2 enable configuration command is present in the
        configuration, as shown in the following example:

            firepower# show running-config crypto ikev2 | include enable

            crypto ikev2 enable Outside

        If a command like crypto ikev2 enable is present in the running
        configuration and the anyconnect enable command is part of the global
        webvpn configuration, the Cisco FTD device is also considered
        vulnerable.

    Determining the Running Cisco FTD Software Release

    Administrators can use the show version command in the CLI to determine the
    Cisco FTD Software release. In this example, the device is running Release
    6.2.2:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that Cisco AnyConnect Secure Mobility Client is not
    vulnerable.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers should upgrade to an appropriate release as indicated in the
    following tables.

    Cisco ASA Software

    +----------------------------+--------------------------------------------+
    | Cisco ASA Software Release | First Fixed Release for This Vulnerability |
    +----------------------------+--------------------------------------------+
    | Prior to 9.1 ^1            | Migrate to 9.1.7.29                        |
    +----------------------------+--------------------------------------------+
    | 9.1                        | 9.1.7.29                                   |
    +----------------------------+--------------------------------------------+
    | 9.2                        | 9.2.4.33                                   |
    +----------------------------+--------------------------------------------+
    | 9.3 ^1                     | Migrate to 9.4.4.18                        |
    +----------------------------+--------------------------------------------+
    | 9.4                        | 9.4.4.18                                   |
    +----------------------------+--------------------------------------------+
    | 9.5 ^1                     | Migrate to 9.6.4.8                         |
    +----------------------------+--------------------------------------------+
    | 9.6                        | 9.6.4.8                                    |
    +----------------------------+--------------------------------------------+
    | 9.7                        | 9.7.1.24                                   |
    +----------------------------+--------------------------------------------+
    | 9.8                        | 9.8.2.28                                   |
    +----------------------------+--------------------------------------------+
    | 9.9                        | 9.9.2.1                                    |
    +----------------------------+--------------------------------------------+

    ^ 1 Cisco ASA Software releases prior to Release 9.1 and Cisco ASA Software
    Releases 9.3 and 9.5 have reached end-of-software maintenance. Customers
    should migrate to a supported release.

    The software is available for download from the Software Center on
    Cisco.com by navigating to Products > Security > Firewalls > Adaptive
    Security Appliances (ASA) > ASA 5500-X Series Firewalls , where there is a
    list of Cisco ASA hardware platforms. The majority of these software
    releases are listed under Interim .

    Cisco FTD Software

    +------------------+------------------------------------------------------+
    | Cisco FTD        | First Fixed Release for This Vulnerability           |
    | Software Release |                                                      |
    +------------------+------------------------------------------------------+
    | 6.0              | Migrate to 6.1.0 HotFix or later                     |
    +------------------+------------------------------------------------------+
    | 6.0.1            | Migrate to 6.1.0 HotFix or later                     |
    +------------------+------------------------------------------------------+
    |                  | Cisco_FTD_Hotfix_EI-6.1.0.7-2.sh (all FTD hardware   |
    | 6.1.0            | platforms except 41 xx and 9300)                     |
    |                  | Cisco_FTD_SSP_Hotfix_EI-6.1.0.7-2.sh (41 xx and 9300 |
    |                  | FTD hardware platforms)                              |
    +------------------+------------------------------------------------------+
    | 6.2.0            | Not vulnerable                                       |
    +------------------+------------------------------------------------------+
    | 6.2.1            | Migrate to 6.2.2.3                                   |
    +------------------+------------------------------------------------------+
    | 6.2.2            | 6.2.2.3                                              |
    +------------------+------------------------------------------------------+
    |                  | 6.2.3.1                                              |
    | 6.2.3            | 6.2.3-85 ^1                                          |
    |                  | 6.2.3-85.0 ^2                                        |
    +------------------+------------------------------------------------------+

    ^ 1 Software image for FTD Virtual for the Microsoft Azure Cloud
    ^ 2 Software image for FTD Virtual for the AWS Cloud

    The software is available for download from the Software Center on
    Cisco.com by navigating to Products > Security > Firewalls >
    Next-Generation Firewalls (NGFW) , where there is a list of Cisco FTD
    hardware platforms.

Exploitation and Public Announcements

  o On March 5, 2019, the Cisco Product Security Incident Response Team (PSIRT)
    became aware of additional attempted exploitation of this vulnerability in
    the wild. Cisco continues to strongly recommend that customers upgrade to a
    fixed Cisco ASA Software release to remediate this vulnerability.

Source

  o Cisco would like to thank security researcher Michal Bentkowski from
    Securitum for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Action Links for This Advisory

  o Snort Rule 46897

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20180606-asaftd

Revision History

  o +---------+--------------------+---------------+--------+-----------------+
    | Version |    Description     |    Section    | Status |      Date       |
    +---------+--------------------+---------------+--------+-----------------+
    |         | Updated the        |               |        |                 |
    |         | exploitation       |               |        |                 |
    |         | information in the | Exploitation  |        |                 |
    | 1.3     | Exploitation and   | and Public    | Final  | 2019-March-06   |
    |         | Public             | Announcements |        |                 |
    |         | Announcements      |               |        |                 |
    |         | section.           |               |        |                 |
    +---------+--------------------+---------------+--------+-----------------+
    |         | Corrected advisory |               |        |                 |
    | 1.2     | metadata to remove | -             | Final  | 2018-October-05 |
    |         | unaffected version |               |        |                 |
    |         | 6.2.0.             |               |        |                 |
    +---------+--------------------+---------------+--------+-----------------+
    |         | Updated the        |               |        |                 |
    |         | Exploitation and   |               |        |                 |
    |         | Public             | Exploitation  |        |                 |
    | 1.1     | Announcements      | and Public    | Final  | 2018-June-22    |
    |         | section with       | Announcements |        |                 |
    |         | up-to-date         |               |        |                 |
    |         | exploitation       |               |        |                 |
    |         | information.       |               |        |                 |
    +---------+--------------------+---------------+--------+-----------------+
    | 1.0     | Initial public     | -             | Final  | 2018-June-06    |
    |         | release.           |               |        |                 |
    +---------+--------------------+---------------+--------+-----------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXIC6iWaOgq3Tt24GAQi8Xw/7B1Obn13ZuAsOHdxmu7tZpSW/UEzFUoMs
klsymGHz/syZbLx40QHILkePchtBvEzL3Nc/anV0IDL6QFWcRknS1XUZmdkIabvk
25YLNLfmlq2iOuDaH8hSuRln22N9HJlY4ISfQrIuefajyL+zL/XjQsjNine/H0x3
OiK3pQTTBP5GGgzisUEcjjHn3ocUPyIdd5ur7pJhCml0/dWLf6WIXSY/vqj4gI0G
HuHKifJPut/e6uasQcRMeOrjK1OrG9JkBHpu2J/eo6mVuChWtZfOjD3QBYBdpA6t
gYZ+9+6p7EorWLS0XDu0RK0OkCXwaxU3nFZ56SHP9IzDx9Chlk/ZPHmNq9I4wDT2
gpn24Uk0A9uDj1ZfMmFAPK7fXmaJ1CmMpc0PtrqdG+6QFTUiwcDW4vSPg8P8WjrB
s2tHpj21OMqOT3o3jGbj3z+EvIFDP0tMSFQLbLlRSD17sFHAtGUYCk5ajpJib6ST
3TrAIIhW1kRc1SOMSAbNZDCm4+7mquKRtAWF65fRoJVysPckE7LPgp5E6OBfMadB
Aeg1V9n3PP3hsGTFmsk1f/M+Pn46RAZCoptXtbCDjNUSJKtAeDPEZTbvAmM1I5zc
YMDDptnJn1jU4O5uW7MoMqRpRnHcZ0coOc5cq8GWmG37QPtNkiJf/JwEdyiGKPJR
IgFN1jwNJzQ=
=ZP3K
-----END PGP SIGNATURE-----