
Five days after details about a vulnerability in Cisco ASA software became public, hackers have now started exploiting this bug in the wild against Cisco ASA devices.

Cisco did not provide any details about the exploitation attempts or the techniques hackers used, but only said it was "aware of attempted malicious use of the vulnerability."

CVE-2018-0101 allows full device takeover

The exploited bug is CVE-2018-0101, a vulnerability that became public in late January. The issue got a lot of people's attention because it was a remote code execution flaw that granted attackers an easy way of taking over devices, but also because it received a CVSS severity score of 10 out of 10, meaning it was both easy to exploit and remotely exploitable over the Internet.

Initially, it was believed that only Cisco devices running ASA software with the VPN (webvpn) feature enabled were vulnerable, but more components were found to be vulnerable later (more below).

At the time, experts put the number of vulnerable machines reachable online at between 120,000 and 200,000.

CVE-2018-0101 proof-of-concept code became available soon after news of the vulnerability became public, most likely fueling the recent attacks against Cisco ASA devices. Nonetheless, the code only crashed Cisco ASA devices, and did not include the exploitation chain needed to take over devices.

Cisco reissues initial patch. New update is necessary.

Companies rushed to patch the issue, but by Monday this week, Cisco reissued security updates to deliver additional patches.

In the security advisory the company is maintaining for the issue, Cisco said its engineers discovered that the bug was far more wide-reaching than initially thought.

In an update, the company said that the flaw also affected other internal components of the Cisco ASA operating system, such as:

Adaptive Security Device Manager (ASDM)
AnyConnect IKEv2 Remote Access and SSL VPN
Cisco Security Manager
Clientless SSL VPN
Cut-Through Proxy
Local Certificate Authority
Mobile Device Manager Proxy
Mobile User Security
Proxy Bypass
ASA's REST API
Security Assertion Markup Language (SAML) Single Sign-on (SSO)

The updated advisory lists additional attack vectors, and Cisco users are advised to update their ASA-based devices again with Cisco's revised patch.

The company also added four new device models to the list of vulnerable equipment. The list now comprises:

⯮  3000 Series Industrial Security Appliance (ISA)
⯮  ASA 5500 Series Adaptive Security Appliances
⯮  ASA 5500-X Series Next-Generation Firewalls
⯮  ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
⯮  ASA 1000V Cloud Firewall
⯮  Adaptive Security Virtual Appliance (ASAv)
⯮  Firepower 2100 Series Security Appliance
⯮  Firepower 4110 Security Appliance
⯮  Firepower 4120 Security Appliance
⯮  Firepower 4140 Security Appliance
⯮  Firepower 4150 Security Appliance
⯮  Firepower 9300 ASA Security Module
⯮  Firepower Threat Defense Software (FTD)
⯮  FTD Virtual

Updated article to clarify that the PoC code could only be used to crash Cisco ASA devices.