Cisco: This VPN bug has a 10 out of 10 severity rating, so patch it now


The researcher who found the flaw will be telling the world how to exploit it this weekend.

Cisco has warned customers using its Adaptive Security Appliance (ASA) software to patch a dangerous VPN bug that a researcher will be revealing how to exploit this weekend.

Cisco’s ASA operating system for its network security devices has a severe double-free vulnerability in the Secure Sockets Layer VPN feature that it warns “could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code”.

A successful attack using multiple, specially crafted XML packets would allow an attacker to take “full control of the system”, according to Cisco’s advisory.

Because it can be exploited remotely without authentication and gives full control of the device, the bug, tracked as CVE-2018-0101, has been given a Common Vulnerability Scoring System (CVSS) base score of 10 out of a possible 10.

However, Cisco notes that ASA devices are exposed only if the webvpn feature is enabled on an interface. Admins can check whether it is enabled using the command-line interface instructions in Cisco’s advisory.
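The two checks the advisory asks for (is webvpn enabled on any interface, and which ASA release is running) are easy to script when you have many appliances. The following is an added example for this page, not code from Cisco’s advisory. It assumes the advisory’s documented test: the output of `show running-config webvpn` contains an `enable <interface>` line when the feature is on. The sample configuration and version string are constructed, and the fixed release you compare against must come from Cisco’s own table, so it is passed in by the caller rather than hard-coded.

```python
import re

# Constructed sample of `show running-config webvpn` output from an ASA with
# the SSL VPN (webvpn) feature enabled on the "outside" interface. This is an
# illustrative configuration, not captured from a real device.
WEBVPN_ENABLED_CONFIG = """\
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
"""

# Constructed sample where the webvpn stanza exists but no interface is
# enabled, which the advisory treats as not exposed.
WEBVPN_DISABLED_CONFIG = """\
webvpn
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2
"""

# Constructed first line of `show version` output (the version number is
# made up for the example, not a statement about which releases are fixed).
SHOW_VERSION_OUTPUT = "Cisco Adaptive Security Appliance Software Version 9.8(2)12\n"

_ENABLE_RE = re.compile(r"^\s+enable\s+(\S+)\s*$")
_VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d*)")


def webvpn_enabled_interfaces(config: str) -> list:
    """Return the interfaces on which webvpn is enabled.

    Walks the `webvpn` stanza (the top-level line `webvpn` plus the indented
    lines that follow it) and collects the argument of each `enable <iface>`
    line. Lines such as `anyconnect enable` or `tunnel-group-list enable` do
    not match because `enable` must be the first token. An empty list means
    the device is not exposed under the advisory's criterion.
    """
    interfaces = []
    in_stanza = False
    for line in config.splitlines():
        if not line.startswith((" ", "\t")):
            # Top-level line: enter the stanza on `webvpn`, leave it otherwise.
            in_stanza = line.strip() == "webvpn"
            continue
        if in_stanza:
            m = _ENABLE_RE.match(line)
            if m:
                interfaces.append(m.group(1))
    return interfaces


def parse_asa_version(show_version: str) -> tuple:
    """Turn `... Software Version 9.8(2)12` into (9, 8, 2, 12) for comparison.

    The interim number after the parenthesis is optional; returns None if no
    version line is found.
    """
    m = _VERSION_RE.search(show_version)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def is_at_or_after(running: tuple, first_fixed: tuple) -> bool:
    """True if `running` is in the same release train (major.minor) as
    `first_fixed` and at or beyond it. `first_fixed` is the first fixed
    release for that train taken from Cisco's advisory table; this example
    deliberately does not embed those values."""
    return running[:2] == first_fixed[:2] and running >= first_fixed


if __name__ == "__main__":
    exposed = webvpn_enabled_interfaces(WEBVPN_ENABLED_CONFIG)
    print("webvpn enabled on:", exposed or "no interface")
    print("running:", parse_asa_version(SHOW_VERSION_OUTPUT))
```

Feed it the text of `show running-config webvpn` and `show version` collected from each appliance; a non-empty interface list on a release below the fixed one for its train is the combination that needs patching first. Cross-train comparisons return False on purpose, since Cisco publishes a separate first-fixed release per train.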

According to a tweet by security researcher Kevin Beaumont, almost 200,000 internet-connected devices may be vulnerable.


The vulnerability affects the 3000 Series Industrial Security Appliance (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, ASA 1000V Cloud Firewall, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4110 Security Appliance, Firepower 9300 ASA Security Module, and Firepower Threat Defense Software (FTD).


FTD is affected from release 6.2.2, which Cisco shipped in September 2017 and which was the first FTD version to support remote access VPN. FTD releases before 6.2.2 are not vulnerable.

Cisco has provided instructions for admins to see which versions of ASA and FTD they’re running. It has also provided a table detailing versions affected by the vulnerability and the first release that has a fix. Cisco advises customers to migrate to a supported release to receive the fix.

The company notes that it is not aware of any attacks that have used the vulnerability, but that could change quickly once the exploitation details are public.

The bug was reported by NCC Group security researcher Cedric Halbronn, who will explain how he exploited the flaw in Cisco’s AnyConnect/WebVPN on ASA devices.

He’s scheduled to give a talk on the subject, including the fuzzer he used to find the flaw, this weekend at the Recon Brussels 2018 conference.


“Our talk details the general architecture of the fuzzer used to find the double-free vulnerability, our analysis of the bug, and how we exploited it. The fuzzing architecture could be used to fuzz other protocols found on Cisco devices,” Halbronn writes in his conference notes.

“We also describe a generic way to leverage fragmented IKEv1 packets for both heap feng shui and for creating a write primitive. The AnyConnect vulnerability has been reported to Cisco, which assigned a CVSS score of 10.0. They will release an advisory about it early 2018.”
