Cisco ASA AnyConnect/WebVPN Double free Vulnerability : CVE-2018-0101

A double free vulnerability has been discovered in the SSL VPN (WebVPN) feature of Cisco ASA software. The vulnerability has been assigned CVE-2018-0101. An attacker can exploit it by sending crafted XML packets to an interface on which webvpn is enabled. Upon successful exploitation, the attacker can achieve remote arbitrary code execution, or force the device to reload or shut down, causing a denial of service. Cisco has addressed this vulnerability in advisory cisco-sa-20180129-asa1.

The following products are vulnerable to CVE-2018-0101:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

Vulnerability
As mentioned above, the issue is a double free. More details about the vulnerability and how it can be exploited will be released at recon.cx 2018 by Cedric Halbronn.

Mitigation
Cisco has not released any workarounds for this issue; we recommend that organizations apply the fixed software releases provided by Cisco. Scan your devices using QID 316187 to detect vulnerable Cisco ASA software. The QID is an authenticated check that matches the Cisco ASA version retrieved with the "show version" command against the fixed releases listed in the advisory.
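The following is an added example, not the QID's own logic or any Cisco tooling: it shows the kind of check an authenticated scan performs, by parsing the version line of a "show version" dump, normalizing the Cisco "major.minor(maintenance)interim" format into a comparable tuple, and comparing it against a per-train first-fixed table. It also checks a running-config fragment for webvpn being enabled on an interface, since the vulnerability is only reachable through an interface serving WebVPN. The sample "show version" and config text are constructed, and the first-fixed versions in the table are recalled from Cisco's advisory and must be verified against cisco-sa-20180129-asa1 before being relied on.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of "show version" output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.8(2)15
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)

Compiled on Thu 28-Dec-17 15:58 PST by builders
System image file is "disk0:/asa982-15-smp-k8.bin"
"""

# Constructed running-config fragment (not from a real device).
SAMPLE_WEBVPN_CONFIG = """\
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.02036-webdeploy-k9.pkg 1
 anyconnect enable
"""

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, interim)

# First fixed release per ASA train. ASSUMPTION: values as recalled from the
# updated cisco-sa-20180129-asa1 table; verify against the advisory before use.
# Trains with no fix of their own (8.x, 9.0, 9.3, 9.5) must migrate, so any
# version on them is treated as vulnerable.
FIRST_FIXED: Dict[str, Version] = {
    "9.1": (9, 1, 7, 23),
    "9.2": (9, 2, 4, 27),
    "9.4": (9, 4, 4, 16),
    "9.6": (9, 6, 4, 3),
    "9.7": (9, 7, 1, 21),
    "9.8": (9, 8, 2, 20),
    "9.9": (9, 9, 1, 2),
}

# Matches e.g. "... Software Version 9.8(2)15" or "... Software Version 9.4(4)".
VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+(\d+)\.(\d+)\((\d+)\)(\d*)"
)


def parse_asa_version(show_version: str) -> Optional[Version]:
    """Extract the ASA software version from 'show version' output."""
    m = VERSION_RE.search(show_version)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim) if interim else 0)


def is_vulnerable_version(version: Version) -> bool:
    """True if the version is below the first fixed release of its train."""
    train = f"{version[0]}.{version[1]}"
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return True  # no fixed release on this train: must migrate
    return version < fixed


def webvpn_enabled(running_config: str) -> bool:
    """True if 'enable <interface>' appears inside the 'webvpn' block."""
    in_webvpn = False
    for line in running_config.splitlines():
        if not line.startswith(" "):
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn and line.strip().startswith("enable "):
            return True
    return False


def assess(show_version: str, running_config: str) -> str:
    """Combine the version and configuration checks into a single verdict."""
    version = parse_asa_version(show_version)
    if version is None:
        return "unknown: could not parse ASA version"
    if not is_vulnerable_version(version):
        return "not vulnerable: fixed release"
    if not webvpn_enabled(running_config):
        return "vulnerable version, but webvpn not enabled on any interface"
    return "vulnerable: patch required"


if __name__ == "__main__":
    print(parse_asa_version(SAMPLE_SHOW_VERSION))
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_WEBVPN_CONFIG))
```

The tuple comparison is what makes the check correct for interim builds: 9.8(2)15 sorts below 9.8(2)20 even though both share the 9.8(2) maintenance release, which a plain string or float comparison on "9.8" would miss.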

References
Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability
Robin Hood vs Cisco ASA AnyConnect
CVE-2018-0101


2 thoughts on “Cisco ASA AnyConnect/WebVPN Double free Vulnerability : CVE-2018-0101”

  1. I do not believe that this specific vulnerability involves IKE; this is related to the WebVPN SSL VPN in the listed appliances. I believe the talk about IKEv1 is separate from this vulnerability (even though it will be presented by the same researcher).

    1. Thank you for pointing it out. The fragmented IKEv1 packet method is a different topic; I have updated the post accordingly.
