CVE-2018-0296: Vulnerability in Cisco ASA and Firepower Appliances Sees Spike in Exploit Attempts
The Cisco Adaptive Security Appliance and Firepower Appliance vulnerability patched over a year ago continues to be targeted by attackers in the wild, as exploitation attempts have increased in frequency over the past several weeks.
Contexto
On December 20, researchers at Cisco Talos published a blog post warning that a previously patched flaw in Cisco Adaptive Security Appliance (ASA) and Firepower Appliance has seen “a sudden spike in exploitation attempts.”
Análise
CVE-2018-0296 is an improper input validation vulnerability in the ASA web interface. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable ASA or Firepower device. This results in unexpected reloads of the device, causing a denial of service (DoS) condition. However, in certain software versions of the ASA or Firepower Threat Defense (FTD), a reload will not occur, but an attacker could view sensitive information by sending a specially crafted HTTP request containing directory traversal sequences.
The vulnerability was originally patched on June 6, 2018, after it was disclosed by security researcher Michal Bentkowski of Securitum, who published a blog post detailing his findings soon after. Roughly translated, Bentkowski noted the following in his post, “The error was reported to Cisco just on the example as above, i.e. the possibility of obtaining information about logged in users.” This differed from Cisco’s public description of the vulnerability, which focused on DoS and mentioned the possibility of directory traversal in some instances, the latter potentially related to Bentkowski’s findings. Cisco updated the advisory for the flaw on June 22, 2018, announcing they had observed public exploitation of the vulnerability.
In March 2019, Cisco updated the advisory once again, and in April 2019, the vulnerability was identified as one of the flaws used in a DNS hijacking campaign called Sea Turtle.
Cisco issued a final update to their advisory on September 24, 2019, elevating the vulnerability to critical after observing more exploitation attempts.
Prova de conceito
The first proof of concept (PoC) for the vulnerability was published to GitHub on June 21, 2018, and was regularly updated, accepting pull requests all the way up until March 2019. The repository has not been updated since June 2019.
There have been other PoCs for CVE-2018-0296 published to GitHub, including an exploit script to enumerate usernames from vulnerable devices and another exploit script called the Cisco Pillager.
Solução
As previously mentioned, the vulnerability was patched back in June 2018. The following devices running Cisco ASA or FTD software are potentially vulnerable:
| Device | Status |
|---|---|
| Cisco Industrial Security Appliance 3000 (ISA) | Supported |
| Cisco ASA 1000V Cloud Firewall | End-of-Life |
| Cisco ASA 5500 Series Adaptive Security Appliances | Supported |
| Cisco ASA 5500-X Series Next-Generation Firewalls | Supported |
| Cisco Catalyst 6500 Series Switches ASA Services Module | Supported |
| Cisco 7600 Series Routers ASA Services Module | End of Life |
| Cisco Adaptive Security Virtual Appliance (ASAv) | Supported |
| Cisco Firepower 2100 Series Security Appliance | Supported |
| Cisco Firepower 4100 Series Security Appliance | Supported |
| Cisco Firepower 9300 Security Appliance | Supported |
| Cisco Firepower Threat Defense Virtual (FTDv) | Supported |
The devices may be vulnerable depending on the ASA or FTD software features and configuration. For a detailed breakdown of the features and configurations, please refer to the affected products section under Cisco’s advisory.
Identificação de sistemas afetados
A list of Tenable plugins to identify this vulnerability can be found here.
Obtenha mais informações
- Cisco Talos Blog Post on Recent Spike in Exploit Attempts for CVE-2018-0296
- Cisco Advisory for CVE-2018-0296
- Michał Bentkowski's Blog Post on CVE-2018-0296
- Yassine Aboukir's PoC for CVE-2018-0296
Junte-se à equipe de resposta de segurança da Tenable na Tenable.
Saiba mais sobre a Tenable, a primeira plataforma de Cyber Exposure para o gerenciamento holístico da sua superfície de ataque moderna.
Obtenha uma avaliação gratuita por 30 dias do Vulnerability Management da Tenable.io.
Artigos relacionados
Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)
May 14, 2024Microsoft addresses 59 CVEs in its May 2024 Patch Tuesday release with one critical vulnerability and three zero-day vulnerabilities, two of which were exploited in the wild.
CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities
May 9, 2024Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.
Cybersecurity Snapshot: Attackers Pounce on Unpatched Vulns, DBIR Says, as Critical Infrastructure Orgs Benefit from CISA’s Alert Program
May 3, 2024Verizon’s DBIR found that hackers are having a field day exploiting vulnerabilities to gain initial access. Plus, a CISA program is helping critical infrastructure organizations prevent ransomware attacks. In addition, check out what Tenable’s got planned for RSA Conference 2024. And get the latest on the Change Healthcare breach. And much more!
Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)
May 14, 2024Microsoft addresses 59 CVEs in its May 2024 Patch Tuesday release with one critical vulnerability and three zero-day vulnerabilities, two of which were exploited in the wild.
Tenable Cloud Security Study Reveals a Whopping 95% of Surveyed Organizations Suffered a Cloud-Related Breach Over an 18-Month Period
May 14, 2024The finding from the Tenable 2024 Cloud Security Outlook study is a clear sign of the need for proactive and robust cloud security. Read on to learn more about the study’s findings, including the main challenges cloud security teams face, their strategies for better protecting their cloud infrastructure and the tools they use to measure success.
Shifting the Paradigm: Why the Cyber Insurance Industry Should Focus on Preventive Security
May 13, 2024As claims and losses climb, it’s clear that preventive security should be prioritized more when designing a cyber insurance policy. Here’s why preventive security investments are cost effective and can lead to lower premiums.
- Vulnerability Management