Critical Cisco ASA and Firepower flaw already exploited in DoS attacks

• Hackers can at least access usernames and login information of active user sessions
• Major product features affected by the vulnerability

A critical vulnerability in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software have been exploited in the wild in denial-of-service (DoS) attacks, the company said. According to Michael Bentkowski, the bug hunter who discovered and reported the vulnerability to Cisco, it could be leveraged by any attacker to launch a DoS attack or even extract sensitive system information such as usernames of logged-in users or details about active sessions.

The vulnerability in question - tracked as CVE-2018-0296 - was classified “high severity” and already addressed by Cisco in patches released in early June. Cisco also released an advisory on June 6 about the vulnerability that “could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition."

Now, Cisco has updated the advisory notifying users that the exploit has been exploited to cause a DoS condition.

“Cisco PSIRT has become aware of a public proof-of-concept exploit and is aware of customer device reloads related to this vulnerability. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue,” Cisco wrote in its advisory.

About the Vulnerability

The vulnerability exists due to improper validation of HTTP URL.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information," Cisco said. The vulnerability also affects IPv4 and IPv6 HTTP traffic.

Devices affected by the vulnerability

Cisco products running Cisco ASA software and Cisco Firepower Threat Defense(FTD) software are affected by this vulnerability. The following are the list of product vulnerable.

• 3000 Series Industrial Security Appliance (ISA)
• ASA 1000V Cloud Firewall
• ASA 5500 Series Adaptive Security Appliances
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 2100 and 4100 Series Security Appliance
• Firepower 9300 ASA Security Module
• FTD Virtual (FTDv)

The vulnerability applies to all Cisco FTD Software releases except Release 6.2.0, which is not vulnerable,” the vulnerability report reads.

“With the security of our customers’ networks being a top priority, we’re taking active steps to raise awareness of this issue. Customers with affected devices are urged to consider necessary steps to assess and remediate any potential exposure within their network,” Cisco said.

The company has noted that it has not seen any attacks attempting to exploit the flaw to extract sensitive information.

“Cisco strongly recommends that customers upgrade to a fixed software release to remediate this issue,” the company said.