How was a Cisco firewall vulnerability exploited by threat actors?

Threat actors exploited a critical Cisco firewall vulnerability that received a CVSS score of 10. Expert Judith Myerson explains how the flaw works and how it was exploited.

Cisco confirmed that a critical, zero-day vulnerability in its firewall software was actively exploited by threat actors. What is the Cisco firewall vulnerability, and how were attackers exploiting it?

The Cisco firewall vulnerability is a flaw in the XML parser of Cisco Adaptive Security Appliance (ASA) software; additional attack vectors were identified after Cisco's first software fix had been released. Threat actors exploit it by sending a crafted XML packet to a vulnerable interface on an affected Cisco product. Because no authentication credentials are required, a successful attack gives the attacker remote code execution and full control of the firewall. The vulnerability, which was rated a 10 in the Common Vulnerability Scoring System (CVSS), can also cause the device to reload or, because of a low memory condition, to stop processing incoming VPN authentication requests.

Initially discovered by a researcher at cybersecurity company NCC Group, the Cisco firewall vulnerability was first made public in a Jan. 29 advisory from the networking giant. A short time later, Cisco warned that the flaw was under active attack. For the vulnerability to be exploitable, remote access VPN must be in use: the ASA must have SSL and DTLS services or Internet Key Exchange version 2 (IKEv2) remote access VPN services enabled on an interface. IKEv2 is well suited to VPN deployments in which clients change networks, such as moving from a wireless to a wired connection, and to supporting mobile users.

Cisco products that were impacted include: ASA 5500-X Series Next-Generation Firewalls, ASA 1000V Cloud Firewall, Firepower 2100 Series Security Appliance, Firepower 4110 Security Appliance, Firepower 4150 Security Appliance, Firepower 9300 ASA Security Module and Firepower Threat Defense (FTD) Software.

The Feb. 18 update of Cisco's security advisory lists the vulnerable ASA features and the vulnerable configuration as seen from the command-line interface (CLI). A device is exposed if an SSL or DTLS listen socket is present on any port, or if the device is configured for one or more of the listed ASA features; attackers can use the same checks to identify targets.

The following shows how both administrators and attackers can use a CLI command to find those sockets:

ciscoasa# show asp table socket | include SSL|DTLS
SSL   00185038  LISTEN  172.16.0.250:443     0.0.0.0:*
SSL   00188638  LISTEN  10.0.0.250:443       0.0.0.0:*
DTLS  0018f7a8  LISTEN  10.0.0.250:443       0.0.0.0:*

Any LISTEN entry for SSL or DTLS means the affected service is reachable on that address and port. That establishes exposure, not vulnerability: whether the device can actually be exploited still depends on the software version installed, so the fixed-release table in Cisco's advisory remains the deciding check.
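The socket check above is easy to run once, but fleets of firewalls are usually audited from pasted or collected CLI output. The following Python script is an added example, not Cisco's tooling or the author's code: it parses `show asp table socket` output in the format shown above and a running configuration, and reports whether the advisory's preconditions (an SSL or DTLS listen socket, or SSL/DTLS or IKEv2 remote access VPN enabled on an interface) are present. The configuration forms it looks for, a `webvpn` block containing ` enable <interface>` and a top-level `crypto ikev2 enable <interface>` line, are assumptions about the ASA syntax, and the sample socket table and configuration are constructed for the example. It goes slightly beyond the page by checking the configuration as well as the socket table.

```python
"""Offline exposure check for the ASA XML parser flaw. Added example, not Cisco code.

Reports the advisory's preconditions (SSL/DTLS listener, or SSL/DTLS or IKEv2
remote access VPN enabled on an interface). It does not test for the bug itself.
"""
import re
from typing import Dict, List, NamedTuple


class Socket(NamedTuple):
    proto: str    # SSL, DTLS, TCP, UDP ...
    state: str    # LISTEN, ESTAB ...
    local: str    # local address:port
    foreign: str  # foreign address:port


# One row of 'show asp table socket': protocol, hex socket id, state, local, foreign.
SOCKET_ROW = re.compile(
    r"^\s*(?P<proto>[A-Z]+)\s+(?P<sock>[0-9a-fA-F]+)\s+(?P<state>\S+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s*$"
)

# Assumed ASA configuration syntax: a 'webvpn' block with indented
# ' enable <ifname>' lines, and a top-level 'crypto ikev2 enable <ifname> ...'.
WEBVPN_ENABLE = re.compile(r"^\s+enable\s+(\S+)")
IKEV2_ENABLE = re.compile(r"^crypto ikev2 enable\s+(\S+)")


def parse_asp_sockets(output: str) -> List[Socket]:
    """Parse every data row of 'show asp table socket' output; the header is skipped."""
    rows = []
    for line in output.splitlines():
        m = SOCKET_ROW.match(line)
        if m:
            rows.append(Socket(m["proto"], m["state"], m["local"], m["foreign"]))
    return rows


def ssl_dtls_listeners(output: str) -> List[Socket]:
    """The advisory's socket condition: any SSL or DTLS socket in LISTEN state."""
    return [s for s in parse_asp_sockets(output)
            if s.proto in ("SSL", "DTLS") and s.state == "LISTEN"]


def vpn_interfaces(config: str) -> Dict[str, List[str]]:
    """Interfaces on which SSL/DTLS (webvpn) or IKEv2 remote access VPN is enabled."""
    found: Dict[str, List[str]] = {"webvpn": [], "ikev2": []}
    in_webvpn = False
    for line in config.splitlines():
        if line and not line[0].isspace():      # top-level command
            in_webvpn = line.strip() == "webvpn"
            m = IKEV2_ENABLE.match(line)
            if m:
                found["ikev2"].append(m.group(1))
        elif in_webvpn:                           # indented line inside the webvpn block
            m = WEBVPN_ENABLE.match(line)
            if m:
                found["webvpn"].append(m.group(1))
    return found


def assess(socket_output: str, config: str) -> dict:
    """Combine both checks; 'exposed' is True when any precondition is met."""
    listeners = ssl_dtls_listeners(socket_output)
    vpn = vpn_interfaces(config)
    return {"listeners": listeners, "vpn": vpn,
            "exposed": bool(listeners or vpn["webvpn"] or vpn["ikev2"])}


# Constructed sample: the three rows shown on the page plus an SSH listener.
SAMPLE_SOCKETS = """\
Protocol  Socket    State      Local Address          Foreign Address
SSL       00185038  LISTEN     172.16.0.250:443       0.0.0.0:*
SSL       00188638  LISTEN     10.0.0.250:443         0.0.0.0:*
DTLS      0018f7a8  LISTEN     10.0.0.250:443         0.0.0.0:*
TCP       0019c2d0  LISTEN     10.0.0.250:22          0.0.0.0:*
"""

# Constructed sample configuration with both VPN services enabled on 'outside'.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
"""

# The same box with remote access VPN removed: only the SSH listener remains.
CLEAN_SOCKETS = """\
Protocol  Socket    State      Local Address          Foreign Address
TCP       0019c2d0  LISTEN     10.0.0.250:22          0.0.0.0:*
"""

CLEAN_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
"""

if __name__ == "__main__":
    for label, socks, cfg in (("vpn box", SAMPLE_SOCKETS, SAMPLE_CONFIG),
                              ("clean box", CLEAN_SOCKETS, CLEAN_CONFIG)):
        r = assess(socks, cfg)
        print(f"{label}: exposed={r['exposed']} listeners={len(r['listeners'])} vpn={r['vpn']}")
```

Run it with output captured from `show asp table socket` and `show running-config` in place of the constructed samples. A positive result from either check only means the attack surface is reachable; the device is vulnerable only if it is also running an affected software release, so pair this with the fixed-version list in Cisco's advisory.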
