A new vulnerability was publicly announced last Friday (22th of June). It effects all current Cisco ASA devices (all models) and Firepower appliances (please see full list below).
It allows a remote attacker to execute a DoS (Denial-Of-Service) attack towards the vulnerable device and potentially extract sensitive data from the device (credential usernames and active sessions). It exploits the HTTP(S) service on the devices and uses directory traversal to try to gather sensitive data and potential reload the device. The vulnerability is possible due to lack of proper input validation of the HTTP URLs.
The discovery was made by a Polish Security researcher named Michal Bentkowski and was initially shared only with Cisco, giving time for Cisco to prepare patches and updates to its software. There have already been real-life attempts in exploiting this vulnerability due its lack of complexity and how easy it is to do it – there is already a couple of scripts on the internet to automate the process (see links below). Cisco states there is no work-around for this problem and all its customers are urged to upgrade to the patched software that Cisco has released prior to the unveiling of the vulnerability.
If you have not patched your devices since the 22th of June and are using ASDM/CSM or Anyconnect on a publicly facing interface then it is very likely you are affected.
Simple steps to validate if your devices are vulnerable
1. Check if your devices is listening on SSL ports
ciscoasa# show asp table socket | include SSL|DTLS
Look for open sockets on public facing interfaces
2. Check for presence of a process called Unicorn Proxy Thread, if this process is present, your device is considered vulnerable
ciscoasa# show processes | include Unicorn
Mwe 0x0000557f9f5bafc0 0x00007f62de5a90a8 0x0000557fa52b50a0
3632 0x00007f62c8c87030 30704/32768 Unicorn Proxy Thread 218
Look for open sockets on public facing interfaces
Customers should upgrade to an appropriate release as indicated in the following tables.
| Cisco ASA Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Prior to 9.11 | Migrate to 9.1.7.29 |
| 9.1 | 9.1.7.29 |
| 9.2 | 9.2.4.33 |
| 9.3 | Migrate to 9.4.4.18 |
| 9.4 | 9.4.4.18 |
| 9.5 | Migrate to 9.6.4.8 |
| 9.6 | 9.6.4.8 |
| 9.7 | 9.7.1.24 |
| 9.8 | 9.8.2.28 |
| 9.9 | 9.9.2.1 |
| Cisco FTD Software Release | First Fixed Release for This Vulnerability |
|---|---|
| 6.0 | Migrate to 6.1.0 HotFix or later |
| 6.0.1 | Migrate to 6.1.0 HotFix or later |
| 6.1.0 | Cisco_FTD_Hotfix_EI-6.1.0.7-2.sh (all FTD hardware platforms except 41xx and 9300) Cisco_FTD_SSP_Hotfix_EI-6.1.0.7-2.sh (41xx and 9300 FTD hardware platforms) |
| 6.2.0 | Not vulnerable |
| 6.2.1 | Migrate to 6.2.2.3 |
| 6.2.2 | 6.2.2.3 |
| 6.2.3 | 6.2.3.1 6.2.3-851 6.2.3-85.02 |
If you would like any help or guidance please contact www.4cornernetworks.com today.
