Back on January 29th, there was a flurry of discussion in the IT world about the announcement from Cisco of an Adaptive Security Appliance (ASA) Remote Code Execution and Denial of Service Vulnerability.
Originally announced as affecting only the ASA and the latest code versions of the Firepower Threat Defense (FTD) firewalls, the announcement was revised several times over the following weeks, up through February 16th, to include most of the ASAs and Firepower firewalls running in our clients' networks.
The vulnerability is exploited primarily via the SSL features on the devices, though it can also be exploited via DTLS and IKEv2.
For our clients, SSL is the primary potential attack vector and would come in two forms:
1. SSL use in device management – ASDM on the ASA, FMC management connections on the FTD firewall
2. SSL use in VPN via AnyConnect
The device management attack vector is not a very concerning exposure, since all our managed firewalls are configured to accept management traffic only from a very limited set of IP addresses. This means an attack on the firewall would have to come from one of those internal locations for the device to even begin to "listen" to it, an extremely low-probability event.
The SSL AnyConnect attack vector is more problematic, since it is open to the Internet by the very nature of the service. So, if AnyConnect is configured and in use on your firewall and you're not patched yet, make this a high priority.
However, if you are not running AnyConnect on your firewall, and many of you are not, this exposure does not exist.
So, for many of you, depending on the features being run, this may not be a huge exposure. You should still patch as soon as practical; it just isn't a three-alarm fire.
Cisco provides a handy command you can run on the firewall device to see if you are vulnerable:
show asp table socket | include SSL|DTLS
You get a table back; look for LISTEN entries labeled SSL or DTLS. If you have any, you are vulnerable. If you get an empty table or a blank return, you are not.
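As an added example (not from the original post or from Cisco), here is a small Python parser that turns saved output of that command into a vulnerable / not-vulnerable verdict, handy when you are checking many firewalls from captured CLI sessions. The column layout is assumed from typical `show asp table socket` output and the sample rows are constructed; compare against your own device before relying on it.

```python
import re
from typing import Dict, List

# Assumed column layout of `show asp table socket` on ASA/FTD. The samples below
# are constructed for this example; check them against your own device's output.
#   Protocol  Socket    State      Local Address                Foreign Address
SOCKET_LINE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<sock>[0-9a-fA-F]+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)$"
)

def parse_asp_sockets(output: str) -> List[Dict[str, str]]:
    """Parse socket rows from `show asp table socket` output, with or without
    the `| include SSL|DTLS` filter. Header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = SOCKET_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def exposed_listeners(output: str) -> List[Dict[str, str]]:
    """SSL/DTLS sockets in LISTEN state: the entries Cisco's check keys on.
    Established sessions and non-SSL listeners (e.g. SSH on 22) are ignored."""
    return [r for r in parse_asp_sockets(output)
            if r["proto"] in ("SSL", "DTLS") and r["state"] == "LISTEN"]

def is_vulnerable(output: str) -> bool:
    """An empty table (the filter matched nothing) means not vulnerable."""
    return bool(exposed_listeners(output))

# Constructed: AnyConnect enabled, plus one established SSL session and SSH.
SAMPLE_ANYCONNECT = """\
Protocol  Socket    State      Local Address                Foreign Address
SSL       00012ab8  LISTEN     203.0.113.10:443             0.0.0.0:*
DTLS      00014fc8  LISTEN     203.0.113.10:443             0.0.0.0:*
SSL       0002c110  ESTAB      203.0.113.10:443             198.51.100.7:51234
TCP       0001a3c8  LISTEN     10.0.0.1:22                  0.0.0.0:*
"""
# Constructed: SSH-only management, no AnyConnect; the filter returns nothing.
SAMPLE_SSH_ONLY = ""

if __name__ == "__main__":
    for name, out in (("anyconnect-asa", SAMPLE_ANYCONNECT),
                      ("ssh-only-asa", SAMPLE_SSH_ONLY)):
        hits = exposed_listeners(out)
        print(f"{name}: {'VULNERABLE' if hits else 'not vulnerable'}",
              [f"{r['proto']} {r['local']}" for r in hits])
```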
The official Cisco announcement on the vulnerability is here:
This document also contains the tables for both the ASA and the FTD firewalls on the fixed versions of software or patches that should be applied to the devices to mitigate this issue.
CSI has completed, or is in the process of, applying these patches with many of our clients. If you are unsure of your firewall status or need assistance with applying the patches, please feel free to reach out to our office via email@example.com and we will be happy to help.