In February 2017, Cisco released a security advisory indicating that a vulnerability had been found in the software of their Adaptive Security Appliance, or ASA, as they like to call it. It is found specifically in the Clientless SSL VPN functionality of the system. This security flaw could allow a remote attacker to cause a heap overflow on the device. According to the advisory, a working exploit could even cause the affected system to reload or allow the execution of code.
Is my system vulnerable?
Although fixes have since been released for several versions, outdated systems and those running affected releases are still vulnerable. According to Cisco, the list of products that may be affected includes the following:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco ASA for Firepower 9300 Series
- Cisco ASA for Firepower 4100 Series
- Cisco ISA 3000 Industrial Security Appliance
It is important to note that, to be considered vulnerable, these systems need to have the Clientless SSL VPN portal enabled. This can be verified by performing the following checks:
a) First, you need to determine whether webvpn is enabled, as the following example illustrates:
b) If a) is confirmed, the administrator should then check whether the group policy includes the ssl-clientless option in the vpn-tunnel-protocol command, as follows:
c) The administrator can also verify whether a vulnerable version of the ASA software is running by using the command show version | include Version, keeping in mind that versions prior to 9.7 were affected and that only 9.1, 9.4 and 9.6 have been partially fixed so far.
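As an added example (not from the original post, from Cisco, or from Accent Networks), the following Python script applies checks a) to c) to saved command output: it looks for an enable line under the webvpn block, for group policies whose vpn-tunnel-protocol includes ssl-clientless, and for a release before 9.7. The configuration excerpt and the version line are constructed samples, and the 9.7 threshold is taken from the text above; the exact fixed release for a given train must still be confirmed against the advisory.

```python
import re

# Constructed sample output (not from a real device) of "show running-config" and "show version".
SAMPLE_CONFIG = """\
webvpn
 enable outside
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
group-policy PORTAL_USERS internal
group-policy PORTAL_USERS attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
"""
SAMPLE_VERSION = "Cisco Adaptive Security Appliance Software Version 9.6(2)"

def webvpn_interfaces(config):
    """Check a): interfaces on which 'enable <if>' appears inside the webvpn block."""
    interfaces, in_webvpn = [], False
    for line in config.splitlines():
        if not line.startswith(" "):          # a new top-level block starts here
            in_webvpn = line.strip() == "webvpn"
            continue
        m = re.match(r"\s+enable\s+(\S+)$", line)
        if in_webvpn and m:
            interfaces.append(m.group(1))
    return interfaces

def clientless_policies(config):
    """Check b): group policies whose vpn-tunnel-protocol includes ssl-clientless."""
    policies, current = [], None
    for line in config.splitlines():
        m = re.match(r"group-policy\s+(\S+)\s+attributes$", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):        # left the attributes block
            current = None
        elif current and re.match(r"\s+vpn-tunnel-protocol\b.*\bssl-clientless\b", line):
            policies.append(current)
    return policies

def version_before_9_7(version_line):
    """Check c): the post states that releases before 9.7 are affected."""
    m = re.search(r"Version\s+(\d+)\.(\d+)", version_line)
    if not m:
        raise ValueError("no ASA version string found")
    return (int(m.group(1)), int(m.group(2))) < (9, 7)

def exposed(config, version_line):
    # The portal is exposed to this bug only when all three conditions hold.
    return bool(webvpn_interfaces(config)) and bool(clientless_policies(config)) and version_before_9_7(version_line)
```

Run it against the real output of show running-config and show version saved to files; a True result from exposed() means the workaround or an upgrade is needed.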
My system may be compromised, how do I solve it?
Although the best recommendation is to migrate to an unaffected release of the system's software, there is a workaround that blocks the offending URLs that could be used to exploit the vulnerability.
The first step is to configure a webtype access list with the following input:
After this is set, the access list has to be applied in the group policy with the filter value command, as follows:
Still, it is strongly recommended to upgrade to a fixed version of the software. This practical security tip is just a small part of Accent Networks' everyday work to stay on top of the network security industry, work we have performed for many years and that has earned us the solid position in the network solutions industry that we occupy today. This is the seal of quality that ensures your business can trust us for any IT service.
The original security advisory can be found here: Cisco ASA Clientless SSL VPN CIFS Heap Overflow Vulnerability.