topic CVE-2018-0101 – Cisco ASA Remote Code in Network Security

CVE-2018-0101 – Cisco ASA Remote Code

tianwen.zhao — Fri, 21 Feb 2020 16:36:45 GMT

Hello everyone,

I have found the CVE-2018-0101 vulnerability recently.Our ASA(5515) had enable the webvpn.

Here is the show version output:

ASA5515# sho version | in Version
Cisco Adaptive Security Appliance Software Version 9.2(2)4
Device Manager Version 7.2(2)1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

Had the Version 9.2(2)4 affected by CVE-2018-0101 vulnerability ?

Thank you.

Re: CVE-2018-0101 – Cisco ASA Remote Code

Marvin Rhoads — Thu, 27 Dec 2018 03:03:21 GMT

Yes your ASA software is affected.

Please refer to the actual Cisco Security Advisory for confirmation and details on the fixed releases:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

Re: CVE-2018-0101 – Cisco ASA Remote Code

johnd2310 — Thu, 27 Dec 2018 03:04:46 GMT

Hi,

Yes, 9.2(2)4 is affected. You need to be running at least 9.2(4)27. The following link gives you versions that have the fix:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

Thanks

John

Re: CVE-2018-0101 – Cisco ASA Remote Code

tianwen.zhao — Fri, 28 Dec 2018 00:32:30 GMT

Thank you

Re: CVE-2018-0101 – Cisco ASA Remote Code

keithcclark71 — Thu, 08 Apr 2021 13:24:22 GMT

I know this is old thread here but I am getting flagged on PCI compliance scan for this vulnerability on ASA 9.15(1). WTH is up with this , I don't have a smartnet associated with the serial number for this ASA so I cannot open a TAC on it. This is pretty lousy to still have this come up in a scan with latest cisco release for this ASA. The only way forwatrd it looks like is to disable the webvpn since I cannot download patch (If there even is one) Do you have any thoughts on this one Marvin

CVE-2018-0101

Re: CVE-2018-0101 – Cisco ASA Remote Code

johnlloyd_13 — Fri, 09 Apr 2021 01:58:04 GMT

hi,

are you running webvpn/anyconnect VPN on the ASA?

if not, just simple disable it (or remove its config).

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# no enable outside

Re: CVE-2018-0101 – Cisco ASA Remote Code

keithcclark71 — Fri, 09 Apr 2021 11:25:43 GMT

Hey John thanks for the reply. We are using Webvpn where employees can download the anyconnect vpn client. They do use the anyconnect client to establish the VPN. I though about this same thing in removing webvpn but would it also effect the anyconnect client? I get confused on the anyconnect client I believe it also negotiates over SSL 443. If this is accurate then I'm in a bit of a conundrum in that trying to patch per this vulnerability I'd be disabling vpn access. I also read this vulnerability has been fixed in much earlier releases then the ASA code on running which is 9.15.1. I don't understand how I'm going to resolve and still keep the vpn

Re: CVE-2018-0101 – Cisco ASA Remote Code

keithcclark71 — Fri, 09 Apr 2021 16:49:16 GMT

i'm thinking of changing the anyconnect listener port to 444 which would I believe would also disable dtls. I think this should work to remediate this CVE-2018-0101 "supposed" vulnerability

Re: CVE-2018-0101 – Cisco ASA Remote Code

Marvin Rhoads — Fri, 09 Apr 2021 17:07:49 GMT

I am surprised to see this show up in 9.15(1) which initially came out just 6 months ago.

You can change the client services (and I believe even DTLS) to use something other than port 443; however that might just make the vulnerability not-so-easily detected by a scan while still being present.

The release notes for 9.15(1) interim builds don't mention it but have your tried the latest interim build 10?

https://www.cisco.com/web/software/280775065/155601/ASA-9151-Interim-Release-Notes.html

Re: CVE-2018-0101 – Cisco ASA Remote Code

keithcclark71 — Fri, 09 Apr 2021 18:15:10 GMT

Thanks Marvin I don't see the 10 interim build as being available to download. All I see is the version I am running 9.15.1

Re: CVE-2018-0101 – Cisco ASA Remote Code

keithcclark71 — Wed, 21 Apr 2021 13:41:53 GMT

Thanks Marvin I appreciate your response. Its a scan issue not an actual vulnerability. Pretty irritating as now I will have to fight the compliance scanning company to pass this firewall.

Hi Keith,

Appreciate your patience and cooperation.

I have checked regarding the information, and it is evident that the issue is already fixed in the earlier versions of ASA, since the actual issue was with the XML parser of the Cisco ASA device with allocating and freeing memory when processing a malicious XML payload. The XML parser issue is already fixed in the earlier versions, and hence your device is not vulnerable as per the security bulletin.

Regarding the scan results, it detects this vulnerability on your device just because of the configuration related to web vpn and the sockets that are open, however the actual issue was related to the XML parser which is resolved in the earlier version as mentioned in the Security bulletin, and hence your version is not vulnerable to this CVE-ID.

This scan results could be a false alarm, and is only arising due the config present on your device.

Re: CVE-2018-0101 – Cisco ASA Remote Code

Marvin Rhoads — Wed, 21 Apr 2021 17:44:53 GMT

That's a pretty weak answer from the company doing the scanning. Basically they seem to be saying the tool just does a first level pass and they don't have a human audit the results for accuracy unless you complain about it!

Re: CVE-2018-0101 – Cisco ASA Remote Code

keithcclark71 — Tue, 22 Jun 2021 17:40:29 GMT

I ended up just changing ports to 444 which the scan passed. Could not get in contact with anyone at scanning company(Typical) Just figured i'd let ya know sorry just never got back here.