CVE-2018-0101 – Cisco ASA Remote Code

tianwen.zhao
Level 1

Hello everyone,

I have found the CVE-2018-0101 vulnerability recently. Our ASA (5515) has webvpn enabled.

Here is the show version output:

ASA5515# sho version | in Version
Cisco Adaptive Security Appliance Software Version 9.2(2)4
Device Manager Version 7.2(2)1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

Is Version 9.2(2)4 affected by the CVE-2018-0101 vulnerability?

Thank you.

12 Replies

Marvin Rhoads
Hall of Fame

Yes, your ASA software is affected.

Please refer to the actual Cisco Security Advisory for confirmation and details on the fixed releases:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

Thank you

I know this is an old thread, but I am getting flagged on a PCI compliance scan for this vulnerability on ASA 9.15(1). WTH is up with this? I don't have a SmartNet contract associated with the serial number for this ASA, so I cannot open a TAC case on it. This is pretty lousy, to still have this come up in a scan with the latest Cisco release for this ASA. The only way forward, it looks like, is to disable the webvpn, since I cannot download a patch (if there even is one). Do you have any thoughts on this one, Marvin?

CVE-2018-0101

Hi,

Are you running webvpn/AnyConnect VPN on the ASA?

If not, just disable it (or remove its config):

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# no enable outside

Hey John, thanks for the reply. We are using webvpn so that employees can download the AnyConnect VPN client. They do use the AnyConnect client to establish the VPN. I thought about this same thing, removing webvpn, but would it also affect the AnyConnect client? I get confused on the AnyConnect client; I believe it also negotiates over SSL 443. If this is accurate then I'm in a bit of a conundrum, in that by trying to patch per this vulnerability I'd be disabling VPN access. I also read that this vulnerability has been fixed in much earlier releases than the ASA code I'm running, which is 9.15.1. I don't understand how I'm going to resolve this and still keep the VPN.

I'm thinking of changing the AnyConnect listener port to 444, which I believe would also disable DTLS. I think this should work to remediate this CVE-2018-0101 "supposed" vulnerability.

I am surprised to see this show up in 9.15(1), which initially came out just 6 months ago.

You can change the client services (and I believe even DTLS) to use something other than port 443; however, that might just make the vulnerability not so easily detected by a scan while it is still present.

The release notes for the 9.15(1) interim builds don't mention it, but have you tried the latest interim build, 10?

https://www.cisco.com/web/software/280775065/155601/ASA-9151-Interim-Release-Notes.html

Thanks Marvin, I don't see the interim build 10 as being available to download. All I see is the version I am running, 9.15.1.

Thanks Marvin, I appreciate your response. It's a scan issue, not an actual vulnerability. Pretty irritating, as now I will have to fight the compliance scanning company to pass this firewall.

Hi Keith,

Appreciate your patience and cooperation.

I have checked regarding the information, and it is evident that the issue is already fixed in the earlier versions of ASA, since the actual issue was with the XML parser of the Cisco ASA device allocating and freeing memory when processing a malicious XML payload. The XML parser issue is already fixed in the earlier versions, and hence your device is not vulnerable as per the security bulletin.

Regarding the scan results, it detects this vulnerability on your device just because of the configuration related to web VPN and the sockets that are open; however, the actual issue was related to the XML parser, which is resolved in the earlier version as mentioned in the security bulletin, and hence your version is not vulnerable to this CVE ID.

These scan results could be a false alarm, and are only arising due to the config present on your device.

That's a pretty weak answer from the company doing the scanning. Basically they seem to be saying the tool just does a first-level pass and they don't have a human audit the results for accuracy unless you complain about it!

I ended up just changing the port to 444, which the scan passed. Could not get in contact with anyone at the scanning company (typical). Just figured I'd let you know; sorry, I just never got back here.

johnd2310
Level 8

Hi,

Yes, 9.2(2)4 is affected. You need to be running at least 9.2(4)27. The following link gives you versions that have the fix:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

 

Thanks

John


**Please rate posts you find helpful**
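The thread above turns on two different questions that the compliance scanner conflated: whether the running ASA software is older than the first fixed release for its train (the actual vulnerability), and whether webvpn is enabled and listening (what the scanner keyed on, and what moving the listener to port 444 hid). Below is an added example, written for this editorial pass and not code from the thread or from Cisco, that separates the two checks. It parses constructed `show version` and `show running-config webvpn` output, compares the software version against a per-train first-fixed table, and reports the webvpn exposure separately. The only fixed release in the table, 9.2(4)27 for the 9.2 train, is the one John states above; every other train must be filled in from the Cisco advisory (cisco-sa-20180129-asa1), and the rule that a train newer than every listed train already carries the fix is an assumption about how Cisco organises its "First Fixed Release" tables, not something the thread confirms.

```python
import re

# Constructed sample outputs (not captured from a real device).
SHOW_VERSION_SAMPLE = """\
Cisco Adaptive Security Appliance Software Version 9.2(2)4
Device Manager Version 7.2(2)1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
"""

SHOW_RUN_WEBVPN_SAMPLE = """\
webvpn
 enable outside
 port 444
 anyconnect enable
"""

# First fixed release per train, keyed by (major, minor). Only the 9.2 entry
# comes from the thread (johnd2310: "at least 9.2(4)27"); other trains are an
# assumption the reader must fill from the Cisco advisory before relying on it.
FIRST_FIXED = {
    (9, 2): (9, 2, 4, 27),
}

_VERSION_TOKEN = re.compile(r"\d+(?:[.()]+\d+)+\)?")


def parse_asa_version(text):
    """Normalise ASA version spellings 9.2(2)4, 9.2(4.27), 9.2.4.27 and 9.15(1)
    to a 4-tuple (major, minor, maintenance, interim) that compares correctly."""
    m = _VERSION_TOKEN.search(text)
    if not m:
        raise ValueError("no ASA version found in: %r" % text)
    parts = [int(p) for p in re.split(r"[.()]+", m.group(0).rstrip(")")) if p]
    parts += [0] * (4 - len(parts))          # 9.15(1) -> (9, 15, 1, 0)
    return tuple(parts[:4])


def software_version(show_version_output):
    """Pick the ASA software line, not the ASDM or BMC firmware lines."""
    for line in show_version_output.splitlines():
        if "Adaptive Security Appliance Software Version" in line:
            return parse_asa_version(line)
    raise ValueError("ASA software version line not present")


def is_affected(version, first_fixed=FIRST_FIXED):
    """True if older than the first fixed release of its train, False if at or
    past it, None if the train is not in the table (consult the advisory)."""
    train = version[:2]
    if train in first_fixed:
        return version < first_fixed[train]
    if train > max(first_fixed):
        # Assumption: trains released after the fix already include it
        # (e.g. 9.15(1) in the thread). Verify against the advisory.
        return False
    return None


def webvpn_exposure(show_run_webvpn_output):
    """What a configuration-based scanner sees: interfaces with webvpn enabled
    and the listening port (ASA default 443 when no 'port' line is set)."""
    enabled, port = [], 443
    for line in show_run_webvpn_output.splitlines():
        tokens = line.split()
        if tokens[:1] == ["enable"] and len(tokens) == 2:
            enabled.append(tokens[1])
        elif tokens[:1] == ["port"] and len(tokens) == 2:
            port = int(tokens[1])
    return {"enabled_interfaces": enabled, "port": port}


def assess(show_version_output, show_run_webvpn_output):
    """Combine both views so the two questions are answered separately."""
    version = software_version(show_version_output)
    exposure = webvpn_exposure(show_run_webvpn_output)
    return {
        "version": version,
        "affected_by_version": is_affected(version),
        "webvpn_enabled": bool(exposure["enabled_interfaces"]),
        "webvpn_port": exposure["port"],
    }


if __name__ == "__main__":
    print(assess(SHOW_VERSION_SAMPLE, SHOW_RUN_WEBVPN_SAMPLE))
```

Run against the original poster's 9.2(2)4 the version check says affected; against 9.15(1) it says not affected while the webvpn exposure is still reported, which is exactly the gap between the scanner's configuration heuristic and the advisory. Changing `port` to 444 in the config only changes the `webvpn_port` field, never `affected_by_version`.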