CVE-2018-0101 - Is web-based ASDM vulnerable since it uses SSL as well?

Dean Romanelli
Level 4

Cisco states the below excerpt regarding vulnerability to CVE-2018-0101

To be vulnerable the affected device must have Secure Socket Layer (SSL) services or IKEv2 Remote Access VPN services enabled on an interface.

Regardless of the features, you can use the show asp table socket command and look for an SSL or a DTLS listen socket on any TCP port.

If a socket exists, you are vulnerable.


When I execute that command, I have SSL sockets in listen state, but they are for ASDM web access, not WebVPN/Anyconnect.

Does that count towards the vulnerability? If so, I need to lock down my outside ASDM rules further than they already are. 


FW23Atlanta-SH5505# show asp table socket


Protocol Socket State Local Address Foreign Address
SSL 000275f8 LISTEN 192.168.23.1:10443 0.0.0.0:*
SSL 00054c68 LISTEN 50.xxx.xx.121:10443 0.0.0.0:*
TCP 000646a8 LISTEN 192.168.23.1:23 0.0.0.0:*
TCP 0008c758 LISTEN 192.168.23.1:22 0.0.0.0:*
TCP 000abed8 LISTEN 50.xxx.xx.121:22 0.0.0.0:*
TCP 0032dd38 ESTAB 192.168.23.1:23 Dean_Romanelli:52718

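The advisory's test, as quoted in the post, is mechanical: any SSL or DTLS socket in LISTEN state on any interface counts, whichever feature opened it. The following script is an added example (my own, not Cisco's tooling and not part of the original thread) that parses `show asp table socket` output and applies that rule, then separates listeners on the management port from those bound to non-internal addresses so an administrator can see which ones need tighter access rules or a fixed image. The sample table is the one printed above, copied as constructed test input; treating port 10443 as the ASDM/HTTPS port and `192.168.` as the internal prefix are assumptions taken from the post, passed in as parameters rather than hard-coded.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set

# Constructed sample: the socket table from the post above, copied as printed
# (the public address stays masked exactly as in the original).
SAMPLE_OUTPUT = """\
FW23Atlanta-SH5505# show asp table socket

Protocol Socket State Local Address Foreign Address
SSL 000275f8 LISTEN 192.168.23.1:10443 0.0.0.0:*
SSL 00054c68 LISTEN 50.xxx.xx.121:10443 0.0.0.0:*
TCP 000646a8 LISTEN 192.168.23.1:23 0.0.0.0:*
TCP 0008c758 LISTEN 192.168.23.1:22 0.0.0.0:*
TCP 000abed8 LISTEN 50.xxx.xx.121:22 0.0.0.0:*
TCP 0032dd38 ESTAB 192.168.23.1:23 Dean_Romanelli:52718
"""

# One table row: protocol, socket id, state, local addr:port, foreign addr:port.
# The prompt line and the column header do not match and are skipped.
ROW_RE = re.compile(
    r"^(SSL|DTLS|TCP|UDP)\s+([0-9A-Fa-f]+)\s+(\S+)\s+(\S+):(\d+|\*)\s+(\S+)$"
)


@dataclass(frozen=True)
class AspSocket:
    protocol: str
    socket_id: str
    state: str
    local_addr: str
    local_port: int  # 0 when the port column is '*'
    foreign: str

    @property
    def local(self) -> str:
        return f"{self.local_addr}:{self.local_port}"


def parse_asp_sockets(text: str) -> List[AspSocket]:
    """Parse the text of `show asp table socket` into socket records."""
    rows: List[AspSocket] = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        proto, sid, state, addr, port, foreign = m.groups()
        rows.append(AspSocket(proto.upper(), sid.lower(), state.upper(), addr,
                              0 if port == "*" else int(port), foreign))
    return rows


def exposed_listeners(sockets: Sequence[AspSocket]) -> List[AspSocket]:
    """Advisory rule as quoted in the post: any SSL or DTLS socket in LISTEN
    state counts, no matter which feature (ASDM, WebVPN, AnyConnect ...) owns it."""
    return [s for s in sockets
            if s.protocol in ("SSL", "DTLS") and s.state == "LISTEN"]


def triage(listeners: Sequence[AspSocket], mgmt_ports: Set[int],
           internal_prefixes: Sequence[str]) -> Dict[str, object]:
    """Group exposed listeners for follow-up. `mgmt_ports` (assumed: the ASDM
    HTTPS port) and `internal_prefixes` (assumed: trusted address space) are
    caller-supplied; a listener on an address outside every internal prefix is
    the one reachable from untrusted networks."""
    report: Dict[str, object] = {
        "vulnerable": bool(listeners),
        "management_port": [],
        "non_internal": [],
    }
    for s in listeners:
        if s.local_port in mgmt_ports:
            report["management_port"].append(s.local)  # type: ignore[union-attr]
        if not any(s.local_addr.startswith(p) for p in internal_prefixes):
            report["non_internal"].append(s.local)  # type: ignore[union-attr]
    return report


if __name__ == "__main__":
    found = exposed_listeners(parse_asp_sockets(SAMPLE_OUTPUT))
    summary = triage(found, mgmt_ports={10443}, internal_prefixes=("192.168.",))
    print("SSL/DTLS listeners:", [s.local for s in found])
    print("vulnerable per advisory rule:", summary["vulnerable"])
    print("on management port:", summary["management_port"])
    print("on non-internal addresses:", summary["non_internal"])
```

On the table above the script reports both 10443 listeners as exposed and singles out the one on the public address as the socket reachable from outside; the same parser can be pointed at any saved `show asp table socket` capture, and an empty listener list (only TCP/UDP rows) yields `vulnerable: False`.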

Dean Romanelli
Level 4

Pretty sure I just answered my own question:


The vulnerability is reportedly a seven-year-old flaw within a Cisco XML parser. Using a crafted XML payload, a remote, unauthenticated attacker could cause a reload on an affected device or potentially execute arbitrary code. The original exploit, as written by NCC Group, uses IKEv1 fragmentation to leverage the XML vulnerability into code execution. As such, the additional interfaces added in the February 5, 2018, update (ASDM, CSM, Cut-Through Proxy, Local CA, MDM Proxy, and REST API) may only be vulnerable to denial-of-service attacks.
