A Vulnerability in Cisco Adaptive Security Appliance Software Could Allow for Security-Bypass

ITS Advisory Number: 2018-049
Date(s) Issued: Tuesday, May 1, 2018
Subject: A Vulnerability in Cisco Adaptive Security Appliance Software Could Allow for Security-Bypass
Overview: 

A vulnerability has been discovered in Cisco Adaptive Security Appliance (ASA) Software that could allow an unauthenticated, remote attacker to establish a Secure Sockets Layer (SSL) Virtual Private Network (VPN) connection to the device while bypassing certain SSL client certificate verification steps. The Cisco ASA family provides network security services such as firewall, intrusion prevention system (IPS), endpoint security (anti-x), and VPN. Successful exploitation could allow the attacker to establish an SSL VPN connection to the ASA that should have been rejected.

Systems Affected: 
  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: Medium
BUSINESS
Large and medium business entities: High
Small business entities: Medium
Home Users: Low
Description: 

A vulnerability has been discovered in Cisco ASA Software that could allow an unauthenticated, remote attacker to establish an SSL VPN connection to the device while bypassing certain SSL certificate verification steps. The vulnerability is due to incorrect verification of the SSL client certificate presented by the connecting peer. An attacker could exploit it by connecting to the ASA SSL VPN without a valid private key and certificate pair. Successful exploitation could allow the attacker to establish an SSL VPN connection to the ASA that should have been rejected. Because the flaw lies in client certificate verification, the exposure is the SSL VPN service on every interface where it is enabled, and in particular any tunnel group that relies on a client certificate to authenticate the peer.

Actions: 
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • After appropriate testing, immediately install the updates provided by Cisco.
  • Identify which SSL VPN tunnel groups authenticate peers by client certificate, since those exercise the affected verification path, and review their recent sessions for unexpected sources.
  • Monitor intrusion detection systems and VPN session logs for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.
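The following triage script is an added example, not part of this advisory and not Cisco tooling. It scopes exposure the way the description and actions above imply: it reads the text of an ASA `show running-config`, reports the interfaces on which the SSL VPN (`webvpn`) service is enabled, and lists the tunnel groups whose `webvpn-attributes` authentication includes a client certificate (`authentication certificate` or `authentication aaa certificate`). The configuration syntax is standard ASA syntax; the sample configuration embedded below is constructed for illustration and the assumption that a tunnel group with no explicit `authentication` line uses the ASA default of `aaa` is the author's, not the advisory's.

```python
"""Triage helper for the ASA SSL VPN client certificate verification advisory.

Added example (not Cisco tooling): parse `show running-config` output and
report where the SSL VPN is exposed and which tunnel groups rely on a client
certificate to authenticate the peer.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of a `show running-config` excerpt; not from a real device.
SAMPLE_CONFIG = """\
hostname asa-edge
webvpn
 enable outside
 anyconnect enable
tunnel-group CERT-ONLY type remote-access
tunnel-group CERT-ONLY webvpn-attributes
 authentication certificate
tunnel-group AAA-PLUS-CERT type remote-access
tunnel-group AAA-PLUS-CERT webvpn-attributes
 authentication aaa certificate
tunnel-group PASSWORD-ONLY type remote-access
tunnel-group PASSWORD-ONLY webvpn-attributes
 authentication aaa
tunnel-group SITE-A type ipsec-l2l
"""


@dataclass
class AsaVpnSummary:
    # Interfaces with `enable <ifname>` under the global `webvpn` block.
    webvpn_interfaces: list[str] = field(default_factory=list)
    # Tunnel group name -> authentication method string from webvpn-attributes.
    tunnel_groups: dict[str, str] = field(default_factory=dict)


def parse_running_config(text: str) -> AsaVpnSummary:
    """Walk the config line by line, tracking which top-level block we are in.

    ASA sub-commands are indented by one space; a non-indented line starts a
    new top-level command and therefore closes the previous block.
    """
    summary = AsaVpnSummary()
    section: str | None = None
    current_group: str | None = None

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level command: decide whether it opens a block we care about.
            if line == "webvpn":
                section = "webvpn"
            else:
                m = re.match(r"tunnel-group (\S+) webvpn-attributes$", line)
                if m:
                    section = "tg-webvpn"
                    current_group = m.group(1)
                    # Assumption: no explicit authentication line means the
                    # ASA default, username/password via AAA.
                    summary.tunnel_groups.setdefault(current_group, "aaa")
                else:
                    section = None
                    current_group = None
            continue

        sub = line.strip()
        if section == "webvpn":
            m = re.match(r"enable (\S+)$", sub)
            if m:
                summary.webvpn_interfaces.append(m.group(1))
        elif section == "tg-webvpn" and current_group is not None:
            m = re.match(r"authentication (.+)$", sub)
            if m:
                summary.tunnel_groups[current_group] = m.group(1)
    return summary


def certificate_auth_groups(summary: AsaVpnSummary) -> list[str]:
    """Tunnel groups whose SSL VPN authentication includes a client certificate."""
    return sorted(
        name for name, method in summary.tunnel_groups.items()
        if "certificate" in method.split()
    )


def main() -> None:
    summary = parse_running_config(SAMPLE_CONFIG)
    print("SSL VPN enabled on interfaces:", ", ".join(summary.webvpn_interfaces) or "none")
    for name in certificate_auth_groups(summary):
        print(f"tunnel-group {name}: authentication {summary.tunnel_groups[name]}")


if __name__ == "__main__":
    main()
```

Feed it the saved output of `show running-config` from each ASA in the affected list; a device with `webvpn` enabled on an Internet-facing interface and at least one certificate-authenticating tunnel group is the case to patch and review first.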