UPDATED: 5th February @ 18:08
Updated Patch Required

After further investigation, Cisco has identified additional attack vectors and features that are affected by this vulnerability. It was also found that the original fix was incomplete, so new fixed code versions have been made available.

The full details of this update, the relevant services, show commands and new Fixed Release details can be found here.

 

Broader Impact than initially understood

This information indicates a broader vulnerability that affects essentially any SSL/TLS-related functionality on the ASA platform, so services beyond WebVPN, such as the HTTPS and REST API management interfaces, are also impacted.

 

Recommendation

Block recommends that customers who have already patched based on the previous communication update once again, to the versions listed below, as soon as possible. Devices patched to the releases given in the original bulletin remain vulnerable because that fix was incomplete.

 

Current Fixed Releases

In summary, the First Fixed Release versions are as follows:

Cisco ASA

  • 8.x *    migrate to 9.1.7.23
  • 9.0 *    migrate to 9.1.7.23
  • 9.1      migrate to 9.1.7.23
  • 9.2      migrate to 9.2.4.27
  • 9.3 *    migrate to 9.4.4.16
  • 9.4      migrate to 9.4.4.16
  • 9.5 *    migrate to 9.6.4.3
  • 9.6      migrate to 9.6.4.3
  • 9.7      migrate to 9.7.1.21
  • 9.8      migrate to 9.8.2.20
  • 9.9      migrate to 9.9.1.2

  * Release train past the end of software maintenance; migrate to the listed release on a supported train.

 

Cisco FTD

6.0.0

  • Affected; migrate to 6.0.1 HotFix or later

 

6.0.1

  • Cisco_FTD_Hotfix_BH-6.0.1.5-1.sh (All FTD hardware platforms except 21xx)
  • Cisco_FTD_SSP_Hotfix_BH-6.0.1.5-1.sh (21xx FTD hardware platform)

 

6.1.0

  • Cisco_FTD_Hotfix_DZ-6.1.0.7-1.sh (All FTD hardware platforms except 21xx)
  • Cisco_FTD_SSP_Hotfix_DZ-6.1.0.7-1.sh (21xx FTD hardware platform)

 

6.2.0

  • Cisco_FTD_Hotfix_BN-6.2.0.5-3.sh (All FTD hardware platforms except 21xx)
  • Cisco_FTD_SSP_Hotfix_BN-6.2.0.5-3.sh (21xx FTD hardware platform)

 

6.2.1

  • Affected; migrate to 6.2.2 HotFix

 

6.2.2

  • Cisco_FTD_SSP_FP2K_Hotfix_AN-6.2.2.2-4.sh.REL.tar (21xx FTD hardware platform)
  • Cisco_FTD_SSP_Hotfix_AO-6.2.2.2-1.sh.REL.tar (41xx and 9300 FTD hardware platforms)
  • Cisco_FTD_Hotfix_AO-6.2.2.2-1.sh.REL.tar (all other FTD hardware platforms)

PUBLISHED: 30th January 2018 @ 11:17
Overview

Cisco has announced a critical vulnerability in the Remote Access VPN feature for the ASA and Firepower Threat Defence [FTD] product families.

This vulnerability affects deployments where the system runs a vulnerable code release and the WebVPN feature is enabled. There is no workaround other than disabling the WebVPN feature.

Block recommends that customers using WebVPN upgrade to a fixed release as soon as possible.

If exploited, the vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system or force it to reload (denial of service).

This vulnerability is now public knowledge, though at the time of writing we are not aware of any exploits in the wild.

 

Vulnerable Platforms
  • ASA 5500 Series Firewalls
  • ASA 5500-X Series Firewalls
  • ASA Services Module for 6500/7600 series switches
  • ASA 1000v & ASAv virtual firewalls
  • Firepower 2100, 4110, 9300 and FTDv firewalls

 

Fixed Software Releases

Please note that ASA releases 8.x, 9.0, 9.3 and 9.5 are now past the end of software maintenance; customers using these versions should migrate to the supported releases shown in the table below.

 

ASA Software families

  • 8.x      migrate to 9.1.7.20 or later
  • 9.0      migrate to 9.1.7.20 or later
  • 9.1      migrate to 9.1.7.20 or later
  • 9.2      migrate to 9.2.4.25 or later
  • 9.3      migrate to 9.4.4.14 or later
  • 9.4      migrate to 9.4.4.14 or later
  • 9.5      migrate to 9.6.3.20 or later
  • 9.6      migrate to 9.6.3.20 or later
  • 9.7      migrate to 9.7.1.16 or later
  • 9.8      migrate to 9.8.2.14 or later
  • 9.9      migrate to 9.9.1.2 or later

Note: the fix in these releases was later found to be incomplete. The 5th February update at the top of this page lists the releases now required.
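The two First Fixed Release tables on this page (the original one above and the updated one in the 5th February section at the top) are easy to misapply when a device sits on an end-of-maintenance train or was already patched to the original fix. The script below is an added example, not Block's or Cisco's tooling: it applies the updated table to the version string from `show version` and scans `show running-config` for listeners that ride on the ASA SSL/TLS stack (the WebVPN listener, the HTTPS and REST API management interfaces the update names, and, as this example's own assumption, AnyConnect IKEv2 client services). The config lines it matches on and the sample outputs at the bottom are constructed for illustration; run it against output captured from a real device.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# First Fixed Release per ASA train, taken from the 5th February update.
# Trains past end of software maintenance (8.x, 9.0, 9.3, 9.5) map to the
# supported train they must migrate to, so any version on them compares
# as vulnerable.
FIRST_FIXED: Dict[str, str] = {
    "8.x": "9.1.7.23",
    "9.0": "9.1.7.23",
    "9.1": "9.1.7.23",
    "9.2": "9.2.4.27",
    "9.3": "9.4.4.16",
    "9.4": "9.4.4.16",
    "9.5": "9.6.4.3",
    "9.6": "9.6.4.3",
    "9.7": "9.7.1.21",
    "9.8": "9.8.2.20",
    "9.9": "9.9.1.2",
}


def parse_version(text: str) -> Version:
    """'9.8(2)14' (show version form) or '9.8.2.20' (advisory form) -> (9, 8, 2, 14)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_from_show_version(output: str) -> Version:
    m = re.search(r"Software Version\s+(\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line in show version output")
    return parse_version(m.group(1))


def train_of(version: Version) -> str:
    return "8.x" if version[0] == 8 else f"{version[0]}.{version[1]}"


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group a running-config into top-level commands and their indented
    sub-mode lines (ASA indents sub-mode lines by one space)."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def exposed_features(config: str) -> List[str]:
    """Configured listeners on the SSL/TLS code path. Assumption: these four
    patterns are this example's heuristic, not Cisco's published feature list."""
    sections = parse_sections(config)
    found: List[str] = []
    for sub in sections.get("webvpn", []):
        if re.match(r"enable\s+\S+", sub):          # WebVPN / AnyConnect SSL listener
            found.append(f"webvpn {sub}")
    for cmd in sections:
        if cmd == "http server enable":             # HTTPS management interface
            found.append(cmd)
        elif cmd == "rest-api agent":               # REST API management interface
            found.append(cmd)
        elif re.match(r"crypto ikev2 enable \S+ client-services", cmd):
            found.append(cmd)                       # assumed: IKEv2 client services
    return found


def assess(show_version: str, running_config: str) -> Dict[str, object]:
    version = version_from_show_version(show_version)
    train = train_of(version)
    fixed = FIRST_FIXED.get(train)
    vulnerable_code = fixed is not None and version < parse_version(fixed)
    if fixed is None:
        action = "train not in the First Fixed table; check the vendor advisory"
    elif vulnerable_code:
        action = f"upgrade to {fixed} or later"
    else:
        action = "running fixed code; no action"
    return {
        "version": ".".join(map(str, version)),
        "train": train,
        "first_fixed": fixed,
        "vulnerable_code": vulnerable_code,
        "exposed_features": exposed_features(running_config),
        "action": action,
    }


# Constructed sample output: a device patched to the original 9.8.2.14 fix
# with WebVPN, HTTPS management, the REST API and IKEv2 client services enabled.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.8(2)14
Device Manager Version 7.8(2)151
"""

SAMPLE_RUNNING_CONFIG = """\
hostname asa-edge-01
!
http server enable
http 10.0.0.0 255.255.255.0 inside
rest-api agent
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG).items():
        print(f"{key:17} {value}")
```

The sample device, on 9.8.2.14 from the original bulletin, is reported as still needing 9.8.2.20, which is the point of the update. A train absent from the table (for example a newer 9.x release) yields no fix version and an explicit "check the advisory" action rather than a false "not vulnerable", and the feature list is reported even when the code is fixed, so the output doubles as an inventory of SSL-facing listeners to review.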

 

FTD Software families

Please note that support for Remote Access VPN was introduced in Firepower 6.2.2; at the time of this original bulletin, releases prior to this were therefore considered not vulnerable. The 5th February update at the top of this page extends the affected range to 6.0.0 onwards and supersedes the hotfixes below.

  • 6.2.2 on Firepower 2100 series appliances: install hotfix Cisco_FTD_SSP_FP2K_Hotfix_AC-6.2.2.2-6.sh.REL.tar
  • 6.2.2 on all other FTD appliances: install hotfix Cisco_FTD_Hotfix_AB-6.2.2.2-4.sh.REL.tar

 

Further information

Cisco’s security advisory for this vulnerability can be found here

Should you have any queries at all, please don’t hesitate to contact our Security & Vulnerability Team

BLOCKResponse@block.co.uk