CVE-2018-0296
Published: 07 June 2018
Summary
CVE-2018-0296 is a high-severity Improper Input Validation (CWE-20) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top fraction of a percent of all CVEs by exploit-likelihood score; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability in the web interface of Cisco Adaptive Security Appliance (ASA) software stems from insufficient input validation of the HTTP URL and is tracked as Cisco Bug ID CSCvi16029. It affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software running on the 3000 Series Industrial Security Appliance, ASA 1000V Cloud Firewall, ASA 5500 Series, ASA 5500-X Series, ASA Services Module, Firepower 2100/4100/9300 Series appliances, and the ASAv and FTDv virtual appliances. The flaw maps to CWE-20 (Improper Input Validation) and CWE-22 (Path Traversal), carries a CVSS v3 base score of 7.5, and is reachable over both IPv4 and IPv6 HTTP traffic; on certain releases it yields directory traversal rather than a reload.
An unauthenticated, remote attacker triggers the issue by sending a crafted HTTP request to the web interface of an affected device. Depending on the software release, the device either reloads unexpectedly (a denial-of-service condition) or stays up but returns sensitive system information to the unauthenticated requester via directory traversal.
Public references include the Cisco Security Advisory cisco-sa-20180606-asaftd, ICS-CERT advisory ICSA-18-184-01, SecurityTracker, SecurityFocus, and a Packet Storm entry describing the path-traversal variant; fixed releases and workarounds are documented in the Cisco advisory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-1119
Vulnerability details
A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvi16029.
- CWE(s): CWE-20, CWE-22
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of HTTP URL inputs, addressing the root cause of both the crafted-request DoS and the directory-traversal disclosure on the ASA web interface.
- SC-5 (Denial-of-Service Protection): mandates mechanisms that block or rate-limit the malicious IPv4/IPv6 HTTP requests capable of triggering ASA reloads.
- SC-7 (Boundary Protection): boundary-protection devices or filters at the network perimeter can inspect and drop crafted HTTP requests before they reach the vulnerable ASA web interface.
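The deeper analysis and the SI-10/SC-7 controls above both come down to one check: a request URL must be decoded and segment-resolved before anyone trusts it. The following is an added example written for this page, not Cisco code and not tied to any ASA-specific URL; it shows the check a perimeter filter or detection rule would apply and runs it over constructed access-log lines (the IPs, timestamps and paths are made up). The helper names (`decoded_path`, `is_traversal_attempt`, `escapes_root`, `scan_access_log`) are this example's own.

```python
"""Flag HTTP requests that carry directory-traversal segments, the way a
perimeter filter (SC-7) or an input-validation layer (SI-10) in front of a
firewall's web interface would. Added example, not vendor code."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Bound repeated percent-decoding so double-encoded input (%252e -> %2e -> .)
# is caught without looping forever on adversarial strings.
MAX_DECODE_ROUNDS = 3

# Common Log Format; the client field is \S+ so bare IPv6 addresses parse too,
# which matters because the advisory says IPv4 and IPv6 HTTP are both affected.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+$'
)


def decoded_path(target: str) -> str:
    """Path part of a request-target after bounded percent-decoding.
    The query/fragment are cut at the first literal '?'/'#' before decoding,
    as RFC 3986 delimits them, so an encoded '?' cannot hide a segment."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def _segments(target: str) -> list[str]:
    """Split the decoded path on '/' (treating '\\' as '/' as well) and drop
    ';param' suffixes, so '..;' is seen as the '..' it becomes on some servers."""
    path = decoded_path(target).replace("\\", "/")
    return [seg.split(";", 1)[0] for seg in path.split("/")]


def is_traversal_attempt(target: str) -> bool:
    """True if any '..' segment survives decoding. Deliberately does NOT require
    the path to resolve outside the web root: a crafted URL can stay under '/'
    lexically while hopping from one server handler into another."""
    return any(seg == ".." for seg in _segments(target))


def escapes_root(target: str) -> bool:
    """Lexical resolution: does the path pop above the web root?"""
    stack: list[str] = []
    for seg in _segments(target):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return True
            stack.pop()
        else:
            stack.append(seg)
    return False


def scan_access_log(log_text: str) -> list[dict]:
    """One record per request whose URL contains a traversal segment.
    Lines that do not match the log format are skipped, not fatal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if is_traversal_attempt(target):
            hits.append({
                "client": m.group("client"),
                "target": target,
                "decoded": decoded_path(target),
                "outside_root": escapes_root(target),
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log: one benign request, three traversal variants
# (single-encoded, double-encoded under an IPv6 client, ';'-suffixed),
# one look-alike that is not traversal, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2018:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [06/Jun/2018:10:01:13 +0000] "GET /files/%2e%2e/%2e%2e/etc/config HTTP/1.1" 200 512
2001:db8::1 - - [06/Jun/2018:10:02:01 +0000] "GET /a/..%252fb/list.json?path=/ HTTP/1.1" 200 88
198.51.100.9 - - [06/Jun/2018:10:03:44 +0000] "GET /docs/v1..2/readme.txt HTTP/1.1" 200 300
198.51.100.9 - - [06/Jun/2018:10:03:45 +0000] "GET /x/..;/y HTTP/1.1" 404 0
garbage line that does not parse
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Two design points worth noting. First, the rule fires on any `..` segment that survives decoding, not only on paths that lexically escape the root, because a server with a URL-handling bug can be steered between its own handlers without the path ever rising above `/`; the `outside_root` field is kept only as triage context. Second, decoding is bounded and done before splitting on `/`, so `%2e%2e`, `%252f` and backslash variants all collapse to the same segment; a check that inspects the raw request string would miss them.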