Cisco VPN Danger

Earlier this week Cisco revealed a major vulnerability affecting devices configured with their WebVPN clientless VPN software. WebVPN is the Secure Sockets Layer (SSL) VPN feature built into numerous Cisco hardware devices. Companies around the world use WebVPN so that their employees can connect to the corporate intranet from the outside. Successful exploitation of this vulnerability could have potentially devastating consequences for an organization.
When WebVPN functionality is enabled, devices are vulnerable to a flaw that allows an attacker to “double-free” memory on the system. To accomplish this, an attacker submits custom-crafted XML messages to the WebVPN interface of the target device. The messages instruct the system to free a specific memory address multiple times, which may lead to memory leakage, giving an attacker the power to write malicious commands to memory. With this power an attacker has the ability to execute arbitrary code, monitor traffic, and corrupt memory. This flaw can even be exploited for the purposes of a DDoS attack by forcing the system to continuously reboot itself.
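To make the memory-safety pattern behind this flaw concrete, here is an added illustration in C; it is not Cisco's code and has nothing to do with the ASA implementation. It uses a hypothetical session table (`session_table`, `naive_release`, `safe_release`, `process_releases` are all assumed names) in which release requests, as if parsed from an untrusted message, name a slot to free. The naive handler frees whatever pointer sits in the slot and leaves it dangling, so a repeated request frees the same address twice; the hardened handler tracks ownership per slot, clears the pointer, and refuses the repeat instead of reaching `free()`.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example (hypothetical handler, not Cisco's code): how a double free
 * arises from a dangling pointer, and one defensive pattern that prevents it. */

#define SLOTS 4

typedef struct {
    char *buf[SLOTS];
    int   live[SLOTS];   /* 1 while the slot owns a buffer, 0 after release */
} session_table;

/* Allocate one small buffer per slot and mark every slot as live. */
void table_init(session_table *t) {
    for (int i = 0; i < SLOTS; i++) {
        t->buf[i] = malloc(64);
        if (t->buf[i]) snprintf(t->buf[i], 64, "session-%d", i);
        t->live[i] = 1;
    }
}

/* Vulnerable pattern: frees the stored pointer but leaves it in the table, so
 * a second release of the same slot frees the same address again (undefined
 * behaviour, heap corruption). Shown only for contrast with safe_release(). */
void naive_release(session_table *t, int slot) {
    if (slot < 0 || slot >= SLOTS) return;
    free(t->buf[slot]);          /* pointer stays in the table: dangling */
}

/* Hardened pattern: ownership is tracked per slot, the pointer is cleared on
 * release, and a repeated or out-of-range request is rejected before free().
 * Returns 1 if memory was released, 0 if the request was rejected. */
int safe_release(session_table *t, int slot) {
    if (slot < 0 || slot >= SLOTS) return 0;      /* out-of-range slot */
    if (!t->live[slot]) return 0;                 /* already released */
    free(t->buf[slot]);
    t->buf[slot] = NULL;                          /* no dangling pointer */
    t->live[slot] = 0;
    return 1;
}

/* Apply a sequence of release requests with the hardened handler.
 * Returns the number of requests that were rejected. */
int process_releases(session_table *t, const int *slots, int n) {
    int rejected = 0;
    for (int i = 0; i < n; i++) {
        if (!safe_release(t, slots[i])) rejected++;
    }
    return rejected;
}

/* Release every slot that is still live; already-freed slots are skipped. */
void table_destroy(session_table *t) {
    for (int i = 0; i < SLOTS; i++) safe_release(t, i);
}

int main(void) {
    session_table t;
    table_init(&t);
    /* Constructed request sequence: slot 2 is named three times and slot 9
     * does not exist. naive_release() would call free() three times on the
     * same address; safe_release() frees it once and rejects the rest. */
    const int reqs[] = {2, 0, 2, 9, 2};
    int rejected = process_releases(&t, reqs, 5);
    printf("released safely; %d duplicate/invalid requests rejected\n", rejected);
    table_destroy(&t);
    return 0;
}
```

The defensive idea is the same one a patch for a double free usually applies: the object's lifetime is tracked explicitly, the pointer is nulled when the object is released, and any release that does not match a live object is treated as an error rather than passed to the allocator.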

Figure 1: Affected Cisco Devices


The vulnerability has been labeled CVE-2018-0101 and has been given a 10/10, or critical, rating on the Common Vulnerability Scoring System (CVSS) scale. WebVPN is often enabled on edge firewalls, meaning that it is possible for an attacker to exploit this from the outside over the Internet. Although this vulnerability seems simple to exploit, successfully crafting the necessary XML messages would require a deep understanding of the system memory layout of an affected device. Patches for the vulnerability have been released; however, it is the responsibility of the company to make sure they are applied. We have yet to observe any exploits built to take advantage of this flaw, but this warning should not be taken lightly, as successful exploitation would likely lead to massive consequences.

•– vulnerability-alert-for-vpn-devices/
•– vulnerability-patched-against-remote-attacks

Source CIP report