Identifying Systems Affected by Cisco ASA Critical Vulnerability (CVE-2018-0101)

On January 29, 2018, Cisco released an advisory for a critical vulnerability in its Adaptive Security Appliance (ASA) software. The flaw, assigned CVE-2018-0101, carries a CVSS score of 10.0 and could allow denial of service or remote code execution. On February 5, Cisco updated the advisory after finding additional attack vectors and more affected products, and determined that the original fix was incomplete. Early adopters of the patch need to revisit the advisory and apply the latest update to their devices.

Vulnerability details

The vulnerability was originally found by NCC Group and has since been presented at REcon Brussels. The slides have been made available, so the details of the vulnerability are now widely known, and a denial-of-service proof of concept has already been published to Pastebin. The vulnerability is reportedly a seven-year-old flaw in a Cisco XML parser. Using a crafted XML payload, a remote, unauthenticated attacker could cause an affected device to reload or potentially execute arbitrary code. The original exploit, as written by NCC Group, uses IKEv1 fragmentation to turn the XML parser bug into code execution. As such, the additional interfaces added in the February 5, 2018, update (ASDM, CSM,...

Apache Struts REST Plugin XStream XML Request Deserialization RCE (CVE-2017-9805)

A new critical vulnerability (S2-052) in the Apache Struts framework (CVE-2017-9805) could allow an unauthenticated attacker to run arbitrary commands on a server that uses Struts together with the popular REST plugin.

Vulnerability details

A remote code execution vulnerability exists in Apache Struts due to unsafe deserialization in the REST plugin. The plugin uses XStream to deserialize XML request bodies into Java objects without restricting which types the XML may name, so a remote, unauthenticated attacker can execute arbitrary code by sending a crafted XML payload to a REST endpoint. The QL query lgtm used to locate the flaw (the `ContentTypeHandler` interface and the `toObject(Reader, Object)` implementations beneath it) is listed here:

```ql
/** The ContentTypeHandler Java class in Struts **/
class ContentTypeHandler extends Interface {
  ContentTypeHandler() {
    this.hasQualifiedName("org.apache.struts2.rest.handler", "ContentTypeHandler")
  }
}

/** The method `toObject` on any implementation of ContentTypeHandler */
class ToObjectDeserializer extends Method {
  ToObjectDeserializer() {
    this.getDeclaringType().getASupertype*() instanceof ContentTypeHandler and
    this.getSignature() = "toObject(java.io.Reader,java.lang.Object)"
  }
}
```

Tenable coverage

Tenable has released two plugins to detect vulnerable Apache Struts installs in your environment.

Unauthenticated Remote Check

Plugin 102977 is a remote plugin that attempts to exploit the vulnerability and makes the remote host send an ICMP echo (ping) request back to the scanner host to verify...
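As an added illustration (not code from the original post, from Struts, or from Tenable), the handler pattern behind S2-052 is shown next to a hardened form that uses XStream's type-permission API, which is the allow-list approach the Struts fix adopted. The class names (`XStreamHandlerExample`, `Order`), the `order` alias and the two sample XML bodies are assumptions constructed for this example; it uses XStream's `DomDriver` so no XPP parser dependency is needed.

```java
import java.io.Reader;
import java.io.StringReader;
import java.util.Collection;
import java.util.Map;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example, not Struts or Tenable code. All names below are assumptions.
public class XStreamHandlerExample {

    // Hypothetical domain type the REST endpoint is meant to accept.
    public static class Order {
        public String clientName;
        public int quantity;
    }

    // VULNERABLE pattern (pre-S2-052 behaviour): XStream with no type
    // restrictions instantiates whatever class the XML names, so the request
    // body, not the endpoint, decides which classes on the classpath get built.
    // XStream releases before 1.4.18 behave this way out of the box.
    public static Object toObjectUnsafe(Reader in) {
        XStream xstream = new XStream(new DomDriver());
        xstream.alias("order", Order.class);
        return xstream.fromXML(in);
    }

    // HARDENED form: deny every type first, then allow only what this endpoint
    // needs. Any other class name in the XML raises ForbiddenClassException
    // before an instance is constructed.
    public static Object toObjectSafe(Reader in) {
        XStream xstream = new XStream(new DomDriver());
        xstream.addPermission(NoTypePermission.NONE);              // deny by default
        xstream.addPermission(NullPermission.NULL);                // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypeHierarchy(Map.class);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream.fromXML(in);
    }

    public static void main(String[] args) {
        // Constructed sample request body the endpoint legitimately expects.
        String benign = "<order><clientName>acme</clientName><quantity>3</quantity></order>";
        // Constructed probe naming a JDK class the endpoint never asked for.
        // It does nothing harmful; the point is whether the handler builds it at all.
        String unexpected = "<java.io.File>/tmp/probe</java.io.File>";

        Order o = (Order) toObjectSafe(new StringReader(benign));
        System.out.println("safe handler accepted: " + o.clientName + " x" + o.quantity);

        Object built = toObjectUnsafe(new StringReader(unexpected));
        System.out.println("unsafe handler built: " + built.getClass().getName());

        try {
            toObjectSafe(new StringReader(unexpected));
            System.out.println("safe handler built the probe (should not happen)");
        } catch (ForbiddenClassException e) {
            System.out.println("safe handler refused: " + e.getMessage());
        }
    }
}
```

The deny-first ordering matters: `NoTypePermission.NONE` clears every earlier permission, so it must come before the allow calls, and `allowTypeHierarchy` should be kept as narrow as the endpoint's real payloads permit.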