Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability  





Published on: 22 Feb, 2018

It has been intimated that a vulnerability in the XML parser of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. It was also possible that the ASA could stop processing incoming Virtual Private Network (VPN) authentication requests due to a low memory condition.

The vulnerability is due to an issue with allocating and freeing memory when processing a malicious XML payload. An attacker could exploit this vulnerability by sending a crafted XML packet to a vulnerable interface on an affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, cause a reload of the affected device or stop processing of incoming VPN authentication requests.

Cisco has identified additional attack vectors and features that are affected by this vulnerability. In addition, it was also found that the original fix was incomplete so new fixed code version are now available on Cisco Website.

To be vulnerable the ASA must have Secure Socket Layer (SSL) services or IKEv2 Remote Access VPN Services enable on an interface. The risk of the vulnerability being exploited also depends on the accessibility of the interface of the attackers.

The following four IPs are host that have been recently attempting to trigger the DOC condition for CVE-2018-0101.

Attacking IPs:


  1. 199.247.0.79 (Choopa)
  2. 46.101.112.75 (Digital Ocean)
  3. 46.101.224.132 (Digital Ocean)
  4. 45.32.146.139 (Choopa)

Additionally, It has been reported in scanning activity from the following hosts in what appears to be attempts to identify possible ASA devices.

Scanning IPs:


  1. 5.16.83.95 (SPB, RU)
  2. 176.193.122.197 (TI, RU)
  3. 95.24.201.54 (Corbina, RU)
  4. 188.255.21.94 (NCNET, RU)

Reference: