Cisco Adaptive Security Appliance (ASA) Path Traversal (CVE-2018-0296)
Description
A path traversal vulnerability exists in the web interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. This vulnerability allows unauthenticated remote attackers to exploit directory traversal techniques to access sensitive system files and information that should be restricted. In some cases, exploitation may cause the affected device to crash and reload, resulting in a denial of service condition. The vulnerability affects multiple Cisco product lines including ASA 5500 series, Firepower 2100/4100/9300 series, ASA 1000V Cloud Firewall, ASAv and FTDv virtual appliances, ISA 3000 series, and ASA Services Modules for Catalyst 6500 and 7600 series devices.
Remediation
Apply the appropriate software updates immediately by following these steps:
- Identify your current ASA or FTD software version using the show version command
- Consult the Cisco Security Advisory (cisco-sa-20180606-asaftd) to determine the fixed software version for your platform
- Download the appropriate software update from Cisco's Software Download Center
- Schedule a maintenance window and create a backup of your current configuration using the write memory and backup commands
- Install the software update following Cisco's upgrade procedures for your specific platform
- Verify the update was successful and that the web interface is functioning properly
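The first two steps above (read the running version, compare it with the fixed release for that software train) are easy to get wrong by hand because ASA versions such as 9.8(2)28 do not sort as plain strings. The helper below is an added example, not code from this page or from Cisco: it parses the version line from show version output, normalises it into a comparable tuple, and reports whether the device is at or above the fixed release for its train. The fixed-version table is a placeholder and must be filled in from the cisco-sa-20180606-asaftd advisory; the show version text is constructed sample input.

```python
import re
from typing import Dict, Optional, Tuple

# PLACEHOLDER TABLE: fill each train's fixed release from the Cisco advisory
# cisco-sa-20180606-asaftd. The values below are invented for the demo only.
PLACEHOLDER_FIXED_VERSIONS: Dict[str, str] = {
    "9.4": "9.4(4)99",   # placeholder, not the real fixed release
    "9.8": "9.8(2)99",   # placeholder, not the real fixed release
}

# The ASA "show version" banner line carries the running software version.
VERSION_LINE_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+(\d+\.\d+\(\d+\)\d*)"
)

# Constructed sample of "show version" output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.8(2)28
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)
Compiled on Mon 01-Jan-18 00:00 PST by builders
"""


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Turn '9.8(2)28' into (9, 8, 2, 28) so versions compare numerically.

    A release without an interim build number, e.g. '9.8(2)', compares as
    interim 0, which is lower than any interim rebuild of that maintenance
    release.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)(\d*)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {ver!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def extract_version(show_version_output: str) -> Optional[str]:
    """Return the version string from show version output, or None if absent."""
    m = VERSION_LINE_RE.search(show_version_output)
    return m.group(1) if m else None


def train_of(ver: str) -> str:
    """The software train is the major.minor pair, e.g. '9.8' for 9.8(2)28."""
    major, minor, _, _ = parse_version(ver)
    return f"{major}.{minor}"


def assess(show_version_output: str,
           fixed_versions: Dict[str, str] = PLACEHOLDER_FIXED_VERSIONS) -> str:
    """Classify a device from its show version output.

    Returns 'fixed' when the running version is at or above the fixed release
    for its train, 'vulnerable' when it is below, 'unknown-train' when the
    train is not in the table (check the advisory: the train may have no fix
    and need a migration), and 'no-version-found' if parsing failed.
    """
    ver = extract_version(show_version_output)
    if ver is None:
        return "no-version-found"
    fixed = fixed_versions.get(train_of(ver))
    if fixed is None:
        return "unknown-train"
    return "fixed" if parse_version(ver) >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    print(extract_version(SAMPLE_SHOW_VERSION), "->", assess(SAMPLE_SHOW_VERSION))
```

Comparing only within the same train matters because Cisco publishes a separate fixed release per train; a 9.8 device is not made safe by the existence of a fixed 9.9 release, and a train absent from the table should be treated as needing a manual check against the advisory rather than assumed fixed.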
As no workarounds are available, upgrading to a fixed software version is the only effective mitigation. Until patches can be applied, consider restricting access to the web management interface using access control lists (ACLs) to trusted management networks only, though this does not fully eliminate the risk if the interface remains accessible.