New vulnerability discovered in Cisco ASA, ASAx and Firepower devices

New vulnerability discovered in Cisco ASA, ASAx and Firepower devices

A new vulnerability was publicly announced last Friday (22th of June). It effects all current Cisco ASA devices (all models) and Firepower appliances (please see full list below).

It allows a remote attacker to execute a DoS (Denial-Of-Service) attack towards the vulnerable device and potentially extract sensitive data from the device (credential usernames and active sessions). It exploits the HTTP(S) service on the devices and uses directory traversal to try to gather sensitive data and potential reload the device. The vulnerability is possible due to lack of proper input validation of the HTTP URLs.

The discovery was made by a Polish Security researcher named Michal Bentkowski and was initially shared only with Cisco, giving time for Cisco to prepare patches and updates to its software. There have already been real-life attempts in exploiting this vulnerability due its lack of complexity and how easy it is to do it – there is already a couple of scripts on the internet to automate the process (see links below). Cisco states there is no work-around for this problem and all its customers are urged to upgrade to the patched software that Cisco has released prior to the unveiling of the vulnerability.

How to check if your devices are vulnerable:

If you have not patched your devices since the 22th of June and are using ASDM/CSM or Anyconnect on a publicly facing interface then it is very likely you are affected.

Simple steps to validate if your devices are vulnerable

1. Check if your devices is listening on SSL ports

 ciscoasa# show asp table socket | include SSL|DTLS

Look for open sockets on public facing interfaces

2. Check for presence of a process called Unicorn Proxy Thread, if this process is present, your device is considered vulnerable

ciscoasa# show processes | include Unicorn
Mwe 0x0000557f9f5bafc0 0x00007f62de5a90a8 0x0000557fa52b50a0
 3632 0x00007f62c8c87030 30704/32768 Unicorn Proxy Thread 218

Look for open sockets on public facing interfaces

Affected models:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 1000V Cloud Firewall
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 and 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv)

Fixed Releases:


Customers should upgrade to an appropriate release as indicated in the following tables.

Cisco ASA Software

Cisco ASA Software ReleaseFirst Fixed Release for This Vulnerability
Prior to 9.11Migrate to 9.1.7.29
9.1 9.1.7.29
9.29.2.4.33
9.3 Migrate to 9.4.4.18
9.49.4.4.18
9.5Migrate to 9.6.4.8
9.69.6.4.8
9.79.7.1.24
9.89.8.2.28
9.99.9.2.1

Cisco FTD Software

Cisco FTD Software ReleaseFirst Fixed Release for This Vulnerability
6.0Migrate to 6.1.0 HotFix or later
6.0.1Migrate to 6.1.0 HotFix or later
6.1.0Cisco_FTD_Hotfix_EI-6.1.0.7-2.sh (all FTD hardware platforms except 41xx and 9300)
Cisco_FTD_SSP_Hotfix_EI-6.1.0.7-2.sh (41xx and 9300 FTD hardware platforms)
6.2.0Not vulnerable
6.2.1Migrate to 6.2.2.3
6.2.26.2.2.3
6.2.36.2.3.1
6.2.3-851
6.2.3-85.02

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *