CVE-2018-0101

10.0 CRITICAL

📋 TL;DR

This critical vulnerability in Cisco ASA SSL VPN allows unauthenticated remote attackers to execute arbitrary code or cause system reloads via crafted XML packets. It affects multiple Cisco ASA and Firepower products with webvpn enabled. Attackers can gain full system control without authentication.

💻 Affected Systems

Products:
  • Cisco ASA 3000 Series ISA
  • ASA 5500 Series
  • ASA 5500-X Series
  • ASA Services Module
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series
  • Firepower 4110
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)
Versions: Multiple versions prior to fixes released in January 2018
Operating Systems: Cisco ASA OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires webvpn feature to be enabled. Affects both physical and virtual appliances.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution, allowing an attacker to gain full administrative control of the ASA device and pivot to internal networks.

🟠 Likely Case

Denial of service through system reloads, potentially disrupting VPN connectivity and network security functions.

🟢 If Mitigated

Limited impact if webvpn is disabled or proper network segmentation isolates vulnerable devices.

🌐 Internet-Facing: HIGH - Directly exploitable from internet when webvpn interface is exposed.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code publicly available. Multiple proof-of-concepts demonstrate reliable exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed versions depending on platform - see Cisco advisory for specific versions

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

Restart Required: Yes

Instructions:

1. Check the current ASA version with 'show version'.
2. Download the appropriate fixed version from Cisco.
3. Upload the new image via TFTP/SCP.
4. Configure 'boot system' to point at the new image.
5. Reload the device.

🔧 Temporary Workarounds

Disable webvpn (applies to: all affected platforms)

Temporarily disable the vulnerable webvpn feature if immediate patching isn't possible:

no webvpn
write memory

Restrict access to webvpn interface (applies to: all affected platforms)

Apply an access control list that limits which sources can reach the webvpn listener. A caveat for ASA: an ordinary interface ACL filters through-the-box traffic only and does not restrict connections to the appliance itself, and a bare 'deny ip any any' on the outside interface would block all inbound through traffic without affecting webvpn. To filter to-the-box webvpn connections, permit only trusted sources and apply the ACL to the control plane (<TRUSTED_NET> <MASK> is a placeholder for your management or partner range):

access-list WEBVPN_ACL extended permit tcp <TRUSTED_NET> <MASK> interface outside eq 443
access-list WEBVPN_ACL extended deny tcp any interface outside eq 443
access-group WEBVPN_ACL in interface outside control-plane
write memory

🧯 If You Can't Patch

  • Disable webvpn feature entirely if not required
  • Implement strict network segmentation to isolate vulnerable devices from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check whether webvpn is enabled:

show running-config | include webvpn

Then compare the running ASA version against the affected versions listed in the Cisco advisory.

Check Version:

show version | include Software

Verify Fix Applied:

Verify that the ASA version has been updated to a fixed release:

show version | include Software

If webvpn was disabled as a workaround and is re-enabled after patching, confirm the webvpn configuration is as intended.

📡 Detection & Monitoring

Log Indicators:

  • Multiple XML parsing errors in ASA logs
  • Unexpected system reloads
  • High volume of XML packets to webvpn interface

Network Indicators:

  • Multiple crafted XML packets to TCP/443 (webvpn)
  • Unusual traffic patterns to ASA webvpn interface

SIEM Query:

source="ASA" AND ("%ASA-3-722041" OR ("webvpn" AND "XML"))
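The log and network indicators above describe a burst of webvpn XML errors from one source, plus unexpected reloads. The following is an added example, not part of the original page or of any Cisco tooling, that turns those indicators into a small offline detector: it parses constructed ASA-style syslog lines, counts webvpn/XML error events per source address inside a sliding time window, and separately tallies reload messages. The message id 722041 is taken from the page's SIEM query; the message text after it in the sample lines, the placeholder id 000000, and the threshold and window values are constructed assumptions, not real ASA message formats.

```python
import re
from collections import defaultdict
from datetime import datetime

# Cisco ASA syslog shape assumed here: "<Mon DD YYYY HH:MM:SS> <host> : %ASA-<sev>-<msgid>: <text>"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Message id named in the page's SIEM query. The text following it in the sample
# lines below is constructed for this example and is not the real ASA wording.
WEBVPN_XML_MSGIDS = {"722041"}


def parse_line(line):
    """Parse one ASA-style syslog line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = IP_RE.search(m["text"])
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "sev": int(m["sev"]),
        "msgid": m["msgid"],
        "text": m["text"],
        "src": ip.group(0) if ip else None,
    }


def is_webvpn_xml_error(ev):
    """Mirror the SIEM query: the named message id, or 'webvpn' and 'XML' together."""
    text = ev["text"].lower()
    return ev["msgid"] in WEBVPN_XML_MSGIDS or ("webvpn" in text and "xml" in text)


def is_reload(ev):
    """Unexpected reloads are an indicator on the page; match on the word only."""
    return "reload" in ev["text"].lower()


def max_in_window(times, window_s):
    """Largest number of events from one source inside any window_s-second span."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, threshold=5, window_s=60):
    """Return per-source burst sizes, sources over threshold, and reload count."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    per_src = defaultdict(list)
    reloads = 0
    for ev in events:
        if is_webvpn_xml_error(ev):
            per_src[ev["src"] or "unknown"].append(ev["ts"])
        if is_reload(ev):
            reloads += 1
    bursts = {src: max_in_window(ts, window_s) for src, ts in per_src.items()}
    alerts = sorted(src for src, n in bursts.items() if n >= threshold)
    return {"bursts": bursts, "alerts": alerts, "reloads": reloads}


# Constructed sample log lines (addresses from documentation ranges; ids other
# than 722041 are placeholders, not real ASA message ids).
SAMPLE_LOGS = [
    "Jan 29 2018 10:00:01 asa-fw : %ASA-3-722041: webvpn XML parse error from 198.51.100.7 (constructed)",
    "Jan 29 2018 10:00:03 asa-fw : %ASA-3-722041: webvpn XML parse error from 203.0.113.5 (constructed)",
    "Jan 29 2018 10:00:05 asa-fw : %ASA-3-722041: webvpn XML parse error from 198.51.100.7 (constructed)",
    "Jan 29 2018 10:00:09 asa-fw : %ASA-3-722041: webvpn XML parse error from 198.51.100.7 (constructed)",
    "Jan 29 2018 10:00:13 asa-fw : %ASA-3-722041: webvpn XML parse error from 198.51.100.7 (constructed)",
    "Jan 29 2018 10:00:17 asa-fw : %ASA-3-722041: webvpn XML parse error from 198.51.100.7 (constructed)",
    "Jan 29 2018 10:00:21 asa-fw : %ASA-3-722041: webvpn XML parse error from 198.51.100.7 (constructed)",
    "Jan 29 2018 10:00:40 asa-fw : %ASA-6-000000: System reload requested (constructed placeholder)",
    "this line is not ASA syslog and is skipped",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for src in result["alerts"]:
        print(f"ALERT: {src} sent {result['bursts'][src]} webvpn/XML errors within 60s")
    print(f"reload events: {result['reloads']}")
```

The threshold and window are tuning knobs: a single parse error is noise on a busy VPN head-end, while several from one address in a minute followed by a reload is the pattern worth paging on. In a real pipeline the same functions would run over lines pulled from the SIEM rather than the embedded sample.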
