Firefox

vSOC SPOT Report: Mozilla Firefox Arbitrary Code Execution Vulnerability

Overview

On January 29th, Mozilla developer Johann Hofmann reported that there was a major Arbitrary Code Execution vulnerability (CVE-2018-5124) within the browser’s user interface (UI) that allows a remote attacker to execute specially crafted code by exploitation of the unsanitized HTML output in the browser’s “Chrome” component. The UI vulnerability has received a CVSS score of 8.8 out of 10 due to the ability for it to be easily exploited without the user’s knowledge.

Technical Overview

The attacker hides unsanitized HTML code within the Firefox “Chrome” component, which does not run separately from the HTML present on a web page. If the attacker hides unsanitized HTML inside the browser’s UI code, the execution chain can be broken away from Firefox’s UI component and allow commands to be run on the computer. The code itself runs with whatever the current user’s privileges are. For example, if the user is an administrator then the code can run SYSTEM level commands. Due to the fact CVE-2018-5124 relies on running untrusted code, it has the ability to be hidden within an iframe, loaded-off screen, or loaded via a drive-by download without the user’s knowledge.

Potential Impact

Exploit kit developers are expected to jump on this vulnerability and add CVE-2018-5124 to their arsenal of targeted vulnerabilities in order to load malware on users’ machines. The biggest impact would come from exploitation of this flaw involving a user with administrative privileges and could allow an attacker to gain a foothold due to the factors involving this vulnerability by running SYSTEM level commands on the compromised system. This security flaw allows an attacker to easily deliver malware and potentially gain control over the user’s machine. This vulnerability is not currently known to affect Firefox for Android and Firefox 52 ESR.

What You Should Do

It is recommended that users update their version of Mozilla Firefox if it is one of the following versions:

  • Mozilla Firefox 56.x
  • Mozilla Firefox 57.x
  • Mozilla Firefox 58.0.0

Mozilla has fixed the flaw by sanitizing the code executed by its chrome UI component, and this is included as part of the new patch released for the vulnerable versions.

Supporting Information

Cisco Logo

vSOC SPOT Report: Cisco Adaptive Security Appliance RCE & Denial of Service Vulnerability

Update (2018-01-31): SNORT Signatures

After further research, vSOC has located Snort signatures published by the fox-srt team, which can detect exploitation of this vulnerability.

# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:

alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02 08 |"; distance:1; within:2; fast_pattern; byte_test:4,>,5000,4,relative; byte_test:2,>,5000,10,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,52,relative; byte_test:4,=,fragment_match,136,relative; byte_test:4,=,fragment_match,236,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:4;)

alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)

These alerts have been provided by fox-srt and can be found at their GitHub site: https://gist.github.com/fox-srt/09401dfdfc15652b22956b9cc59f71cb

Overview

On Monday January 29th, Cisco released a statement to customers that they had identified a vulnerability (CVE-2018-0101) affecting Cisco ASA (Adaptive Security Appliance) and Cisco Firepower Threat Defense Appliances via the Secure Sockets Layer (SSL) VPN functionality of the devices which could allow an unauthenticated remote attacker to create a denial of service condition by reloading the device to remotely execute specially crafted malicious code. The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is turned on for the Cisco ASA device.

Attack Details

The vulnerability makes this very easy to exploit and as a result, it was rated a 10 out of 10 on the CVSS (Common Vulnerability Scoring System). The attack involves an attacker sending multiple crafted malformed XML packets to the Cisco ASA devices and Cisco Firepower software. If the exploit is successful, the attacker will then have the ability to execute unauthorized code on the devices. Depending on the nature of the code, the attacker can gain full control over the device. This attack does not require physical access and can be carried out remotely. The ASA device(s) are only vulnerable if they have the webvpn feature enabled within the OS settings.

Attack Detection and Prevention

Attack patterns will vary once exploits are developed and used in the wild. Some possible detection methods include monitoring XML packets sent to Cisco ASA hosts via packet capture, or to monitor for sudden regular spikes in traffic sent to Cisco ASA hosts, as these spikes would likely be an attempt to force constant restarts on the device. To determine whether the webvpn service is enabled, administrators can use the command show running-config webvpn at the command line. Additionally, the show version command can be run to verify which version of Cisco ASA Software is running on the device. The Cisco Adaptive Security Device Manager (ASDM) can also show the software release in the table that appears by the login window, or in the upper-left corner of the ASDM interface.

The show version command will also show the release version for Cisco Firepower Threat Defense (FTD) devices. Version 6.2.2 of FTD devices are vulnerable because it incorporates code from both Firepower and ASA devices, as it was the first release that supported the Remote Access VPN feature.

Affected Systems

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software

Recommendations

Cisco has released several tables showing the versions to update to and the original ASA major release. It is recommended to ensure both the ASA devices and FTD software is updated to the version released to counteract the vulnerability.

Cisco ASA Major Releases

[1] Cisco ASA Major release table (Cisco, 2018)

Cisco FTD Major Relases[1] Cisco FTD Major release table (Cisco, 2018)

Workarounds

There are no workarounds for this vulnerability. However, Cisco has already released updates that address this vulnerability. Versions that include this fix are listed in the ASA Major release table above.

Additional Resouces