Thoughts on the handling CVE-2018-0101 / Cisco Bug CSCvg35618

Update: 02/05/2018 – Cisco’s advisory and fixed software versions have changed.  For current info, refer to https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1.  The tables and fixed releases listed below are stale.  All currently recommended ASA Software versions to fix CVE-2018-0101 were published on Feb 3. If you patched before that, you need to patch again.

Original Post:

I want to rant for a few moments.  It was never my intention to use this blog as an outlet for ranting, but I don’t seem to find the time to publish much content, and I needed a place to let this out.  Maybe this doesn’t even qualify as a rant.  Either way, let’s get to it.

I want to talk about Cisco Bug ID CSCvg35618, CVE-2018-0101, which received a CVSS 3.0 score of 10.  This is the highest (most critical) rating that a vulnerability can receive.  Cisco published an advisory for this bug here on January 29, 2018 at 17:00 GMT.

The table below is pulled directly from that advisory.  It lists Cisco ASA major software versions that are affected in the column on the left, and the ASA Interim Software Version that the vulnerability was fixed in on the right.

Cisco ASA Major Release	First Fixed Release
8.x1	Affected; migrate to 9.1.7.20 or later
9.0	Affected; migrate to 9.1.7.20 or later
9.1	9.1.7.20
9.2	9.2.4.25
9.3	Affected; migrate to 9.4.4.14 or later
9.4	9.4.4.14
9.5	Affected; migrate to 9.6.3.20 or later
9.6	9.6.3.20
9.7	9.7.1.16
9.8	9.8.2.14
9.9	9.9.1.2

The next table is something that I just put together.  It has all of the First Fixed Releases from the table above on the left, and the date that they were made available for download from Cisco’s support website on the right.

First Fixed Release	Release Date
9.1.7.20	November 15, 2017
9.2.4.25	January 8, 2018
9.4.4.14	December 8, 2017
9.6.3.20	November 28, 2017
9.7.1.16	November 10, 2017
9.8.2.14	November 10, 2017
9.9.1.2	Unavailable?

Eighty days.  Eighty days is the amount of time that passed between the earliest software version that fixed the vulnerability being released, and the advisory being published.  Eighty Days!

Other Major Release versions had interim versions released more recently, but for some versions, it was eighty days.

To reiterate – this is a critical vulnerability, with a CVSS Score of 10.  The vulnerability can result in Remote Code Execution and Denial of Service when it’s exploited.

If I were to draw a network diagram for most organizations that own Cisco ASAs, where do you think those devices are placed on that diagram?  That’s right – most of the time an ASA is at the edge of the network and accessible from the Internet.  In fact, if you have an account for Shodan (https://www.shodan.io/), go ahead and run a query “Set-Cookie: webvpn”, and you can find over 160,000 devices connected to the internet that certainly look like ASAs, and they might be running vulnerable versions of the webvpn / AnyConnect services.

I can understand some of the challenges that Cisco and their peers are up against.  But even with that, I’m not sure that customers should be willing to accept that an advisory like this can be withheld for eighty days after some fixes are already available.  Eighty days is a long time, and it’s a particularly long time for a vulnerability with a CVSS Score of 10 that affects devices that are usually directly connected to the internet.

I know what at least one person reading this is going to think – “But… the updates were available already, so you should have patched your systems in a timely manner regardless of an advisory like this being published.”  Yes, customers need to take responsibility for installing patches in a timely manner.  However, customers also need to have access to adequate information so that they can appropriately prioritize among myriad workloads.  The advisory that Cisco published on January 29, 2018 contains the information that is so critical for customers to have at their disposal.

Beyond the need for customers to have access to critical information, there is another problem that Cisco could help to resolve.  There are many customers and engineers at VARs that only install Cisco “Suggested” releases that receive a “gold star” icon to attest to their quality, stability, longevity, and adoption rate.  None of the interim releases that fix CVE-2018-0101 are “suggested” “gold star” releases.  That needs to change.  Cisco needs to do more to encourage customers and VARs to install software versions that include security fixes.

By the inherent nature of interim releases that contain critical security fixes, those releases are never going to have a “gold star” – they have not been available long enough for Cisco to attest to their quality, stability, longevity, and adoption rate.  The criteria for a release receiving the “gold star” icon needs to change, or there needs to be another icon next to the release that indicates a severity level.  With a fix for a critical vulnerability included in a release, all of the interim releases listed above would be identified as Critical releases if there were somewhere that Cisco shared that type of rating.

Transparency is important.  Share critical security information as soon as possible.  Help us protect our systems.  Strive to be a better technology partner.