Pratum Blog

Jason Moulder, one of Pratum's valued information security consultants (penetration testers), discovered a critical WebVPN denial of service vulnerability in Cisco's Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. The vulnerability received a CVSS score of 8.6. We are proud of Jason and the excellent work he performs for our clients. Jason tells the story of his findings in the following article.

For those of us who conduct penetration testing for clients, discovering bugs is a regular occurrence. Sometimes they are just quirky things that produce interesting output that may or may not be what the developers intended.

During a recent client engagement, I ran into such an issue with a Cisco ASA device. Most of the time, testing firewalls is a pretty mundane task, but you still follow your testing methodology. From time to time, it pays off for the good guys.

To me, being a penetration tester isn’t just about popping boxes and owning the network. While this is REALLY fun, there is a lot of critical thinking that goes into your daily work. Being able to think “outside-of-the-box” will get you a lot further.

There are tons of products on the market, both free and commercial, that help testers every day. Automation helps a great deal and reduces the time you dedicate to an engagement, but it only catches known issues: whatever a rule or signature built into the tool already describes. If the target you are testing is properly updated, it has most likely already received a fix for the attack the tool is trying to find. The best way to find the unknown is to test your devices and applications manually, following a solid methodology.

Discovering the Cisco ASA Critical Denial of Service Bug

While going through my manual testing process, I began looking at all the pages the application reported back to me. To start out, I usually open the links, see what they are and monitor the responses I receive. One particular link stuck out.

Currently, we will not be disclosing details of how to exploit this vulnerability, but stay tuned for a future update in coming weeks.

When I visited the link, I received the following error page.

Cisco Adaptive Security Appliance (ASA) Error from Critical Denial of Service Bug

It seemed benign at first glance, but I noticed the browser was still trying to load the page. Well, not exactly… the address bar icon kept jumping between Stop and Reload. This wouldn’t stop unless you manually closed the tab that was opened. It appeared something was executing on the back end to establish a connection, all while I was unauthenticated.

When the link was loaded in any browser, a connection was established and then torn down. That is what it should do, but not infinitely. The best way to describe the behavior is an infinite loop within an application.

When more tabs were opened in the browser to the same location, CPU and RAM utilization on the ASA began to increase significantly (4 open tabs from two IP addresses raised utilization from 9% to 27%+ within a 1-minute timeframe) and continued to grow on its own. Now, that is a big increase for two hosts!

The connection count rose to upwards of 200 connections by itself, and teardown times grew from 1 second to, in some observations, over 30 seconds. The ASA was struggling from this simple test within one minute.

The size of the packets began to increase as well, even though no manipulation was done. The connection had to be forcibly closed in the browser, by either closing the tab or stopping the page load; otherwise it would continue to make the request. Looks like a DoS to me.

Since this was a client’s production system, I didn’t want to really do much more testing at this point and inadvertently bring it down.
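The symptoms described above (a sharp rise in CPU utilization within a minute, and the connection count climbing past 200 with no corresponding user activity) are what a monitoring rule should key on while no workaround exists. The following is an added example, not Pratum's detection rule and not Cisco code: it parses constructed samples of the output of the ASA CLI commands `show cpu usage` and `show conn count` (the two output formats are the ones those commands print; the 15-second poll cadence, the alert thresholds and every number in the samples are assumptions) and raises an alert when the readings move the way the article describes.

```python
"""Threshold monitor for ASA resource-exhaustion symptoms (added example).

Assumptions, not from the article: an operator polls the ASA CLI every
15 seconds and records the output of `show cpu usage` and `show conn count`.
The output formats matched below are the real ones; the values are made up.
"""
import re
from typing import List, Tuple

# `show cpu usage` prints, for example:
#   CPU utilization for 5 seconds = 9%; 1 minute: 9%; 5 minutes: 8%
CPU_RE = re.compile(
    r"CPU utilization for 5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%"
)
# `show conn count` prints, for example:
#   42 in use, 130 most used
CONN_RE = re.compile(r"(\d+) in use, (\d+) most used")

# Constructed poll results: (seconds since start, cpu output, conn output).
# The trend mirrors the article's observation: ~9% to ~27%+ CPU and 200+
# connections within about a minute from a handful of browser tabs.
SAMPLES: List[Tuple[int, str, str]] = [
    (0,  "CPU utilization for 5 seconds = 9%; 1 minute: 9%; 5 minutes: 8%",   "42 in use, 130 most used"),
    (15, "CPU utilization for 5 seconds = 14%; 1 minute: 11%; 5 minutes: 8%",  "88 in use, 130 most used"),
    (30, "CPU utilization for 5 seconds = 22%; 1 minute: 16%; 5 minutes: 9%",  "151 in use, 151 most used"),
    (45, "CPU utilization for 5 seconds = 27%; 1 minute: 21%; 5 minutes: 10%", "203 in use, 203 most used"),
    (60, "CPU utilization for 5 seconds = 31%; 1 minute: 27%; 5 minutes: 12%", "238 in use, 238 most used"),
]


def parse_cpu(text: str) -> Tuple[int, int, int]:
    """Return (5-second, 1-minute, 5-minute) CPU percentages."""
    m = CPU_RE.search(text)
    if not m:
        raise ValueError(f"unrecognized `show cpu usage` output: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def parse_conn(text: str) -> Tuple[int, int]:
    """Return (connections in use, most used) from `show conn count`."""
    m = CONN_RE.search(text)
    if not m:
        raise ValueError(f"unrecognized `show conn count` output: {text!r}")
    return int(m.group(1)), int(m.group(2))


def detect(samples: List[Tuple[int, str, str]],
           cpu_jump: int = 15,      # assumed: percentage-point rise that is suspicious
           window: int = 60,        # assumed: seconds over which the rise must occur
           conn_limit: int = 200    # assumed: absolute connection count ceiling
           ) -> List[Tuple[int, str]]:
    """Return (time, message) alerts for the DoS pattern described in the article.

    A CPU alert fires when the 5-second reading is at least `cpu_jump` points
    above any reading taken within the last `window` seconds; a connection
    alert fires when the in-use count exceeds `conn_limit`.
    """
    alerts: List[Tuple[int, str]] = []
    history: List[Tuple[int, int]] = []  # (time, 5-second CPU reading)
    for t, cpu_out, conn_out in samples:
        five_sec, _one_min, _five_min = parse_cpu(cpu_out)
        in_use, _most_used = parse_conn(conn_out)

        # Keep only readings inside the comparison window, then compare the
        # current reading against each of them (oldest first).
        history = [(t0, c0) for t0, c0 in history if t - t0 <= window]
        for t0, c0 in history:
            if five_sec - c0 >= cpu_jump:
                alerts.append((t, f"CPU rose from {c0}% to {five_sec}% within {t - t0}s"))
                break
        history.append((t, five_sec))

        if in_use > conn_limit:
            alerts.append((t, f"connection count {in_use} exceeds {conn_limit}"))
    return alerts


if __name__ == "__main__":
    for when, msg in detect(SAMPLES):
        print(f"t={when:>3}s  ALERT  {msg}")
```

The comparison uses the 5-second reading rather than the 1-minute average because the article's observation is a jump inside a single minute, which the averaged figure lags behind. In practice the two thresholds should be tuned from a baseline captured on the specific appliance, and an alert should trigger a look at the WebVPN connection table rather than an automatic block, since the traffic is unauthenticated and trivially spoofable in origin.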

Disclosing the Issue to Cisco

I began the disclosure process with Cisco’s PSIRT team at the beginning of May 2018. All the findings we had collected to that point were disclosed to them for further testing. An immediate response was received, and within two days Cisco confirmed the finding. In late August 2018, Cisco contacted me with an anticipated disclosure date at the beginning of October 2018. After further testing on Cisco’s side, the fix was found not to be adequate, but on May 1, 2019, Cisco released an advisory and software updates addressing the vulnerability. As of the time of this article, there is no workaround for this vulnerability.

Notes about Pratum and its clients.
  • The client was also notified of the issue from the beginning.
  • As a managed services provider, we were able to create our own custom rule to detect this activity for our clients.

There’s no replacement for robust cyber security and training programs but having these programs in place doesn’t mean you should avoid implementing a cyber liability insurance policy. Cyber insurance has proven to be a critical component of an enterprise risk management program, and if properly aligned with business needs, it can provide coverage for many of the costs associated with a cyber breach.

To ensure your organization has appropriate cyber insurance and a plan for responding to security incidents as they happen, you need to develop and implement an incident response plan. Developing the plan will force you to examine your risks from inside and outside your organization. Once you have identified and categorized your risks you will be able to make the appropriate business decision to either accept the risk (take no action because it doesn’t concern you enough), mitigate the risk (develop new policies and procedures to reduce risk), or transfer risk (purchase cyber liability insurance to help with the cost in the event of a security incident).

The categorization of your risks will guide you in selecting an insurance policy that aligns with business needs. Whether you are developing your response plan internally or with a third party, your organization will be responsible for complying with the terms of the policy to ensure you qualify for usable coverage. Terms include things like identifying when (how quickly) you need to contact your insurance provider and who is approved to handle the data involved in the breach.

In addition to helping select the appropriate insurance policy, developing an incident response plan will take you through the steps to identify key contacts from skilled firms that specialize in various areas of expertise. Adding these contacts to your incident response plan will ensure you are prepared to take immediate action when an incident arises.

Each group of specialists provides services to help ease the burden of cyber events. Let’s look at a few of these specialists and how they can help you:

  • Information Security/Forensics Firms — These are information security experts, like Pratum, who can assist with developing an incident response plan. These same experts can also help determine the extent of a security breach and provide remediation services.
  • Agents/Brokers — These individuals help you understand your exposure and tailor insurance programs to meet the unique needs of your organization.
  • Insurance Carriers — Carriers help you transfer liability to the carrier as a third party via insurance contract. Coverage provides balance sheet protection, and oftentimes policies provide access to and pay for pre-qualified breach response experts and vendors.
  • Breach Coaches — These specialized attorney firms help navigate the turbulent waters after a cyber breach. You gain attorney-client privilege by working with these firms, and they’re experts in handling cyber events and coordinating the specialists on this list to mitigate exposures to your organization.
  • Notification/Call Centers/Credit Monitoring/Identity Monitoring Services — These are professional firms that provide services required in the event of a breach. Many of these services are required by various state and federal laws in the event of a breach.
  • Public Relations — A firm will provide crisis management communications that help with loss of reputation and consumer confidence. What you say as well as how and when you say it matters.

Cyber liability insurance is an important part of an information security program and gives your organization a helping hand with the access it grants you to cyber experts. Make sure to incorporate these experts into your incident response plans and do your research on which firms best fit your organization’s needs. Planning is a critical step in ensuring events are handled properly and in helping your organization avoid additional liabilities from third parties. If you’ve planned properly, you will not be alone when an incident occurs, and you will be in a better position to minimize damage.

A special thank you to Miles Weis at Holmes Murphy for helping provide some of the content featured in this article.

2019 Prometheus Awards CEO of the Year

The Technology Association of Iowa Announced the Finalists for the 2019 Prometheus Awards

Dave Nelson, CEO at Iowa-based cybersecurity firm Pratum, has been named a finalist for the 2019 Prometheus Awards’ CEO of the Year. The most prestigious recognition for Iowa’s technology industry, The Prometheus Awards presented by LWBJ brings together leaders from technology, business, education and government to celebrate the year’s most momentous innovations.

The winner in each of the 14 award categories will be announced during the Prometheus Awards celebration on Thursday, April 11, 2019, at the Community Choice Credit Union Convention Center in Des Moines.

Here are the 2019 CEO of the Year finalists:

  • Jim Masterson, LightEdge Solutions
  • Ben Milne, Dwolla
  • Dave Nelson, Pratum
  • Hank Norem, Maple Ventures
  • Beth Trejo, Chatterkick
