Fuzz the Heap and make it Chunk
A recently announced vulnerability by Cisco about their WebVPN client used on their Adaptive Security Appliances (Cisco ASA) has been given a rating of 10 on the Common Vulnerability Scoring System (CVSS) scale. These types of vulnerabilities are not new and this particular one was brought to light recently by two French security researchers, Cedric Halbronn and Aaron Adams of the NCC Group.
But first. A few definitions.
A software testing technique that uses deliberate malformed data injection to expose vulnerabilities
A method used for the dynamic allocation of random access memory (RAM)
Describes fragments of code or metadata that are returned for analysis
By expanding on research that had previously exposed a heap overflow vulnerability in the protocol used for establishing Secure VPN Connections on ASAs, Halbronn and Adams discovered this latest vulnerability by using special tools known as fuzzers to cause a deliberate memory overflow conditions on target devices to track what happens for analysis. The process has been around since the 1950s and used to be called random testing and is actually much more complex than this simple explanation.
These days, there are organizations such as the NCC Group that hire researchers to specialize in doing this as their business model. The whole process is designed to see how someone can gain control of a device by learning how it reacts so exploit vectors can be understood and the vulnerabilities can be brought to the attention of the code manufacturers through proper channels. Manufacturers pay handsomely for this information and as you would guess, so do bad guys working for certain Nation States. In those cases, the details of the research commands higher profits for those who would use the information for developing exploit code for nefarious purposes.
A Journey In Analysing Heaps
Halbronn presented the exact details of the vulnerability and possible exploit vectors or paths in an Information Security conference on August 17th, 2017 and the video is posted on YouTube. Halbronn is expected to present a very detailed talk this week on how the vulnerability was discovered and how it could potentially be exploited at RECON BRUSSELS 2018...so it is imperative that these devices are patched as soon as possible.
So what does all this mean?
Because this information is out there in great detail, the threat is real and the severity is rated at the highest level even if there are no reported exploits in the wild as of this writing. We want you our customers and prospects to know that we understand it, take it very seriously and are well underway on efforts to contain it.
What can you do now to prepare?
Use preventive countermeasures such as:
- Conduct a comprehensive Assessment of Risk and Technical Infrastructure Security
- Re-visit the design or re-design your network architecture
- Utilize DNS and IP layer, intelligent proxy and C2 blocking tools
- Employ Multi-Factor Authentication solutions
- Conduct Security Awareness and Anti-Phishing Training for you and your staff
- Consider use of APT Advanced Sensors to protect your network
- Utilize email anti-spam filtering and set as high as possible to block malware attachments
- Consider 24x7x365 Cyber Security Operations Center security monitoring for your network
- Ensure that your Anti-Virus scan engines are up to date and contain Endpoint Detection & Response (EDR)
- Employ monthly external vulnerability scans
- Conduct periodic external penetration tests of your networks
- Use a Managed Services Provider that offers Managed Security as a Service that you can rely on
- Cisco. (2016, September 16). IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
- Ferguson, J. (2007). Understanding the Heap by Breaking it, Case Study Draft . Retrieved from http://www.blackhat.com: http://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf
- Halbronn, C. (2017, August 18). 2017 - Cisco ASA Episode 3: A Journey In Analyzing Heaps by Cedric Halbronn. Retrieved from https://www.youtube.com: https://www.youtube.com/watch?v=ADYdToi6Wn0
- Halbronn, C. (2018, February 16). Upcoming Offensive Con Talk by Cedric Halbronn, ROBIN HOOD VS CISCO ASA ANYCONNECT - DISCOVERING AND EXPLOITING A VULNERABILITY IN YOUR FIREWALL. Retrieved from https://www.offensivecon.org: https://www.offensivecon.org/speakers/2018/cedric-halbronn.html
- Huang, Y. (2016). Heap Overflows and Double-Free Attacks. Retrieved from http://homes.soic.indiana.edu: http://homes.soic.indiana.edu/yh33/Teaching/I433-2016/lec13-HeapAttacks.pdf
- Kapil, D. (2017, October). Heap Exploitation, GitBook . Retrieved from https://heap-exploitation.dhavalkapil.com: https://heap-exploitation.dhavalkapil.com/attacks/double_free.html
- Mason, A. (2002, February 22). IPSec Overview Part Four: Internet Key Exchange (IKE), by Andrew Mason of Cisco, 2/22/2002 for good definition of the Security Association used between two IKE Peers for describing how the two will use security services to communicate. Retrieved from http://www.ciscopress.com: http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=1
- Oliveria, P. (2007, September 3). Trend Micro TrendLabs Security Intelligence Blog . Retrieved from https://blog.trendmicro.com/trendlabs-security-intelligence: https://blog.trendmicro.com/trendlabs-security-intelligence/heaps-and-bounds/
- Wikipedia. (2017, December 5). Memory Management . Retrieved from https://en.wikipedia.org: https://en.wikipedia.org/wiki/Memory_management#HEAP
- Wikipedia. (2018, January 1). Fuzzing. Retrieved from https://en.wikipedia.org: https://en.wikipedia.org/wiki/Fuzzing
- Wikipedia. (2018, January 17). Internet_Key_Exchange. Retrieved from https://en.wikipedia.org: https://en.wikipedia.org/wiki/Internet_Key_Exchange