Cisco logo

Hackers are exploiting a vulnerability in Cisco software to crash and/or retrieve information from affected devices.

Cisco is aware of the issue and has warned customers last week, Friday, June 22.

Hackers targeting CVE-2018-0296

Exploitation attempts leverage a vulnerability —tracked via the CVE-2018-0296 identifier— that affects Cisco ASA (Adaptive Security Appliance) software.

The vulnerability allows an attacker to view sensitive system information without authenticating on the ASA device by using directory traversal techniques. A side-effect of this vulnerability is a device crash, which is also why Cisco also describes it as a Denial of service (DoS) issue.

More details about this flaw can be found in a blog post (in Polish) from Michał Bentkowski, the security researcher who discovered and reported the issue to Cisco.

Exploitation started after the publication of PoC code

Cisco patched CVE-2018-0296 at the start of the month, on June 6. But in an update to a security advisory the company published earlier this month, Cisco said it is "aware of customer device reloads related to this vulnerability."

The company hints that the publication of a public proof-of-concept (PoC) exploit might have started these exploitation attempts.

Bleeping Computer has tracked two PoCs related to CVE-2018-0296 over the course of last month. One is a Python script released by HackerOne security analyst Yassine Aboukir, and the second is a Go script published by security researcher Keith Lee.

The Python PoC allows an attacker to retrieve data from a Cisco ASA device, while the Go script appears to have been crafted to extract usernames from Cisco ASA systems. The Go PoC script does not retrieve passwords.

It is unclear which of these two PoCs hackers are using in real-world attacks. At the time the two PoCs became public last week, there were no clear signs of mass-exploitation from the likes of router/IoT botnets, meaning they were most likely small-scale targeted exploitation attempts.

Earlier this year, hackers also exploited another Cisco ASA flaw (CVE-2018-0101), five days after Cisco released a patch.

Hackers also exploited CVE-2018-0171, a vulnerability in the Cisco SmartInstall feature, to deface Cisco equipment in Iran and Russia.

Related Articles:

Cisco discloses root escalation flaw with public exploit code

Multiple botnets exploiting one-year-old TP-Link flaw to hack routers

Cisco Duo warns third-party data breach exposed SMS MFA logs

Cisco warns of large-scale brute-force attacks against VPN services

Cisco warns of password-spraying attacks targeting VPN services