Cisco ASA Firewall – CVE-2018-0296 Vulnerability
We look at how to verify whether a Cisco ASA firewall is vulnerable to CVE-2018-0296. This vulnerability allows an unauthenticated attacker to view sensitive system information by using directory traversal techniques.
As a first step, note that the bug is exploitable only on an ASA running the SSL VPN service; you can verify this by browsing to https://<domain_or_IP_of_firewall>.
Once you reach the login page, you will notice in Burp Suite a request for GET /+CSCOE+/logon.html. Instead, request the endpoint /+CSCOU+/../+CSCOE+/files/file_list.json to detect whether the target device is vulnerable. You will get results as shown in the picture.
Once this succeeds, the session tokens can be retrieved with the endpoint /+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions.
In the next step, usernames are enumerated from the session tokens to carry out a brute-force attack.
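From the defender's side, the same traversal pattern is easy to spot in web access logs. The script below is an added example, not part of the original post: it runs over constructed common-log-format lines (the IPs and timestamps are made up) and flags any request whose path contains a `..` segment that resolves into `/+CSCOE+/files`, which is what the detection and session-token requests above look like on the wire.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines in common log format; not real traffic.
SAMPLE_LOGS = [
    '198.51.100.7 - - [10/Jun/2018:12:00:01 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Jun/2018:12:00:05 +0000] "GET /+CSCOU+/../+CSCOE+/files/file_list.json HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Jun/2018:12:00:09 +0000] "GET /+CSCOU+/..%2f+CSCOE+/files/file_list.json?path=/sessions HTTP/1.1" 200 2201',
    '203.0.113.4 - - [10/Jun/2018:12:01:00 +0000] "GET /+CSCOE+/portal.html HTTP/1.1" 200 4410',
]

# Client IP and the quoted request line of a common-log-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target):
    """Return a finding dict if the request target matches the CVE-2018-0296
    traversal pattern (a '..' segment that resolves into /+CSCOE+/files), else None."""
    decoded = unquote(unquote(target))        # decode twice to catch %2f and %252f
    parsed = urlparse(decoded)
    if '..' not in parsed.path.split('/'):    # no traversal segment at all
        return None
    resolved = posixpath.normpath(parsed.path)
    if not resolved.startswith('/+CSCOE+/files'):
        return None
    requested = parse_qs(parsed.query).get('path', [None])[0]
    return {'raw': target, 'resolved': resolved, 'path_param': requested}


def scan_logs(lines):
    """Run classify_request over log lines; return findings with the client IP attached."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m.group('target'))
        if hit:
            hit['ip'] = m.group('ip')
            findings.append(hit)
    return findings


if __name__ == '__main__':
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['ip']} traversal -> {f['resolved']} path={f['path_param']}")
```

A hit with `path_param` equal to `/sessions` is the stronger signal, since that is the request that exposes session data rather than a bare vulnerability probe.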
The vulnerable versions of Cisco ASA can be read here – Cisco ASA Versions Vulnerable for CVE-2018-0296
You can find all recently announced public bugs here – Security Advisories of Cisco ASA Firewall