Enumerating Cisco ASA systems affected by CVE-2018-0101 using Shodan

By now you’ve almost certainly heard about CVE-2018-0101, an unauthenticated, remote code execution vulnerability affecting Cisco ASAs. If you haven’t, you should start planning to apply the update immediately to the ASAs in your environment. This vulnerability affects all ASAs that are configured to handle AnyConnect or clientless VPN connections. Some initial discussion in the security groups suggested that only clientless VPN was affected however this is not the case.

In smaller environments, you probably already know which systems are affected. However, this can be more challenging in larger environments. A quick Shodan search shows that there are 172,195 systems that appear to offer AnyConnect services, all of these systems will require patches.  If you register and log in with Shodan, you can search a specific IP address space. Here’s an example searching one of our networks to locate ASAs, to run this search you’ll need to be registered with Shodan, you can’t filter by IP address without registration.

Our Shodan search is based on the ASA behavior of setting a cookie called webvpn; other web applications that do so will also show in this search. We do see that thirty-five thousand of these devices, (search requires registration) have an SSL certificate named “ASA Temporary Self Signed” so we’re quite confident that a significant proportion of these systems are ASAs.

Using this search with your own network ranges will help you to find devices that are impacted by the issue, you may discover systems offering AnyConnect services that you aren’t already aware of. Because the search depends on the ASA cookie assignment behavior, this search may also detect other applications. Shodan is a powerful tool for identifying Internet-facing systems in your environment that are impacted by known vulnerabilities.