Data: CASIE
Trigger word:
extract
Negative Trigger
the
fix
for
a
recently
disclosed
denial-of-service
flaw
affecting
Vulnerability-related.DiscoverVulnerability
a
number
of
its
security
appliances
.
The
flaw
,
tracked as
Vulnerability-related.DiscoverVulnerability
CVE-2018-0296
,
was
detailed
in
an
advisory
on
June
6
and
affects
Vulnerability-related.DiscoverVulnerability
Cisco
ASA
Software
and
Cisco
Firepower
Threat
Defense
(
FTD
)
Software
.
``
Cisco
strongly
recommends
that
customers
upgrade
Vulnerability-related.PatchVulnerability
to
a
fixed
software
release
to
remediate
Vulnerability-related.PatchVulnerability
this
issue
,
''
Omar
Santos
of
Cisco
's
Product
Security
Incident
Response
Team
warned
Vulnerability-related.DiscoverVulnerability
on
June
22
.
The
attacks
follow
the
publication
of
proof-of-concept
exploits
for
the
flaw
.
Santos
notes
Vulnerability-related.DiscoverVulnerability
that
an
unauthenticated
,
remote
attacker
could
cause
a
device
to
reload
unexpectedly
and
cause
a
denial-of-service
(
DoS
)
condition
.
Additionally
,
an
exploit
could
cause
a
DoS
or
unauthenticated
disclosure
of
information
.
However
,
Santos
said
:
``
Only
a
denial-of-service
condition
(
device
reload
)
has
been
observed
by
Cisco
.
''
Cisco
has also updated
Vulnerability-related.PatchVulnerability
the
advisory
for
CVE-2018-0296
with
details
about
the
attacks
.
The
researcher
who
found
Vulnerability-related.DiscoverVulnerability
the
flaw
,
Michał
Bentkowski
from
Polish
security
firm
Securitum
,
gave
a
brief
description
of
the
root
cause
in
a
tweet
shortly
after
Cisco
disclosed
Vulnerability-related.DiscoverVulnerability
the
bug
.
Bentkowski
reported
Vulnerability-related.DiscoverVulnerability
the
issue
to
Cisco
as
a
way
to
use
directory-traversal
techniques
to
disclose
information
to
an
unauthenticated
attacker
.
Cisco
labeled
its
primary
impact
as
a
DoS
condition
,
but
said
it
is
possible
that
on
certain
releases
of
ASA
a
device
reload
would
not
occur
,
yet
still
allow
an
attacker
to
use
directory-traversal
techniques
to
view
sensitive
system
information
.
Bleeping
Computer
identified
Vulnerability-related.DiscoverVulnerability
two
proof-of-concept
exploits
for
CVE-2018-0296
on
GitHub
.
One
attempts
to
extract
Attack.Databreach
user
names
from
Cisco
ASA
.
The
other
states
:
``
If
the
web
server
is
vulnerable
,
the
script
will
dump
in
a
text
file
both
the
content
of
the
current
directory
,
files
in
+CSCOE+
and
active
sessions
.
''