Cymmetria has just released a honeypot for the detection of the Cisco ASA vulnerability that was recently made public:
- CVE-2018-0101 (Score: 10)
- Vulnerable: Cisco ASA 5500, ASA 5500-X
- The honeypot will detect exploitation attempts against SSL VPN and will capture data sent to an IKE listener that now holds the suspicious payload
The honeypot is available on Cymmetria Research’s GitHub, under the open source MIT License: https://github.com/Cymmetria/ciscoasa_honeypot
We will also shortly be releasing patches to MazeRunner Enterprise Edition and Community Edition so that as a user, you will get this new honeypot automatically. If your MazeRunner instance is not connected to the Internet, contact us directly to receive a download link for the patches.
- The honeypot will run a plain HTTP server by default and has a (recommended) option to enable HTTPS (you are welcome to supply your own certificate, but the honeypot will generate a self-signed certificate for you if you do not have one)
- The honeypot runs HTTP on port 8443 (instead of 80 or 443) and IKE on port 5000 (instead of 500). If you’d like to deploy the honeypot with standard ports, consider using the supplied docker-compose.yml file or add CAP_NET_BIND_SERVICE (we do not recommend running honeypots as root)
Vulnerability coverage notes:
- The vulnerability is triggered by a combination of multiple HTTP requests with specially crafted XML, in conjunction with binary payload that is sent over IKE. The honeypot will alert on suspicious XML requests and will capture the payload.
- Keep in mind the actual vulnerability requires two XML requests, but we’re capturing all suspicious XML requests for simplicity and completeness
- While we were able to reproduce and catch the DoS exploit caused by the malformed XML, we have not seen an in-the-wild sample of the RCE vulnerability, so we are capturing IKE payloads based on CVE-2016-1287
Other technical notes:
- While the honeypot will easily run outside of MazeRunner (Python code), on its own it is basic and is essentially a detection machine, doing “discover | print”. It does not include functions such as reporting and daemonization, which you may wish to add yourself.
- The honeypot is based on Python’s built-in HTTP server, plus custom code to detect the specific exploit
- The Python open source honeypot will not make your system vulnerable to the vulnerability
- As part of building the IKE monitor, we used a library that implements IKE in Python; however, the package was slightly broken so we patched it up and hope our changes will be merged soon for everyone: https://github.com/Cymmetria/ike
The honeypot was researched and developed by Greg Hazel and Omer Cohen