Fix Your ASAs - HTTP Escalation Vuln.

Started by deanwebb, December 19, 2018, 01:59:14 PM


deanwebb

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181219-asa-privesc

A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface.

The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. An exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

Thankfully I only have privileged authenticated users. priv-lvl 15 for life.

-Otanx

Dieselboy

grr. I sometimes use local auth for RA VPN authentication.

icecream-guy

secure your devices

http server enable
http 0.0.0.0 0.0.0.0 Outside

This is BAD!
:professorcat:

My Moral Fibers have been cut.
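
A small config audit that flags the two things this thread points at: the wide-open `http 0.0.0.0 0.0.0.0 Outside` line ristau5741 posted, and local users at the privilege levels 0 and 1 the advisory names. This is an added example written for this post, not code from the thread or from Cisco; the config fragment is constructed, and a `username` with no explicit privilege is reported for the reader to check against the platform default rather than assumed to be low.

```python
import re
from typing import Dict, List

# Constructed sample ASA running-config fragment (not from a real device);
# passwords elided. It repeats the "http 0.0.0.0 0.0.0.0 Outside" line from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
username admin password ***** privilege 15
username helpdesk password ***** privilege 1
username vpnuser password *****
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 10.0.0.0 255.255.255.0 Inside
"""

NAMEIF_RE = re.compile(r"^ nameif (\S+)$")
SECLVL_RE = re.compile(r"^ security-level (\d+)$")
HTTP_RE = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
USER_RE = re.compile(r"^username (\S+) .*?(?:\bprivilege (\d+))?$")

def audit_asa_config(config: str) -> List[str]:
    """Return findings about who can reach the ASA web management interface."""
    findings: List[str] = []
    seclvl: Dict[str, int] = {}   # nameif -> security-level
    current = None                # nameif of the interface block being parsed
    for line in config.splitlines():
        if m := NAMEIF_RE.match(line):
            current = m.group(1)
        elif (m := SECLVL_RE.match(line)) and current:
            seclvl[current] = int(m.group(1))
        elif line == "http server enable":
            findings.append("http server enable: web management interface is on")
        elif m := HTTP_RE.match(line):
            src, mask, ifname = m.groups()
            if mask == "0.0.0.0":   # wildcard mask: any source address is allowed
                findings.append(f"http {src} {mask} {ifname}: any source may reach web management")
            if seclvl.get(ifname) == 0:   # lowest-trust interface, typically the outside
                findings.append(f"http {src} {mask} {ifname}: exposed on a security-level 0 interface")
        elif m := USER_RE.match(line):
            user, priv = m.groups()
            if priv is None:   # privilege omitted: not assumed here, left for the reader to verify
                findings.append(f"username {user}: privilege not set, check the platform default")
            elif int(priv) in (0, 1):   # the unprivileged levels the advisory names
                findings.append(f"username {user}: privilege {priv}, an unprivileged level named in the advisory")
    return findings
```

Run it against the output of `show running-config` and treat any `http` finding on an outside-facing interface as the thing to fix first.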

Dieselboy

Quote from: ristau5741 on December 20, 2018, 09:01:02 AM
secure your devices

http server enable
http 0.0.0.0 0.0.0.0 Outside

This is BAD!

Indeed. And once I saw a customer somehow disable AAA on the ASDM, so when you loaded ASDM, put in the IP and clicked connect, it just loaded up as priv 15 without any username or password (via the internet).  :'(

Otanx

Quote from: Dieselboy on December 20, 2018, 09:04:39 PM
Quote from: ristau5741 on December 20, 2018, 09:01:02 AM
secure your devices

http server enable
http 0.0.0.0 0.0.0.0 Outside

This is BAD!

Indeed. And once I saw a customer somehow disable AAA on the ASDM, so when you loaded ASDM, put in the IP and clicked connect, it just loaded up as priv 15 without any username or password (via the internet).  :'(

Luckily for them no attacker could figure out the right version of Java needed to actually use ASDM.

-Otanx

Nerm

Quote from: Otanx on December 21, 2018, 05:53:36 PM
Quote from: Dieselboy on December 20, 2018, 09:04:39 PM
Quote from: ristau5741 on December 20, 2018, 09:01:02 AM
secure your devices

http server enable
http 0.0.0.0 0.0.0.0 Outside

This is BAD!

Indeed. And once I saw a customer somehow disable AAA on the ASDM, so when you loaded ASDM, put in the IP and clicked connect, it just loaded up as priv 15 without any username or password (via the internet).  :'(

Luckily for them no attacker could figure out the right version of Java needed to actually use ASDM.

-Otanx


:haha3:

deanwebb

Quote from: Otanx on December 21, 2018, 05:53:36 PM
Luckily for them no attacker could figure out the right version of Java needed to actually use ASDM.

-Otanx

:haha2:

Ladies and gentlemen, here is the post of the year.