Fix Your ASAs - HTTP Escalation Vuln.

deanwebb · December 19, 2018, 01:59:14 PM

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181219-asa-privesc

A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface.

The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. An exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

Otanx · December 19, 2018, 03:31:03 PM

Thankfully I only have privileged authenticated users. priv-lvl 15 for life.

-Otanx

Dieselboy · December 19, 2018, 10:01:35 PM

grr. I sometimes use local auth for RA VPN authentication.

icecream-guy · December 20, 2018, 09:01:02 AM

secure your devices

http server enable
http 0.0.0.0 0.0.0.0 Outside

This is BAD!

Dieselboy · December 20, 2018, 09:04:39 PM

Quote from: ristau5741 on December 20, 2018, 09:01:02 AM
secure your devices

http server enable
http 0.0.0.0 0.0.0.0 Outside

This is BAD!

Indeed. And once I saw a customer somehow disable AAA on the ASDM so when you loaded ASDM, put in the IP and click connect; it just loaded up as priv 15 without any username or password (via the internet).

Otanx · December 21, 2018, 05:53:36 PM

Quote from: Dieselboy on December 20, 2018, 09:04:39 PM
Quote from: ristau5741 on December 20, 2018, 09:01:02 AM
secure your devices

http server enable
http 0.0.0.0 0.0.0.0 Outside

This is BAD!

Indeed. And once I saw a customer somehow disable AAA on the ASDM so when you loaded ASDM, put in the IP and click connect; it just loaded up as priv 15 without any username or password (via the internet).

Luckily for them no attacker could figure out the right version of Java needed to actually use ASDM.

-Otanx

Nerm · December 21, 2018, 09:44:05 PM

Quote from: Otanx on December 21, 2018, 05:53:36 PM
Quote from: Dieselboy on December 20, 2018, 09:04:39 PM
Quote from: ristau5741 on December 20, 2018, 09:01:02 AM
secure your devices

http server enable
http 0.0.0.0 0.0.0.0 Outside

This is BAD!

Indeed. And once I saw a customer somehow disable AAA on the ASDM so when you loaded ASDM, put in the IP and click connect; it just loaded up as priv 15 without any username or password (via the internet).

Luckily for them no attacker could figure out the right version of Java needed to actually use ASDM.

-Otanx

Dieselboy · December 23, 2018, 09:10:52 AM

Betting it's a true story 😁

deanwebb · December 25, 2018, 09:05:21 AM

Quote from: Otanx on December 21, 2018, 05:53:36 PM
Luckily for them no attacker could figure out the right version of Java needed to actually use ASDM.

-Otanx

Ladies and gentlemen, here is the post of the year.