Cisco PSIRT – Notice about public exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability

February 18, 2015

Cisco PSIRT is aware of public exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability identified by Cisco bug ID CSCup36829 (registered customers only) and CVE ID CVE-2014-3393. This vulnerability was disclosed on the 8th of October 2014 in the Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software.

All customers that have customizations applied to their Clientless SSL VPN portal, regardless of the Cisco ASA Software release in use, should review the security advisory and this blog post for additional remediation actions.

NOTE: The Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software should be used as the Single Source of Truth (SSoT) for all details of this vulnerability and for any revisions of information going forward.

Details

The Cisco Clientless SSL VPN feature allows the Cisco ASA administrator to customize the look of the Clientless SSL VPN portal. The customization can be done by modifying the default customization object, also called DfltCustomization, or by creating a new customization object starting from the Template object that is also provided within the Clientless SSL VPN feature.

Additional information about Clientless SSL VPN customization can be found at:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-customizing.html

A vulnerability in the Clientless SSL VPN portal customization framework could allow an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal, which could lead to several attacks including the stealing of credentials, cross-site scripting (XSS), and other types of web attacks on the client using the affected system.

The vulnerability is due to an improper implementation of authentication checks in the Clientless SSL VPN portal customization framework.

When Cisco ASDM is used to modify or create a customization object, a preview button is available to the Cisco ASA administrator to visualize the modifications. When the preview is used, Cisco ASA creates a unique identifier that is used as a session cookie, and a folder on the system that holds the content of the customization.

Due to a flaw in the way permissions are checked, it is possible to remotely modify any object included on the RAMFS cache file system, including the Clientless SSL VPN customization objects.

An exploit could allow an unauthenticated and unauthorized attacker to modify the content of the Clientless SSL VPN portal and include malicious code, which could be used for several types of web-based attacks, including but not limited to XSS, credential theft, and serving malware.

Once the portal is compromised, the changes are persistent. Reloading the device or changing the Cisco ASA Software release does not delete the customization objects.

This vulnerability was reported to Cisco by Alec Stuart-Muirk and demonstrated at the Ruxcon 2014 security conference in October 2014.

An exploit script is publicly available in Metasploit and on other internet web sites.

Affected Configuration

Cisco ASA Software is affected by this vulnerability if the following conditions are met:

  1. Clientless SSL VPN portal functionality is enabled
  2. A default customization object or a newly created customization object for Clientless SSL VPN portal has been previewed in ASDM

To determine whether the Clientless SSL VPN portal is enabled, use the show running-config webvpn command and verify that webvpn is enabled on at least one interface. The following example shows a Cisco ASA with the Clientless SSL VPN portal enabled on the outside interface:

   ciscoasa# show running-config webvpn
   webvpn
    enable outside
   […]

There is no method to determine if a preview of a customization object has been done. The following method is used to preview a customization object. In ASDM navigate to CLIENTLESS SSL VPN ACCESS -> PORTAL -> CUSTOMIZATION -> PREVIEW.

Indicators of Compromise

Customers that use Clientless SSL VPN Portal customization should review the content of the customization object and make sure it does not contain any malicious code.

This includes, but is not limited to, looking for iframes, scripts, embedded objects, CSS, encoded links, and similar content.

To export an SSL VPN portal customization object, use the export webvpn customization <object name> <dest fname> command, where the <object name> is the name of the SSL VPN portal customization object being exported and <dest fname> is the name of the file that will include a copy of the customization object.

The following example shows how to export the default customization object DfltCustomization to a file called Customization_to_verify:

   ciscoasa# export webvpn customization DfltCustomization Customization_to_verify

The Customization_to_verify file is stored on the device disk and can be exported for further analysis.

Customers should repeat this process for all of the customization objects that are present on the system. To list all the customization objects that should be verified, use the export webvpn customization command followed by “?”:

   ciscoasa# export webvpn customization ?

   Select customization object:
   DfltCustomization
   Object1
   Template
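Once the exported file has been copied off the device, a small scanner like the following can flag the indicators listed above (iframes, scripts, embedded objects, CSS, encoded links) with the line they appear on. This is an added example, not Cisco tooling: it assumes the export is plain text/XML, the element names in its constructed samples are made up, and the "external URL" check is an extra heuristic of ours.

```python
import re
# Patterns for the indicators listed in the post (iframe, scripts, embedded
# objects, CSS, encoded links). "external" is an added heuristic (assumption):
# a stock portal customization should not reference other hosts by URL.
INDICATORS = {
    "iframe":   re.compile(r"<\s*iframe\b", re.I),
    "script":   re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I),
    "object":   re.compile(r"<\s*(?:object|embed|applet)\b", re.I),
    "css":      re.compile(r"<\s*(?:style|link)\b|@import\b", re.I),
    "encoded":  re.compile(r"(?:%[0-9a-f]{2}){3,}|&#x?[0-9a-f]+;", re.I),
    "external": re.compile(r"https?://[^\s\"'<>]+", re.I),
}

def scan_customization(text):
    """Map each indicator name to the (line_no, snippet) pairs found in text."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            for m in rx.finditer(line):
                hits.setdefault(name, []).append((lineno, m.group(0)))
    return hits

def scan_file(path):
    """Scan an exported customization file after copying it off the ASA disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_customization(fh.read())

# Constructed samples: element names are made up, not the real ASA schema.
CLEAN_SAMPLE = """<custom>
  <auth-page>
    <title-text l10n="yes">Corporate SSL VPN Service</title-text>
    <logo-url>/logo.gif</logo-url>
  </auth-page>
</custom>"""

TAMPERED_SAMPLE = """<custom>
  <auth-page>
    <title-text l10n="yes">Corporate SSL VPN Service</title-text>
    <logo-url>/logo.gif</logo-url>
    <text>Welcome<script src="http://203.0.113.5/k.js"></script></text>
    <iframe src="http://203.0.113.5/login" style="display:none"></iframe>
    <a href="%68%74%74%70%3A%2F%2F203.0.113.5">Help</a>
  </auth-page>
</custom>"""
if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        hits = scan_customization(sample)
        print(label, "- no indicators found" if not hits else "")
        for name, found in hits.items():
            for lineno, snippet in found:
                print(f"  line {lineno}: {name}: {snippet}")
```

A hit is a reason to inspect the object by hand, not proof of compromise; a legitimately branded portal may contain CSS or links of its own, so compare against the customization your administrators actually applied.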

Remediation

Customers should immediately upgrade to a non-affected Cisco ASA Software release and verify whether any of the customization objects have been compromised by using the method described in the “Indicators of Compromise” section.

Cisco ASA Software releases that fixed this vulnerability can be found in the Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software.

Important Note: the attack makes permanent modifications to the customization object. Reloading or upgrading to a fixed version of Cisco ASA Software will not help against a successful attack that has already happened.

Customers that have found a compromised customization object should follow their incident response process.

Cisco PSIRT recommends deleting any compromised customization object. This can be done in Cisco ASDM: navigate to CLIENTLESS SSL VPN ACCESS -> PORTAL -> CUSTOMIZATION, select the object, and then click DELETE.

The default customization object (DfltCustomization) cannot be deleted from the system. If the default customization object has been compromised, the Cisco ASA administrator should consider overriding this customization with the default Template file. This file can also be exported with the method indicated in the Indicators of Compromise section and then re-imported using the import webvpn customization command.

The following method can be used to restore the default customization object (DfltCustomization):

  1. Export the default template to a file. The following example shows how to export the default template to a file called default_template:

       ciscoasa# export webvpn customization Template default_template

  2. Import the default template as the default customization object (DfltCustomization):

       ciscoasa# import webvpn customization DfltCustomization default_template

Note: This will override any changes done to the default customization object (DfltCustomization).

The import webvpn customization command can also be used to restore non-default customization objects after these have been manually edited and verified.


9 Comments

  1. If your default customization is not being compromised, will the upgrade software update the default customization, so this won't occur again? Or do you need to delete the default customization file? I am trying to figure out in which scenario customers need to create a NEW SSL VPN customization. Do you need to do this only if you're compromised, or when you did the initial preview in ASDM?

      Hi, As Stefano mentioned in the blog, a successful attack could make permanent modifications to customization objects. Reloading or upgrading to a fixed version of Cisco ASA Software will not help against a successful attack that has already happened. The steps highlighted above can be followed to verify if you have been compromised. If you cannot determine if the customization object has been modified, you should delete it. After upgrading, the fix prevents any modifications or redirections of these objects. Hope this helps! Omar

  2. I would like to know in which IOS version this bug is fixed? Kind Regards, S. Water

      Hi, This vulnerability affects only ASA software and does not affect IOS. Please see the "Software Versions and Fixes" section of the PSIRT Advisory for the fixed versions of ASA software. Thank you!

      • Hi, Thank you for your reply and sorry for the misuse of the IOS term. We'll be upgrading our Software Version soon.

  3. Hi, if the 'show running-config webvpn' command returns: anyconnect-essentials does that mean that the Clientless SSL VPN portal is not enabled, and that I don't need to check the customisation file for malicious code? Thanks.

      Hi Gary, When you use AnyConnect Essentials, clientless SSL VPN is not supported and restricted. This vulnerability only affects clientless VPN implementations. More information about AnyConnect Essentials restrictions is here: https://supportforums.cisco.com/document/51476/anyconnect-essentials-faq Hope this helps! Omar

      • Many thanks Omar.

  4. I tried disabling the Clientless SSL VPN Portal by unchecking "Enable Access" on the outside interface under Connection Profiles, but this killed all of my AnyConnect Essentials clients that were logged in. This also prevented new clients from connecting. Is it not possible to disable the VPN Portal and have AnyConnect enabled?
