Avatar

Cisco PSIRT is aware of public exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability identified by Cisco bug ID CSCup36829 (registered customers only) and CVE ID CVE-2014-3393. This vulnerability was disclosed on the 8th of October 2014 in the Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software.

All customers that have customizations applied to their Clientless SSL VPN portal and regardless of the Cisco ASA Software release in use should review the security advisory and this blog post for additional remediation actions.

NOTE: The Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software should be used as the Single Source of Truth (SSoT) for all details of this vulnerability and for any revisions of information going forward.

Details

Cisco Clientless SSL VPN feature allows Cisco ASA administrator to customize the look of the Clientless SSL VPN portal. The customization can be done by modifying the default customization object, also called DfltCustomization, or by creating a new customization object starting from a Template object also provided within the Clientless SSL VPN feature.

Additional information about Clientless SSL VPN customization can be found at:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-customizing.html

A vulnerability in the Clientless SSL VPN portal customization framework could allow an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal, which could lead to several attacks including the stealing of credentials, cross-site scripting (XSS), and other types of web attacks on the client using the affected system.

The vulnerability is due to a improper implementation of authentication checks in the Clientless SSL VPN portal customization framework.

When Cisco ASDM is used to modify or create a customization object, a preview button is available for the Cisco ASA administrator that is used to visualize the modifications. When preview is used Cisco ASA will create a unique identifier that is used as session cookie and a folder on the system to include the content of the customization.

Due to a flaw in the way permission are checked, it is possible to remotely modify any object included on the RAMFS cache file system including the Clientless SSL VPN customization objects.

An exploit could allow an unauthenticated and unauthorized attacker to modify the content of the Clientless SSL VPN portal and include malicious code which could be used for several type of web based attack which include and are not limited to XSS, stealing of credential, serving malware etc…

Once the portal is compromised, changes are persistent. Reloading the device or changing the Cisco ASA Software does not delete the customization objects.

This vulnerability was reported to Cisco by Alec Stuart-Muirk and demonstrated at the Ruxcon 2014 security conference in October 2014.

An exploit script is public available on Metasploit and on other internet web sites.

Affected Configuration

Cisco ASA Software is affected by this vulnerability if the following conditions are met:

  1. Clientless SSL VPN portal functionality is enabled
  2. A default customization object or a newly created customization object for Clientless SSL VPN portal has been previewed in ASDM

To determine whether the Clientless SSL VPN portal is enabled use the show running-config webvpn command and verify that webvpn is enabled at least on one interface. The following example shows a Cisco ASA with the Clientless SSL VPN portal enabled on the outside interface:

   ciscoasa# show running-config webvpn

webvpn

enable outside

[…]

There is no method to determine if a preview of a customization object has been done. The following method is used to preview a customization object. In ASDM navigate to CLIENTLESS SSL VPN ACCESS -> PORTAL -> CUSTOMIZATION -> PREVIEW.

Indicators of Compromise

Customers that use Clientless SSL VPN Portal customization should review the content of the customization object and make sure it does not contain any malicious code.

This includes, but is not limited to, looking for iframe, scripts, embedded object, css, encoded links etc…

To export an SSL VPN portal customization object, use the export webvpn customization <object name> <dest fname> command, where the <object name> is the name of the SSL VPN portal customization object being exported and <dest fname> is the name of the file that will include a copy of the customization object.

The following example shows how to export the default customization object DfltCustomization to a file called Customization_to_verify

ciscoasa# export webvpn customization DfltCustomization Customization_to_verify

The Customization_to_verify file is stored on the device disk and can be exported for further analysis.

Customers should repeat this process for all of the customization objects that are present on the system. To find out all the customization object that should be verify use the export webvpn customization command followed by “?”

ciscoasa# export webvpn customization ?

Select customization object:

DfltCustomization

Object1

Template

 

Remediation

Customer should immediately upgrade to a non affected Cisco ASA Software release and verify whether any of the customization object has been compromised by using the method described in the “Indicators of Compromise” session.

Cisco ASA Software releases that fixed this vulnerability can be found in the Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software.

Important Note: the attack will make permanent modification to the customization object. Reloading or upgrading to a fixed version of Cisco ASA Softrware will not help against a successful attack that has already happened.

Customers that have found a compromised customization object should follow their incident response process.

Cisco PSIRT recommends to delete any compromised customization object. This can be done by using Cisco ASDM navigate to CLIENTLESS SSL VPN ACCESS -> PORTAL -> CUSTOMIZATION. Select the object and then DELETE.

The default customization object (DfltCustomization) cannot be delete from the system. If the default customization object has been compromise, Cisco ASA administrator should consider to override this customization with the default Template file. This file can also be exported with the method indicated in the Indicator of Compromise section and then re-imported using the import webvpn customization command.

The following method can be used to restore the default customization object (DfltCustomization):

  1. Export the default template to a file. The following example shows how to export the default template to a file called default_template

       ciscoasa# export webvpn customization Template default_template

  1. Import the default template as default customization object (DfltCustomization):

       ciscoasa# import webvpn customization DfltCustomization default_template

Note: This will override any changes done to the default customization object (DfltCustomization).

The import webvpn customization command can also be used to restore non-default customization objects after these have been manually edited and verified.



Authors

Stefano De Crescenzo

Business Development Manager - Strategic Country Enablement

Security and Trust Organization