A vulnerability in Cisco Adaptive Security Appliance (ASA) Software could allow an attacker to retrieve files or replace software images on a device.
Tracked as CVE-2018-15465, the security flaw could be exploited by an unauthenticated, remote attacker to perform privileged operations using the web management interface, Cisco says.
To exploit the bug, the attacker would need to send specific HTTP requests via HTTPS to an affected device as an unprivileged user.
An attacker could exploit the flaw to change or download the running configuration as well as upload or replace the appliance firmware, Tenable, which discovered the vulnerability, explained. The attacker could replace the firmware with an older version and then leverage known vulnerabilities in it.
The issue is that user privileges are not properly validated when using the web management interface and can be triggered when command authorization is disabled on the Cisco ASA, which is the default status.
“When command authorization is not enabled, the ASA distinguishes only between unprivileged (levels 0 and 1) and privileged (levels 2 through 15) users. Privileged (levels 2 through 15) users are expected to have full administrative access to the ASA via the web management interface, even without knowing the enable password,” Cisco explains in an advisory.
Given that the vulnerability only works when command authorization is disabled, a workaround involves enabling command authorization to prevent exploitation. This, however, significantly changes the manner in which Cisco ASA interprets privilege levels and authorizes actions, and admins should clearly define actions allowed per privilege level.
“Administrators should not enable command authorization using the aaa authorization command command until they have defined these actions,” Cisco says.
Administrators who use the Adaptive Security Device Manager (ASDM) to manage the ASA should enable command authorization through ASDM, to ensure proper ASDM operation after command authorization is enabled.
The ASA Software running on any Cisco product that has web management access enabled is impacted by the issue. Cisco Firepower Threat Defense (FTD) Software is not affected by this vulnerability, the company says.
With ASA Software releases prior to Release 9.4 and ASA Software Releases 9.5 and 9.7 already at their end-of-software maintenance, Cisco advises customers to migrate to a supported release (9.4.4.29, 9.6.4.20, 9.8.3.18, 9.9.2.36, or 9.10.1.7).
“For the fix to be effective, customers who have web management access enabled must ensure that the AAA configuration is accurate and complete. In particular, the aaa authentication http console {LOCAL | <aaa-server>} command must be present,” Cisco says.
Related: Default Account Exposes Cisco Switches to Remote Attacks
Related: Cisco Patches Code Execution in Webex Player
More from Ionut Arghire
- US, Israel Provide Guidance on Securing Remote Access Software
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- KeePass Update Patches Vulnerability Exposing Master Password
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Apple Unveils Upcoming Privacy and Security Features
- Dozens of Malicious Extensions Found in Chrome Web Store
Latest News
- US, Israel Provide Guidance on Securing Remote Access Software
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- Microsoft Will Pay $20M to Settle US Charges of Illegally Collecting Children’s Data
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
