A vulnerability in Cisco Adaptive Security Appliance (ASA) Software could allow an attacker to retrieve files or replace software images on a device.
Tracked as CVE-2018-15465, the security flaw could be exploited by an unauthenticated, remote attacker to perform privileged operations using the web management interface, Cisco says.
To exploit the bug, the attacker would need to send specific HTTP requests via HTTPS to an affected device as an unprivileged user.
An attacker could exploit the flaw to change or download the running configuration as well as upload or replace the appliance firmware, Tenable, which discovered the vulnerability, explained. The attacker could replace the firmware with an older version and then leverage known vulnerabilities in it.
The issue is that user privileges are not properly validated when using the web management interface and can be triggered when command authorization is disabled on the Cisco ASA, which is the default status.
“When command authorization is not enabled, the ASA distinguishes only between unprivileged (levels 0 and 1) and privileged (levels 2 through 15) users. Privileged (levels 2 through 15) users are expected to have full administrative access to the ASA via the web management interface, even without knowing the enable password,” Cisco explains in an advisory.
Given that the vulnerability only works when command authorization is disabled, a workaround involves enabling command authorization to prevent exploitation. This, however, significantly changes the manner in which Cisco ASA interprets privilege levels and authorizes actions, and admins should clearly define actions allowed per privilege level.
“Administrators should not enable command authorization using the aaa authorization command command until they have defined these actions,” Cisco says.
Administrators who use the Adaptive Security Device Manager (ASDM) to manage the ASA should enable command authorization through ASDM, to ensure proper ASDM operation after command authorization is enabled.
The ASA Software running on any Cisco product that has web management access enabled is impacted by the issue. Cisco Firepower Threat Defense (FTD) Software is not affected by this vulnerability, the company says.
With ASA Software releases prior to Release 9.4 and ASA Software Releases 9.5 and 9.7 already at their end-of-software maintenance, Cisco advises customers to migrate to a supported release (9.4.4.29, 9.6.4.20, 9.8.3.18, 9.9.2.36, or 9.10.1.7).
“For the fix to be effective, customers who have web management access enabled must ensure that the AAA configuration is accurate and complete. In particular, the aaa authentication http console {LOCAL | } command must be present,” Cisco says.
Related: Default Account Exposes Cisco Switches to Remote Attacks