Patched Cisco Web VPNs Hit by Attack

Wednesday, October 14, 2015 @ 03:10 PM gHale

Cisco is having a bad run of late, as attackers are targeting one more Cisco product, researchers said.

“The Cisco Clientless SSL VPN (Web VPN) is a web-based portal that can be enabled on an organization’s Cisco Adaptive Security Appliance (ASA) devices,” said researchers at Volexity. “Once a user is authenticated to the Web VPN, based on the permissions the user has, they may be able to access internal web resources, browse internal file shares, and launch plug-ins that allow them to telnet, ssh, or VNC to internal resources.”


The attackers are either leveraging a vulnerability in the product or gaining administrator access in other ways so they can plant JavaScript code on the login pages to the VPN in order to harvest employee credentials.

The vulnerability (CVE-2014-3393) did get a patch a year ago. But as in most cases, companies have not moved quickly to implement the fix, and attackers are taking advantage of the flaw.

The malicious, data-stealing JavaScript injected into the Cisco Web VPN login page of targeted organizations usually ends up hosted on legitimate but compromised sites.

Attacks were against medical and academic institutions, electronics/manufacturing businesses, as well as think tanks, NGOs, and governments, the researchers said.

“Volexity knows it is 100 percent possible and surmises it may be likely in some cases that the attackers leveraged credentialed administrative access to a Cisco ASA appliance in order to modify the login page,” the researchers said in a blog post. This can occur via the Cisco Adaptive Security Device Manager (ASDM), a Java administrative interface for Cisco firewalls that can be accessed via a web browser.

“Access to the devices ASDM should be restricted through access control lists (ACLs) as tightly as possible. At minimum, this is not an interface that should be open to the Internet. Attackers that are able to access this interface by having access to a victim’s environment or due to an ACL misconfiguration can easily modify code that is loaded via the Cisco Web VPN login page,” the researchers said.

Two-factor authentication would not help prevent this particular attack, as the attackers could easily modify the code of the login page in order to steal session cookies, or steal and reuse the authentication token.

Because this type of attack against network devices is difficult to spot with the usual security tools and measures, administrators would do well to check networking gear often for indicators of compromise.
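
One way to run such a check on a saved copy of the login page is sketched below. It is an added example, not code from Volexity or Cisco: it flags `<script>` tags that load from a host other than the portal and detects drift from a known-good hash. The host names, paths and sample pages are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def audit_login_page(html, portal_host, baseline_sha256=None):
    """Return findings: scripts loaded off-host and drift from a known-good hash."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = urlparse(src).hostname  # None for relative URLs (same host)
        if host and host.lower() != portal_host.lower():
            findings.append(("external-script", src))
    digest = hashlib.sha256(html.encode("utf-8")).hexdigest()
    if baseline_sha256 and digest != baseline_sha256:
        findings.append(("content-changed", digest))
    return findings


# Constructed sample pages; host names and paths are placeholders.
PORTAL = "vpn.example.org"
CLEAN = '<html><head><script src="/js/portal.js"></script></head><body><form></form></body></html>'
TAMPERED = CLEAN.replace(
    "</head>", '<script src="https://cdn.example.net/lib/stats.js"></script></head>'
)
BASELINE = hashlib.sha256(CLEAN.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    print(audit_login_page(CLEAN, PORTAL, BASELINE))     # no findings
    print(audit_login_page(TAMPERED, PORTAL, BASELINE))  # two findings
```

The baseline hash has to be re-recorded after every legitimate software upgrade or portal customization, and a page that embeds per-request values needs those stripped before hashing.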