Risk with Custom VPN Portals

Tuesday, February 24, 2015 @ 05:02 PM gHale

Hackers are able to get into customized Cisco virtual private networks and pilfer credentials.

Companies running the Cisco Clientless SSL VPN portal in customized configurations risk attack if they do not update to versions released October 8.

RELATED STORIES
Complex Security Should be Easy
SAS: Security for Accelerator
DDoS Attack Costs on Rise
Security a Differentiator for Users

Cisco’s Product Security Incident Response Team (PSIRT) said Wednesday it is “aware of public exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability identified [as] CVE-2014-3393.”

“All customers that have customizations applied to their Clientless SSL VPN portal and regardless of the Cisco ASA Software release in use should review the security advisory and this blog post for additional remediation actions,” said PSIRT incident manager Stefano De Crescenzo.

Cisco said the flaw appeared because of an improper implementation of authentication checks in the customization framework:

“[The hole] could allow an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal, which could lead to several attacks including the stealing of credentials, cross-site scripting (XSS), and other types of web attacks on the client using the affected system.

“When Cisco ASDM (Adaptive Security Device Manager) is used to modify or create a customization object, a preview button is available for the Cisco ASA administrator that is used to visualize the modifications. When preview is used Cisco ASA will create a unique identifier that is used as session cookie and a folder on the system to include the content of the customization.

“Due to a flaw in the way permission are checked, it is possible to remotely modify any object included on the RAMFS cache file system including the Clientless SSL VPN customization objects,” Cisco said.

Cisco also said unauthenticated attackers could pull of a host of attacks including modifying Clientless SSL VPN portal content, injecting malware, stealing credentials and launch cross-site scripting.

Network security specialist Alec Stuart-Muirk demonstrated an attack on Cisco’s WebVPN Portal last October at the Ruxcon security conference, which exploited the fact Cisco’s Adaptive Security Device Manager retained old code in new versions of the software and ran all customizations through a public facing web browser.



Leave a Reply

You must be logged in to post a comment.