Cisco ASA is affacted by a privilege escalation flaw. Patch it now!

Cisco Adaptive Security Appliance (ASA) Software is affected by a vulnerability that could be exploited by an attacker to retrieve files or replace software images on a device.

A privilege escalation vulnerability tracked as CVE-2018-15465 affects the Cisco Adaptive Security Appliance (ASA) software. The flaw could be exploited by an unauthenticated, remote attacker to perform privileged operations using the web management interface.

An attacker could trigger the flaw exploit by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user.

The flaw was discovered by experts at Tenable that explained that an authenticated remote unprivileged user can change or download the running configuration or replace the appliance firmware where they shouldn’t.

“A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface.” reads the security advisory published by Cisco.

“The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. An exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device.”

According to Tenable, an attacker could overwrite the firmware with an older version that is known to be affected by vulnerabilities that could be exploited to carry out variosu attacks.

“When command authorization is not enabled, an authenticated remote unprivileged (level 0 or 1) user can change or download the running configuration as well as upload or replace the appliance firmware. ” reads analysis from Tenable.
Cisco released software updates to address the flaw, according to its advisory there are workarounds that address this vulnerability.

To mitigate the flaw it is possible to enable command authorization.

“Enabling command authorization significantly changes the way that the Cisco ASA interprets privilege levels and authorizes actions. Before enabling the feature, administrators must clearly define which actions are allowed per privilege level using the privilege command in global configuration mode.” continues the Cisco Advisory.

“Administrators should not enable command authorization using the aaa authorization command until they have defined these actions.”

Administrators who use the Adaptive Security Device Manager (ASDM) to manage the ASA should enable command authorization by using the ASDM.

The flaw impacts an ASA Software running on any Cisco product that has web management access enabled.

The tech giant confirmed that Cisco Firepower Threat Defense (FTD) Software is not affected by this flaw. 

Cisco urges customers to migrate to a supported release (9.4.4.29, 9.6.4.20, 9.8.3.18, 9.9.2.36, or 9.10.1.7). 

“For the fix to be effective, customers who have web management access enabled must ensure that the AAA configuration is accurate and complete. In particular, the aaa authentication http console {LOCAL | <aaa-server>} command must be present,” Cisco concludes.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs –Cisco ASA, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]