Crowdsourcing Your Cisco Firewall Administration... WAT

In this presentation, Laura Guay and I talk about a vulnerability we discovered in Cisco ASA (CVE-2014-2127) that allows SSL VPN users to administer Cisco ASAs. We talk about how the vulnerability works, how it was fixed, and discuss some offensive and defensive takeaways for our fellow security professionals.

If you are interested in the demo that accompanied this presentation you can find that here:

https://vimeo.com/93010946

Jonathan Claudius

April 25, 2014

Transcript

  1. Slide 3: Laura Guay
     - Dell SecureWorks
     - Network Security Senior Advisor (aka Senior Platform Engineer)
     - SME for Cisco and Imperva
     - Former Penetration Tester
  2. Slide 6: Yeah… that makes no sense
     - We tried it briefly (via Twitter)
     - People trolled us… "debug all", "write erase"
     - It's a terrible idea
     - Ideally, firewall management is limited to a set of trusted and experienced staff
  3. Slide 7: What this talk is really about
     - A vulnerability we found in Cisco ASA that allows SSL VPN users to gain full administrative access to the firewall.
     - We will cover: Vulnerability Discovery, Configuration Review, Vulnerability Details, Live Demonstration, Takeaways (Offense/Defense)
  4. Slide 9: ASDM brute-forcing is slow…
     - DEFCON 21: had a quick conversation with Barrett Weisshaar
     - He said ASDM brute-forcing took forever
     - Basic process: download the Java client, authenticate like a normal administrator, see if you get lucky before your fingers fall off
  5. Slide 11: Cisco SSL VPN Portal
     - Allows remote users access to extranet-type websites
     - Simple form-submission authentication
     - Created a Metasploit aux module for this too
     - *Realization*: ASDM and SSL VPN authentication schemes use a similar authentication pattern, distinguished by User-Agent (ASDM vs. browser agent)
  6. Slide 14: Four months later
     - At the kitchen table at my mom's house over our Thanksgiving vacation.
     - Finally revisited the idea.
     - Set aside 15 minutes.
  7. Slide 17: SSL VPN Options on ASA
     - Clientless (WebVPN): web portal that requires no external clients
     - Thin-Client: web portal combined with a small Java application
     - AnyConnect: thick-client VPN access
  8. Slide 18: VPN Group Enforcement
     - Group-policy (group-lock): force users to connect to a specific tunnel-group
     - Prevents unauthorized access to other VPN groups

         group-policy RemoteAccessVPN_GP attributes
          vpn-tunnel-protocol ikev1 ssl-clientless
          group-lock value RemoteAccessVPN_TG

  9. Slide 19: VPN User Attributes
     - Privilege
     - Service-type
     - Group-policy

         username sslvpn_user password <removed> encrypted privilege 0
         username sslvpn_user attributes
          service-type remote-access
          group-lock value RemoteAccessVPN_TG

 10. Slide 20: Authentication & Authorization
     - AAA authentication (local or external)
     - Authorization

         aaa authentication ssh console LOCAL
         aaa authentication http console LOCAL
         !
         aaa authentication ssh console LDAP_SERVER LOCAL
         aaa authentication http console LDAP_SERVER LOCAL
         !
         aaa authorization command LOCAL
         aaa authorization exec LOCAL

 11. Slide 21: CVE-2014-2127
     - Cisco ASA SSL VPN Privilege Escalation Vulnerability
     - Bug ID: CSCul70099
     - Security Advisory: cisco-sa-20140409-asa
     - Coordinated disclosure on April 9th: 2 days after the OpenSSL Heartbleed release, 1 day after Windows XP EOL
 12. Slide 24: How to learn the ASDM paths…
     - Using a custom proxy listener in Burp with Redirection and Invisible Proxying to inspect the ASDM HTTPS transport-layer traffic.
     - Redirection: bind local ports to remote ports
     - Invisible Proxying: a transparent proxy in Burp
     - "Reversing" Non-Proxy-Aware HTTPS Thick Clients w/ Burp: http://blog.spiderlabs.com/2014/02/reversing-non-proxy-aware-https-thick-clients-w-burp.htm
 13. Slide 29: Demonstration Context (Live)
     - Malicious service provider with VPN access
     - User rights limited, group-lock, remote service type, AAA enabled, LDAP auth, etc. (aka best practice)
     - We will show how this user can take full control of the firewall in seconds by exploiting this vulnerability
     - Wrote a Metasploit module for stability reasons; browsers are too flaky (cookie management problems)
 14. Slide 31: Defensive Takeaways
     - Patch to the latest version(s): 8.2(5.48), 8.3(2.40), 8.4(7.15), 8.6(1.13), 9.0(4.1), 9.1(4.5)
     - All the settings I mentioned earlier: if you don't patch, you will still be "vulnerable"!!!
 15. Slide 32: Workarounds
     - Cisco says there are none…
     - Host your SSL VPN / ASDM on different interfaces/ports
     - Implement ACLs for ASDM access
 16. Slide 33: Detection Logic
     - Monitor for these log message IDs:

         %ASA-7-111009: User '' executed cmd: show version
         %ASA-3-113021: Attempted console login failed user 'thinclient' did NOT have appropriate Admin Rights.

 17. Slide 34: Offensive Takeaways Part 1
     - Social Engineering and MiTM
     - LDAP: attacking Active Directory

         aaa-server LDAP protocol ldap
         aaa-server LDAP (inside) host 192.168.101.150
          ldap-base-dn CN=Users,DC=cisco,DC=local
          ldap-scope subtree
          ldap-login-password MyADPassword!!
          ldap-login-dn CN=Administrator,CN=Users,DC=cisco,DC=local
          server-type auto-detect
          ldap-attribute-map LDAP-Example

 18. Slide 35: Offensive Takeaways Part 2
     - Attack ASA modules
     - Denial of service
     - Drop firewall rules
     - Capture all traffic
 19. Slide 37: Thank You!
     - Jonathan Claudius, Twitter: @claudijd, Email: jclaudius@trustwave.com
     - Laura Guay, Twitter: @L_ORA, Email: lguay@secureworks.com
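An added patch-level check for the "patch to the latest version(s)" takeaway on slide 31; this is example code written for this page, not from the talk or from Cisco. It assumes the six first-fixed releases on the slide are the only ones known, so any other ASA train is reported as "unknown train" rather than guessed at, and it accepts the version notations printed by "show version" ("9.1(4)5") and used on the slide ("9.1(4.5)").

```python
import re

# First fixed ASA release per train, as listed on slide 31 of the deck.
# Trains not on the slide (e.g. 9.2) are reported as "unknown train".
FIXED_RELEASES = {
    (8, 2): (8, 2, 5, 48),
    (8, 3): (8, 3, 2, 40),
    (8, 4): (8, 4, 7, 15),
    (8, 6): (8, 6, 1, 13),
    (9, 0): (9, 0, 4, 1),
    (9, 1): (9, 1, 4, 5),
}

# Accepts "9.1(4)5" (as printed by "show version"), "9.1(4.5)" (as on the
# slide) and "9.1(4)" (no interim number).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?$")
_SHOW_VERSION_RE = re.compile(r"Software Version (\S+)")


def parse_asa_version(text):
    """Turn an ASA version string into (major, minor, maintenance, interim)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, maint, interim_a, interim_b = m.groups()
    return (int(major), int(minor), int(maint), int(interim_a or interim_b or 0))


def cve_2014_2127_status(version_text):
    """Return 'fixed', 'vulnerable' or 'unknown train' for one ASA version."""
    v = parse_asa_version(version_text)
    if v is None:
        raise ValueError("unrecognised ASA version: %r" % (version_text,))
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "unknown train"
    return "fixed" if v >= fixed else "vulnerable"


def status_from_show_version(output):
    """Pull the version out of 'show version' output and classify it."""
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Software Version' line in output")
    return m.group(1), cve_2014_2127_status(m.group(1))


# Constructed sample of the first line of "show version" on a lab box.
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 8.4(7)14\n"

if __name__ == "__main__":
    print(status_from_show_version(SAMPLE_SHOW_VERSION))  # ('8.4(7)14', 'vulnerable')
```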
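The detection logic from slide 33 run over sample syslog lines, as an added example that is not part of the original deck. The two rules are the ones on the slide: a %ASA-7-111009 command-execution record with an empty username, and any %ASA-3-113021 "did NOT have appropriate Admin Rights" record; the log lines, the 'admin' user and the unrelated connection message are constructed for the example.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", ["rule", "user", "detail", "line"])

# Message IDs from slide 33. 111009 is severity 7 (debug), so the ASA must
# be logging that message ID at a level the collector actually receives.
# search() rather than match() so a syslog timestamp/hostname prefix is fine.
_CMD_EXEC_RE = re.compile(
    r"%ASA-7-111009: User '(?P<user>[^']*)' executed cmd: (?P<cmd>.+)$")
_NO_ADMIN_RE = re.compile(
    r"%ASA-3-113021: Attempted console login failed user '(?P<user>[^']*)' "
    r"did NOT have appropriate Admin Rights")


def check_line(line):
    """Return an Alert for a line matching either rule, else None."""
    m = _CMD_EXEC_RE.search(line)
    if m:
        # Commands run by a named administrator are routine; the empty
        # username on a command-execution record is the indicator.
        if m.group("user") == "":
            return Alert("111009-empty-user", "", m.group("cmd").strip(), line)
        return None
    m = _NO_ADMIN_RE.search(line)
    if m:
        return Alert("113021-no-admin-rights", m.group("user"), "", line)
    return None


def scan(lines):
    """Run both rules over an iterable of syslog lines."""
    alerts = []
    for line in lines:
        a = check_line(line.rstrip("\n"))
        if a:
            alerts.append(a)
    return alerts


# Constructed sample: one routine admin command, the two patterns from the
# slide, and an unrelated connection message that must not fire.
SAMPLE_LOG = [
    "%ASA-7-111009: User 'admin' executed cmd: show running-config",
    "%ASA-7-111009: User '' executed cmd: show version",
    "%ASA-3-113021: Attempted console login failed user 'thinclient' "
    "did NOT have appropriate Admin Rights.",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:10.0.0.5/51234 (10.0.0.5/51234) to inside:10.0.0.9/443 (10.0.0.9/443)",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a.rule, repr(a.user), a.detail)
```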