Crowdsourcing Your Cisco Firewall Administration... WAT

Transcript

1. Crowdsourcing Your Cisco Firewall Administration

2. Jonathan Claudius ¤  Trustwave SpiderLabs ¤  Lead Security Researcher ¤ 

   Vulnerability Assessment Team (VAT)

3. Laura Guay ¤  Dell SecureWorks ¤  Network Security Senior Advisor

   ¤  (aka: Senior Platform Engineer) ¤  SME for Cisco and Imperva ¤  Former Penetration Tester

4. We hack together

5. Want to crowdsource your firewall administration?

6. Yeah… that makes no sense ¤  We tried it briefly

   (via Twitter) ¤  People trolled us… ¤  “debug all” ¤  “write erase” ¤  It’s a terrible idea ¤  Ideally, firewall management is limited to a set of trusted and experienced staff

7. What this talk is really about ¤  A vulnerability we

   found in Cisco ASA that allows SSL VPN users to gain full administrative access to the firewall. ¤  We will Cover… ¤  Vulnerability Discovery ¤  Configuration Review ¤  Vulnerability Details ¤  Live Demonstration ¤  Take Away’s (Offense/Defense)

8. Vulnerability Discovery How was this vulnerability discovered?

9. ASDM Brute-forcing is slow… ¤  DEFCON 21 ¤  Had quick

   conversation with Barrett Weisshaar ¤  He said ASDM brute-forcing took forever ¤  Basic Process ¤  Download the Java client ¤  Authenticate like a normal Administrator ¤  See if you get lucky before your fingers fall off

10. ASDM Brute-force MSF Module ¤  Created a Metasploit Module to

    make it easier

11. Cisco SSL VPN Portal ¤  Cisco SSL VPN Portal ¤ 

    Allows remote users access to extranet type website ¤  Simple form submission authentication ¤  Created a Metasploit Aux Module for this too ¤  *Realization* ¤  ASDM and SSL VPN authentication schemes use similar authentication pattern ¤  User-Agent based (ASDM vs. Browser Agent)

12. Session Cookie Reuse Idea

13. Filed this one under “Interesting, but not likely”

14. Four months later ¤  At the kitchen table at my

    mom’s house over our Thanksgiving vacation. ¤  Finally revisited the idea. ¤  Set aside 15 minutes.

15. And I was…

16. Configuration Review Laura to the rescue!!!

17. SSL VPN Options on ASA ¤  Clientless (WebVPN) ¤  Web

    portal that requires no external clients ¤  Thin-Client ¤  Web portal combined with a small java application ¤  AnyConnect ¤  Thick-Client VPN Access

18. VPN Group Enforcement ¤  Group-policy (group-lock) ¤  Force users to

    connect to a specific tunnel-group ¤  Prevents unauthorized access to other VPN groups group-policy RemoteAccessVPN_GP attributes! vpn-tunnel-protocol ikev1 ssl-clientless! group-lock value RemoteAccessVPN_TG!

19. VPN User Attributes ¤  Privilege ¤  Service-type ¤  Group-policy username

    sslvpn_user password <removed> encrypted privilege 0! username sslvpn_user attributes! service-type remote-access! group-lock value RemoteAccessVPN_TG!

20. Authentication & Authorization ¤  AAA authentication (Local or External) ¤ 

    Authorization aaa authentication ssh console LOCAL ! aaa authentication http console LOCAL! ! aaa authentication ssh console LDAP_SERVER LOCAL ! aaa authentication http console LDAP_SERVER LOCAL ! aaa authorization command LOCAL ! aaa authorization exec LOCAL!

21. CVE-2014-2127 ¤  Cisco ASA SSL VPN Privilege Escalation Vulnerability ¤ 

    Bug ID: CSCul70099 ¤  Security Advisory: cisco-sa-20140409-asa ¤  Coordinated disclosure on April 9th ¤  2 days after OpenSSL Heartbleed release ¤  1 day after Windows XP EOL

22. Technical Details How the vulnerability works

23. WebVPN – Post Auth

24. How to learn the ASDM paths… ¤  Using a custom

    proxy listener in Burp with Redirection and Invisible Proxying to inspect the ASDM HTTPS transport layer traffic. ¤  Redirection – Bind local ports to remote ports ¤  Invisible Proxying – A transparent proxy in Burp ¤  “Reversing” Non-Proxy Aware HTTPS Thick Clients w/ Burp ¤  http://blog.spiderlabs.com/2014/02/reversing-non-proxy- aware-https-thick-clients-w-burp.htm

25. Show Version

26. Dump Config

27. Make Changes

28. Demonstration Show and tell

29. Demonstration Context (Live) ¤  Malicious Service Provider w/ VPN Access

    ¤  User rights limited, Grouplock, Remote Service Type, AAA enabled, LDAP Auth, etc. (aka: best practice) ¤  We will show how this user can take full control of the firewall in seconds by exploiting this vulnerability ¤  Wrote a Metasploit Module for stability reasons ¤  Browsers are too flakey (Cookie Mgmt Problems)

30. Takeaways Where do we go from here?

31. Defensive Takeaways ¤  Patch to the latest version(s) ¤  All

    the settings I mentioned earlier ¤  If you don’t you will still be “vulnerable”!!! 8.2(5.48) 8.4(7.15) 9.0(4.1) 8.3(2.40) 8.6(1.13) 9.1(4.5)

32. Workarounds ¤  Cisco says there are none… ¤  Host your

    SSL VPN / ASDM on different interfaces/port ¤  Implement ACLs for ASDM access

33. Detection Logic ¤  Monitor for these log message IDs: %ASA-7-111009:

    User '' executed cmd: show version! %ASA-3-113021: Attempted console login failed user 'thinclient' did NOT have appropriate Admin Rights.!

34. Offensive Takeaways Part 1 ¤  Social Engineering and MiTM ¤ 

    LDAP – Attacking Active Directory aaa-server LDAP protocol ldap! aaa-server LDAP (inside) host 192.168.101.150! ldap-base-dn CN=Users,DC=cisco,DC=local! ldap-scope subtree! ldap-login-password MyADPassword!!! ldap-login-dn CN=Administrator,CN=Users,DC=cisco,DC=local! server-type auto-detect! ldap-attribute-map LDAP-Example!

35. Offensive Takeaways Part 2 ¤  Attack ASA modules ¤  Denial

    of service ¤  Drop firewall rules ¤  Capture all traffic

36. Parting Thoughts ¤  Understand the actual risk ¤  Patch your

    ASAs ¤  Review your ASA config

37. Thank You! ¤  Jonathan Claudius ¤  Twitter: @claudijd ¤  Email:

    [email protected] ¤  Laura Guay ¤  Twitter: @L_ORA ¤  Email: [email protected]