Crowdsourcing Your Cisco Firewall Administration... WAT

In this presentation, Laura Guay and I talk about a vulnerability we discovered in Cisco ASA (CVE-2014-2127) that allows SSL VPN users to administer Cisco ASAs. We talk about how the vulnerability works, how it was fixed and discuss some offensive and defensive takeaways for our fellow security professionals.

If you are interested in the demo that accompanied this presentation you can find that here:

https://vimeo.com/93010946

Jonathan Claudius

April 25, 2014

Transcript

  1. Crowdsourcing Your Cisco
    Firewall Administration

  2. Jonathan Claudius
    ¤  Trustwave SpiderLabs
    ¤  Lead Security Researcher
    ¤  Vulnerability Assessment Team (VAT)

  3. Laura Guay
    ¤  Dell SecureWorks
    ¤  Network Security Senior Advisor
    ¤  (aka: Senior Platform Engineer)
    ¤  SME for Cisco and Imperva
    ¤  Former Penetration Tester

  4. We hack together

  5. Want to crowdsource your firewall
    administration?

  6. Yeah… that makes no sense
    ¤  We tried it briefly (via Twitter)
    ¤  People trolled us…
    ¤  “debug all”
    ¤  “write erase”
    ¤  It’s a terrible idea
    ¤  Ideally, firewall management is limited to a set of trusted
    and experienced staff

  7. What this talk is really about
    ¤  A vulnerability we found in Cisco ASA that allows SSL VPN
    users to gain full administrative access to the firewall.
    ¤  We will Cover…
    ¤  Vulnerability Discovery
    ¤  Configuration Review
    ¤  Vulnerability Details
    ¤  Live Demonstration
    ¤  Takeaways (Offense/Defense)

  8. Vulnerability Discovery
    How was this vulnerability discovered?

  9. ASDM Brute-forcing is slow…
    ¤  DEFCON 21
    ¤  Had quick conversation with Barrett Weisshaar
    ¤  He said ASDM brute-forcing took forever
    ¤  Basic Process
    ¤  Download the Java client
    ¤  Authenticate like a normal Administrator
    ¤  See if you get lucky before your fingers fall off

  10. ASDM Brute-force MSF Module
    ¤  Created a Metasploit Module to make it easier

  11. Cisco SSL VPN Portal
    ¤  Cisco SSL VPN Portal
    ¤  Allows remote users access to extranet type website
    ¤  Simple form submission authentication
    ¤  Created a Metasploit Aux Module for this too
    ¤  *Realization*
    ¤  ASDM and SSL VPN authentication schemes use similar
    authentication pattern
    ¤  User-Agent based (ASDM vs. Browser Agent)

  12. Session Cookie Reuse Idea

  13. Filed this one under
    “Interesting, but not likely”

  14. Four months later
    ¤  At the kitchen table at my mom’s house over our
    Thanksgiving vacation.
    ¤  Finally revisited the idea.
    ¤  Set aside 15 minutes.

  15. And I was…

  16. Configuration Review
    Laura to the rescue!!!

  17. SSL VPN Options on ASA
    ¤  Clientless (WebVPN)
    ¤  Web portal that requires no external clients
    ¤  Thin-Client
    ¤  Web portal combined with a small Java application
    ¤  AnyConnect
    ¤  Thick-Client VPN Access

  18. VPN Group Enforcement
    ¤  Group-policy (group-lock)
    ¤  Force users to connect to a specific tunnel-group
    ¤  Prevents unauthorized access to other VPN groups
    group-policy RemoteAccessVPN_GP attributes
     vpn-tunnel-protocol ikev1 ssl-clientless
     group-lock value RemoteAccessVPN_TG

  19. VPN User Attributes
    ¤  Privilege
    ¤  Service-type
    ¤  Group-policy
    username sslvpn_user password encrypted privilege 0
    username sslvpn_user attributes
     service-type remote-access
     group-lock value RemoteAccessVPN_TG

  20. Authentication & Authorization
    ¤  AAA authentication (Local or External)
    ¤  Authorization
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    !
    aaa authentication ssh console LDAP_SERVER LOCAL
    aaa authentication http console LDAP_SERVER LOCAL
    aaa authorization command LOCAL
    aaa authorization exec LOCAL

  21. CVE-2014-2127
    ¤  Cisco ASA SSL VPN Privilege Escalation Vulnerability
    ¤  Bug ID: CSCul70099
    ¤  Security Advisory: cisco-sa-20140409-asa
    ¤  Coordinated disclosure on April 9th
    ¤  2 days after OpenSSL Heartbleed release
    ¤  1 day after Windows XP EOL

  22. Technical Details
    How the vulnerability works

  23. WebVPN – Post Auth

  24. How to learn the ASDM paths…
    ¤  Using a custom proxy listener in Burp with Redirection and
    Invisible Proxying to inspect the ASDM HTTPS transport
    layer traffic.
    ¤  Redirection – Bind local ports to remote ports
    ¤  Invisible Proxying – A transparent proxy in Burp
    ¤  “Reversing” Non-Proxy Aware HTTPS Thick Clients w/ Burp
    ¤  http://blog.spiderlabs.com/2014/02/reversing-non-proxy-aware-https-thick-clients-w-burp.htm

  25. Show Version

  26. Dump Config

  27. Make Changes

  28. Demonstration
    Show and tell

  29. Demonstration Context (Live)
    ¤  Malicious Service Provider w/ VPN Access
    ¤  User rights limited, group-lock, remote-access service-type, AAA
    enabled, LDAP auth, etc. (aka: best practice)
    ¤  We will show how this user can take full control of the
    firewall in seconds by exploiting this vulnerability
    ¤  Wrote a Metasploit Module for stability reasons
    ¤  Browsers are too flaky (cookie management problems)

  30. Takeaways
    Where do we go from here?

  31. Defensive Takeaways
    ¤  Patch to the latest version(s)
    ¤  All the settings I mentioned earlier
    ¤  If you don’t, you will still be “vulnerable”!!!
    8.2(5.48), 8.3(2.40), 8.4(7.15), 8.6(1.13), 9.0(4.1), 9.1(4.5)

  32. Workarounds
    ¤  Cisco says there are none…
    ¤  Host your SSL VPN / ASDM on different interfaces/port
    ¤  Implement ACLs for ASDM access

  33. Detection Logic
    ¤  Monitor for these log message IDs:
    %ASA-7-111009: User '' executed cmd: show version
    %ASA-3-113021: Attempted console login failed user 'thinclient' did NOT have appropriate Admin Rights.
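The two message IDs above, run over a handful of constructed ASA syslog lines. This is an added example, not code from the talk or from Cisco; the log lines, the host name fw01 and the admin allowlist are all made up here, and the line format simply follows what the slide shows.

```python
"""Added example, not from the talk: flag the two ASA syslog message IDs the
slide names. Input lines are constructed here in the format the slide shows."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines (not from a real device). Line 2 is a VPN user's
# credentials being rejected by the admin-rights check; lines 3-4 are commands
# run with an empty username, the pattern the slide shows for this bug.
SAMPLE_LOGS = [
    "Apr 25 2014 10:01:02 fw01 : %ASA-7-111009: User 'admin' executed cmd: show running-config",
    "Apr 25 2014 10:05:17 fw01 : %ASA-3-113021: Attempted console login failed user 'thinclient' did NOT have appropriate Admin Rights.",
    "Apr 25 2014 10:05:18 fw01 : %ASA-7-111009: User '' executed cmd: show version",
    "Apr 25 2014 10:05:20 fw01 : %ASA-7-111009: User '' executed cmd: show running-config",
    "Apr 25 2014 10:06:00 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/443 to inside:10.10.1.5/51234",
]

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
CMD_RE = re.compile(r"User '(?P<user>[^']*)' executed cmd: (?P<cmd>.+)")
NOADMIN_RE = re.compile(r"login failed user '(?P<user>[^']*)' did NOT have appropriate Admin Rights")


def parse_asa_line(line: str) -> Optional[Dict[str, str]]:
    """Pull severity, message ID and free text out of one syslog line."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None


def detect(lines: List[str], admin_users: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (message_id, user, reason) for each line worth alerting on.

    admin_users is the allowlist of accounts expected to run commands on the
    device; anything else executing commands, and any admin-rights failure,
    is reported. An empty username is reported separately because that is
    what the slide shows for commands issued through the reused session.
    """
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        msg = parse_asa_line(line)
        if msg is None:
            continue
        if msg["id"] == "113021":
            m = NOADMIN_RE.search(msg["text"])
            user = m.group("user") if m else "<unparsed>"
            alerts.append((msg["id"], user, "non-admin credentials presented to the management plane"))
        elif msg["id"] == "111009":
            m = CMD_RE.search(msg["text"])
            if m is None:
                continue
            user, cmd = m.group("user"), m.group("cmd")
            if user == "":
                alerts.append((msg["id"], user, f"command '{cmd}' executed with an empty username"))
            elif user not in admin_users:
                alerts.append((msg["id"], user, f"command '{cmd}' executed by non-allowlisted user"))
    return alerts


if __name__ == "__main__":
    for msg_id, user, reason in detect(SAMPLE_LOGS, {"admin"}):
        print(f"ALERT {msg_id} user={user!r}: {reason}")
```

Severity 7 messages (111009) are debug-level, so the device must be sending them (logging trap debugging, or a logging list that includes 111009) before this check sees anything; 113021 is severity 3 and is usually already collected.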

  34. Offensive Takeaways Part 1
    ¤  Social Engineering and MitM
    ¤  LDAP – Attacking Active Directory
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 192.168.101.150
     ldap-base-dn CN=Users,DC=cisco,DC=local
     ldap-scope subtree
     ldap-login-password MyADPassword!!
     ldap-login-dn CN=Administrator,CN=Users,DC=cisco,DC=local
     server-type auto-detect
     ldap-attribute-map LDAP-Example
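A small config reviewer that checks the settings slides 18 to 20 describe (group-lock, VPN user privilege and service-type, AAA authorization), the ASDM access restriction from slide 32, and the LDAP bind account this slide shows. This is an added example, not code from the talk or from Cisco. The two configs inside it are constructed to mirror the slides' snippets; the management network 10.10.1.0/24, the Contractor_GP policy, the contractor user and the asa-ldap-bind account are invented for the example.

```python
"""Added example, not from the talk or from Cisco: a reviewer for ASA
running-config text covering the settings the slides call out."""
import re
from typing import Dict, List, Tuple

# Constructed weak config: open ASDM, no authorization, a privileged LDAP
# bind DN, a group-policy without group-lock and a privilege 15 local user.
WEAK_CONFIG = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.101.150
 ldap-login-password MyADPassword
 ldap-login-dn CN=Administrator,CN=Users,DC=cisco,DC=local
group-policy RemoteAccessVPN_GP attributes
 group-lock value RemoteAccessVPN_TG
group-policy Contractor_GP attributes
 vpn-tunnel-protocol ssl-clientless
username sslvpn_user password XXXX encrypted privilege 0
username sslvpn_user attributes
 service-type remote-access
 group-lock value RemoteAccessVPN_TG
username contractor password XXXX encrypted privilege 15
"""

# Constructed hardened config: the same device with every check satisfied.
HARDENED_CONFIG = """\
http server enable
http 10.10.1.0 255.255.255.0 inside
aaa authorization command LOCAL
aaa authorization exec LOCAL
aaa-server LDAP (inside) host 192.168.101.150
 ldap-login-password BindOnlyPwd
 ldap-login-dn CN=asa-ldap-bind,OU=Service Accounts,DC=cisco,DC=local
group-policy RemoteAccessVPN_GP attributes
 group-lock value RemoteAccessVPN_TG
username sslvpn_user password XXXX encrypted privilege 0
username sslvpn_user attributes
 service-type remote-access
 group-lock value RemoteAccessVPN_TG
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split config text into (top-level command, [indented sub-commands])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def review_asa_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means all checks passed."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    user_priv: Dict[str, int] = {}
    user_attrs: Dict[str, List[str]] = {}

    for header, subs in blocks:
        # Slide 18: every VPN group-policy should pin users to one tunnel-group.
        m = re.match(r"group-policy (\S+) attributes$", header)
        if m and not any(s.startswith("group-lock value ") for s in subs):
            findings.append(f"group-policy {m.group(1)}: no group-lock")
        # Slide 19: collect privilege levels and attribute blocks per user.
        m = re.match(r"username (\S+) password .* privilege (\d+)$", header)
        if m:
            user_priv[m.group(1)] = int(m.group(2))
        m = re.match(r"username (\S+) attributes$", header)
        if m:
            user_attrs[m.group(1)] = subs
        # Slide 32: ASDM (http) access should be limited to a management network.
        m = re.match(r"http (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (\S+)$", header)
        if m and m.group(2) == "0.0.0.0":
            findings.append(f"http {m.group(1)} {m.group(2)}: ASDM reachable from any host on {m.group(3)}")
        # Slide 34: the bind DN and password are readable in a config dump,
        # so the bind account must not be a privileged AD account.
        m = re.match(r"aaa-server (\S+) \(\S+\) host ", header)
        if m:
            dn = next((s.split(None, 1)[1] for s in subs if s.startswith("ldap-login-dn ")), "")
            if re.search(r"CN=Administrator,|Domain Admins", dn, re.IGNORECASE):
                findings.append(f"aaa-server {m.group(1)}: privileged LDAP bind DN {dn}")

    for user, priv in user_priv.items():
        attrs = user_attrs.get(user, [])
        remote_only = any(s.startswith("service-type remote-access") for s in attrs)
        if remote_only and priv > 0:
            findings.append(f"username {user}: remote-access user with privilege {priv}")
        if remote_only and not any(s.startswith("group-lock value ") for s in attrs):
            findings.append(f"username {user}: remote-access user without group-lock")
        if not remote_only:
            findings.append(f"username {user}: no 'service-type remote-access'; confirm this account should administer the device")

    # Slide 20: authorization for both the exec shell and individual commands.
    for plane in ("exec", "command"):
        if not any(h.startswith(f"aaa authorization {plane} ") for h in headers):
            findings.append(f"no 'aaa authorization {plane}' configured")
    return findings


if __name__ == "__main__":
    for finding in review_asa_config(WEAK_CONFIG):
        print("FINDING:", finding)
```

The reviewer reads a text export of the running config, so it can run against a backup without touching the device. Note that it only checks the settings the talk lists; as slides 21 and 31 say, none of them prevents the vulnerability itself, which is fixed only by upgrading.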

  35. Offensive Takeaways Part 2
    ¤  Attack ASA modules
    ¤  Denial of service
    ¤  Drop firewall rules
    ¤  Capture all traffic

  36. Parting Thoughts
    ¤  Understand the actual risk
    ¤  Patch your ASAs
    ¤  Review your ASA config

  37. Thank You!
    ¤  Jonathan Claudius
    ¤  Twitter: @claudijd
    ¤  Email: [email protected]
    ¤  Laura Guay
    ¤  Twitter: @L_ORA
    ¤  Email: [email protected]
