Slide 1

Crowdsourcing Your Cisco Firewall Administration

Slide 2

Jonathan Claudius
- Trustwave SpiderLabs
- Lead Security Researcher
- Vulnerability Assessment Team (VAT)

Slide 3

Laura Guay
- Dell SecureWorks
- Network Security Senior Advisor (aka: Senior Platform Engineer)
- SME for Cisco and Imperva
- Former Penetration Tester

Slide 4

We hack together

Slide 5

Want to crowdsource your firewall administration?

Slide 6

Yeah… that makes no sense
- We tried it briefly (via Twitter)
- People trolled us…
- “debug all”
- “write erase”
- It’s a terrible idea
- Ideally, firewall management is limited to a set of trusted and experienced staff

Slide 7

What this talk is really about
- A vulnerability we found in Cisco ASA that allows SSL VPN users to gain full administrative access to the firewall.
- We will cover:
  - Vulnerability Discovery
  - Configuration Review
  - Vulnerability Details
  - Live Demonstration
  - Takeaways (Offense/Defense)

Slide 8

Vulnerability Discovery
How was this vulnerability discovered?

Slide 9

ASDM Brute-forcing is slow…
- DEFCON 21
- Had a quick conversation with Barrett Weisshaar
- He said ASDM brute-forcing took forever
- Basic Process
  - Download the Java client
  - Authenticate like a normal Administrator
  - See if you get lucky before your fingers fall off

Slide 10

ASDM Brute-force MSF Module
- Created a Metasploit Module to make it easier

Slide 11

Cisco SSL VPN Portal
- Allows remote users access to extranet type website
- Simple form submission authentication
- Created a Metasploit Aux Module for this too
- *Realization*
  - ASDM and SSL VPN authentication schemes use similar authentication pattern
  - User-Agent based (ASDM vs. Browser Agent)

Slide 12

Session Cookie Reuse Idea

Slide 13

Filed this one under “Interesting, but not likely”

Slide 14

Four months later
- At the kitchen table at my mom’s house over our Thanksgiving vacation.
- Finally revisited the idea.
- Set aside 15 minutes.

Slide 15

And I was…

Slide 16

Configuration Review
Laura to the rescue!!!

Slide 17

SSL VPN Options on ASA
- Clientless (WebVPN)
  - Web portal that requires no external clients
- Thin-Client
  - Web portal combined with a small Java application
- AnyConnect
  - Thick-Client VPN Access

Slide 18

VPN Group Enforcement
- Group-policy (group-lock)
- Force users to connect to a specific tunnel-group
- Prevents unauthorized access to other VPN groups

  group-policy RemoteAccessVPN_GP attributes
   vpn-tunnel-protocol ikev1 ssl-clientless
   group-lock value RemoteAccessVPN_TG

Slide 19

VPN User Attributes
- Privilege
- Service-type
- Group-policy

  username sslvpn_user password encrypted privilege 0
  username sslvpn_user attributes
   service-type remote-access
   group-lock value RemoteAccessVPN_TG

Slide 20

Authentication & Authorization
- AAA authentication (Local or External)
- Authorization

  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  !
  aaa authentication ssh console LDAP_SERVER LOCAL
  aaa authentication http console LDAP_SERVER LOCAL
  !
  aaa authorization command LOCAL
  aaa authorization exec LOCAL
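As an added example (not part of the talk), a small Python checker that reviews an ASA configuration fragment for the settings the last three slides list: privilege 0, service-type remote-access, a group-lock on the user or on its group-policy, and the aaa authorization commands. The config fragment, the user names and the <hash> placeholders are constructed for this example; as the defensive slides later note, these settings still do not replace the patch.

```python
import re
# Constructed ASA config fragment in the style of the configuration-review slides:
# 'sslvpn_user' follows the listed settings, 'contractor' does not; <hash> stands
# in for the encrypted password.
SAMPLE_CONFIG = """\
aaa authorization exec LOCAL
group-policy RemoteAccessVPN_GP attributes
 group-lock value RemoteAccessVPN_TG
username sslvpn_user password <hash> encrypted privilege 0
username sslvpn_user attributes
 vpn-group-policy RemoteAccessVPN_GP
 service-type remote-access
username contractor password <hash> encrypted privilege 15
username contractor attributes
 group-lock value RemoteAccessVPN_TG
"""
def parse_blocks(config):
    """Map each '... attributes' header line to the indented lines of its sub-mode."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.endswith(" attributes"):
            current = line  # a header line opens a sub-mode
        elif line.startswith(" ") and current:
            blocks.setdefault(current, []).append(line.strip())
        else:
            current = None  # any other top-level command closes the sub-mode
    return blocks

def locked(attrs, blocks):
    """True if attrs carry a group-lock directly or via the referenced group-policy."""
    if any(a.startswith("group-lock value ") for a in attrs):
        return True
    return any(locked(blocks.get(f"group-policy {a.split()[1]} attributes", []), {})
               for a in attrs if a.startswith("vpn-group-policy "))

def review(config):
    """List (scope, finding) pairs for the user, group-policy and AAA settings above."""
    lines = config.splitlines()
    findings = [("global", f"missing '{c}'") for c in
                ("aaa authorization command LOCAL", "aaa authorization exec LOCAL") if c not in lines]
    blocks = parse_blocks(config)
    for name, priv in re.findall(r"^username (\S+) password \S+ encrypted privilege (\d+)$", config, re.M):
        attrs = blocks.get(f"username {name} attributes", [])
        if priv != "0":
            findings.append((name, f"privilege {priv}, expected 0"))
        if "service-type remote-access" not in attrs:
            findings.append((name, "missing 'service-type remote-access'"))
        if not locked(attrs, blocks):
            findings.append((name, "no group-lock on the user or its group-policy"))
    return findings
```

Running `review` on a full `show running-config` dump works the same way, since only the username, group-policy and aaa lines are inspected.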

Slide 21

CVE-2014-2127
- Cisco ASA SSL VPN Privilege Escalation Vulnerability
- Bug ID: CSCul70099
- Security Advisory: cisco-sa-20140409-asa
- Coordinated disclosure on April 9th
  - 2 days after OpenSSL Heartbleed release
  - 1 day after Windows XP EOL

Slide 22

Technical Details
How the vulnerability works

Slide 23

WebVPN – Post Auth

Slide 24

How to learn the ASDM paths…
- Using a custom proxy listener in Burp with Redirection and Invisible Proxying to inspect the ASDM HTTPS transport layer traffic.
  - Redirection – Bind local ports to remote ports
  - Invisible Proxying – A transparent proxy in Burp
- “Reversing” Non-Proxy Aware HTTPS Thick Clients w/ Burp
  - http://blog.spiderlabs.com/2014/02/reversing-non-proxy-aware-https-thick-clients-w-burp.htm

Slide 25

Show Version

Slide 26

Dump Config

Slide 27

Make Changes

Slide 28

Demonstration
Show and tell

Slide 29

Demonstration Context (Live)
- Malicious Service Provider w/ VPN Access
- User rights limited, Group-lock, Remote Service Type, AAA enabled, LDAP Auth, etc. (aka: best practice)
- We will show how this user can take full control of the firewall in seconds by exploiting this vulnerability
- Wrote a Metasploit Module for stability reasons
  - Browsers are too flaky (Cookie Mgmt Problems)

Slide 30

Takeaways
Where do we go from here?

Slide 31

Defensive Takeaways
- Patch to the latest version(s): 8.2(5.48), 8.4(7.15), 9.0(4.1), 8.3(2.40), 8.6(1.13), 9.1(4.5)
- All the settings I mentioned earlier
- If you don’t you will still be “vulnerable”!!!

Slide 32

Workarounds
- Cisco says there are none…
- Host your SSL VPN / ASDM on different interfaces/ports
- Implement ACLs for ASDM access

Slide 33

Detection Logic
- Monitor for these log message IDs:

  %ASA-7-111009: User '' executed cmd: show version
  %ASA-3-113021: Attempted console login failed user 'thinclient' did NOT have appropriate Admin Rights.
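As an added example (not from the talk), the two message IDs above turned into simple detection logic run over a few constructed syslog lines. The rule names and the sample lines are assumptions; a real deployment would feed the ASA's syslog stream in place of the embedded string.

```python
import re
from typing import Optional

# Constructed sample of ASA syslog output using only the two message IDs quoted on
# the slide; the 'admin' line is ordinary administrator activity kept for contrast.
SAMPLE_LOGS = """\
%ASA-7-111009: User 'admin' executed cmd: show version
%ASA-7-111009: User '' executed cmd: show version
%ASA-3-113021: Attempted console login failed user 'thinclient' did NOT have appropriate Admin Rights.
%ASA-7-111009: User '' executed cmd: show running-config
"""
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)$")
USER_RE = re.compile(r"[Uu]ser '(?P<user>[^']*)'")

def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into severity, message ID, user (if present) and body."""
    m = MSG_RE.search(line)
    if not m:
        return None
    u = USER_RE.search(m.group("body"))
    return {"severity": int(m.group("sev")), "msg_id": m.group("msg_id"),
            "user": u.group("user") if u else None, "body": m.group("body")}

def classify(event: dict) -> Optional[str]:
    """Name the rule an event trips, or None when it looks like normal admin activity."""
    # 111009 with an empty user name: an admin-level command ran with no named
    # administrator behind it, the pattern the slide quotes.
    if event["msg_id"] == "111009" and event["user"] == "":
        return "admin_command_with_empty_user"
    # 113021: an account without admin rights reached the console login path.
    if event["msg_id"] == "113021":
        return "non_admin_console_login_attempt"
    return None

def detect(log_text: str) -> list:
    """Return (rule, line) pairs for every line that trips a rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        rule = classify(event) if event else None
        if rule:
            hits.append((rule, line))
    return hits
```

Because the match is anchored on the %ASA- token rather than the start of the line, the same parser accepts lines carrying a syslog timestamp and hostname prefix.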

Slide 34

Offensive Takeaways Part 1
- Social Engineering and MiTM
- LDAP – Attacking Active Directory

  aaa-server LDAP protocol ldap
  aaa-server LDAP (inside) host 192.168.101.150
   ldap-base-dn CN=Users,DC=cisco,DC=local
   ldap-scope subtree
   ldap-login-password MyADPassword!!
   ldap-login-dn CN=Administrator,CN=Users,DC=cisco,DC=local
   server-type auto-detect
   ldap-attribute-map LDAP-Example

Slide 35

Offensive Takeaways Part 2
- Attack ASA modules
- Denial of service
- Drop firewall rules
- Capture all traffic

Slide 36

Parting Thoughts
- Understand the actual risk
- Patch your ASAs
- Review your ASA config

Slide 37

Thank You!
- Jonathan Claudius
  - Twitter: @claudijd
  - Email: [email protected]
- Laura Guay
  - Twitter: @L_ORA
  - Email: [email protected]