AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C
-
Cisco ASA Adaptive Security Appliance Software versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) that have been configured to accept Clientless SSL VPN connections contain a vulnerability that could allow an unauthenticated, remote attacker to steal user account credentials. Versions 7.x are not affected.
The vulnerability is due to insufficient warnings and restrictions when the software is using Common Internet File System (CIFS) and FTP shares in the SSL VPN feature. If an unauthenticated, remote attacker can convince a user to visit a malicious CIFS or FTP site while the user is logged in to the secure portal, the attacker could use this vulnerability as part of a phishing or spoofing attack to obtain user site credentials.
Cisco has confirmed this vulnerability and released updated software.
The vulnerability is due to a failure to properly protect the CIFS and FTP sharing features that the Clientless SSL VPN uses. The attacker must convince the user to follow a malicious URL while the user is logged in to the SSL VPN. The attacker may use social engineering techniques to make the user more likely to follow the link. If an exploit is successful, the attacker could capture user credentials to remote servers and possibly use these credentials in future attacks.
Exploit code that demonstrates the credential theft vulnerability is publicly available.
-
Cisco has released a Release Note Enclosure for Cisco bug ID CSCsy80709.
This vulnerability was reported to Cisco by Charles Henderson and David Byrne of Trustwave's SpiderLabs.
Vulnerable Products
Cisco ASA Software versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) are affected when they are running on Cisco ASA 5505, 5510, 5520, 5540, 5550, and 5580 devices.
Cisco ASA Software versions 7.x are not affected.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to configure the Clientless SSL VPN web portal to restrict users to administratively defined websites.
Administrators are advised to configure Web Access Control Lists (ACLs) to restrict users to internal or authorized resources only.
Users are advised not to follow unsolicited links. Users should verify the authenticity of unexpected links prior to following them.
Users are advised not to visit untrusted websites or links.
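As an added illustration that is not part of the Cisco advisory, the two administrator items above (restricting the portal to administratively defined websites and applying a Web ACL) can be expressed on the ASA as a webtype ACL bound to the Clientless SSL VPN group policy; the ACL name, group-policy name and intranet hostnames below are assumed values.

```cisco
! Added example, not from the advisory. ACL name, policy name and hosts are assumed.
! Webtype ACL: refuse CIFS and FTP URLs outright and permit only the internal
! sites administrators have approved. A link to an outside share is then
! rejected by the portal instead of prompting the logged-in user for credentials.
access-list CLIENTLESS-ALLOWED webtype deny url cifs://*
access-list CLIENTLESS-ALLOWED webtype deny url ftp://*
access-list CLIENTLESS-ALLOWED webtype permit url https://intranet.example.com/*
access-list CLIENTLESS-ALLOWED webtype permit url https://mail.example.com/*
! Anything not matched above falls to the implicit deny at the end of the ACL.
!
! Bind the ACL to the group policy used by clientless users and disable
! free-form URL and file-share entry so users can only follow configured bookmarks.
group-policy CLIENTLESS-POLICY attributes
 webvpn
  filter value CLIENTLESS-ALLOWED
  url-entry disable
  file-entry disable
  file-browsing disable
!
! Verification from privileged EXEC after applying the configuration:
! show running-config access-list CLIENTLESS-ALLOWED
! show running-config group-policy CLIENTLESS-POLICY
```

Upgrading to the fixed releases named above remains the actual fix; the ACL and entry restrictions only limit where a logged-in portal user can be led in the meantime.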
-
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
A special download page on the Software Center contains fixed software releases at the following link: ASA-PSIRT
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version  Description      Section  Status  Date
1.0      Initial Release  NA       Final   2009-Jun-24
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.