Cisco Adaptive Security Appliance Software Web-Based Management Interface Privilege Escalation Vulnerability

A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to elevate privileges and execute administrative functions on an affected device.

The vulnerability is due to insufficient authorization validation. An attacker could exploit this vulnerability by logging in to an affected device as a low-privileged user and then sending specific HTTPS requests to execute administrative functions using the information retrieved during initial login.
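The advisory describes the class of bug (authentication succeeds, but authorization of later administrative requests relies on what the client learned at login) without disclosing the ASA request path. The following is an added, invented illustration of that class; it is not Cisco's code and the endpoints, command names, session layout and privilege levels are assumptions made for the example. It shows a handler that trusts a client-echoed privilege value next to one that authorizes every request against the server's own session record.

```python
"""Illustration of the vulnerability class in the advisory above: a web
management interface that authenticates a user correctly but then
authorizes administrative actions against data the client obtained at
login instead of against server-held session state.

Added, invented example. Not Cisco's code; it does not describe the real
ASA request path, endpoints or session format, none of which the advisory
discloses. Command names and privilege levels are assumptions."""
import hmac
import secrets
from dataclasses import dataclass

ADMIN_LEVEL = 15
ADMIN_COMMANDS = {"write-config", "reload", "add-user"}   # invented names
READONLY_COMMANDS = {"show-version", "show-clock"}         # invented names


@dataclass
class Session:
    user: str
    priv: int  # privilege level fixed by the server at login


class ManagementInterface:
    def __init__(self, users):
        # users: name -> (password, privilege level). Plaintext only to keep
        # the illustration short; a real system stores password hashes.
        self._users = users
        self._sessions = {}

    def login(self, user, password):
        record = self._users.get(user)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = Session(user, record[1])
        # The login response tells the UI the user's level so it can hide
        # admin menus. That is fine as a hint; the bug below is trusting it.
        return {"token": token, "priv": record[1]}

    def _authenticate(self, request):
        return self._sessions.get(request.get("token", ""))

    def exec_vulnerable(self, request):
        """Insufficient authorization validation: the privilege check reads
        the 'priv' value the client sends back, i.e. information it retrieved
        at login, so any authenticated user can simply assert priv=15."""
        if self._authenticate(request) is None:
            return "403 not authenticated"
        cmd = request.get("command")
        if cmd in ADMIN_COMMANDS and int(request.get("priv", 0)) < ADMIN_LEVEL:
            return "403 insufficient privilege"
        if cmd not in ADMIN_COMMANDS | READONLY_COMMANDS:
            return "404 unknown command"
        return f"200 executed {cmd}"

    def exec_fixed(self, request):
        """Per-request authorization against the server's own session record;
        whatever 'priv' the client supplies is ignored."""
        session = self._authenticate(request)
        if session is None:
            return "403 not authenticated"
        cmd = request.get("command")
        if cmd not in ADMIN_COMMANDS | READONLY_COMMANDS:
            return "404 unknown command"
        if cmd in ADMIN_COMMANDS and session.priv < ADMIN_LEVEL:
            return "403 insufficient privilege"
        return f"200 executed {cmd}"


if __name__ == "__main__":
    mi = ManagementInterface({"operator": ("op-secret", 1), "admin": ("adm-secret", 15)})
    low = mi.login("operator", "op-secret")
    forged = {"token": low["token"], "command": "write-config", "priv": 15}
    print("vulnerable:", mi.exec_vulnerable(forged))  # 200 executed write-config
    print("fixed:     ", mi.exec_fixed(forged))       # 403 insufficient privilege
```

The point of the comparison is that the fixed handler never consults request data to decide privilege; the only input to the decision is the session object the server created at login, so the client cannot influence it no matter what it learned from the login response.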

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-asa-privescala

Security Impact Rating: High

CVE: CVE-2019-1934


Cisco Adaptive Security Appliance Software VPN Denial of Service Vulnerability

A vulnerability in the remote access VPN session manager of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the remote access VPN services.

The vulnerability is due to an issue with the remote access VPN session manager. An attacker could exploit this vulnerability by requesting an excessive number of remote access VPN sessions. An exploit could allow the attacker to cause a DoS condition.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-vpn-dos

Security Impact Rating: Medium

CVE: CVE-2019-1705


Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software VPN SAML Authentication Bypass Vulnerability

A vulnerability in the implementation of Security Assertion Markup Language (SAML) 2.0 Single Sign-On (SSO) for Clientless SSL VPN (WebVPN) and AnyConnect Remote Access VPN in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to successfully establish a VPN session to an affected device.

The vulnerability is due to improper credential management when using NT LAN Manager (NTLM) or basic authentication. An attacker could exploit this vulnerability by opening a VPN session to an affected device after another VPN user has successfully authenticated to the affected device via SAML SSO. A successful exploit could allow the attacker to connect to secured networks behind the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asaftd-saml-vpn

Security Impact Rating: High

CVE: CVE-2019-1714


Cisco Adaptive Security Appliance Software IPsec Denial of Service Vulnerability

A vulnerability in the software cryptography module of the Cisco Adaptive Security Virtual Appliance (ASAv) and Firepower 2100 Series running Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an unexpected reload of the device that results in a denial of service (DoS) condition.

The vulnerability is due to a logic error with how the software cryptography module handles IPsec sessions. An attacker could exploit this vulnerability by creating and sending traffic in a high number of IPsec sessions through the targeted device. A successful exploit could cause the device to reload and result in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ipsec-dos

Security Impact Rating: High

CVE: CVE-2019-1706


Cisco ASA DSM doesn't work with year in syslog header?

Dear Community,

I have some logs (below an example of logs) from a Cisco ASA device, and they are not auto discovered in QRadar.

So I created a log source with the field log source identifier matching the hostname in the syslog header: MYCISCOASA.
It doesn't work.

If you try to inject this log without "2017" (date in the syslog header), it works.
Is it normal?
Is there a solution to this problem?
Also I followed the DSM guide for my device configuration.

Thanks for your help

Log example:

Aug 07 2017 02:01:55 MYCISCOASA : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 4147
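As an added example (not part of the post above and not IBM/QRadar DSM code), here is a parser that accepts both header shapes: the one with a four-digit year that the ASA emits when it stamps the time itself, and the RFC 3164-style one without a year. It also pulls the threat-detection fields out of the %ASA-4-733100 body quoted in the post. The sample line is the one from the post; the `default_year` parameter and the `strip_year` helper are additions for testing whether the year alone is what a downstream collector rejects.

```python
"""Parser for Cisco ASA syslog lines whose header timestamp may or may not
carry a four-digit year, plus field extraction for the %ASA-4-733100
threat-detection message quoted in the post. Added example; not part of
the post and not IBM/QRadar DSM code. SAMPLE_WITH_YEAR is the line from the
post; the year-less variant is derived from it with strip_year()."""
import re
from datetime import datetime
from typing import Any, Dict, Optional

SAMPLE_WITH_YEAR = (
    "Aug 07 2017 02:01:55 MYCISCOASA : %ASA-4-733100: [ Scanning] drop rate-1 "
    "exceeded. Current burst rate is 3 per second, max configured rate is 10; "
    "Current average rate is 6 per second, max configured rate is 5; "
    "Cumulative total count is 4147"
)

# Header: optional <PRI>, "Mon DD [YYYY] HH:MM:SS", hostname, optional " : ",
# then the ASA message. The year group is optional so both shapes parse.
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?:(?P<year>\d{4})\s+)?"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>[^\s:]+)\s*:?\s*"
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)
_YEAR_IN_HEADER = re.compile(
    r"^((?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s+)\d{4}\s+(\d{2}:\d{2}:\d{2}\s)"
)
_TD_HEAD = re.compile(r"\[\s*(?P<category>[^\]]+?)\s*\]\s+drop rate-(?P<rate_id>\d+) exceeded")
_TD_RATE = re.compile(
    r"Current (?P<kind>burst|average) rate is (?P<rate>\d+) per second, "
    r"max configured rate is (?P<limit>\d+)"
)
_TD_TOTAL = re.compile(r"Cumulative total count is (?P<total>\d+)")


def parse_asa_syslog(line: str, default_year: Optional[int] = None) -> Dict[str, Any]:
    """Split an ASA syslog line into header and message fields.

    If the header carries no year, default_year (e.g. the collector's
    current year) is used to build the timestamp; with neither, the
    timestamp is None rather than guessed."""
    m = _HEADER.match(line.strip())
    if m is None:
        raise ValueError(f"not an ASA syslog line: {line!r}")
    year = int(m["year"]) if m["year"] else default_year
    timestamp = None
    if year is not None:
        timestamp = datetime.strptime(
            f"{m['mon']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M:%S"
        )
    return {
        "has_year": m["year"] is not None,
        "timestamp": timestamp,
        "host": m["host"],
        "severity": int(m["sev"]),
        "msgid": m["msgid"],
        "text": m["text"].strip(),
    }


def strip_year(line: str) -> str:
    """Rewrite 'Mon DD YYYY HH:MM:SS host' to 'Mon DD HH:MM:SS host'.

    Useful at a relay, or simply to test whether the year alone is what a
    downstream collector rejects, which is what the post observes."""
    return _YEAR_IN_HEADER.sub(r"\1\2", line, count=1)


def parse_733100(text: str) -> Dict[str, Any]:
    """Extract the threat-detection fields from a %ASA-4-733100 body and
    report which configured rate(s) were actually exceeded."""
    head = _TD_HEAD.search(text)
    rates = {r["kind"]: (int(r["rate"]), int(r["limit"])) for r in _TD_RATE.finditer(text)}
    total = _TD_TOTAL.search(text)
    return {
        "category": head["category"] if head else None,
        "rate_id": int(head["rate_id"]) if head else None,
        "rates": rates,
        "exceeded": sorted(k for k, (cur, limit) in rates.items() if cur > limit),
        "cumulative": int(total["total"]) if total else None,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_YEAR, strip_year(SAMPLE_WITH_YEAR)):
        ev = parse_asa_syslog(sample, default_year=2017)
        print(ev["has_year"], ev["timestamp"], ev["host"], ev["msgid"])
    print(parse_733100(parse_asa_syslog(SAMPLE_WITH_YEAR)["text"]))
```

Feeding both `SAMPLE_WITH_YEAR` and `strip_year(SAMPLE_WITH_YEAR)` through the same parser yields identical host, message ID and body; only `has_year` differs. For the quoted 733100 line, the burst rate (3 of 10) is within its limit and it is the average rate (6 of 5) that tripped, which is worth knowing before tuning `threat-detection` rate thresholds.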


Cisco ASA running FTD unified image support in DSM?

Cisco ASA firewalls now have the Firepower Threat Defense (FTD) unified image software to run instead of the legacy ASA and Sourcefire code images.

The Cisco ASA running FTD image has an option in the policy rules to send connection events via syslog. These syslog messages are independent of the Firepower Management Center estreamer events.

I have successfully set up the Firepower Management Center eStreamer in QRadar and it is receiving events.

I have set up syslog pointing at QRadar for the Cisco ASA / FTD image firewall and QRadar receives the events, sourced from the firewall IP address (vs the FMC management IP address), and they show up as SIM Generic Log DSM-7 / Unknown Generic Log Events.

Is there support for the Cisco ASA running FTD image in any of the existing Cisco DSM or is it in development yet?

Cisco is recommending to only send security events (IPS/AMP/etc) to the FMC and any general connection events via syslog to a SIEM or other logging server.


ASA Remote VPN and event mapping

Hello

I have a problem with some specific event mappings for the Cisco ASA:
%ASA-4-722051: Group User IP Address assigned to session
%ASA-6-725001: Starting SSL handshake with client outside:x.x.x.x/51239 to x.x.x.x/443 for TLS session

They are not present in the DSM, so I cannot change properties specific to these events only. QRadar is seeing them as local to remote (the public IP) instead of the other way around, which can generate some false positives.

I could not find out how to properly add a new event mapping for these events.

Is there a solution for this?

Best Regards
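As an added example (not part of the post above and not QRadar DSM code), the following normalizes the two events named in the post, %ASA-4-722051 and %ASA-6-725001, into source/destination fields and assigns a direction from the ASA interface the peer arrived on rather than from who opened the TCP connection. The sample lines are constructed (documentation addresses, an invented user and group); real 722051 output wraps the values in angle brackets, and newer releases add "IPv4 Address" and "IPv6 address" fields, both of which the regex tolerates. `EXTERNAL_INTERFACES` encodes the assumption that the nameif "outside" is the untrusted side.

```python
"""Field extraction and direction assignment for the two ASA remote-access
VPN events named in the post, %ASA-4-722051 and %ASA-6-725001.

Added example, not from the post and not QRadar DSM code. SAMPLES are
constructed (RFC 5737 documentation addresses, invented user and group).
EXTERNAL_INTERFACES is the assumption that 'outside' faces the Internet."""
import re
from ipaddress import ip_address
from typing import Any, Dict

EXTERNAL_INTERFACES = {"outside"}  # assumption: nameif of the untrusted side

_MSG = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# 725001: Starting SSL handshake with client <ifc>:<peer>/<port> to <self>/<port> for TLS session
_SSL = re.compile(
    r"Starting SSL handshake with (?P<role>client|server) "
    r"(?P<ifc>[^:\s]+):(?P<peer>[^/\s]+)/(?P<peer_port>\d+) to "
    r"(?P<local>[^/\s]+)/(?P<local_port>\d+)"
)
# 722051: Group <g> User <u> IP <peer> [IPv4 ]Address <assigned> ... assigned to session
_ASSIGN = re.compile(
    r"Group <?(?P<group>[^>\s]+)>? User <?(?P<user>[^>\s]+)>? "
    r"IP <?(?P<peer>[^>\s]+)>? (?:IPv4 )?Address <?(?P<assigned>[^>\s]+)>?"
)

SAMPLES = [  # constructed, not captured from a device
    "%ASA-6-725001: Starting SSL handshake with client outside:203.0.113.10/51239 "
    "to 198.51.100.1/443 for TLS session",
    "%ASA-4-722051: Group <RA-VPN> User <jdoe> IP <203.0.113.10> "
    "Address <10.20.30.5> assigned to session",
]


def normalize(line: str) -> Dict[str, Any]:
    """Return a flat event with source/destination and a direction label
    (R2L = remote to local, L2L = local to local) derived from which ASA
    interface the peer arrived on, not from which side initiated TCP.
    Unknown message IDs come back with direction None."""
    m = _MSG.match(line.strip())
    if m is None:
        raise ValueError(f"not an ASA message: {line!r}")
    ev: Dict[str, Any] = {
        "msgid": m["msgid"], "severity": int(m["sev"]), "text": m["text"],
        "direction": None, "source_ip": None, "source_port": None,
        "destination_ip": None, "destination_port": None,
        "user": None, "group": None, "assigned_ip": None,
    }
    if m["msgid"] == "725001":
        s = _SSL.search(m["text"])
        if s:
            ev.update(
                source_ip=str(ip_address(s["peer"])), source_port=int(s["peer_port"]),
                destination_ip=str(ip_address(s["local"])), destination_port=int(s["local_port"]),
                direction="R2L" if s["ifc"] in EXTERNAL_INTERFACES else "L2L",
            )
    elif m["msgid"] == "722051":
        a = _ASSIGN.search(m["text"])
        if a:
            # A remote-access peer is by definition on the far side of the
            # firewall, so this event is remote to local whatever the interface.
            ev.update(
                user=a["user"], group=a["group"],
                source_ip=str(ip_address(a["peer"])),
                assigned_ip=str(ip_address(a["assigned"])),
                direction="R2L",
            )
    return ev


if __name__ == "__main__":
    for line in SAMPLES:
        e = normalize(line)
        print(e["msgid"], e["direction"], e["source_ip"], "->",
              e["destination_ip"] or e["assigned_ip"])
```

The design choice is to key direction on the interface name in the message (and, for 722051, on the fact that a remote-access peer is always external), because the ASA itself is the destination of these connections and a generic "first address is source, public address means remote" rule is exactly what produces the inverted local-to-remote mapping described in the post.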


Error backing up Cisco ASA firewall

We have Risk Manager 7.2.8. We are having issues backing up Cisco ASA firewalls. The error we are getting is as below:

rg.ziptie.server.job.AdapterException: ERROR: UNEXPECTED_RESPONSE encountered on the device 'IP ADDRESS'
[RESPONSE FROM THE DEVICE]
Error thrown while waiting for timeout of 900 seconds or regular expression 'ICL-HP-SHI-REG-ASA5525#s*$'.
Started waiting at: Wed Feb 8 18:47:43 2017 — Ended waiting at: Wed Feb 8 18:52:43 2017 — Command took 300 seconds
[INPUT]
show running-config
[ACTUAL RESPONSE]
show running-config
: Saved
:
: Serial Number: FCH1838JERV
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.1(6)10
!
hostname ()
domain-name ideaconnect.com
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd HSGXCRy0SM8.9aCr encrypted
names
!
interface GigabitEthernet0/0
description ****ITIN****
speed 1000
duplex full
nameif IT-IN
security-level 100
ip address standby
!
interface GigabitEthernet0/1
description description ****Connected to REGION Zone****

[DETAILED ERROR MESSAGE]
at /usr/share/ziptie-server/core/org.ziptie.adapters.common_2016.09_05-28064856/scripts/ZipTie/SSH.pm line 473

at org.ziptie.server.job.PerlErrorParserElf.parse(PerlErrorParserElf.java:88)
at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java:153)
at org.ziptie.server.dispatcher.Operation.execute(Operation.java:100)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java:684)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java:561)

We are using the Cisco security appliance adapter with the latest adapter bundle. We are already using privilege level 15 for the user.

Any inputs are most welcome.
