Cisco Adaptive Security Appliance Software Kerberos Authentication Bypass Vulnerability

A vulnerability in the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access.

The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received. An attacker could exploit this vulnerability by spoofing the KDC server response to the ASA device. This malicious response would not have been authenticated by the KDC. A successful attack could allow an attacker to bypass Kerberos authentication.
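To illustrate the class of check that is missing, here is an added Python model (not Cisco's code and not the ASA's implementation; the principals, passwords and key sizes are constructed). A login front end that only checks that the AS-REP verifies under the password-derived key accepts a reply from anyone who knows the password that was typed, which is exactly what a spoofed KDC has; a front end that also demands a ticket for its own service, verifiable with the key in its keytab, rejects the spoofed reply. Keytab-based KDC validation is the standard Kerberos countermeasure to KDC spoofing; the ASA-specific configuration is in the Details section of the advisory linked below.

```python
# Added model of the missing KDC identity check (not Cisco's or the ASA's code).
# "Encryption" is modelled as an HMAC tag: all that matters is which key was needed
# to produce a reply. All principals and passwords are made up.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def string_to_key(password, salt):
    # Simplified stand-in for the Kerberos string-to-key function (realm + principal salt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)

def seal(key, payload):
    return payload, hmac.new(key, payload, "sha256").digest()

def opens(key, sealed):
    payload, tag = sealed
    return hmac.compare_digest(tag, hmac.new(key, payload, "sha256").digest())

@dataclass
class Kdc:
    user_keys: dict      # principal -> long-term key held by the directory
    service_keys: dict   # service principal -> key also installed in that service's keytab
    def as_rep(self, user, nonce):            # reply to AS-REQ: sealed under the user's key
        return seal(self.user_keys[user], nonce + b"|tgt")
    def tgs_rep(self, user, service, nonce):  # reply to TGS-REQ: ticket sealed under the service key
        return seal(self.service_keys[service], nonce + b"|" + user.encode() + b"|" + service.encode())

def login_vulnerable(kdc, user, password, salt):
    """Accepts the user as soon as the AS-REP verifies under the password-derived key."""
    nonce = secrets.token_bytes(8)
    return opens(string_to_key(password, salt), kdc.as_rep(user, nonce))

def login_validate_kdc(kdc, user, password, salt, my_service, keytab_key):
    """Also requires a ticket for our own service that only a KDC holding our keytab key can issue."""
    nonce = secrets.token_bytes(8)
    if not opens(string_to_key(password, salt), kdc.as_rep(user, nonce)):
        return False
    ticket = kdc.tgs_rep(user, my_service, nonce)
    expected = nonce + b"|" + user.encode() + b"|" + my_service.encode()
    return opens(keytab_key, ticket) and ticket[0] == expected

def demo():
    salt = "EXAMPLE.COMalice"
    keytab_key = secrets.token_bytes(32)  # key the ASA-like front end holds for host/asa
    real_kdc = Kdc({"alice": string_to_key("correct horse", salt)}, {"host/asa": keytab_key})
    # A spoofed KDC knows only the password typed at the login prompt; it has no keytab key.
    fake_kdc = Kdc({"alice": string_to_key("letmein", salt)}, {"host/asa": secrets.token_bytes(32)})
    return (login_vulnerable(real_kdc, "alice", "correct horse", salt),
            login_validate_kdc(real_kdc, "alice", "correct horse", salt, "host/asa", keytab_key),
            login_vulnerable(fake_kdc, "alice", "letmein", salt),        # accepted: the bypass
            login_validate_kdc(fake_kdc, "alice", "letmein", salt, "host/asa", keytab_key))
```

`demo()` returns `(True, True, True, False)`: the third value is the bypass, the fourth is the same spoofed reply rejected once the keytab-backed ticket check is in place.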

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Note: Configuration changes after the software upgrade are necessary to address this vulnerability. See the Details section of this advisory for additional information.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS

This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 12 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2020-3125


Error “Invalid Login” on launch of FAS enabled Linux VDA Desktop.

You need to have a Kerberos Authentication certificate on all of the domain controllers. To enroll for a new certificate, follow the steps below.

1. On the domain controller, open mmc.

2. Click File, then click Add/Remove Snap-in.

3. Select Certificates, click Add, then select Computer account.

4. Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.

5. Click Next.

6. Select Kerberos Authentication and click Enroll.

Note: If Kerberos Authentication is not offered for auto-enrollment in the domain controller's certificate MMC, go to the Certificate Authority server, add the domain controller to the Security settings of the Domain Controller Authentication template, and grant it Autoenroll permissions.

Also, make sure you have configured krb5.conf on the VDA with the correct Root CA and Subordinate CA certificate information.

Refer to the 'Incorrect root CA certificate configuration' section at the link below:

https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/configuration/federated-authentication-service.html/


Proxy AD integration

I need a solution

In IWA direct AD integration for Kerberos deployment, the following is suggested:

  1. Create a DNS "A" record for the ProxySG that resolves to the DNS name of the appliance's Active Directory computer account name. For example, if you have an appliance named ProxySG1 with an IP address of 1.2.3.4 in the blue9 Active Directory domain at acme.com, you can create the following DNS record:

    ProxySG1.blue9.acme.com     Host (A)     1.2.3.4

  2. Ensure that client requests are directed to the DNS name for the ProxySG appliance’s Active Directory computer account:
    • Explicit deployments—Configure the client browser explicit proxy settings to point to this DNS name.

We have two proxy boxes in an active-active setup (explicit mode) with a DNS entry created to resolve to two VIPs present on both boxes, and load balancing is happening with the help of DNS:

Name:      abc.x.y.net
Addresses: x.x.x.1
           x.x.x.2

Both the VIPs are configured on two proxy boxes.

x.x.x.1 Master on first  box and priority 100 on second

x.x.x.2 Master on second box and priority 100 on first

Client browsers are already pointed to abc.x.y.net.

As I understand it, the requirement to create a DNS record for Kerberos is already met and nothing more is required. Please confirm. Also, will this setup not fall under the Kerberos load balancing scenario, or will it? If yes, then what should be the steps to achieve Kerberos deployment with this setup?


Active Directory Login is Unavailable After Upgrade to Data Loss Prevention 15.5 MP1

I do not need a solution (just sharing information)

It looks like a regression bug, like the one going from 15.0 to 15.0 MP1, when it replaced the Kerberos Authentication "springSecurityContext.xml" with the default forms-based template (REF https://support.symantec.com/en_US/article.TECH248556.embed.html).

If you have not started this update, then make sure you back up the following folder in addition to the best-practice EnforceReinstallationResources.zip etc.: Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\webapps\ProtectManager\WEB-INF

However, if you did not back up this file previously (since the MP patches no longer do their own auto-archive of the directory structure), you will need to perform the following to be able to log in with AD-authenticated accounts again:

  1. Go into the following folder: Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\webapps\ProtectManager\security\template
  2. Grab and edit springSecurityContext-Kerberos.xml
  3. Replace `<property name="krbConfLocation" value="C:\SymantecDLP\Protect\config\krb5.ini"/>` with the current location of your krb5.ini file (presumably Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\config\krb5.ini)
  4. Rename springSecurityContext-Kerberos.xml to springSecurityContext.xml
  5. Copy and overwrite the file in the following folder: Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\webapps\ProtectManager\WEB-INF
  6. Restart SymantecDLPManagerService

authenticate.credentials.address substitution failed

I need a solution

Hi,

In our ProxySG logfiles, we see a lot of messages like the following:

ProxySG: 250017 authenticate.credentials.address substitution failed: defaulting to transaction IP address(0) NORMAL_EVENT authutility.cpp 113

Searching the Web and different forums hasn't shown any results. Does anyone experience the same? Our ProxySG today is configured to authenticate users via BCAAA with Kerberos. The auth is configured as "Proxy IP".

Authentication is working fine; it is just that this log entry is filling up disk space. It would be good to know the reason for this entry and potentially get rid of it.

Many thanks for your input.

/R
Yves


How does ProxySG get the DN for an IWA user?

I need a solution

ProxySG is joined to a Windows domain with forest trusts to user domains. An IWA-direct realm is configured for split authorisation against an LDAP realm.

When a user from a trusted domain authenticates to an explicit proxy service, how does the proxy establish the user's Distinguished Name to perform the LDAP search, for both Kerberos and NTLM clients?

The user's DN is not in the NTLM negotiation; does the proxy need network access to the trusted domains to determine this, or does it receive it from the DC (e.g. over s_channel)?

Thanks

Matt


Dell EMC Unity CIFS server is inaccessible due to error “No Response from KDC” (Dell EMC Correctable)

Article Number: 524955 Article Version: 2 Article Type: Break Fix



VNX1 Series,VNX2 Series,Dell EMC Unity Family

  • The CIFS server on Unity is not accessible.

    The Unity log /EMC/C4Core/log/c4_safe_ktrace.log shows the errors below:

2018/08/20-15:48:29.177142 10 7FF16C907703 sade:KERBEROS: 4:[VDM] WARNING: no response from KDC xx.xx.xx.xx

2018/08/20-15:48:29.532994 5540 7FF16C96D705 sade:SMB: 4:[VDM] Unsupported authentication mode: authMethod:4, kerberosSupport:1, negoMethod:0

2018/08/20-15:48:29.533033 40 7FF16C96D705 sade:SMB: 3:[VDM] OpenAndBind[NETLOGON] DC=xxx failed: Bind_OpenXFailed NO_SUCH_PACKAGE

2018/08/20-15:48:29.533042 10 7FF16C96D705 sade:SMB: 3:[VDM] Can’t open NETLOGON file for DC=xxx

2018/08/20-15:48:29.760148 6 7FF16C96D703 sade:KERBEROS: 3:[VDM] krb5_sendto_kdc: udp RecvFromStream from addr xx.xx.xx.xx failed 91

  • The Unity EMCSystemLogFile.log shows the error:

“2018-08-20T15:50:53.588Z” “xxx_spa” “Kittyhawk_safe” “356” “unix/spa/root” “WARN” “13:10380008” :: “For the NAS server xxx in the domain xxx, the DC xxxhas the following error: compname xxx DC=xxx Step=’Logon IPC$’ get Kerberos credential failed, gssError=Miscellaneous failure. Cannot contact any KDC for requested realm. . compname xxx DC=xxx Step=’Open NETLOGON Secure Channel’ ‘ ‘ ‘DC cannot open NETLOGON pipe: status=DOMAIN_CONTROLLER_NOT_FOUND ‘. ” :: Category=Audit Component=DART_SMB

For some reason (firewall or MTU settings), the Kerberos ticket from the Domain Controller cannot be delivered to the Data Mover/SP interface via UDP. In the network trace there is only a TGS-REQ but no TGS-REP.

Force the Unity NAS server, which is located on an SP (service processor), to use TCP instead of UDP for the Kerberos TGS-REQ.

For Unity:

/nas/bin/server_param ALL -f security -m kerbTcpProtocol -v 1

For VNX:

server_param server_x -f security -m kerbTcpProtocol -v 1

This change takes effect immediately; no reboot is required.

If the issue is on a VNX filer, the server_log shows the errors below:

2018-08-14 12:16:04: SMB: 6:[xxx] DC0x034134c008: setDCDown DC, refresh if needed (origin=ntStatus_DisconnectDC_onClose)

2018-08-14 12:16:05: KERBEROS: 4:[xxx] WARNING: no response from KDC xx.xx.xx.xx

2018-08-14 12:16:05: SMB: 3:[xxx] Thrd=2SMB334 KC_buildKrbCred Cannot create context for ‘CIFS/xxxx@xxxx.xxx’ failed, error=’Miscellaneous failure. Cannot contact any KDC for requested realm. ‘ (0xd0000,-1765328228)

2018-08-14 12:16:05: SMB: 3:[xxx] DC_GetBlob Srv=xxx Svc=CIFS@xxsx.xxx ‘Miscellaneous failure. Cannot contact any KDC for requested realm. ‘

2018-08-14 12:16:05: SMB: 3:[xxx] Open&Bind(lsarpc): No reply from DC=xxx DCStatus=27/ACCESS_DENIED Ems=Bind_CreateXFailed


Kerberos via IWA Direct

I need a solution

Hi together,

we use 2 ProxySG VAs in a DMZ environment where explicit DNS servers (only for DMZ servers) are used.
After a domain join, the DNS server replied with the Kerberos SRV entries from the LAN environment.
The domain names of the DMZ and the LAN are the same.
Is it possible to join a domain with a specific RODC name?

DNS answers give us only the addresses of the DOC system.

Regards

Thorsten
