SAML Authentication System Vulnerability Affects Cisco Firepower, AnyConnect, and ASA Products
Recently, Cisco released a set of security patches to resolve the CVE-2018-0229 vulnerability in Security Assertion Markup Language (SAML). The vulnerability could allow an unauthenticated remote attacker to establish a verified AnyConnect session with an affected device running ASA or FTD software.
The CVE-2018-0229 vulnerability affects the following Cisco solutions:
- Single sign-on authentication for the AnyConnect desktop and mobile clients
- Adaptive Security Appliance (ASA) software
- Firepower Threat Defense (FTD) software
Cisco stated that the flaw exists because the ASA or FTD software does not implement any mechanism to detect whether the authentication request comes directly from the AnyConnect client. An attacker could therefore exploit CVE-2018-0229 with a specially crafted link that, once clicked, is authenticated through the company's identity provider (IdP). In this scenario, the attacker could hijack a valid authentication token and use it to establish an AnyConnect session with an affected device running ASA or FTD software.
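As an added illustration (not Cisco's code and not its actual fix), the Python sketch below shows the general service-provider check the advisory describes as missing: the SP records each AuthnRequest ID it issues for a specific client session and honours a Response only when its InResponseTo matches an outstanding, unexpired request from that same session, so a token obtained through a flow the SP did not start for that client is rejected. The class names, the toy unsigned XML, and the session labels are constructed assumptions.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def make_response(request_id, name_id):
    """Constructed, unsigned sample IdP Response, for illustration only."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{secrets.token_hex(8)}" InResponseTo="{request_id}">'
        f"<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID>"
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )

def extract_name_id(response_xml):
    """Pull the asserted NameID out of a Response (no binding check)."""
    node = ET.fromstring(response_xml).find(f".//{{{SAML}}}NameID")
    return node.text if node is not None else None

def accept_unbound(response_xml):
    """Weak SP: any well-formed Response yields a session, whoever started the flow."""
    return extract_name_id(response_xml)

class BoundServiceProvider:
    """Hardened SP: a Response is honoured only for the client session whose own
    AuthnRequest it answers, once, and within a time limit. (Signature, Issuer,
    Audience and Conditions checks are omitted here but mandatory in a real SP.)"""

    def __init__(self, ttl_seconds=300):
        self.pending = {}  # request ID -> (client session, issue time)
        self.ttl = ttl_seconds

    def build_authn_request(self, client_session):
        request_id = "_" + secrets.token_hex(16)  # unguessable per-request ID
        self.pending[request_id] = (client_session, time.time())
        return request_id

    def consume_response(self, client_session, response_xml):
        in_response_to = ET.fromstring(response_xml).get("InResponseTo")
        entry = self.pending.pop(in_response_to, None)  # single use: no replay
        if entry is None:
            return None  # this SP never issued the request, or it was already used
        bound_session, issued_at = entry
        if bound_session != client_session or time.time() - issued_at > self.ttl:
            return None  # answers a different client's request, or is stale
        return extract_name_id(response_xml)
```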
The CVE-2018-0229 vulnerability affects the Cisco AnyConnect Secure Mobility Client, and ASA Software and FTD Software configured for SAML 2.0-based SSO for AnyConnect remote access VPN, when running on the following Cisco products:
- 3000 Series Industrial Security Appliances (ISA)
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewall
- ASA Service Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliances
- Firepower 4100 Series Security Appliances
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)
Cisco currently confirms that only ASA Software 9.7.1 and later, FTD Software 6.2.1 and later, and AnyConnect 4.4.00243 and later are vulnerable.
Source: SecurityAffairs