Patch now: Cisco warns its firewall appliance is under attack

Cisco has warned customers that hackers are attacking un-patched versions of software that run its Adaptive Security Appliance (ASA) firewall.

Organisations using Cisco’s ASA firewall software are being urged to review a security update that the company released in October last year to address vulnerabilities in its ASA Clientless SSL VPN that exposed enterprises to remote attacks or could have allowed their infrastructure to serve up malware to others.

Cisco’s Product Security Incident Response Team (PSIRT) said on Wednesday that it is “aware of public exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability identified [as] CVE-2014-3393”.

“All customers that have customizations applied to their Clientless SSL VPN portal and regardless of the Cisco ASA Software release in use should review the security advisory and this blog post for additional remediation actions,” PSIRT incident manager Stefano De Crescenzo warned.

The vulnerability in the portal’s customization framework could allow an unauthenticated, remote attacker to modify its content, allowing the attacker to serve up cross-site scripting attacks, steal credentials or serve up malware, De Crescenzo said.

“Once the portal is compromised, changes are persistent. Reloading the device or changing the Cisco ASA Software does not delete the customization objects,” he added.

Network security specialist Alec Stuart-Muirk demonstrated an attack on Cisco’s WebVPN Portal last October at the Ruxcon security conference, which exploited the fact that Cisco’s Adaptive Security Device Manager retained old code in new versions of the software and ran all customisations through a public facing web browser.

The update that followed Stuart-Muirk’s presentation addressed 13 vulnerabilities in ASA, including two for its Clienteless SSL VPN — one which could trigger information leaks or a denial of service and a second, demonstrated by Stuart-Muirk, that could expose the software to numerous attacks.

It’s the latter of the two issues that’s been under attack since at least February 11, according to Cisco.

The warning from Cisco’s PSIRT comes after an exploit script was made available in the Metasploit penetration testing database and on other internet web sites.

Systems that are affected will have Clientless SSL VPN portal functionality enabled and a “default customization object or a newly created customization object for Clientless SSL VPN portal has been previewed in ASDM”.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Upcoming IT Security Events

March 3rd, March 5th, March 9th 2015

Join CSO for the day@#csoperspectives and hear from @kimzetter @LeviathanSec

3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today

Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)