CVE-2019-1714: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software VPN SAML Authentication Bypass Vulnerability
A vulnerability in the implementation of Security Assertion Markup Language (SAML) 2.0 Single Sign-On (SSO) for Clientless SSL VPN (WebVPN) and AnyConnect Remote Access VPN in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to successfully establish a VPN session to an affected device. The vulnerability is due to improper credential management when using NT LAN Manager (NTLM) or basic authentication. An attacker could exploit this vulnerability by opening a VPN session to an affected device after another VPN user has successfully authenticated to the affected device via SAML SSO. A successful exploit could allow the attacker to connect to secured networks behind the affected device.
This vulnerability affects the following Cisco products that are running Cisco ASA Software Release 9.7.1 or later or Cisco FTD Software Release 6.2.1 or later configured for SAML 2.0-based SSO for Clientless SSL VPN (WebVPN) or AnyConnect Remote Access VPN:
- 3000 Series Industrial Security Appliances (ISAs)
- Adaptive Security Appliance (ASA) 5500-X Series Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series
- Firepower 4100 Series
- Firepower 9300 Security Appliances
- Firepower Threat Defense Virtual
For information about which Cisco ASA Software and FTD Software releases are vulnerable, see the Fixed Software section of this advisory.
ASA and FTD Features
Cisco ASA Software and FTD Software are vulnerable only if all of the following features are configured:
- SAML 2.0 Identity Provider (IdP)
- SAML 2.0 Service Provider (SP)
- AnyConnect Remote Access VPN or Clientless SSL VPN (WebVPN)
Note: SAML 2.0 for AnyConnect features are first supported as of ASA Release 9.7.1, FTD Release 6.2.1, and AnyConnect Secure Mobility Client Release 4.4.00243.
To determine whether ASA or FTD is configured with a SAML 2.0 IdP, administrators can use the show webvpn saml idp CLI command. The following output shows an ASA configured with a SAML 2.0 IdP:
ciscoasa# show webvpn saml idp
saml idp my_domain_idp
 url sign-in https://asa-dev.my.domain.com/idp/endpoint/HttpRedirect
 url sign-out https://asa-dev.my.domain.com/idp/endpoint/HttpRedirect
 trustpoint idp my_domain_trustpoint
 trustpoint sp asa_trustpoint
To determine whether ASA or FTD is configured with SAML 2.0 SP, administrators can use the show running-config tunnel-group | include remote-access|webvpn-attributes|saml CLI command. The following output shows an ASA configured with SAML 2.0 SP:
ciscoasa# show running-config tunnel-group | include remote-access|webvpn-attributes|saml
tunnel-group cloud_idp_onelogin type remote-access
tunnel-group cloud_idp_onelogin webvpn-attributes
authentication saml
saml identity-provider my_domain_idp
To determine whether ASA or FTD is configured for AnyConnect Remote Access VPN or Clientless SSL VPN (WebVPN), administrators can use the show running-config CLI command and consult the following table for vulnerable configurations:
Determining the Cisco ASA Software Release
To determine which Cisco ASA Software release is running on a device, administrators can log in to the device, use the show version | include Version command in the CLI, and refer to the output of the command. The following example shows the output of the command for a device that is running Cisco ASA Software Release 9.9.2.18:
ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.9.2.18
Device Manager Version 7.4(1)
. . .
If a device is managed by using Cisco Adaptive Security Device Manager (ASDM), administrators can also determine which release is running on a device by referring to the release information in the table that appears in the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM Home pane.
Determining the Cisco FTD Software Release
To determine which Cisco FTD Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and refer to the output of the command. The following example shows the output of the command for a device that is running Cisco FTD Software Release 6.2.0:
> show version
---------------------[ ftd ]---------------------
Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
Rules update version : 2017-03-15-001-vrt
VDB version : 279
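The configuration and release checks described above (the SAML IdP, SAML SP tunnel-group, and show version steps) can be automated over saved CLI output. The following script is an added example, not part of the Cisco advisory or of any Cisco tooling; the sample outputs are constructed to mirror the advisory's examples, and the version comparison only tests the "first affected release" lower bound, since the fixed releases are not given on this page.

```python
import re
# Constructed sample outputs, modelled on the advisory's own CLI examples.
SAML_IDP_OUTPUT = """\
saml idp my_domain_idp
 url sign-in https://asa-dev.my.domain.com/idp/endpoint/HttpRedirect
 url sign-out https://asa-dev.my.domain.com/idp/endpoint/HttpRedirect
 trustpoint idp my_domain_trustpoint
 trustpoint sp asa_trustpoint
"""
TUNNEL_GROUP_OUTPUT = """\
tunnel-group cloud_idp_onelogin type remote-access
tunnel-group cloud_idp_onelogin webvpn-attributes
 authentication saml
 saml identity-provider my_domain_idp
tunnel-group branch_l2l type ipsec-l2l
"""
ASA_VERSION_OUTPUT = "Cisco Adaptive Security Appliance Software Version 9.9.2.18"
FTD_VERSION_OUTPUT = "Version 6.2.0 (Build 362)"
FIRST_AFFECTED = {"asa": (9, 7, 1), "ftd": (6, 2, 1)}  # first SAML-capable releases

def parse_version(text):
    # Dotted release in 'show version' output, as an int tuple for comparison.
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def in_affected_range(text, platform):
    # At or after the first affected release; fixed releases are not on this page.
    v = parse_version(text)
    return v is not None and v >= FIRST_AFFECTED[platform]

def configured_idps(idp_output):
    # IdP names declared by 'saml idp <name>' in 'show webvpn saml idp'.
    return set(re.findall(r"^saml idp (\S+)", idp_output, re.M))

def saml_remote_access_groups(tg_output, idp_output):
    # Remote-access tunnel-groups using SAML auth with a configured IdP (the vulnerable combination).
    idps = configured_idps(idp_output)
    remote_access, saml_auth, idp_ref, current = set(), set(), {}, None
    for line in tg_output.splitlines():
        m = re.match(r"tunnel-group (\S+) (type|webvpn-attributes)\s*(\S*)", line)
        if m:
            name, kind, value = m.groups()
            current = name if kind == "webvpn-attributes" else None
            if kind == "type" and value == "remote-access":
                remote_access.add(name)
        elif current and line.strip() == "authentication saml":
            saml_auth.add(current)
        elif current and line.strip().startswith("saml identity-provider "):
            idp_ref[current] = line.split()[-1]
    return sorted(g for g in remote_access & saml_auth if idp_ref.get(g) in idps)
```

Note that the advisory's FTD example (6.2.0) falls below the 6.2.1 threshold at which SAML for AnyConnect is first supported, so the release check alone already rules it out of scope.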
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco ASA Software or FTD Software running on the following platforms:
- ASA 1000V Cloud Firewall
- ASA 5505 Adaptive Security Appliance [1]
[1] ASA 5500 Series Adaptive Security Appliances other than the ASA 5505 have reached the end-of-support milestone and are no longer evaluated for security vulnerabilities.