This article is more than 1 year old
Hackers now popping Cisco VPN portals
Customise tool makes screwy GUIs
Crackers are popping customised Cisco virtual private networks, stealing credentials and spraying malware using a flaw reported by Aussie hacker Alec Stuart-Muirk, the company warns.
Organisations running the Cisco Clientless SSL VPN portal in customised configurations risk attack if they do not update to versions released 8 October.
It's not users' fault their custom rigs are in trouble: Cisco says the flaw (CVE-2014-3393) appeared thanks to improper implementation of authentication checks in the customisation framework. Here's the detail:
"[The hole] could allow an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal, which could lead to several attacks including the stealing of credentials, cross-site scripting (XSS), and other types of web attacks on the client using the affected system.
"When Cisco ASDM (Adaptive Security Device Manager) is used to modify or create a customisation object, a preview button is available for the Cisco ASA administrator that is used to visualise the modifications. When preview is used Cisco ASA will create a unique identifier that is used as session cookie and a folder on the system to include the content of the customisation.
"Due to a flaw in the way permission are checked, it is possible to remotely modify any object included on the RAMFS cache file system including the Clientless SSL VPN customisation objects."
Cisco says unauthenticated attackers could pull of a host of attacks including modifying Clientless SSL VPN portal content, injecting malware, stealing credentials and launch cross-site scripting. The company says reloading or changing the Cisco ASA software will not remove the attacker's handiwork.
Stuart-Muirk detailed (pdf, slides) the then patched vulnerability at the Ruxcon hacker confab in Melbourne last year.
Exploit script has been since added to Metasploit.
Compromised kit can be detected thanks to the presence of embedded objects, scripts, and iframes, Cisco says.
"Customers that have found a compromised customization object should follow their incident response process," Cisco says. ®