Cisco has announced a suite of patches against a bug in its Security Assertion Markup Language (SAML) implementation.
As is so often the case when the flaw sits in a shared implementation, the bug is inherited by multiple products. In the case of CVE-2018-0229, the affected systems are:
- Single sign-on authentication for the AnyConnect desktop mobility client;
- Adaptive Security Appliance (ASA) software; and
- Firepower Threat Defense (FTD) software.
Cisco's advisory said the bug provided a vector for an attacker to access ASA or FTD software, if they tricked someone into connecting to the security appliances.
As the advisory explained: “The vulnerability exists because there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly.
“An attacker could exploit this vulnerability by persuading a user to click a crafted link and authenticating using the company's Identity Provider (IdP).”
With a successful phishing attack, an attacker could hijack a user's authentication token and then set up an AnyConnect session to an enterprise's network via ASA or FTD software.
ASA and FTD software is vulnerable if it's configured to offer SAML 2.0-based single sign-on via an AnyConnect VPN, and the session is terminated on one of the following platforms:
- 3000 Series industrial security appliances;
- ASA 5500 and 5500-X appliances;
- the ASA module in Catalyst 6500 switches or 7600 routers;
- the virtualised ASA (ASAv);
- Firepower 2100 or 4100 appliances;
- the Firepower 9300 ASA module; or
- the virtual FTD software (FTDv).
The vulnerability was introduced in ASA software version 9.7.1; in FTD software 6.2.1; and in AnyConnect 4.4.00243.