A privilege escalation vulnerability tracked as CVE-2018-15465 affects the Cisco Adaptive Security Appliance (ASA) software. The flaw could be exploited by an unauthenticated, remote attacker to perform privileged operations using the web management interface.
An attacker could trigger the flaw exploit by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user.
The flaw was discovered by experts at Tenable that explained that an authenticated remote unprivileged user can change or download the running configuration or replace the appliance firmware where they shouldn’t.
“A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface.” reads the security advisory published by Cisco.
“The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. An exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device.”
According to Tenable, an attacker could overwrite the firmware with an older version that is known to be affected by vulnerabilities that could be exploited to carry out
“When command authorization is not enabled, an authenticated remote unprivileged (level 0 or 1)
Cisco released software updates to address the flaw, according to its advisory there are workarounds that address this vulnerability.
To mitigate the flaw it is possible to enable command authorization.
“Enabling command authorization significantly changes the way that the Cisco ASA interprets privilege levels and authorizes actions. Before enabling the feature, administrators must clearly define which actions are allowed per privilege level using the privilege command in global configuration mode.” continues the Cisco Advisory.
“Administrators should not enable command authorization using the aaa authorization
Administrators who use the Adaptive Security Device Manager (ASDM) to manage the ASA should enable command authorization by using the ASDM.
The flaw impacts an ASA Software running on any Cisco product that has web management access enabled.
The tech giant confirmed that Cisco Firepower Threat Defense (FTD) Software is not affected by this flaw.
Cisco urges customers to migrate to a supported release (220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, or 188.8.131.52).
“For the fix to be effective, customers who have web management access enabled must ensure that the AAA configuration is accurate and complete. In particular, the aaa authentication
(SecurityAffairs –Cisco ASA, hacking)