Cisco firewall bugs leave networks vulnerable to attacks

Cisco patched a dozen high-severity bugs in its Adaptive Security Appliance (ASA) and Firepower 1000 Series firewall appliances and Cisco Firepower Threat Defense (FTD) software used to protect corporate networks and data centers.

While Cisco says it isn’t aware of any malicious use of any of the 12 vulnerabilities, the bugs are notable because of the sheer number of companies that use Cisco firewalls. The Cisco ASA alone has more than 1 million deployments globally, according to Positive Technologies, whose threat researchers reported two of the vulnerabilities to Cisco.

The two security flaws that Positive Technologies found and helped remediate are in Cisco ASA firewalls. The threat researchers say exploitation of these vulnerabilities may block virtual private network (VPN) connections and allow attackers to penetrate corporate networks. They found more than 220,000 internet-accessible devices that are vulnerable, and say an attack against them takes only seconds.

VPN Blocking

Positive Technologies says one of the vulnerabilities it found (CVE-2020-3187) can be exploited even by a low-skilled attacker. By exploiting the vulnerability in WebVPN, an unauthenticated external attacker can perform denial-of-service attacks on Cisco ASA devices by deleting files from the system. This may disable VPN connections on the Cisco ASA, and it also allows attackers to read files related to the VPN web interface.

“VPN blocking may disrupt numerous business processes,” explained Positive Technologies threat researcher Mikhail Klyuchnikov. “For example, this can affect connection between branch offices in a distributed network, disrupt email, ERP, and other critical systems. Another problem is that internal resources may become unavailable to remote workers. This is especially dangerous now that many employees are working remotely due to the coronavirus outbreak.”

The second Cisco ASA bug (CVE-2020-3259) that Positive Technologies discovered allows attackers to read sections of the device's dynamic memory and obtain the current session IDs of users connected to a Cisco VPN. Using a Cisco VPN client, attackers can enter a stolen session ID and penetrate the company's internal network.

Additionally, Cisco ASA memory may store other confidential information that can be used in future attacks, such as user names, email addresses, and certificates. This vulnerability can also be exploited remotely and does not require authorization.

Kerberos Exploit

Silverfort researchers discovered a third high-severity vulnerability (CVE-2020-3125). This bug lies in the Kerberos authentication feature of the ASA software. It could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access.

Kerberos is the most common authentication protocol for on-premise authentication, and Cisco uses this protocol in many ASA interfaces including VPN, opening firewall sessions, and administrative access. “Therefore, bypassing Kerberos authentication allows an attacker to take over the Cisco appliance, bypass its security, and gain access to other networks,” according to a Silverfort blog.

The other nine flaws were all discovered internally by Cisco. They affect Cisco ASA and Firepower 1000 Series firewall appliances as well as Cisco Firepower Threat Defense (FTD) software. These bugs could allow attackers to wreak havoc on corporate networks and systems, including launching denial-of-service attacks, causing memory leaks, crashing devices, retrieving memory contents, stealing confidential information, and deleting access to sensitive files.

―SDX Central
