cnvd - cnvd-2018-08434

cnvd-2018-08434

Vulnerability from cnvd

Title: Cisco多个产品会话固定漏洞

Description:

Cisco 3000 Series Industrial Security Appliances（ISA）等都是美国思科（Cisco）公司的不同系列的安全防火墙设备。AnyConnect Secure Mobility Client、Adaptive Security Appliance（ASA）Software和Firepower Threat Defense（FTD）Software都是使用在其中的软件。AnyConnect Secure Mobility Client是一款用于管理防火墙的桌面应用程序。Adaptive Security Appliance（ASA）Software和Firepower Threat Defense（FTD）Software都是运行在设备中的防火墙系统。

多款Cisco产品中的AnyConnect Secure Mobility Client（桌面平台）、ASA Software和FTD Software的Security Assertion Markup Language(SAML)Single Sign-On(SSO)身份验证的实现存在会话固定漏洞，该漏洞源于ASA或FTD软件未能实现任何机制来检测认证请求是否直接来自AnyConnect客户端。远程攻击者可通过诱使用户打开特制的链接并使用该公司的身份提供商（IdP）利用该漏洞劫持有效的身份验证令牌并创建已认证的AnyConnect会话。

Severity: 高

Patch Name: Cisco多个产品会话固定漏洞的补丁

Patch Description:

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect

Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect https://www.securityfocus.com/bid/103939

Impacted products

Name
['Cisco ASA 5500-X Series Next-Generation Firewalls', 'Cisco Adaptive Security Virtual Appliance (ASAv)', 'Cisco Firepower 9300 ASA Security Module', 'Cisco ASA Services Module for Cisco 7600 Series Routers', 'Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches', 'Cisco ASA 5500 Series Adaptive Security Appliances', 'Cisco Firepower 4100 Series Security Appliances', 'Cisco Firepower 2100 Series Security Appliance', 'Cisco 3000 Series Industrial Security Appliances (ISA)', 'Cisco FTD Virtual (FTDv)']

Name

['Cisco ASA 5500-X Series Next-Generation Firewalls', 'Cisco Adaptive Security Virtual Appliance (ASAv)', 'Cisco Firepower 9300 ASA Security Module', 'Cisco ASA Services Module for Cisco 7600 Series Routers', 'Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches', 'Cisco ASA 5500 Series Adaptive Security Appliances', 'Cisco Firepower 4100 Series Security Appliances', 'Cisco Firepower 2100 Series Security Appliance', 'Cisco 3000 Series Industrial Security Appliances (ISA)', 'Cisco FTD Virtual (FTDv)']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "103939"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-0229"
    }
  },
  "description": "Cisco 3000 Series Industrial Security Appliances\uff08ISA\uff09\u7b49\u90fd\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e0d\u540c\u7cfb\u5217\u7684\u5b89\u5168\u9632\u706b\u5899\u8bbe\u5907\u3002AnyConnect Secure Mobility Client\u3001Adaptive Security Appliance\uff08ASA\uff09Software\u548cFirepower Threat Defense\uff08FTD\uff09Software\u90fd\u662f\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u8f6f\u4ef6\u3002AnyConnect Secure Mobility Client\u662f\u4e00\u6b3e\u7528\u4e8e\u7ba1\u7406\u9632\u706b\u5899\u7684\u684c\u9762\u5e94\u7528\u7a0b\u5e8f\u3002Adaptive Security Appliance\uff08ASA\uff09Software\u548cFirepower Threat Defense\uff08FTD\uff09Software\u90fd\u662f\u8fd0\u884c\u5728\u8bbe\u5907\u4e2d\u7684\u9632\u706b\u5899\u7cfb\u7edf\u3002\r\n\r\n\u591a\u6b3eCisco\u4ea7\u54c1\u4e2d\u7684AnyConnect Secure Mobility Client\uff08\u684c\u9762\u5e73\u53f0\uff09\u3001ASA Software\u548cFTD Software\u7684Security Assertion Markup Language(SAML)Single Sign-On(SSO)\u8eab\u4efd\u9a8c\u8bc1\u7684\u5b9e\u73b0\u5b58\u5728\u4f1a\u8bdd\u56fa\u5b9a\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eASA\u6216FTD\u8f6f\u4ef6\u672a\u80fd\u5b9e\u73b0\u4efb\u4f55\u673a\u5236\u6765\u68c0\u6d4b\u8ba4\u8bc1\u8bf7\u6c42\u662f\u5426\u76f4\u63a5\u6765\u81eaAnyConnect\u5ba2\u6237\u7aef\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u6253\u5f00\u7279\u5236\u7684\u94fe\u63a5\u5e76\u4f7f\u7528\u8be5\u516c\u53f8\u7684\u8eab\u4efd\u63d0\u4f9b\u5546\uff08IdP\uff09\u5229\u7528\u8be5\u6f0f\u6d1e\u52ab\u6301\u6709\u6548\u7684\u8eab\u4efd\u9a8c\u8bc1\u4ee4\u724c\u5e76\u521b\u5efa\u5df2\u8ba4\u8bc1\u7684AnyConnect\u4f1a\u8bdd\u3002",
  "discovererName": "Cisco",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-08434",
  "openTime": "2018-04-26",
  "patchDescription": "Cisco 3000 Series Industrial Security Appliances\uff08ISA\uff09\u7b49\u90fd\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e0d\u540c\u7cfb\u5217\u7684\u5b89\u5168\u9632\u706b\u5899\u8bbe\u5907\u3002AnyConnect Secure Mobility Client\u3001Adaptive Security Appliance\uff08ASA\uff09Software\u548cFirepower Threat Defense\uff08FTD\uff09Software\u90fd\u662f\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u8f6f\u4ef6\u3002AnyConnect Secure Mobility Client\u662f\u4e00\u6b3e\u7528\u4e8e\u7ba1\u7406\u9632\u706b\u5899\u7684\u684c\u9762\u5e94\u7528\u7a0b\u5e8f\u3002Adaptive Security Appliance\uff08ASA\uff09Software\u548cFirepower Threat Defense\uff08FTD\uff09Software\u90fd\u662f\u8fd0\u884c\u5728\u8bbe\u5907\u4e2d\u7684\u9632\u706b\u5899\u7cfb\u7edf\u3002\r\n\r\n\u591a\u6b3eCisco\u4ea7\u54c1\u4e2d\u7684AnyConnect Secure Mobility Client\uff08\u684c\u9762\u5e73\u53f0\uff09\u3001ASA Software\u548cFTD Software\u7684Security Assertion Markup Language(SAML)Single Sign-On(SSO)\u8eab\u4efd\u9a8c\u8bc1\u7684\u5b9e\u73b0\u5b58\u5728\u4f1a\u8bdd\u56fa\u5b9a\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eASA\u6216FTD\u8f6f\u4ef6\u672a\u80fd\u5b9e\u73b0\u4efb\u4f55\u673a\u5236\u6765\u68c0\u6d4b\u8ba4\u8bc1\u8bf7\u6c42\u662f\u5426\u76f4\u63a5\u6765\u81eaAnyConnect\u5ba2\u6237\u7aef\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u6253\u5f00\u7279\u5236\u7684\u94fe\u63a5\u5e76\u4f7f\u7528\u8be5\u516c\u53f8\u7684\u8eab\u4efd\u63d0\u4f9b\u5546\uff08IdP\uff09\u5229\u7528\u8be5\u6f0f\u6d1e\u52ab\u6301\u6709\u6548\u7684\u8eab\u4efd\u9a8c\u8bc1\u4ee4\u724c\u5e76\u521b\u5efa\u5df2\u8ba4\u8bc1\u7684AnyConnect\u4f1a\u8bdd\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco\u591a\u4e2a\u4ea7\u54c1\u4f1a\u8bdd\u56fa\u5b9a\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Cisco ASA 5500-X Series Next-Generation Firewalls",
      "Cisco Adaptive Security Virtual Appliance (ASAv)",
      "Cisco Firepower 9300 ASA Security Module",
      "Cisco ASA Services Module for Cisco 7600 Series Routers",
      "Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches",
      "Cisco ASA 5500 Series Adaptive Security Appliances",
      "Cisco Firepower 4100 Series Security Appliances",
      "Cisco Firepower 2100 Series Security Appliance",
      "Cisco 3000 Series Industrial Security Appliances (ISA)",
      "Cisco FTD Virtual (FTDv)"
    ]
  },
  "referenceLink": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect\r\nhttps://www.securityfocus.com/bid/103939",
  "serverity": "\u9ad8",
  "submitTime": "2018-04-24",
  "title": "Cisco\u591a\u4e2a\u4ea7\u54c1\u4f1a\u8bdd\u56fa\u5b9a\u6f0f\u6d1e"
}

CVE-2018-0229 (GCVE-0-2018-0229)

Vulnerability from cvelistv5

Published

2018-04-19 20:00

Modified

2024-11-29 15:18

Severity ?

CWE

CWE-384

Summary

A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software, and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software. The authentication would need to be done by an unsuspecting third party, aka Session Fixation. The vulnerability exists because there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly. An attacker could exploit this vulnerability by persuading a user to click a crafted link and authenticating using the company's Identity Provider (IdP). A successful exploit could allow the attacker to hijack a valid authentication token and use that to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software. This vulnerability affects the Cisco AnyConnect Secure Mobility Client, and ASA Software and FTD Software configured for SAML 2.0-based SSO for AnyConnect Remote Access VPN that is running on the following Cisco products: 3000 Series Industrial Security Appliances (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvg65072, CSCvh87448.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/103939	vdb-entry, x_refsource_BID
	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1040712	vdb-entry, x_refsource_SECTRACK
	http://www.securitytracker.com/id/1040711	vdb-entry, x_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	n/a	Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client	Version: Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:21:13.934Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "103939",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/103939"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect"
          },
          {
            "name": "1040712",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040712"
          },
          {
            "name": "1040711",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040711"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2018-0229",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-29T14:38:43.148231Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-29T15:18:44.245Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client"
            }
          ]
        }
      ],
      "datePublic": "2018-04-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software, and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software. The authentication would need to be done by an unsuspecting third party, aka Session Fixation. The vulnerability exists because there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly. An attacker could exploit this vulnerability by persuading a user to click a crafted link and authenticating using the company\u0027s Identity Provider (IdP). A successful exploit could allow the attacker to hijack a valid authentication token and use that to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software. This vulnerability affects the Cisco AnyConnect Secure Mobility Client, and ASA Software and FTD Software configured for SAML 2.0-based SSO for AnyConnect Remote Access VPN that is running on the following Cisco products: 3000 Series Industrial Security Appliances (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvg65072, CSCvh87448."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-384",
              "description": "CWE-384",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-04-24T09:57:01",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "103939",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/103939"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect"
        },
        {
          "name": "1040712",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040712"
        },
        {
          "name": "1040711",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040711"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2018-0229",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software, and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software. The authentication would need to be done by an unsuspecting third party, aka Session Fixation. The vulnerability exists because there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly. An attacker could exploit this vulnerability by persuading a user to click a crafted link and authenticating using the company\u0027s Identity Provider (IdP). A successful exploit could allow the attacker to hijack a valid authentication token and use that to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software. This vulnerability affects the Cisco AnyConnect Secure Mobility Client, and ASA Software and FTD Software configured for SAML 2.0-based SSO for AnyConnect Remote Access VPN that is running on the following Cisco products: 3000 Series Industrial Security Appliances (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvg65072, CSCvh87448."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-384"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "103939",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/103939"
            },
            {
              "name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect",
              "refsource": "CONFIRM",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect"
            },
            {
              "name": "1040712",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040712"
            },
            {
              "name": "1040711",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040711"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2018-0229",
    "datePublished": "2018-04-19T20:00:00",
    "dateReserved": "2017-11-27T00:00:00",
    "dateUpdated": "2024-11-29T15:18:44.245Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted