Information disclosure in Cisco AnyConnect Secure Mobility Client

1) Session fixation

EUVDB-ID: #VU12088

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0229

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.

The weakness exists in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication due to there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly. A remote attacker can trick the victim into clicking a specially crafted link and authenticate using the company's Identity Provider (IdP), hijack a valid authentication token, use that to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software and gain access to potentially sensitive information.

Mitigation

Update Cisco ASA 5500-X Series to versions 99.2(10.2), 97.1(17.1), 9.9(2.230), 9.9(2.1), 9.8(2.244), 9.8(2.243), 9.8(2.219), 9.8(2.217), 9.8(2.216), 9.8(2.215), 9.8(2.28), 9.7(1.111), 9.7(1.110), 9.7(1.24) and install update from vendor's website for Cisco AnyConnect Secure Mobility Client.

Vulnerable software versions

Cisco AnyConnect Secure Mobility Client: 4.6.200

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnec...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.