Vulnerability identifier: #VU12088

Vulnerability risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0229

CWE-ID: CWE-384

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cisco ASA 5500-X Series
Hardware solutions / Security hardware applicances
Cisco AnyConnect Secure Mobility Client
Client/Desktop applications / Other client software

Vendor: Cisco Systems, Inc

Description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.

The weakness exists in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication due to there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly. A remote attacker can trick the victim into clicking a specially crafted link and authenticate using the company's Identity Provider (IdP), hijack a valid authentication token, use that to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software and gain access to potentially sensitive information.

Mitigation
Update Cisco ASA 5500-X Series to versions 99.2(10.2), 97.1(17.1), 9.9(2.230), 9.9(2.1), 9.8(2.244), 9.8(2.243), 9.8(2.219), 9.8(2.217), 9.8(2.216), 9.8(2.215), 9.8(2.28), 9.7(1.111), 9.7(1.110), 9.7(1.24) and install update from vendor's website for Cisco AnyConnect Secure Mobility Client.

Vulnerable software versions

Cisco ASA 5500-X Series: 9.8.1.245

Cisco AnyConnect Secure Mobility Client: 4.6.200

---

External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnec...

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.