Vulnerability identifier: #VU12088
Vulnerability risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-384
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Cisco ASA 5500-X Series
Hardware solutions /
Security hardware applicances
Cisco AnyConnect Secure Mobility Client
Client/Desktop applications /
Other client software
Vendor: Cisco Systems, Inc
Description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The weakness exists in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication due to there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly. A remote attacker can trick the victim into clicking a specially crafted link and authenticate using the company's Identity Provider (IdP), hijack a valid authentication token, use that to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software and gain access to potentially sensitive information.
Mitigation
Update Cisco ASA 5500-X Series to versions 99.2(10.2), 97.1(17.1), 9.9(2.230), 9.9(2.1), 9.8(2.244), 9.8(2.243), 9.8(2.219), 9.8(2.217), 9.8(2.216), 9.8(2.215), 9.8(2.28), 9.7(1.111), 9.7(1.110), 9.7(1.24) and install update from vendor's website for Cisco AnyConnect Secure Mobility Client.
Vulnerable software versions
Cisco ASA 5500-X Series: 9.8.1.245
Cisco AnyConnect Secure Mobility Client: 4.6.200
External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnec...
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.