Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2644
Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Trustpoint Configuration Defaults
3 August 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Adaptive Security Appliance
Cisco Firepower Threat Defense
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Reduced Security -- Remote/Unauthenticated
Resolution: Mitigation
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-racerts-WvuYpxew
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Trustpoint Configuration Defaults
Priority: Informational
Advisory ID: cisco-sa-racerts-WvuYpxew
First Published: 2020 July 31 16:00 GMT
Last Updated: 2020 July 31 22:35 GMT
Version 1.1: Final
Workarounds: YesCisco Bug IDs: CSCvt50528CSCvv11051CSCvv11100
CWE-295
Summary
o Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat
Defense (FTD) Software can be configured for certificate authentication in
remote access VPN deployments.
An external researcher has identified several misconfigured Cisco ASA and
FTD Software remote access devices where the ASA/FTD device may admit VPN
remote access to users who possess a valid certificate from a public
certificate authority (CA) when the VPN endpoint is configured to have its
server identity certificate issued from the same public CA.
Cisco would like to raise awareness for customers in regard to how Cisco
ASA and FTD Software apply default settings to trustpoints for imported
certificates, and how to ensure a trustpoint is configured for its desired
function only.
Cisco does not consider this a vulnerability in Cisco ASA or FTD Software
or the digital certificates authentication feature, but a configuration
issue.
Future releases of Cisco ASA and FTD Software, including Cisco Adaptive
Security Device Manager (ASDM), Cisco Security Manager, and Cisco Firepower
Management Center (FMC), will raise warning alerts when importing
certificates to alert customers of the default behavior and to provide
guidance how to harden the configuration via Cisco bug IDs CSCvt50528,
CSCvv11100, and CSCvv11051.
However, it is not a requirement to run code integrated with these Cisco
bug IDs to take the appropriate hardening actions. Customers are advised to
review this advisory and make any respective configuration changes.
Details
o The target audiences for this informational advisory are customers who have
deployed Cisco ASA/FTD devices as remote access VPN endpoints and are
performing any client-based certificate authentication.
When a new certificate is imported to the configuration, the default
settings for the trustpoint usage are for ipsec-client and ssl-client
validation, so by default, that trustpoint can be used to authenticate VPN
users. If the trustpoint's intended use is only as a server identity
certificate and the corresponding certificate authority trust should not be
used for VPN validation, the ASA/FTD administrator has to configure the
device as such using the validation-usage command.
Without altering the configuration, if using client certificate
authentication without other authentication and authorization methods, it
may be possible to authenticate using any user identity certificate that is
issued by the same certificate authority as the ASA/FTD device's identity
certificate. Installations that use additional authentication and
authorization would either prevent or require the additional steps to be
passed before being granted access to the network.
Recommendations
o Identification
While all trustpoint configurations should be reviewed to ensure they are
configured for their desired purpose, the primary risk is when using:
The ASA/FTD devices as a remote access VPN endpoint.
Client certificate authentication where certificates are issued by
certificate authority A.
A certificate for the identity of the ASA/FTD device issued by
certificate authority B.
The intention would be that the administrators of the ASA/FTD VPN endpoint
only wish to consider client certificates issued by certificate authority
A. For example, the client-issued certificates could come from a company's
private CA (CA A), while the ASA/FTD identity certificate may have been
issued by a public CA (CA B).
To determine whether a Cisco ASA or FTD device is affected by the issue
described in this advisory, use this process:
1) Confirm if the device is configured to allow remote access VPN.
Cisco ASA Feature Identification Configuration
AnyConnect IKEv2 Remote Access crypto ikev2 enable <interface_name>
(with client services) client-services port <port #>
AnyConnect SSL VPN webvpn
enable <interface_name>
Clientless SSL VPN webvpn
enable <interface_name>
Alternatively, on FMC, go to Devices -> VPN -> Remote Access and see if any
profiles exist.
If enabled, proceed to the next step.
2) Confirm if using client certificate authentication.
Administrators can use the show running-config all tunnel-group command
from either the ASA CLI or FTD CLI to determine whether any of the
connection profiles are using an authentication method that contains a
certificate. If either the Authentication, Authorization and Accounting
(AAA) or Security Assertion Markup Language (SAML) 2.0 method alone is
used, the device is not affected. The following example shows the output of
the command for an ASA device that is using both AAA and client certificate
authentication:
ciscoasa# show running-config all tunnel-group
authentication aaa certificate
.
Alternatively, on FMC, go to Devices -> VPN -> Remote Access and click the
Remote Access profile name. For the different connection profiles, examine
the AAA column; if any of the Authentication fields indicate Client
Certificate Only or Client Certificate & AAA , then client certificates are
in use. Proceed to the next step.
Note : If alternative authentication methods are configured, those
authentication methods will still need to be fulfilled to pass
authentication and be granted access to the network.
3) Determine if using a certificate for the identity of the ASA/FTD issued
by a certificate authority that the administrator doesn't control.
Administrators can first use the show running-config ssl | include
trust-point command to identify the device's identity certificate used on
the remote access VPN-enabled interface:
ciscoasa# show running-config ssl | include trust-point
ssl trust-point IDENTITY outside
In the previous example, the interface named outside is associated with the
identity certificate configured within the trustpoint named IDENTITY .
Administrators can view the certificates included in this trustpoint and
specifically look at the Subject Name of the CA Certificate to identify
whether this certificate has been issued by a public CA:
ciscoftd# show crypto ca certificate IDENTITY
Certificate
.
.
Issuer Name:
l=Sydney
c=AU
o=GoDaddy.com\, Inc.
ou=http://certs.godaddy.com/repository/
cn=Go Daddy Secure Certificate Authority - G2
Subject Name:
.
.
cn=FPR2100-FTD
Validity Date:
start date: 07:16:53 UTC Jul 26 2020
end date: 07:16:53 UTC Jul 26 2021
Storage: config
Associated Trustpoints: FPR2100-FTD.cisco.com
Alternatively, on FMC, go to Devices -> VPN -> Remote Access and click the
Remote Access profile name. Click Access Interfaces . This will show you
the identity certificate presented on the remote access VPN interface in
the SSL Global Identity Certificate field.
Remediation
When a new certificate is imported to the configuration, the default
settings for the trustpoint usage are for ipsec-client and ssl-client
validation, so by default, that trustpoint can be used to authenticate VPN
users. Administrators should review all their trustpoint usage
configurations. If the trustpoint holds the certificates for server
authentication, that trustpoint should be configured with the
validation-usage ssl-server configuration command. Any trustpoint not used
explicitly for client authentication should have the no validation-usage
configuration applied as per the following procedures:
For ASA, administrators can log into the device and reconfigure the
trustpoint using the validation-usage command:
crypto ca trustpoint <name of identity trustpoint>
no validation-usage
For FTD managed via FMC, administrators can use FlexConfig. Proceed with
the following steps:
1. Validate the configuration of the trustpoint that needs reconfiguring
via the show running-config all crypto ca trustpoint FTD CLI command and
confirm that validation-usage is set to ipsec-client ssl-client .
2. On FMC, go to Objects -> Object Management -> FlexConfig -> FlexConfig
Object, and fill in the Name and Description fields. Complete the text box
with the command as shown in the following example. Note you could define
the TrustPointName as a variable or just enter the name of the
TrustPointName you wish to alter:
Name: NoValidationUsage
Description: no validation-usage ipsec-client ssl-client
Text Box:
crypto ca trustpoint TrustPointName
no validation-usage
3. Apply FlexConfig to the affected devices by selecting Devices ->
FlexConfig .
4. Click New Policy , create a name, and select the devices to assign the
policy to. On the next screen, select Add FlexConfig Object and click the
object you created in the previous steps; in this example,
NoValidationUsage .
5. Save the FlexConfig.
6. Deploy the FlexConfig.
7. Validate the configuration was a success by logging into the device and
issuing the show running-config all crypto ca trustpoint FTD CLI command.
Under the public trustpoint, it should say no validation-usage.
If the client certificates are issued from a different CA than the identity
certificate, that trustpoint will still be required to have the default
settings of validation-usage ipsec-client ssl-client or just
validation-usage ssl-client , depending on the designed usage.
For FTD managed via Firepower Device Management (FDM), there is currently
no way to alter the trustpoint configuration via FlexConfig. A new version
will be released that supports the ability to reconfigure the trustpoint.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank Mike Guy of CenturyLink for reporting this issue.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-racerts-WvuYpxew
Revision History
o +---------+------------------------------+---------+--------+-------------+
| Version | Description | Section | Status | Date |
+---------+------------------------------+---------+--------+-------------+
| 1.1 | Republish for external email | - | Final | 2020-JUL-31 |
| | notification. | | | |
+---------+------------------------------+---------+--------+-------------+
| 1.0 | Initial public release. | - | Final | 2020-JUL-31 |
+---------+------------------------------+---------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXyee8ONLKJtyKPYoAQiv5hAAsIxKNr3YA11kLPGFLFyTL6z0FsNPSebn
RwblN8oFqA7QqrVqAlM3kJk1kKflIvAJtd7lgMf2Co5QrWC4LPJEerWKWN0+Zln1
C9RbqG8PSWcxZFE7RH1jBB+wxMgBA4qELSGb7W7j8huiXrOfGAecPuec52onFney
71/jAwFO0dKGMNPOVOWtRZFqctGAyamMTbrfLie9u2Mi/p9eAmUC0/PRLb1jRF2h
8HttZylixEPTfcu2UNfOI5cEIrB1Doi1p2SeTZOs/o6Jg16Gg62btrttbVxbNH06
XuKJGCANUpCOw2yh2Rx34bOFcRuhIst7wzbSnMK40dpweq+HwraPIKAkaGMOIyYs
t2fggAOEM+1fLarfpCMhL6OjdagAtsb7ddJFLjPj+OytcIY5JVVltdqJNQZjd4yg
AvYq0z15cdu20EnUyren2bKhTMsJDUwB4zSTOTlF2k1GsSt/QXFbc6try0KWQo9d
llh6pZvYZg3g51nzWmdFk9tL8LGIUL6d5xwGb1i8iB28GdaoFP/2AH5p6qqXsSVV
2nLXeJ8kDrsj/2IDsaMqG70sVarUShaR9mbdMqvk23xdMQuf6x8RhZeOnAiTTIwG
jvJj5Rin3diludWAqw1o0pZPpvB+A6PH/xe/r3ZOVDADMBB/IVLe9AXriCKQA0oV
RYQf3ywLNFE=
=8n4A
-----END PGP SIGNATURE-----