Vulnerabilities > CVE-2018-0227 - Improper Certificate Validation vulnerability in Cisco products
Summary
A vulnerability in the Secure Sockets Layer (SSL) Virtual Private Network (VPN) Client Certificate Authentication feature for Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to establish an SSL VPN connection and bypass certain SSL certificate verification steps. The vulnerability is due to incorrect verification of the SSL Client Certificate. An attacker could exploit this vulnerability by connecting to the ASA VPN without a proper private key and certificate pair. A successful exploit could allow the attacker to establish an SSL VPN connection to the ASA when the connection should have been rejected. This vulnerability affects Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliances (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliances (ASAv), Firepower 4110 Security Appliances, Firepower 9300 ASA Security Modules. Cisco Bug IDs: CSCvg40155.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Creating a Rogue Certificate Authority Certificate An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
Nessus
NASL family CISCO NASL id CISCO-SA-20180418-ASA1.NASL description According to its self-reported version the Cisco Adaptive Security Appliance (ASA) software running on the remote device is affected by multiple vulnerabilities. Please see the included Cisco BIDs and Cisco Security Advisories for more information. last seen 2020-06-01 modified 2020-06-02 plugin id 109404 published 2018-04-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109404 title Cisco ASA Multiple Vulnerabilities (cisco-sa-20180418-asa1 / cisco-sa-20180418-asa2 / cisco-sa-20180418-asa3 / cisco-sa-20180418-asaanyconnect / cisco-sa-20180418-asa_inspect) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(109404); script_version("1.7"); script_cvs_date("Date: 2020/01/17"); script_cve_id( "CVE-2018-0227", "CVE-2018-0228", "CVE-2018-0229", "CVE-2018-0231", "CVE-2018-0240" ); script_bugtraq_id(103934, 103939); script_xref(name:"CISCO-BUG-ID", value:"CSCvg40155"); script_xref(name:"CISCO-BUG-ID", value:"CSCvf63718"); script_xref(name:"CISCO-BUG-ID", value:"CSCve18902"); script_xref(name:"CISCO-BUG-ID", value:"CSCve34335"); script_xref(name:"CISCO-BUG-ID", value:"CSCve38446"); script_xref(name:"CISCO-BUG-ID", value:"CSCvg65072"); script_xref(name:"CISCO-BUG-ID", value:"CSCvh87448"); script_xref(name:"CISCO-BUG-ID", value:"CSCve61540"); script_xref(name:"CISCO-BUG-ID", value:"CSCvh23085"); script_xref(name:"CISCO-BUG-ID", value:"CSCvh95456"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180418-asa1"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180418-asa2"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180418-asa3"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180418-asaanyconnect"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180418-asa_inspect"); script_name(english:"Cisco ASA Multiple Vulnerabilities (cisco-sa-20180418-asa1 / cisco-sa-20180418-asa2 / cisco-sa-20180418-asa3 / cisco-sa-20180418-asaanyconnect / cisco-sa-20180418-asa_inspect)"); script_summary(english:"Checks the ASA version."); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "According to its self-reported version the Cisco Adaptive Security Appliance (ASA) software running on the remote device is affected by multiple vulnerabilities. Please see the included Cisco BIDs and Cisco Security Advisories for more information."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa1 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3022fd51"); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa2 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d86bee0f"); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa3 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?72e6e924"); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?496f5656"); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa_inspect script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dcd24031"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg40155"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf63718"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve18902"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve34335"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve38446"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg65072"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh87448"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve61540"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh23085"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh95456"); script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco security advisory cisco-sa-20180418-asa1."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0227"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/18"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/27"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl"); script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); asa = get_kb_item_or_exit('Host/Cisco/ASA'); model = get_kb_item_or_exit('Host/Cisco/ASA/model'); version = extract_asa_version(asa); if (isnull(version)) audit(AUDIT_FN_FAIL, 'extract_asa_version'); if ( model !~ '^55[0-9][0-9]($|[^0-9])' && # 5500 & 5500-X model !~ '^65[0-9][0-9]($|[^0-9])' && # 6500 model !~ '^76[0-9][0-9]($|[^0-9])' && # 7600 model !~ '^93[0-9][0-9]($|[^0-9])' && # Firepower 9300 ASA model !~ '^21[0-9][0-9]($|[^0-9])' && # Firepower 2100 SSA model !~ '^411[0-9]($|[^0-9])' && # Firepower 4110 SA model !~ '^30[0-9][0-9]($|[^0-9])' && # ISA 3000 model != 'v' # ASAv ) audit(AUDIT_HOST_NOT, "an affected Cisco ASA product"); cbi = 'CSCvg40155, CSCvf63718, CSCve18902, CSCve34335, CSCve38446, CSCvg65072, CSCvh87448, CSCve61540, CSCvh23085, and CSCvh95456'; if (version =~ "^[0-8]\.") fixed_ver = "9.1(7.20)"; else if (version =~ "^9\.0[^0-9]") fixed_ver = "9.1(7.20)"; else if (version =~ "^9\.1[^0-9]" && check_asa_release(version:version, patched:"9.1(7.20)")) fixed_ver = "9.1(7.20)"; else if (version =~ "^9\.2[^0-9]" && check_asa_release(version:version, patched:"9.2(4.27)")) fixed_ver = "9.2(4.27)"; else if (version =~ "^9\.3[^0-9]") fixed_ver = "9.4(4.14)"; else if (version =~ "^9\.4[^0-9]" && check_asa_release(version:version, patched:"9.4(4.14)")) fixed_ver = "9.4(4.14)"; else if (version =~ "^9\.5[^0-9]") fixed_ver = "9.6(4.6)"; else if (version =~ "^9\.6[^0-9]" && check_asa_release(version:version, patched:"9.6(4.6)")) fixed_ver = "9.6(4.6)"; else if (version =~ "^9\.7[^0-9]" && check_asa_release(version:version, patched:"9.7(1.24)")) fixed_ver = "9.7(1.24)"; else if (version =~ "^9\.8[^0-9]" && check_asa_release(version:version, patched:"9.8(2.28)")) fixed_ver = "9.8(2.28)"; else if (version =~ "^9\.9[^0-9]" && check_asa_release(version:version, patched:"9.9(2.1)")) fixed_ver = "9.9(2.1)"; else audit(AUDIT_INST_VER_NOT_VULN, "Cisco ASA software", version); security_report_cisco( port : 0, severity : SECURITY_WARNING, version : version, bug_id : cbi, fix : fixed_ver );
NASL family CISCO NASL id CISCO-SA-20180418-ASA1-FTD.NASL description According to its self-reported version the Cisco Firepower Threat Defense (FTD) software running on the remote device is affected by multiple vulnerabilities. Please see the included Cisco BIDs and Cisco Security Advisories for more information. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 133044 published 2020-01-17 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133044 title Cisco FTD Multiple Vulnerabilities (cisco-sa-20180418-asa1 / cisco-sa-20180418-asa2 / cisco-sa-20180418-asa3 / cisco-sa-20180418-asaanyconnect / cisco-sa-20180418-asa_inspect) code #TRUSTED 3e639d33eb12b2a6998ea518129607fad3de3c5de6d14a65229c9ffd9f0f21af937c7bdb8fbb8a739f878c05e63fd61f2ff24cc32003b37b17d580b295b30ed119d00636a08aff1f04fe9aa65ddf004e361766498f7d6d1c0b02b2f3de946e7529769c7af4bcf4b6217fe287cefd5d032d5ac29c2be12e956641030dda24ce964cf9c8a86ca3e0e05e5a39b38573b3daf4e1c19aa9a3c405bf463443dbab1fbe8dddcfca4f7a591b4b466fb3c71e0d5fe9895dafde4d47983950f17b0e2a95354957675d9bba53484deafe993c15ed7cb5fdcfee0c0bd1f151568d7c9c46a02aadb6c9541683eace90af39fea052facfaf37109c120f8e5903b87dc91f05bb3c45ff23f247101c50c18b719b0106bb2c0b30ea8524ed3a077175822a25d2f7ab3649b6b7585a3f27b3fcf2ea58ee1bd6ca9b7a2392e0c005c9d3c587c35ac6ab5c2c09ddc76ed5ed8d9556c5294dc51ad2ce61ba5aff775796defcfa6e59bfcaf0338e61afe46910a91c8fd9864b555e8e870aa536731595a5e0ae129164f36669250e3d2717a27d83062b5ec37b834e238263be4076820d6bd6fb9b6cc9e4dd4fac845b985d21819fabbae24a7cd3adbd6cbff0b39a66f0d31e6ec400c6e67103ef5eb507d267053d1ee00607c6fa96d1c7c096dd239778d90b3e6e41d3dd64b61e08b355b53cb69f92538fd3e8e55bc44955a5b5a54b3c24faa890a0ad8832 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(133044); script_version("1.2"); script_cvs_date("Date: 2020/01/17"); script_cve_id( "CVE-2018-0227", "CVE-2018-0228", "CVE-2018-0229", "CVE-2018-0231", "CVE-2018-0240" ); script_bugtraq_id(103934, 103939); script_xref(name:"CISCO-BUG-ID", value:"CSCvg40155"); script_xref(name:"CISCO-BUG-ID", value:"CSCvf63718"); script_xref(name:"CISCO-BUG-ID", value:"CSCve18902"); script_xref(name:"CISCO-BUG-ID", value:"CSCve34335"); script_xref(name:"CISCO-BUG-ID", value:"CSCve38446"); script_xref(name:"CISCO-BUG-ID", value:"CSCvg65072"); script_xref(name:"CISCO-BUG-ID", value:"CSCvh87448"); script_xref(name:"CISCO-BUG-ID", value:"CSCve61540"); script_xref(name:"CISCO-BUG-ID", value:"CSCvh23085"); script_xref(name:"CISCO-BUG-ID", value:"CSCvh95456"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180418-asa1"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180418-asa2"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180418-asa3"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180418-asaanyconnect"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180418-asa_inspect"); script_name(english:"Cisco FTD Multiple Vulnerabilities (cisco-sa-20180418-asa1 / cisco-sa-20180418-asa2 / cisco-sa-20180418-asa3 / cisco-sa-20180418-asaanyconnect / cisco-sa-20180418-asa_inspect)"); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "According to its self-reported version the Cisco Firepower Threat Defense (FTD) software running on the remote device is affected by multiple vulnerabilities. Please see the included Cisco BIDs and Cisco Security Advisories for more information. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa1 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3022fd51"); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa2 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d86bee0f"); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa3 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?72e6e924"); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?496f5656"); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa_inspect script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dcd24031"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg40155"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf63718"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve18902"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve34335"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve38446"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg65072"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh87448"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve61540"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh23085"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh95456"); script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco security advisory cisco-sa-20180418-asa1."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0227"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/18"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:firepower"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:firepower_threat_defense"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl", "cisco_asa_firepower_version.nasl", "cisco_enumerate_firepower.nbin"); script_require_keys("installed_sw/Cisco Firepower Threat Defense", "Settings/ParanoidReport"); exit(0); } include('vcf.inc'); include('audit.inc'); include('cisco_workarounds.inc'); include('ccf.inc'); if (report_paranoia < 2) audit(AUDIT_PARANOID); app = 'Cisco Firepower Threat Defense'; # Based on the advisory, it seems we're looking only for FTD and not FXOS app_info = vcf::get_app_info(app:app); product_info = make_array('model' , app_info['Model'], 'version' , app_info['version'], 'name', app); model = product_info['model']; if ( model !~ '^55[0-9][0-9]($|[^0-9])' && # 5500 & 5500-X model !~ '^65[0-9][0-9]($|[^0-9])' && # 6500 model !~ '^76[0-9][0-9]($|[^0-9])' && # 7600 model !~ '^93[0-9][0-9]($|[^0-9])' && # Firepower 9300 ASA model !~ '^21[0-9][0-9]($|[^0-9])' && # Firepower 2100 SSA model !~ '^411[0-9]($|[^0-9])' && # Firepower 4110 SA model !~ '^30[0-9][0-9]($|[^0-9])' && # ISA 3000 model != 'v' # FTD v ) audit(AUDIT_HOST_NOT, 'an affected Cisco FTD product'); vuln_ranges = [ {'min_ver' : '6.0', 'fix_ver' : '6.1.0.6'}, {'min_ver' : '6.2.0', 'fix_ver' : '6.2.0.5'}, {'min_ver' : '6.2.1', 'fix_ver' : '6.2.2.2'}, {'min_ver' : '6.2.3', 'fix_ver' : '6.2.3.1'} ]; workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']); workaround_params = make_list(); cbi = 'CSCvg40155, CSCvf63718, CSCve18902, CSCve34335, CSCve38446, CSCvg65072, CSCvh87448, CSCve61540, CSCvh23085, and CSCvh95456'; reporting = make_array( 'port' , 0, 'severity' , SECURITY_WARNING, 'version' , product_info['version'], 'bug_id' , cbi ); cisco::check_and_report( product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_ranges:vuln_ranges );
References
- http://www.securityfocus.com/bid/104018
- http://www.securityfocus.com/bid/104018
- http://www.securitytracker.com/id/1040723
- http://www.securitytracker.com/id/1040723
- https://ics-cert.us-cert.gov/advisories/ICSA-18-184-01
- https://ics-cert.us-cert.gov/advisories/ICSA-18-184-01
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa1
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa1