Description

A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software, and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software. The authentication would need to be done by an unsuspecting third party, aka Session Fixation. The vulnerability exists because there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly. An attacker could exploit this vulnerability by persuading a user to click a crafted link and authenticating using the company's Identity Provider (IdP). A successful exploit could allow the attacker to hijack a valid authentication token and use that to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software. This vulnerability affects the Cisco AnyConnect Secure Mobility Client, and ASA Software and FTD Software configured for SAML 2.0-based SSO for AnyConnect Remote Access VPN that is running on the following Cisco products: 3000 Series Industrial Security Appliances (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvg65072, CSCvh87448.

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  6.5 MEDIUM

Vector:  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score:  4.3 MEDIUM

Vector:  (AV:N/AC:M/Au:N/C:P/I:N/A:N)

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://www.securityfocus.com/bid/103939	Third Party Advisory  VDB Entry
http://www.securitytracker.com/id/1040711	Third Party Advisory  VDB Entry
http://www.securitytracker.com/id/1040712	Third Party Advisory  VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect	Vendor Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-384	Session Fixation	NIST   Cisco Systems, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

6 change records found show changes

CVE Modified by Cisco Systems, Inc. 5/14/2024 12:50:36 AM

Action	Type	Old Value	New Value

CPE Deprecation Remap by NIST 8/15/2023 11:21:44 AM

Action	Type	Old Value	New Value
Changed	CPE Configuration	OR *cpe:2.3:a:cisco:adaptive_security_appliance_software:9.8(1.245):*:*:*:*:*:*:*	OR *cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8(1.245):*:*:*:*:*:*:*

CVE Modified by Cisco Systems, Inc. 10/09/2019 7:31:32 PM

Action	Type	Old Value	New Value
Added	CWE		Cisco Systems, Inc. CWE-384

Initial Analysis by NIST 5/24/2018 12:35:23 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR *cpe:2.3:a:cisco:adaptive_security_appliance_software:9.8\(1.245\):*:*:*:*:*:*:*
Added	CPE Configuration		OR *cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.6\(200\):*:*:*:*:*:*:*
Added	CVSS V2		(AV:N/AC:M/Au:N/C:P/I:N/A:N)
Added	CVSS V2 Metadata		Victim must voluntarily interact with attack mechanism
Added	CVSS V3		AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Added	CWE		CWE-384
Changed	Reference Type	http://www.securityfocus.com/bid/103939 No Types Assigned	http://www.securityfocus.com/bid/103939 Third Party Advisory, VDB Entry
Changed	Reference Type	http://www.securitytracker.com/id/1040711 No Types Assigned	http://www.securitytracker.com/id/1040711 Third Party Advisory, VDB Entry
Changed	Reference Type	http://www.securitytracker.com/id/1040712 No Types Assigned	http://www.securitytracker.com/id/1040712 Third Party Advisory, VDB Entry
Changed	Reference Type	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect No Types Assigned	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect Vendor Advisory

CVE Modified by Cisco Systems, Inc. 4/24/2018 9:29:03 PM

Action	Type	Old Value	New Value
Added	Reference		http://www.securityfocus.com/bid/103939 [No Types Assigned]

CVE Modified by Cisco Systems, Inc. 4/20/2018 9:29:00 PM

Action	Type	Old Value	New Value
Added	Reference		http://www.securitytracker.com/id/1040711 [No Types Assigned]
Added	Reference		http://www.securitytracker.com/id/1040712 [No Types Assigned]