Cisco has patched a serious vulnerability in all versions of its Adaptive Security Appliance software that could allow a remote attacker to bypass the authentication mechanism by spoofing the Kerberos Key Distribution Center and gain control of the affected appliance.
The bug (CVE-2020-3125) lies in the way that the ASA software handles the authentication process among the client, server, and KDC. Researchers at Silverfort discovered that an attacker who could hijack network traffic between the client and the KDC could spoof the KDC’s responses to the client and eventually bypass the authentication mechanism altogether. The vulnerability is only exploitable if the device is configured to use Kerberos for authentication, and Cisco has published fixed versions of the ASA software for all of the affected releases.
“Cisco uses the Kerberos authentication protocol in many ASA interfaces – for example, VPN, opening firewall sessions, and administrative access, either through the web management console or through SSH. Therefore, bypassing Kerberos authentication allows an attacker to take over the Cisco appliance, bypass its security, and gain access to other networks,” Silverfort said in its advisory.
“Apparently, KDC authentication to the server is often overlooked. Perhaps because requiring it complicates the configuration requirements. However, if the KDC does not authenticate to the server, the security of the protocol is entirely compromised, allowing an attacker that hijacked the network traffic to authenticate to Cisco ASA with any password, even a wrong one.”
Kerberos is a decades-old authentication system, developed as one of the early methods of single sign-on and still widely used in a variety of products today. The system relies on a three-way authentication scheme involving the client, the server, and the KDC. If the scheme is implemented incorrectly, an attacker with a privileged network position can perform a KDC spoofing attack, standing up their own KDC and granting themselves access to the target service.
The problem of an attacker impersonating the KDC has been discussed for a long time, and KDC spoofing attacks against specific implementations are by no means new. In 2000, Dug Song, cofounder of Duo Security, published an advisory detailing the attack against then-current versions of Kerberos.
“The protocol consists of three exchanges to provide mutual authentication for the user and the server accessed. When users log in, they enter their credentials and the Authentication Service (AS) exchange takes place. The user gets a Ticket Granting Ticket (TGT), which is later used to obtain tickets to specific services during the Ticket Granting Service (TGS) Exchange. The ticket is then used during the Client/Server Exchange to complete the authentication,” Silverfort said in its advisory.
The ASA software is the operating system for Cisco’s line of ASA network security devices, which includes several firewalls. The Kerberos vulnerability affects all of the supported versions of the ASA software. Cisco said in its security advisory that there are no known workarounds for the vulnerability, so customers running affected ASA versions should update to the fixed release.
“A vulnerability in the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access,” the Cisco advisory says.
“The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received. An attacker could exploit this vulnerability by spoofing the KDC server response to the ASA device. This malicious response would not have been authenticated by the KDC. A successful attack could allow an attacker to bypass Kerberos authentication.”
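To make the failure mode described by Silverfort and Cisco concrete, here is an added toy model of the three exchanges (example code, not Cisco's, Silverfort's or any Kerberos implementation's): one verifier stops as soon as the AS-REP opens with the typed password, the other also demands a ticket for its own service principal and checks it against its keytab key, which a rogue KDC cannot forge. The service principal, user, passwords and keys are constructed, and an HMAC tag stands in for Kerberos encryption.

```python
import hashlib, hmac, json, os
SERVICE = "host/asa.example.test"  # the ASA's own service principal (assumed name)
def derive_key(secret):  # stand-in for Kerberos string-to-key
    return hashlib.sha256(secret.encode()).digest()

def seal(key, msg):  # toy "encryption": HMAC tag over a JSON body, integrity only
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").digest() + body

def unseal(key, blob):  # None on tag mismatch, standing in for a decryption failure
    tag, body = blob[:32], blob[32:]
    ok = hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest())
    return json.loads(body) if ok else None

class RealKDC:
    def __init__(self, users, service_key):
        self.user_keys = {u: derive_key(p) for u, p in users.items()}
        self.krbtgt_key, self.service_key = os.urandom(32), service_key
    def as_exchange(self, user):  # AS-REP: TGT, sealed under the user's key
        tgt = seal(self.krbtgt_key, {"cname": user}).hex()
        return seal(self.user_keys[user], {"tgt": tgt})
    def tgs_exchange(self, tgt_hex, sname):  # TGS-REP: ticket under service key
        tgt = unseal(self.krbtgt_key, bytes.fromhex(tgt_hex))
        return seal(self.service_key, {"cname": tgt["cname"], "sname": sname})

class SpoofedKDC:  # rogue KDC that knows only the password typed at the prompt
    def __init__(self, typed_password):
        self.user_key, self.fake_key = derive_key(typed_password), os.urandom(32)
    def as_exchange(self, user):
        return seal(self.user_key, {"tgt": seal(self.fake_key, {"cname": user}).hex()})
    def tgs_exchange(self, tgt_hex, sname):  # has no way to use the real service key
        return seal(self.fake_key, {"cname": "?", "sname": sname})

def authenticate_vulnerable(kdc, user, password):
    # Stops once the AS-REP opens with the typed password; a rogue KDC passes this.
    return unseal(derive_key(password), kdc.as_exchange(user)) is not None

def authenticate_hardened(kdc, user, password, keytab_key):
    as_rep = unseal(derive_key(password), kdc.as_exchange(user))
    if as_rep is None:
        return False
    # KDC must prove itself: our own service ticket has to open with our keytab key.
    ticket = unseal(keytab_key, kdc.tgs_exchange(as_rep["tgt"], SERVICE))
    return ticket is not None and ticket["cname"] == user

def demo():  # (real KDC/right pw, real KDC/wrong pw, rogue/vulnerable, rogue/hardened)
    keytab_key = os.urandom(32)
    real, spoof = RealKDC({"alice": "correct-horse"}, keytab_key), SpoofedKDC("wrong-pw")
    return (authenticate_hardened(real, "alice", "correct-horse", keytab_key),
            authenticate_hardened(real, "alice", "wrong-pw", keytab_key),
            authenticate_vulnerable(spoof, "alice", "wrong-pw"),
            authenticate_hardened(spoof, "alice", "wrong-pw", keytab_key))
```

The third result shows the bug the advisory describes: a wrong password is accepted because the rogue KDC sealed its reply with that same password, while the fourth shows the extra TGS check rejecting it.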