Cisco ASA Adaptive Security Appliance Clientless SSL VPN CIFS and FTP Credential Theft Vulnerability

Cisco ASA Adaptive Security Appliance Software versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) that have been configured to accept Clientless SSL VPN connections contain a vulnerability that could allow an unauthenticated, remote attacker to steal user account credentials. Versions 7.x are not affected.

The vulnerability is due to insufficient warnings and restrictions when the software is using Common Internet File System (CIFS) and FTP shares in the SSL VPN feature. If an unauthenticated, remote attacker can convince a user to visit a malicious CIFS or FTP site while the user is logged in to the secure portal, the attacker could use this vulnerability as part of a phishing or spoofing attack to obtain user site credentials.

Cisco has confirmed this vulnerability and released updated software.

The vulnerability is due to a failure to properly protect the CIFS and FTP sharing features that the Clientless SSL VPN uses. The attacker must convince the user to follow a malicious URL while the user is logged in to the SSL VPN. The attacker may use social engineering techniques to make the user more likely to follow the link. If an exploit is successful, the attacker could capture user credentials to remote servers and possibly use these credentials in future attacks.

Exploit code that demonstrates the credential theft vulnerability is publicly available.