A vulnerability in the SSL VPN code could allow an unauthenticated, remote attacker to access the SSL VPN portal web page.
The vulnerability is due to improper handling of authentication cookies when the Cisco ASA SSL VPN feature is enabled. An attacker could exploit this vulnerability by manually modifying the HTTP POST body with a forged cookie value or entering a crafted URL. An exploit could allow the attacker to gain unauthenticated access to the SSL VPN Portal page. Depending on the SSL VPN configuration, the attacker may also start a VPN tunnel by using Cisco AnyConnect.
In all cases, the attacker may gain unauthorized access to internal network resources.
Cisco has confirmed the vulnerability in a security advisory and released software updates.
To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.
The SSL VPN feature must be enabled on a targeted device to exploit this vulnerability. Successful exploitation could allow the attacker to start a VPN tunnel via the AnyConnect client or by using SSL VPN cookies during the creation of an SSL VPN session. Both scenarios could allow unauthorized access to network resources that could be used to conduct further attacks.