Reports indicate that a vulnerability exists in the Cisco WebVPN bookmark feature of the Cisco ASA 5500 Series Adaptive Security Appliance (Cisco ASA).
The Cisco ASA gives administrators the option of offering a Clientless SSL VPN session for access to corporate resources. One of several features available to administrators is the ability to customize the WebVPN portal page by adding bookmarks to the landing page; the bookmark list points users to the resources that are intended to be reached through the clientless connection. This feature is often used together with URL entry disabled, so that users are not confused about where to enter a URL to reach a specific resource.
The bookmark feature is not a security feature. By default, all portal traffic is allowed to reach all backend servers, and disabling URL entry only removes the input box from the page. Users with sufficient knowledge can therefore edit the rewritten URLs that the clientless portal generates for the browser and reach arbitrary resources within the network. Preventing such access requires additional configuration.
Administrators are advised to apply web access control lists (webtype ACLs) to group-policies and Dynamic Access Policies (DAP) to restrict which destinations the portal may reach, permitting only the resources that appear in the bookmark list and denying everything else. Additional information about how to create Web ACLs can be found in the Cisco Security Appliance Configuration and Deployment guides.
Information about using Cisco Adaptive Security Device Manager (ASDM) to configure Web ACLs is available at the following link: Web ACLs
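The following ASA CLI fragment is an added example, not configuration from the Cisco advisory. It shows the weak default posture (bookmarks with URL entry disabled but no filter) beside the corrected one, where a webtype ACL is bound to the group-policy with `filter value`. The group-policy name, url-list name, ACL name and hostnames are assumed for illustration; replace them with the hosts that actually appear in your bookmark list.

```cisco
! --- Weak (default) posture ---
! Bookmarks are shown and the URL entry box is hidden, but nothing
! restricts the destinations a portal user can reach by editing a URL.
group-policy CLIENTLESS_GP attributes
 webvpn
  url-list value CORP_BOOKMARKS
  url-entry disable
  ! no "filter value" here: all portal traffic is permitted

! --- Hardened posture: permit only the bookmarked resources ---
! Hostnames are illustrative (assumption). Add an entry for every form
! a bookmarked host can be requested as (short name, FQDN, IP address).
access-list BOOKMARKS_ONLY webtype permit url https://intranet.example.com/*
access-list BOOKMARKS_ONLY webtype permit url http://wiki.example.com/*
! Explicit catch-all deny with logging so manual URL manipulation is visible
access-list BOOKMARKS_ONLY webtype deny url any log

group-policy CLIENTLESS_GP attributes
 webvpn
  url-list value CORP_BOOKMARKS
  url-entry disable
  filter value BOOKMARKS_ONLY
```

After applying the change, confirm it with `show running-config group-policy CLIENTLESS_GP` and `show running-config access-list BOOKMARKS_ONLY`, then log in to the portal and edit a bookmark's rewritten URL to point at a host that is not in the ACL; the request should be refused and the deny entry should appear in syslog. Two caveats: the webtype ACL filters only the clientless portal, so AnyConnect or IPsec sessions that share the group-policy still need a separate `vpn-filter`; and the ACL matches on the URL the user requests, so a server that can be reached by an alternate name or by IP address needs a permit entry for each form, otherwise the bookmark itself may stop working or the bypass remains open.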
This issue was reported by David Eduardo Acosta Rodríguez from Internet Security Auditors. Cisco PSIRT appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports.
A modification of the default behavior has been proposed that would deny access to all resources but those included within the WebVPN Portal bookmarks by default. Further details of this enhancement request are available in Cisco bug ID CSCtd73211.
Administrators who support this change should contact their Cisco Sales or Support channel to express their support for the enhancement.