Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software can be configured for certificate authentication in remote access VPN deployments.
An external researcher has identified several misconfigured Cisco ASA and FTD Software remote access devices where the ASA/FTD device may admit VPN remote access to users who possess a valid certificate from a public certificate authority (CA) when the VPN endpoint is configured to have its server identity certificate issued from the same public CA.
Cisco would like to raise awareness for customers in regard to how Cisco ASA and FTD Software apply default settings to trustpoints for imported certificates, and how to ensure a trustpoint is configured for its desired function only.
Cisco does not consider this a vulnerability in Cisco ASA or FTD Software or the digital certificates authentication feature, but a configuration issue.
Future releases of Cisco ASA and FTD Software, including Cisco Adaptive Security Device Manager (ASDM), Cisco Security Manager, and Cisco Firepower Management Center (FMC), will raise warning alerts when importing certificates to alert customers of the default behavior and to provide guidance how to harden the configuration via Cisco bug IDs CSCvt50528, CSCvv11100, and CSCvv11051.
However, it is not a requirement to run code integrated with these Cisco bug IDs to take the appropriate hardening actions. Customers are advised to review this advisory and make any respective configuration changes.
Security Impact Rating: Informational
Source: Cisco Security Advisory