topic Re: Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN in Network Security

Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN

pchelisant — Mon, 11 Jan 2021 12:42:58 GMT

Gentlemen need you help.

We can successfully connect with anyconnect to asa.

However when we implement SAML Authentication (DUO 2 Factor authentication) We cannot connect with the error

Potential CSRF attack dtected.

We can see this is a cross site scripting issue, and The ASA is providing CSRF protection and causing this error.
The error we see is being generated by the ASA.

Can you help me how to disable that protection or at least pisibility to whitelist interested hosts?

here a short info

Cisco Adaptive Security Appliance Software Version 9.15(1)1
SSP Operating System Version 2.9(1.131)
Device Manager Version 7.15(1)

Compiled on Fri 20-Nov-20 18:59 GMT by builders
System image file is "disk0:/asa9-15-1-1-smp-k8.bin"
Config file at boot was "startup-config"

Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz, 1 CPU (4 cores)
ASA: 4104 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1 )
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode
The Running Activation Key feature: 10000 AnyConnect Premium sessions exceed the limit on the platform, reduced to 750 AnyConnect Premium sessions.
The Running Activation Key feature: 10000 TLS Proxy sessions exceed the limit on the platform, reduced to 1000 TLS Proxy sessions.

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
Carrier : Enabled perpetual
AnyConnect Premium Peers : 750 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Enabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Enabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 4 perpetual

This platform has an ASA5525 VPN Premium license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
Carrier : Enabled perpetual
AnyConnect Premium Peers : 750 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Enabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Enabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual

This platform has an ASA5525 VPN Premium license.

webvpn config

webvpn

port 4443

enable outside

dtls port 4443

http-headers

hsts-server

enable

max-age 31536000

include-sub-domains

no preload

hsts-client

enable

x-content-type-options

x-xss-protection

content-security-policy default-src 'self' https://api-b0affc49.duosecurity.com 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'

no anyconnect-essentials

Thanks!

Re: Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN

balaji.bandi — Mon, 11 Jan 2021 12:57:59 GMT

Look at the below suggetions :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj34599

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

https://duo.com/docs/ciscoasa-sso

Re: Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN

pchelisant — Mon, 11 Jan 2021 17:37:05 GMT

Sorry first link doesnt work for me.

Tried to whitelist useragent however no success.

Other 2 links a well known to me, and as per config you can see i use the latest software version

Re: Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN

balaji.bandi — Mon, 11 Jan 2021 20:33:57 GMT

first, link was a bug - older version since you running the same kind of issue so suggested to have look.

Re: Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN

loizosko — Wed, 03 Mar 2021 04:42:15 GMT

anybody figured out the issue?

getting the same error with okta. running latest 6.7 ftd

Re: Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN

IvanAlvarenga25979 — Tue, 27 Jul 2021 18:18:04 GMT

what was the resolution for this case?

Re: Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN

loizosko — Tue, 27 Jul 2021 18:35:18 GMT

there was a timer in the firewall idp settings that did not match the timer in the sso provider settings.

after making it the same it worked

Re: Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN

atocki — Thu, 26 Aug 2021 19:15:18 GMT

Hello @loizosko, I'm facing the same issue with the FTD 6.7, what timer do you talking about please?

Re: Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN

JohnKimble — Thu, 06 Jul 2023 08:08:13 GMT

Hi
I know this is an old post, but for anyone who still have this issue, here is what I did. After confirming all my URLs were correct, I resolved the issue by removing the default value of 300ms in Request Timeout, under Single Sign-On server profile. Removing the 300ms, sets Timeout to "Use the timeout set by the Provider". Everything works great now. You can read more about it under "SAML Timeout section" here https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/asdm716/vpn/asdm-716-vpn-config/webvpn-configure-users.html