topic [ASA5510] Cisco AnyConnect - Cookie not HTTP-Only in Network Security

[ASA5510] Cisco AnyConnect - Cookie not HTTP-Only

SLTN Servicedesk — Tue, 12 Mar 2019 01:14:36 GMT

Hi all,

Recently we had an external security scan and one of the things that was pointed out is the following:

4.5 Cookie not HTTP-Only
Targets: **.**.**.**
The web application sent a cookie that is not marked HTTP-Only. This allows the
cookie to be manipulated by client-side code (java,
javascript, actionscript, etc.) which could leave the site vulnerable to Cross-Site
Scripting vulnerabilities.
» Define all cookies as HTTP-only

Now I've done some searching but couldn't find a similar case to this question.

The firwall that is used:

Cisco ASA 5510

software version 8.2(3)

ASDM: 6.3(4)

Used feature that causes the cookie error (I've inspected the cookie object with Chrome and noticed that the HTTP-Only feature was indeed not enabled on this site/feature): AnyConnect (& AnyConnect Essentials)

Does anyone know if it's possible to even set the HTTP-Only mark in the cookie by yourself, or do you rely on a software update?

Regards

[ASA5510] Cisco AnyConnect - Cookie not HTTP-Only

Jennifer Halim — Sun, 17 Mar 2013 21:30:29 GMT

Here is the bugID for the above HTTP-Only cookie issue: CSCth55933

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth55933

Pls kindly check on the explaination on further description:

While this is not a false positive, any vulnerability would be in the cross-site scripting attack and not in the lack of cookie protection through the use of the HttpOnly flag. This bug documents the investigation into cookie protection on the ASA.

[ASA5510] Cisco AnyConnect - Cookie not HTTP-Only

David26320 — Tue, 30 Jul 2013 07:51:54 GMT

I have read the content of the link, but it points to using the "Next Generation software" is the version 9 series next generation?

[ASA5510] Cisco AnyConnect - Cookie not HTTP-Only

Waqar Rana — Mon, 12 Aug 2013 23:10:38 GMT

We are running ver 8.2(5)41 on 5520 and internal security scan pointed same vulnerability. Is there a fix for this bug?

[ASA5510] Cisco AnyConnect - Cookie not HTTP-Only

schynam — Fri, 20 Sep 2013 15:10:19 GMT

This link is not good anymore. Is there any fix to the PCI DSS failure?

[ASA5510] Cisco AnyConnect - Cookie not HTTP-Only

haskelman — Thu, 05 Dec 2013 23:32:39 GMT

Cisco, any updates on this?

[ASA5510] Cisco AnyConnect - Cookie not HTTP-Only

schynam — Fri, 06 Dec 2013 00:13:42 GMT

The resolution tried at my organization was to either upgrade the IOS or downgrade to AnyConnect 3.0. Downgrading AnyConnect was the easier route.

I am configuring AnyConnect

gchevalley — Tue, 20 Jan 2015 14:37:44 GMT

I am configuring AnyConnect for the first time on an ASA 5510 running 9.0(4) and encountering the same issue. Has anyone found a solution to the HTTP only flag on the cookie?

The bug track is:

andrew.stravitz1 — Thu, 25 Feb 2016 21:37:05 GMT

The bug track is:

https://tools.cisco.com/bugsearch/bug/CSCuc23836

To fix for this potential vulnerability Cisco will need to update their ASA VPN software to support the HTTP Only flag (when rendering html with cookie's) . so far Cisco has not put a fix in and doesn't appear to have any plans to modify the IOS to support the HttpOnly flag.

Browsers have supported this flag for over a decade, yet, Cisco does not support it.

https://www.owasp.org/index.php/HttpOnly