Cisco Anyconnect VPN security loophole

Jay47110
Level 1

Hi all,


I have an ASA5516 that is hosting several Anyconnect VPNs using a Radius Server for authentication.

 

The split tunnel list is configured on the ASA. The "SPLIT TUNNEL LIST" injects static routes onto the client's PC for the resources specified.

However, we have recently discovered that if the user manually enters a route on their PC to any destination with the VPN gateway as the next hop, traffic to that destination will actually go via the VPN, and if there is a route for the destination on the firewall, it will route it all the way there and back, which is a huge security risk.

Am I missing something here? Is there an attribute that would allow me to add a security ACL per user on the Radius Server, or one on the ASA? We use the same group-policy and tunnel-group for every user. However, each user has access to different resources.

ASA config:

group-policy Anyconnect internal
group-policy Anyconnect attributes
wins-server none
vpn-idle-timeout 480
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
address-pools value Anyconnect_Pool
webvpn
anyconnect profiles value DfltProfile type user
always-on-vpn profile-setting


tunnel-group Anyconnect webvpn-attributes
group-url https://1.1.1.1/Anyconnect enable


The users are configured and authenticated by the Radius Server using the attributes:

CVPN3000-IPSec-Split-Tunnel-List; Framed-IP-Netmask; Service-Type; Class; NAS-Port-Type.

 


Kind regards

 


5 Replies

Hi,
With your explanation, the first thing that came to my mind is a bit odd. In my case this is actually about a company security policy violation: to add Windows routes, users need to have admin privilege, but users in our company are not allowed admin permissions. It may be a different scenario in your situation. Open for suggestions. :)
Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hi Kusan,

This is not an office VPN service. It is provided to our clients to access some company-internal resources, so we cannot dictate the security level on the clients' machines.
If you know of a workaround for this security loophole, do share.

Kind regards

Hi,

You could apply a VPN Filter to the VPN session; this will restrict the user to only the destinations defined in the Filter ACL.

 

Examples here and here.

 

HTH

Hi RJI,

That's exactly what I was looking for. Thanks for that. I've used the Radius attribute "Filter-Id" to specify an ACL set up on the ASA and it works. Access is restricted to only the specified resource.

Kind regards
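The configuration below is an added illustration of the VPN filter approach suggested by RJI and confirmed with Filter-Id above; it is not config from the original thread or from the poster's ASA. The ACL names, the address pool 10.10.10.0/24, the internal hosts 10.20.0.15 and 10.20.0.20, the username jdoe and the FreeRADIUS-style reply entry are all assumptions. The point it shows is that a vpn-filter is enforced on the ASA per session, so it holds no matter which routes the client adds on its own PC, whereas the split tunnel list only shapes client routing and is not a security control.

```cisco
! Added example, not from the original thread. Pool, host addresses,
! ACL names and the username are assumptions for illustration.
!
! 1. Per-customer filter ACL. For a remote-access vpn-filter, write each
!    ACE with the VPN client address (the pool) as the source and the
!    internal resource as the destination; the ASA matches the return
!    traffic of the same flow against that ACE. Anything not permitted is
!    dropped at the ASA even if the client routed it into the tunnel.
access-list CUSTOMER-A-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 10.20.0.15 eq 3389
access-list CUSTOMER-A-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 10.20.0.20 eq 443
access-list CUSTOMER-A-FILTER extended deny ip any any log
!
! 2a. Safe default on the shared group-policy, so a session whose RADIUS
!     reply carries no Filter-Id is still restricted instead of wide open.
access-list DEFAULT-DENY-FILTER extended deny ip any any log
!
group-policy Anyconnect attributes
 vpn-filter value DEFAULT-DENY-FILTER
!
! 2b. Per-user filter from RADIUS: return IETF attribute Filter-Id (11)
!     whose value is the ACL name. A per-user attribute overrides the
!     group-policy vpn-filter. Assumed FreeRADIUS "users" file entry:
!       jdoe  Cleartext-Password := "..."
!             Filter-Id = "CUSTOMER-A-FILTER"
!
! 3. Verify that the live session actually carries the filter and that
!    the ACE hit counts move when the client sends traffic:
!    show vpn-sessiondb detail anyconnect filter name jdoe
!    show access-list CUSTOMER-A-FILTER
```

Two checks worth doing after enabling this: confirm in the session detail output that the filter name shown is the per-user ACL and not the group-policy default, and watch the deny-with-log counter while the client adds a manual route to an internal address that is not in the ACL; the packets should now be dropped at the ASA rather than forwarded.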

Also be advised that unless the allowed resource is hardened, the remote user can use it to navigate further into your network.

For instance, if you allow RDP to one workstation only (with a VPN filter), nothing prevents that user from launching an RDP session from the allowed host into another host internal to your network. The same goes for SSH and other remote access protocols.