Technical Analysis: Cisco ASA Gateway Threats and WebVPN Attack Vectors

Executive Summary
The presence of logs mentioning paths such as /+CSCOL+/ or /+CSCOE+/ followed by files such as a1.jar or transfer.js indicates activity specifically targeting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) gateways.
These indicators are not random errors but point to two distinct vectors:
- Exploitation of known WebVPN vulnerabilities (such as CVE-2020-3452) that seek to read sensitive files via directory traversals.
- Code execution or cache poisoning attempts to inject malicious payloads (JS scripts or Java applets) to compromise remote user sessions.
The article below details the mechanics of these attacks, their technical significance, and the defense strategies required.
The Anatomy of a VPN Gateway Attack
Perimeter security equipment, especially VPN concentrators such as Cisco ASAs, is a prime target: it is publicly exposed by necessity and handles critical authenticated sessions. Reading these logs requires understanding the virtual architecture of these boxes.
Decoding "virtual" paths
On a Cisco ASA device configured with Clientless SSL VPN (WebVPN) or AnyConnect capabilities, the system exposes virtual directories that do not physically exist on a typical hard drive, but are mapped by the firmware:
- /+CSCOE+/ (Cisco Secure Encrypted): This path is used to serve the static resources of the authentication portal (logos, logon.html login scripts, win.js detection scripts). This is the "public" area before full authentication.
- /+CSCOL+/ (Cisco Secure Legacy/Launch): Often associated with legacy components or Java applet launches for clientless VPN tunnels.
When you see these prefixes in your logs, the attacker is not guessing URLs: they know you are running Cisco equipment and are trying to interact with the portal's internal mechanisms.
Vector 1: Java artifact (a1.jar) and the clientless legacy
The /+CSCOL+/a1.jar request is symptomatic of attacks targeting Java Web Start technologies or outdated Java applets used by older versions of WebVPN.
The mechanism
Historically, to establish a VPN tunnel without installing a thick client (AnyConnect), the WebVPN portal loaded a Java applet (often referred to as cs.jar or similar) into the user’s browser.
- Recognition and Fuzzing: The attacker seeks to download this .jar file to reverse engineer and figure out the exact ASA firmware version.
- Malicious Payload (a1.jar): In an offensive scenario, a1.jar is not a legitimate Cisco file. This is often the default name of a "dropper" generated by Java exploit kits. The attacker attempts to force the victim's browser or Java plugin (if they visit a compromised page relayed by the VPN) to execute this code.
- The objective: Execute arbitrary code (RCE) on the client through the VPN tunnel, or on the server if a Java deserialization vulnerability is present on the gateway side.
Diagnosis: If this file is requested from your server, it is often an automated scanner that tests whether your gateway allows the download or execution of unsigned or vulnerable Java code.
Vector 2: transfer.js and browser-powered desync attacks
The presence of /+CSCOE+/transfer.js is more subtle and potentially more dangerous because it affects modern attacks such as HTTP Request Smuggling and Cache Poisoning.
The context: the win.js vulnerability
Security researchers (including PortSwigger) have shown that Cisco WebVPN portals can be manipulated via static JavaScript files like /+CSCOE+/win.js.
The transfer.js attack scenario
The call to a file named transfer.js under this directory suggests an attempt to exploit WebVPN’s URL rewrite logic:
- Socket poisoning: The attacker sends a malformed HTTP request (Request Smuggling) to the gateway.
- Desynchronization: The gateway "mixes" the attacker's request with that of the next victim.
- Malicious redirect: When the legitimate victim connects to the VPN, their browser asks for a script (e.g. win.js or an injected custom script called transfer.js). Because of the desynchronization, the gateway does not return the legitimate Cisco script, but a redirect to a server controlled by the attacker.
- Script execution (XSS): The victim's browser runs the malicious script in the security context of the VPN domain (vpn.votre-entreprise.com). The attacker can then steal the session cookies (webvpn cookie) and penetrate the network.
Related Vulnerabilities (CVEs)
These logs are often the traces of scanners seeking to exploit specific flaws:
CVE-2020-3452 (read-only path traversal)
This is the flagship vulnerability associated with these paths. It allows an unauthenticated attacker to read files on the WebVPN file system using sequences like +CSCOT+ or +CSCOE+.
- Example query: GET /+CSCOE+/+/.. /+/.. /+/.. /+CSCOE+/portal_inc.lua
- Risk: Configuration leak, theft of session cookies from other logged-in users.
CVE-2018-0296 (DoS and information disclosure)
Allows an attacker to crash the ASA or list logged-in users by manipulating the /+CSCOE+/ paths.
Strategic and operational impact
If these attacks are successful, the consequences go beyond simple website defacement:
- Perimeter Compromise: The ASA is the gateway to the network. A session steal allows the attacker to bypass MFA (since the session cookie is already validated) and gain access to internal resources.
- Theft of Intellectual Property: Via CVE-2020-3452, configuration files containing information about the internal architecture can be exfiltrated.
- Client-Side (Watering Hole) Attacks: By modifying the JS served by the VPN, the attacker infects the workstations of every employee who connects remotely.
Remediation and Defense Guide
To guard against these threats, a defense-in-depth approach is needed.
1. Hardening of the ASA configuration
- Immediate Update: Apply the latest Cisco patches. The CVE-2020-3452 and CVE-2018-0296 flaws have been patched for a long time.
- Disabling Clientless VPN: If you are only using the AnyConnect thick client, completely disable the "Clientless SSL VPN" portal, which is the main attack surface of these vectors. Command: no webvpn (or disable it per group profile).
2. Filtering and WAF
- Blocking Suspicious Artifacts: Configure your Web Application Firewall (WAF) or IPS to strictly block any request containing .jar if you don't have an explicit Java business need on the portal.
- Sanitization rules: Block directory traversal sequences (.., %2e%2e, +/) in URLs targeting /+CSCOE+ and /+CSCOL+.
3. Monitoring (threat hunting)
- Log Analysis: Look at the HTTP status codes returned for these unusual requests.
- 404 Not Found: A good sign; the attacker is scanning blindly.
- 200 OK on a1.jar or transfer.js: Critical alert; investigate the content served immediately.
- Correlation: Check if an IP that scanned these files then initiated a successful VPN connection (logon successful).
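The sanitization rules and the hunting steps above, turned into a small detection routine as an added example (not code from the original article or from Cisco). It runs over constructed combined-format access-log lines and a constructed set of source IPs that later logged on; the log format, the hostnames, the IPs and the logon list are all assumptions, and a real deployment would feed it the gateway's own access and session logs.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style), not real ASA output.
ACCESS_LOG = """\
203.0.113.10 - - [01/May/2024:10:01:02 +0000] "GET /+CSCOL+/a1.jar HTTP/1.1" 404 162
203.0.113.10 - - [01/May/2024:10:01:05 +0000] "GET /+CSCOE+/transfer.js HTTP/1.1" 200 1187
203.0.113.10 - - [01/May/2024:10:01:09 +0000] "GET /+CSCOE+/+/%2e%2e/%2e%2e/portal_inc.lua HTTP/1.1" 200 4021
198.51.100.7 - - [01/May/2024:10:05:00 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 8890
198.51.100.7 - - [01/May/2024:10:05:03 +0000] "GET /+CSCOE+/win.js HTTP/1.1" 200 2210
"""
# Constructed set of source IPs that later completed a VPN logon (assumption);
# in practice derive this from the ASA's WebVPN session-start syslog messages.
LOGONS = {"203.0.113.10"}

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
BAD_FILES = {"a1.jar", "transfer.js"}   # artifacts named in the article
TRAVERSAL = ("../", "+/")               # traversal sequences to block/flag

def classify(path: str, status: str) -> Optional[str]:
    """Severity for one request: 'critical' if served (200), 'probe' otherwise, None if benign."""
    decoded = unquote(path)  # turn %2e%2e into .. before matching
    if not (decoded.startswith("/+CSCOE+/") or decoded.startswith("/+CSCOL+/")):
        return None
    rest = decoded.split("/", 2)[2]       # everything after the virtual prefix
    name = rest.rsplit("/", 1)[-1]
    hit = name in BAD_FILES or name.endswith(".jar") or any(t in rest for t in TRAVERSAL)
    if not hit:
        return None
    return "critical" if status == "200" else "probe"

def hunt(log_text: str, logons: set) -> list:
    """Flag suspicious requests and note whether the same IP later logged on."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sev = classify(m["path"], m["status"])
        if sev is None:
            continue
        findings.append({"ip": m["ip"], "path": m["path"], "status": m["status"],
                         "severity": sev, "later_logon": m["ip"] in logons})
    return findings

if __name__ == "__main__":
    for finding in hunt(ACCESS_LOG, LOGONS):
        print(finding)
```

A finding marked both "critical" and "later_logon" is the correlation case the article describes: a scanner that got content back and then authenticated.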
Conclusion
Requests to /+CSCOL+/a1.jar and /+CSCOE+/transfer.js are signatures of hostile reconnaissance seeking to turn your security gateway into a point of vulnerability. Whether they are automated scanners ("script kiddies") or precursors to a sophisticated request smuggling attack, they require constant vigilance and a rigorous policy of updating perimeter equipment.