...
When sending commands to the ASA through the api/cli component, the response body contains a Command authorization failed message, even though the X-Auth-Token works fine with other components and methods: {response=[Command authorization failed , Command authorization failed ]}
This occurs with REST API version 1.3(2) on an ASA running 9.8(4)10 code. When the /cli component is used, the X-Auth-Token does not provide a username, even though the REST API debugs show the privilege as 15 after parsing.
Use Basic Authentication along with the X-Auth-Token so requests are validated correctly.
Debug outputs:
HTTP: REST-API - This is a REST API request.
HTTP: REST-API - processing URL '/api/tokenservices' of REST api request from host 10.100.150.45
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
HTTP: processing handoff to legacy admin server [/api/cli]
HTTP: admin session verified = [0]
HTTP MSG: POST /api/cli HTTP/1.1
Host: 10.100.150.50
Accept: */*
User-Agent: REST API Agent
Content-Type: application/json
X-Auth-Token: xxxxxxxxxxxxxxxxxxxxxx
Content-Length: 60
{"commands": ["show startup-config", "show running-config"]}
HTTP: REST-API - This is a REST API request.
HTTP: REST-API - processing URL '/api/cli' of REST api request from host 10.100.150.45
HTTP: REST-API - forwarding REST API request to REST Agent
HTTP: REST-API - content-length: 60
HTTP: REST-API - Bytes to be read (HTTP request method):4
HTTP: REST-API - Bytes to be read (URI until CRLF line)): 227
HTTP: REST-API - Bytes to be read (partial/all message-body): 60
HTTP: REST-API - Length of the entire message-body: 60; content-length: 60
HTTP: REST-API - Length of the entire request: 291
HTTP: REST-API - sending rest request to REST API Agent
[ra client event]: rest_agent_connect: Opening TCP socket to REST API Agent succeeded.
[ra client event]: rest_agent_connect: Connecting to TCP socket succeeded.
[ra client event]: rest_agent_buf_push_and_receive: socks_proxy_csocket_send succeeded.
[ra client event]: rest_agent_buf_push_and_receive: temporarily no message received.
[ra agent event]: 2020-05-11 18:51:14,832 DEBUG [startup] Enter Filter.beforeHandle() for uri:http://10.100.150.50/api/cli
[ra agent event]: 2020-05-11 18:51:14,833 DEBUG [startup] The request URI, canonicalized URI, URLDecoded URI respectively are:http://10.100.150.50/api/cli, http://10.100.150.50/api/cli, http://10.100.150.50/api/cli
[ra cli event]: (236 bytes) GET /admin/exec/show+checksum HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: REST API Agent Java/1.8.0_201
Host: 127.0.0.1:8112
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP MSG: GET /admin/exec/show+checksum HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: REST API Agent Java/1.8.0_201
Host: 127.0.0.1:8112
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP: processing GET URL '/admin/exec/show+checksum' from host REST API Agent
HTTP: user already authenticated, bypass authentication
[ra agent event]: 2020-05-11 18:51:14,833 DEBUG [startup] Exit Filter.beforeHandle() with CONTINUE status for uri:http://10.100.150.50/api/cli
[ra agent event]: 2020-05-11 18:51:14,834 DEBUG [base] Enter b POST
[ra agent event]: 2020-05-11 18:51:14,834 DEBUG [base] Total memory: 27,635,712, max memory: 279,773,184, free memory: 6,161,344
[ra agent event]: 2020-05-11 18:51:14,835 DEBUG [base] The X-asa-privilege header value got from aware server is:cisco/15
Exited from HTTP Cli Exec
[ra cli event]: Sending (154 bytes) to REST agent.
[ra cli event]: (154 bytes) HTTP/1.1 200 OK
Date: Mon, 11 May 2020 18:51:15 UTC
Connection: close
Content-Type: text/plain
Cryptochecksum: b46cb0c1 13f92fd3 40b8e7a2 e10b53ff
[ra cli event]: Payload sent completely.
[ra cli event]: Cleaned the REST API CLI Daemon Thread
[ra agent error]: 2020-05-11 18:51:14,835 ERROR [base] The X-asa-privilege :: username has / <---------------------------------------------
[ra cli event]: Username not found. Reason: X-Auth-Token<---------------------------------------------
[ra cli event]: Username: - Privilege: 15<---------------------------------------------
[ra cli event]: (480 bytes) POST /admin/config HTTP/1.1
Content-Type: text/xml
X-asa-privilege: /15 <---------------------------------------------
Cache-Control: no-cache
Pragma: no-cache
User-Agent: REST API Agent Java/1.8.0_201
Host: 127.0.0.1:8112
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 188
show startup-config show running-config
HTTP MSG: POST /admin/config HTTP/1.1
Content-Type: text/xml
X-asa-privilege: /15
Cache-Control: no-cache
Pragma: no-cache
User-Agent: REST API Agent Java/1.8.0_201
Host: 127.0.0.1:8112
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 188
show startup-config show running-config
HTTP: processing POST URL '/admin/config' from host REST API Agent
HTTP: user already authenticated, bypass authentication
[ra agent event]: 2020-05-11 18:51:14,835 DEBUG [base] The user privilege fetched from X-asa-privilege header is:15
[ra agent event]: 2020-05-11 18:51:14,835 DEBUG [base] Current privilege level: 15
[ra agent event]: 2020-05-11 18:51:14,835 DEBUG [k] Command (http://127.0.0.1:8112/admin/exec/show+checksum) started
[ra agent event]: 2020-05-11 18:51:14,841 DEBUG [k] GET http://127.0.0.1:8112/admin/exec/show+checksum Time=6 msec
[ra agent event]: 2020-05-11 18:51:14,842 DEBUG [startup] Checksum is: b46cb0c1 13f92fd3 40b8e7a2 e10b53ff
[ra agent event]: 2020-05-11 18:51:14,842 DEBUG [base] parseObjectFromRawPayload() input is:{"commands": ["show startup-config", "show running-config"]}
[ra agent event]: 2020-05-11 18:51:14,842 DEBUG [base] The X-asa-privilege header value got from aware server is:cisco/15
[ra agent error]: 2020-05-11 18:51:14,843 ERROR [base] The X-asa-privilege :: username has /
[ra cli event]: Sending (430 bytes) to REST agent.
[ra cli event]: (430 bytes) HTTP/1.1 200 OK
Date: Mon, 11 May 2020 18:51:15 UTC
Connection: close
Content-Type: text/xml
Command authorization failed Command authorization failed
[ra cli event]: Payload sent completely.
[ra cli event]: Cleaned the REST API CLI Daemon Thread
[ra client event]: send_response_to_rest_client: Received response message of length 455 from REST Agent.
[ra client event]: rest_agent_buf_push_and_receive: Received the entire HTTP response of length 455 - closing the connection with REST API Agent.
[ra agent event]: 2020-05-11 18:51:14,843 DEBUG [base] The user privilege fetched from X-asa-privilege header is:15
[ra agent event]: 2020-05-11 18:51:14,843 DEBUG [startup] !!!!!!!!!!!!!!!!!!!Sending following passed in commands to the device: show startup-config show running-config
[ra agent event]: 2020-05-11 18:51:14,844 DEBUG [k] INFO: Cannot read preferences file /nonexistent/.asdm/data/preferences.conf.
[ra agent event]: 2020-05-11 18:51:14,844 DEBUG [k] Command (http://127.0.0.1:8112/admin/config) started
[ra agent event]: 2020-05-11 18:51:14,844 DEBUG [k] POST URL = http://127.0.0.1:8112/admin/config XML: show startup-config show running-config
[ra agent event]: 2020-05-11 18:51:14,854 DEBUG [k] GET http://127.0.0.1:8112/admin/config Time=10 msec
[ra agent event]: 2020-05-11 18:51:14,855 DEBUG [k] Response: Command authorization failed Command authorization failed Response time is 11 milliseconds.
[ra agent event]: 2020-05-11 18:51:14,855 DEBUG [k] (BatchCLI) ASA returned an error.
[ra agent event]: 2020-05-11 18:51:14,855 DEBUG [k] (BatchCLI) ASA returned an error.
[ra agent event]: 2020-05-11 18:51:14,855 DEBUG [startup] ASA Response : com.cisco.pdm.pdmdata.g[ cli = show startup-config errType = 1 errMsg = Command authorization failed ]
[ra agent event]: 2020-05-11 18:51:14,855 DEBUG [startup] Committing passed in commands to Device. DONE. Time taken (ms) 13
[ra agent event]: 2020-05-11 18:51:14,856 DEBUG [base] Inside RestletObject RawJson Serialization : {response=[Command authorization failed , Command authorization failed ]}
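
A triage sketch for the condition shown in the debugs above, added here as an example and not Cisco's code: diagnose() flags an X-asa-privilege header forwarded with an empty username together with the resulting authorization failure, and build_cli_request() builds, without sending, a POST to /api/cli that carries Basic Authentication alongside the X-Auth-Token as the workaround describes. The sample log is constructed from the lines quoted above; the function names, the https scheme and the credentials passed in are assumptions.

```python
import base64
import json
import re
import urllib.request

# Constructed sample, modelled on the debug lines quoted on this page.
SAMPLE_DEBUG = """\
[ra agent event]: DEBUG [base] The X-asa-privilege header value got from aware server is:cisco/15
[ra cli event]: Username not found. Reason: X-Auth-Token
[ra cli event]: Username: - Privilege: 15
X-asa-privilege: /15
[ra agent event]: DEBUG [k] Response: Command authorization failed
"""

# "user/priv" header forwarded to /admin/config; an empty user part is the symptom.
PRIV_HEADER = re.compile(r"^X-asa-privilege:[ \t]*(?P<user>[^/\s]*)/(?P<priv>\d+)", re.M)

def diagnose(debug_text):
    """Return the findings in debug_text that match the symptom on this page."""
    findings = []
    for m in PRIV_HEADER.finditer(debug_text):
        if not m.group("user"):
            findings.append(f"X-asa-privilege has no username (privilege {m.group('priv')})")
    if "Username not found" in debug_text:
        findings.append("no username resolved from the X-Auth-Token")
    if "Command authorization failed" in debug_text:
        findings.append("ASA returned Command authorization failed")
    return findings

def build_cli_request(host, username, password, token, commands):
    """Build, without sending, POST /api/cli with Basic auth and the token."""
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}/api/cli",  # https scheme is an assumption
        data=json.dumps({"commands": commands}).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "X-Auth-Token": token,
            "Authorization": f"Basic {basic}",
        },
    )

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG):
        print(finding)
```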