
OPERATIONAL DEFECT DATABASE
When sending commands to the ASA through the REST API /api/cli component, the response body returns a Command authorization failed message, even though the X-Auth-Token works fine with other components and methods. {response=[Command authorization failed , Command authorization failed ]}
Seen with REST API version 1.3(2) on an ASA running 9.8(4)10 code. When the /cli component is used, the X-Auth-Token does not provide a user, even though the REST API debugs show the privilege parsed as 15.
Use Basic Authentication along with the X-Auth-Token so requests are validated correctly.
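The workaround as a request builder, an added example that is not part of the original bug entry or Cisco's code: it sends the /api/cli body seen in the debug output with both an X-Auth-Token and a Basic Authorization header. The function names, the environment variable names and the JSON shape of the reply (a "response" list, inferred from the response quoted above) are assumptions.

```python
import base64
import json
import os
import ssl
import urllib.request


def build_cli_request(host, token, username, password, commands):
    """Build a POST /api/cli request that carries both credentials."""
    basic = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    body = json.dumps({"commands": list(commands)}).encode("utf-8")
    return urllib.request.Request(
        url=f"https://{host}/api/cli",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "X-Auth-Token": token,
            # Workaround: Basic credentials give the /cli handler a username.
            "Authorization": f"Basic {basic}",
        },
    )


def failed_commands(commands, response_body):
    """Return the commands whose output is the authorization error."""
    outputs = json.loads(response_body).get("response", [])
    return [cmd for cmd, out in zip(commands, outputs)
            if out.strip() == "Command authorization failed"]


def run_cli(host, token, username, password, commands, cafile=None):
    """Send the request over verified TLS and report rejected commands."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate checks stay on
    req = build_cli_request(host, token, username, password, commands)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        body = resp.read().decode("utf-8")
    return body, failed_commands(commands, body)


if __name__ == "__main__":
    # Credentials come from the environment (assumed variable names).
    cmds = ["show startup-config", "show running-config"]
    body, rejected = run_cli(os.environ["ASA_HOST"], os.environ["ASA_TOKEN"],
                             os.environ["ASA_USER"], os.environ["ASA_PASS"], cmds)
    print("rejected:", rejected or "none")
```

Because the Basic header carries the account password on every call, send it only over HTTPS with certificate validation enabled, as `run_cli` does.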
Debug outputs:
HTTP: REST-API - This is a REST API request.
HTTP: REST-API - processing URL '/api/tokenservices' of REST api request from host 10.100.150.45
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
HTTP: processing handoff to legacy admin server [/api/cli]
HTTP: admin session verified = [0]
HTTP MSG: POST /api/cli HTTP/1.1
Host: 10.100.150.50
Accept: */*
User-Agent: REST API Agent
Content-Type: application/json
X-Auth-Token: xxxxxxxxxxxxxxxxxxxxxx
Content-Length: 60
{"commands": ["show startup-config", "show running-config"]}
HTTP: REST-API - This is a REST API request.
HTTP: REST-API - processing URL '/api/cli' of REST api request from host 10.100.150.45
HTTP: REST-API - forwarding REST API request to REST Agent
HTTP: REST-API - content-length: 60
HTTP: REST-API - Bytes to be read (HTTP request method):4
HTTP: REST-API - Bytes to be read (URI until CRLF line)): 227
HTTP: REST-API - Bytes to be read (partial/all message-body): 60
HTTP: REST-API - Length of the entire message-body: 60; content-length: 60
HTTP: REST-API - Length of the entire request: 291
HTTP: REST-API - sending rest request to REST API Agent
[ra client event]: rest_agent_connect: Opening TCP socket to REST API Agent succeeded.
[ra client event]: rest_agent_connect: Connecting to TCP socket succeeded.
[ra client event]: rest_agent_buf_push_and_receive: socks_proxy_csocket_send succeeded.
[ra client event]: rest_agent_buf_push_and_receive: temporarily no message received.
[ra agent event]: 2020-05-11 18:51:14,832 DEBUG [startup] Enter Filter.beforeHandle() for uri:http://10.100.150.50/api/cli
[ra agent event]: 2020-05-11 18:51:14,833 DEBUG [startup] The request URI, canonicalized URI, URLDecoded URI respectively are:http://10.100.150.50/api/cli, http://10.100.150.50/api/cli, http://10.100.150.50/api/cli
[ra cli event]: (236 bytes) GET /admin/exec/show+checksum HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: REST API Agent Java/1.8.0_201
Host: 127.0.0.1:8112
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP MSG: GET /admin/exec/show+checksum HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: REST API Agent Java/1.8.0_201
Host: 127.0.0.1:8112
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP: processing GET URL '/admin/exec/show+checksum' from host REST API Agent
HTTP: user already authenticated, bypass authentication
[ra agent event]: 2020-05-11 18:51:14,833 DEBUG [startup] Exit Filter.beforeHandle() with CONTINUE status for uri:http://10.100.150.50/api/cli
[ra agent event]: 2020-05-11 18:51:14,834 DEBUG [base] Enter b POST
[ra agent event]: 2020-05-11 18:51:14,834 DEBUG [base] Total memory: 27,635,712, max memory: 279,773,184, free memory: 6,161,344
[ra agent event]: 2020-05-11 18:51:14,835 DEBUG [base] The X-asa-privilege header value got from aware server is:cisco/15
Exited from HTTP Cli Exec
[ra cli event]: Sending (154 bytes) to REST agent.
[ra cli event]: (154 bytes) HTTP/1.1 200 OK
Date: Mon, 11 May 2020 18:51:15 UTC
Connection: close
Content-Type: text/plain
Cryptochecksum: b46cb0c1 13f92fd3 40b8e7a2 e10b53ff
[ra cli event]: Payload sent completely.
[ra cli event]: Cleaned the REST API CLI Daemon Thread
[ra agent error]: 2020-05-11 18:51:14,835 ERROR [base] The X-asa-privilege :: username has / <---------------------------------------------
[ra cli event]: Username not found. Reason: X-Auth-Token<---------------------------------------------
[ra cli event]: Username: - Privilege: 15<---------------------------------------------
[ra cli event]: (480 bytes) POST /admin/config HTTP/1.1
Content-Type: text/xml
X-asa-privilege: /15 <---------------------------------------------
Cache-Control: no-cache
Pragma: no-cache
User-Agent: REST API Agent Java/1.8.0_201
Host: 127.0.0.1:8112
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 188
show startup-config show running-config
HTTP MSG: POST /admin/config HTTP/1.1
Content-Type: text/xml
X-asa-privilege: /15
Cache-Control: no-cache
Pragma: no-cache
User-Agent: REST API Agent Java/1.8.0_201
Host: 127.0.0.1:8112
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 188
show startup-config show running-config
HTTP: processing POST URL '/admin/config' from host REST API Agent
HTTP: user already authenticated, bypass authentication
[ra agent event]: 2020-05-11 18:51:14,835 DEBUG [base] The user privilege fetched from X-asa-privilege header is:15
[ra agent event]: 2020-05-11 18:51:14,835 DEBUG [base] Current privilege level: 15
[ra agent event]: 2020-05-11 18:51:14,835 DEBUG [k] Command (http://127.0.0.1:8112/admin/exec/show+checksum) started
[ra agent event]: 2020-05-11 18:51:14,841 DEBUG [k] GET http://127.0.0.1:8112/admin/exec/show+checksum Time=6 msec
[ra agent event]: 2020-05-11 18:51:14,842 DEBUG [startup] Checksum is: b46cb0c1 13f92fd3 40b8e7a2 e10b53ff
[ra agent event]: 2020-05-11 18:51:14,842 DEBUG [base] parseObjectFromRawPayload() input is:{"commands": ["show startup-config", "show running-config"]}
[ra agent event]: 2020-05-11 18:51:14,842 DEBUG [base] The X-asa-privilege header value got from aware server is:cisco/15
[ra agent error]: 2020-05-11 18:51:14,843 ERROR [base] The X-asa-privilege :: username has /
[ra cli event]: Sending (430 bytes) to REST agent.
[ra cli event]: (430 bytes) HTTP/1.1 200 OK
Date: Mon, 11 May 2020 18:51:15 UTC
Connection: close
Content-Type: text/xml
Command authorization failed Command authorization failed
[ra cli event]: Payload sent completely.
[ra cli event]: Cleaned the REST API CLI Daemon Thread
[ra client event]: send_response_to_rest_client: Received response message of length 455 from REST Agent.
[ra client event]: rest_agent_buf_push_and_receive: Received the entire HTTP response of length 455 - closing the connection with REST API Agent.
[ra agent event]: 2020-05-11 18:51:14,843 DEBUG [base] The user privilege fetched from X-asa-privilege header is:15
[ra agent event]: 2020-05-11 18:51:14,843 DEBUG [startup] !!!!!!!!!!!!!!!!!!!Sending following passed in commands to the device: show startup-config show running-config
[ra agent event]: 2020-05-11 18:51:14,844 DEBUG [k] INFO: Cannot read preferences file /nonexistent/.asdm/data/preferences.conf.
[ra agent event]: 2020-05-11 18:51:14,844 DEBUG [k] Command (http://127.0.0.1:8112/admin/config) started
[ra agent event]: 2020-05-11 18:51:14,844 DEBUG [k] POST URL = http://127.0.0.1:8112/admin/config XML: show startup-config show running-config
[ra agent event]: 2020-05-11 18:51:14,854 DEBUG [k] GET http://127.0.0.1:8112/admin/config Time=10 msec
[ra agent event]: 2020-05-11 18:51:14,855 DEBUG [k] Response: Command authorization failed Command authorization failed Response time is 11 milliseconds.
[ra agent event]: 2020-05-11 18:51:14,855 DEBUG [k] (BatchCLI) ASA returned an error.
[ra agent event]: 2020-05-11 18:51:14,855 DEBUG [k] (BatchCLI) ASA returned an error.
[ra agent event]: 2020-05-11 18:51:14,855 DEBUG [startup] ASA Response : com.cisco.pdm.pdmdata.g[ cli = show startup-config errType = 1 errMsg = Command authorization failed ]
[ra agent event]: 2020-05-11 18:51:14,855 DEBUG [startup] Committing passed in commands to Device. DONE. Time taken (ms) 13
[ra agent event]: 2020-05-11 18:51:14,856 DEBUG [base] Inside RestletObject RawJson Serialization : {response=[Command authorization failed , Command authorization failed ]}