Attacker Value: Low

CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability

Disclosure Date: July 22, 2020

Exploitability: Very High (2 users assessed)
Attack Vector: Network
Privileges Required: None
User Interaction: None

Description

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.

Technical Analysis

This just dropped from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

Noted by https://twitter.com/ptswarm/status/1285974719821500423

Looks like there is a PoC already, HT to @ccondon-r7 for spotting: https://twitter.com/aboul3la/status/1286012324722155525

Limited scope in the advisory seems to indicate nothing hugely important would be revealed by this vuln, but it is probably very dependent on the configuration and nature of any company’s particular deployment. And there tends to be a notion that once a path traversal vuln is found, folks often find new ways to expand their scope.

Technical Analysis

SANS ISC has said they’re seeing “small numbers of exploit attempts.” The exploit they’ve detected is identifying vulnerable systems “by reading benign LUA source code files.”

https://isc.sans.edu/diary/26426
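The advisory text above says only that the crafted request carries "directory traversal character sequences" in its URL, and the SANS ISC note reports early probes reading Lua source files. The following detection sketch is an added example, not code from the page, Cisco, Rapid7 or SANS: it decodes request URLs from a combined-format access log (assumed to come from a proxy or WAF in front of the appliance, since the ASA itself does not log in this shape), folds backslashes, and counts `..` steps so single- and double-encoded variants are caught. The log lines, IP addresses and request paths are constructed placeholders, not the real exploit URL.

```python
"""Flag HTTP requests whose URL carries a directory-traversal sequence.
Added example: not from the page, Cisco, Rapid7 or SANS. Assumes a
combined-format access log from a proxy/WAF in front of the device."""
import re
from urllib.parse import unquote

# Constructed sample lines; the request paths are placeholders, not the
# real CVE-2020-3452 URL. Lines 2-4 carry plain, URL-encoded and
# double-encoded traversal sequences; the other lines are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jul/2020:14:01:07 +0000] "GET /portal/index.html HTTP/1.1" 200 1532
203.0.113.11 - - [22/Jul/2020:14:01:09 +0000] "GET /portal/?file=../../config.lua HTTP/1.1" 200 2048
203.0.113.12 - - [22/Jul/2020:14:01:12 +0000] "GET /portal/?file=..%2F..%2Fportal.lua HTTP/1.1" 200 2048
203.0.113.13 - - [22/Jul/2020:14:01:15 +0000] "GET /portal/?file=%252e%252e%252fsecret.lua HTTP/1.1" 200 900
203.0.113.14 - - [22/Jul/2020:14:01:20 +0000] "GET /portal/css/style.css HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
DOTDOT = re.compile(r'\.\.(?:/|$)')


def decode_url(url, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    %252e-style double encoding is unwrapped. Returns (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(url)
        if decoded == url:
            break
        url, rounds = decoded, rounds + 1
    return url, rounds


def traversal_depth(url):
    """Return (normalized_url, decode_rounds, depth); depth is the number
    of '..' steps after decoding and folding backslashes to slashes."""
    decoded, rounds = decode_url(url)
    normalized = decoded.replace("\\", "/")
    return normalized, rounds, len(DOTDOT.findall(normalized))


def scan(log_text):
    """Parse each log line and return a record for every request whose
    URL contains at least one traversal step."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, method, url, status = m.groups()
        normalized, rounds, depth = traversal_depth(url)
        if depth == 0:
            continue
        hits.append({
            "src": src, "time": ts, "method": method, "status": int(status),
            "url": url, "decoded": normalized, "depth": depth,
            "encoded": rounds > 0,          # encoding suggests filter evasion
            # SANS ISC reported early probes reading Lua source files.
            "lua_target": normalized.lower().endswith(".lua"),
        })
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['src']} depth={h['depth']} encoded={h['encoded']} "
              f"lua={h['lua_target']} status={h['status']} {h['decoded']}")
```

The bounded decode loop matters: a single `unquote` would leave the double-encoded line looking benign, while an unbounded loop would let an attacker burn CPU with deeply nested encodings. A 200 status on a flagged request is the signal worth paging on; 4xx responses to the same URLs are more consistent with the opportunistic scanning the assessments describe.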

General Information

Vendors

  • Cisco

Products

  • Cisco Adaptive Security Appliance (ASA) Software

Technical Analysis

On July 22, 2020, Cisco published details on an unauthenticated path traversal vulnerability in the web services interface of their Adaptive Security Appliance (ASA) and Firepower Threat Defense products. Successful exploitation means a remote, unauthenticated attacker can read sensitive files on a target system. CVE-2020-3452 carries a CVSSv3 base score of 7.5. See Cisco’s advisory for full details.

A public proof-of-concept (PoC) for CVE-2020-3452 was released on July 22 by Ahmed Aboul-Ela, the researcher who discovered the vulnerability. There are community reports of opportunistic scanning for the vulnerability, though we do not yet have confirmation of successful widespread exploitation. Rapid7’s Project Sonar has detected more than 85,000 instances of Cisco ASA on the public internet; exposure data in this case is meant to offer a better understanding of known installations and does not imply vulnerability. See Rapid7’s blog for further exposure details.

Affected products include:

  • Cisco products running a vulnerable release of Cisco ASA Software or Cisco FTD Software with a vulnerable AnyConnect or WebVPN configuration. See the Vulnerable Products section of Cisco’s advisory for a table of vulnerable features and configurations: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86#vp
  • Cisco ASA Software releases 9.5 and earlier, Release 9.7, and Cisco FTD Release 6.2.2 have reached the end of software maintenance; organizations running them will have to upgrade to a later, supported release to fix this vulnerability.

Rapid7 analysis: CVE-2020-3452 is limited in scope and impact in that it merely allows an attacker to view files on the web services file system. The vulnerability neither gives an attacker code execution on a vulnerable target system nor offers access to ASA, FTD, or underlying operating system files. That said, the vulnerability is trivial to exploit and may yield information that aids in planning multi-step attacks. Enumerating users, for instance, is often a precursor to a brute force or password spraying attack. If an attacker is able to exploit a vulnerability like this one to build a user list, that attacker can then verify which users have VPN access and target those users specifically.

This latest vulnerability in Cisco’s ASA/Firepower products may also presage another wave of vulnerability research and exploit development attention aimed at CVE-2020-3187.

Guidance: Cisco has provided fixes for all supported versions of ASA and FTD components. Cisco ASA and Firepower customers should patch their installations as soon as is practical.