Attacker Value

Very High

(1 user assessed)

Exploitability

High

(1 user assessed)

User Interaction

CVE-2020-3259

Disclosure Date: May 06, 2020 •

CVE-2020-3259 CVSS v3 Base Score: 7.5

Exploited in the Wild

Reported by inokii and 1 more...
View Source Details

Description

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

Add Assessment

busterb (317)

May 08, 2020 5:57pm UTC (4 years ago)•Edited 8 months ago

Ratings

Attacker Value

Very High

Exploitability

High

Common in enterprise Unauthenticated

Technical Analysis

This at first glance sounds a lot like Heartbleed in severity. If an attacker can leak reused buffers from the heap from an SSL firewall, there is bound to be keying material in those leaked buffers, providing very similar outcomes to heartbleed over time. The question will be what specific content can be leaked, how many times it can be run (you’ll need to do this a lot to probably happen on ‘interesting’ buffers, but who knows?), and how quickly you can get new buffers. This covers a wide range of versions, including at least 4 unsupported versions, which means it will likely be discoverable in the wild for some time.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

cisco

Products

adaptive security appliance software,
firepower threat defense

Exploited in the Wild

Reported by:

inokii indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/02/15/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: February 16, 2024 3:17pm UTC (9 months ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/02/15/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:32am UTC (2 weeks ago)

References

Canonical

CVE-2020-3259 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3259)

Advisory

20200506 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB)

Akira Ransomware using CVE-2020-3259 as initial access vector (https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco-anyconnect-vulnerability-cve-2020-3259)

Rapid7

Very High

CVE-2020-3259

Very High

High

None

None

Network

CVE-2020-3259

Description