CVE-2020-3452 flaw in Cisco ASA/FTD exploited within hours after the disclosure

Cisco fixed CVE-2020-3452, a high-severity path traversal flaw in its firewalls that can be exploited by remote attackers to obtain sensitive files from the targeted system.

Cisco addressed a high-severity path traversal vulnerability in its firewalls, tracked as CVE-2020-3452, that can be exploited by remote attackers to obtain potentially sensitive files from the targeted system.

Cisco pointed out that the attack only allows access to files on the web services file system (e.g. WebVPN configuration, bookmarks, web cookies), not to ASA or FTD system files or files on the underlying operating system.

The vulnerability impacts the web services interface of Cisco’s Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.

The vulnerability can be exploited by an unauthenticated remote attacker by sending an HTTP request with directory traversal character sequences to the targeted device.

The attack is effective only against devices that use the AnyConnect or WebVPN feature with a certain configuration.

“A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system,” reads the advisory published by Cisco.

“The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.”

The issue is caused by the failure to properly verify inputs.
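The check below is an added example, not code from Cisco's advisory or from this article: a log filter that flags HTTP requests whose URL path or query values contain directory traversal sequences, including percent-encoded and double-encoded forms. The log line shape, the client addresses and the paths are constructed for illustration and do not reproduce any ASA/FTD log format.

```python
import re
from urllib.parse import unquote, urlsplit

# A ".." path segment bounded by "/" or "\" (or by the ends of the string).
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Assumed log shape: <client> "<METHOD> <target> HTTP/x.y" <status>
LOG_LINE = re.compile(r'^(\S+) "\S+ (\S+) HTTP/[\d.]+" (\d{3})$')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(request_target):
    """True if the path or any query value contains a '..' path segment."""
    parts = urlsplit(request_target)
    # Split the raw query first, then decode each value on its own.
    values = [pair.partition("=")[2] for pair in parts.query.split("&")]
    return any(TRAVERSAL.search(fully_decode(v)) for v in [parts.path, *values])

def flag_requests(log_lines):
    """Return (client, target, status) for every request carrying traversal."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and has_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 "GET /portal/index.html HTTP/1.1" 200',
    '198.51.100.9 "GET /portal/file?name=../../conf/example.txt HTTP/1.1" 200',
    '203.0.113.4 "GET /portal/file?name=%252e%252e%252fexample.txt HTTP/1.1" 200',
    '203.0.113.5 "GET /portal/..%5c..%5cexample.txt HTTP/1.1" 404',
    '198.51.100.7 "GET /portal/report?range=1..20 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for client, target, status in flag_requests(SAMPLE_LOG):
        # A 200 on a flagged request means the server answered it: triage first.
        print(f"{client} status={status} {target}")
```

The benign `range=1..20` request is not flagged because the dots there are not a path segment; only `..` bounded by a slash, a backslash or the ends of the value counts.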

The CVE-2020-3452 flaw was independently reported to Cisco by Mikhail Klyuchnikov of Positive Technologies and Abdulrahman Nour and Ahmed Aboul-Ela from RedForce.

At the time of the disclosure of the flaw, Cisco revealed it was not aware of any attacks exploiting it. Unfortunately, the first attempts to exploit the vulnerability were observed within hours after the disclosure.

The online availability of PoC exploits for the vulnerability increases the risk of large-scale attacks.

The researcher Aboul-Ela published a PoC exploit on Twitter, while Cognosec researchers published an Nmap script to exploit the flaw.

Cisco has updated its advisory, warning of the active exploitation of the vulnerability in the wild.

Researchers from Rapid7 scanned the Internet for ASA/FTD devices and reported the presence of 85,000 units, 398 of which are spread across 17% of the Fortune 500.

“Since it is difficult (if not impossible) to legally fingerprint Cisco ASA/FTD versions remotely, Rapid7 Labs revisited the “uptime” technique described in a 2016 blog post for another Cisco ASA vulnerability, which shows that only about 10% of Cisco ASA/FTD devices have been rebooted since the release of the patch. This is a likely indicator they’ve been patched (only 27 of the 398 detected in Fortune 500 companies appear to have been patched/rebooted):” states Rapid7.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-3452)

