
Rapid7 Analysis: CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability

Last updated on Jun 16, 2026

On July 22, 2020, Cisco published details on an unauthenticated path traversal vulnerability in the web services interface of their Adaptive Services Appliance (ASA) and Firepower Threat Defense products. Successful exploitation means a remote, unauthenticated attacker can read sensitive files on a target system. CVE-2020-3452 carries a CVSSv3 base score of 7.5. See Cisco’s advisory for full details.

A public proof-of-concept (PoC) for CVE-2020-3452 was released on July 22 by Ahmed Aboul-Ela, the researcher who discovered the vulnerability. There are community reports of opportunistic scanning for the vulnerability, though we do not yet have confirmation of successful widespread exploitation. Rapid7’s Project Sonar has detected more than 85,000 instances of Cisco ASA on the public internet; exposure data in this case is meant to offer a better understanding of known installations and does not imply vulnerability. See Rapid7’s blog for further exposure details.

Affected products include:

  • Cisco products running a vulnerable release of Cisco ASA Software or Cisco FTD Software with a vulnerable AnyConnect or WebVPN configuration. See the Vulnerable Products section of Cisco’s advisory for a table of vulnerable features and configurations: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86#vp
  • Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7, and Cisco FTD Release 6.2.2 have reached the end of software maintenance; organizations running them will have to upgrade to a later, supported release to fix this vulnerability.

Rapid7 analysis: CVE-2020-3452 is limited in scope and impact in that it merely allows an attacker to view files on the web services file system. The vulnerability neither gives an attacker code execution on a vulnerable target system nor offers access to ASA, FTD, or underlying operating system files. That said, the vulnerability is trivial to exploit and may yield information that aids in planning multi-step attacks. Enumerating users, for instance, is often a precursor to a brute force or password spraying attack. If an attacker is able to exploit a vulnerability like this one to build a user list, that attacker can then verify which users have VPN access and target those users specifically.
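A defender-side illustration of the exposure described above, added here and not part of Rapid7's analysis or Cisco's advisory: a small Python detector that runs over constructed web access-log lines, percent-decodes each request (including double-encoded forms), flags requests whose path or query value would climb out of its starting directory, and counts hits per source address to surface opportunistic scanning. The log format, paths and IP addresses are invented for the example; the actual vulnerable endpoint is not reproduced.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Constructed sample access-log lines (not real ASA/FTD logs, not the real
# vulnerable endpoint). Format: client_ip "METHOD target" status
SAMPLE_LOG = """\
203.0.113.7 "GET /webvpn/index.html" 200
203.0.113.7 "GET /webvpn/files/../../../etc/example.conf" 200
198.51.100.9 "GET /webvpn/lang?file=%2e%2e%2f%2e%2e%2fsessions.db" 200
198.51.100.9 "GET /webvpn/lang?file=%252e%252e%252fusers.txt" 200
192.0.2.4 "GET /webvpn/..%5c..%5cconfig" 404
192.0.2.5 "GET /webvpn/css/site.css" 200
"""
LOG_RE = re.compile(r'^(\S+) "(\S+) ([^"]+)" (\d{3})$')

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly (bounded) so a double-encoded '../' is not missed."""
    while rounds and unquote(s) != s:
        s, rounds = unquote(s), rounds - 1
    return s

def climbs_out(value):
    """True if resolving '..' segments would rise above the starting directory."""
    depth = 0
    for seg in value.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def find_traversal(log_text):
    """(ip, status, raw_target) for requests whose decoded path or a query value climbs out."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        path, _, query = decode_fully(target).partition("?")
        values = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
        if any(climbs_out(v) for v in values):
            hits.append((ip, int(status), target))
    return hits

def scanning_sources(hits, threshold=2):
    """Source IPs with at least `threshold` traversal attempts (opportunistic scanning)."""
    return {ip: n for ip, n in Counter(h[0] for h in hits).items() if n >= threshold}
```

A 200 response on a flagged request is the signal worth triage; a 404 still records the probe and the source.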

This latest vulnerability in Cisco’s ASA/Firepower products may also presage another wave of vulnerability research and exploit development attention aimed at CVE-2020-3187.

Guidance: Cisco has provided fixes for all supported versions of ASA and FTD components. Cisco ASA and Firepower customers should patch their installations as soon as is practical.
