CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability: What You Need to Know

On July 22, Cisco released a patch for a high-severity read-only path traversal vulnerability in its Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products. Successful exploitation allows unauthenticated, remote attackers to perform directory traversal attacks and read sensitive files on their chosen targets.


As noted in the AttackerKB information, the vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.


The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files. As of July 22, 14:56 ET, a public proof-of-concept (PoC) had been published by Ahmed Aboul-Ela demonstrating successful exploitation via one path endpoint:


hxxps:///+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../


This was followed up at 23:31 ET (by the same individual) with another path endpoint susceptible to this flaw:


hxxps:///+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua


Mitigating the Cisco ASA / Firepower vulnerability (CVE-2020-3452)


Rapid7 encourages immediate patching of vulnerable ASA/FTD installations to prevent attackers from obtaining sensitive information from these devices.
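Until a device is patched, the two PoC endpoints above give defenders something concrete to hunt for in request logs. The following detector is an added example written for this article; it is not Rapid7's or Cisco's code. It assumes the HTTP requests reaching the ASA/FTD web services have been exported in common log format (for instance from a reverse proxy or packet capture), flags any request to the /+CSCOT+/ tree whose query parameters contain a ".." path segment after URL decoding, and goes slightly beyond the published PoCs by decoding repeatedly so that double-encoded variants (%252e%252e%252f) are caught as well. The log lines are constructed sample data, not real traffic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Both public PoCs target handlers under this prefix (case-insensitive match).
CSCOT_PREFIX = "/+cscot+/"

# A ".." path segment (alone, or bounded by slashes) in a decoded query value.
# The PoCs use "lang=../" and "platform=.." / "resource-type=..".
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Common log format; the request target is what we inspect. Assumed export format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """URL-decode until stable so %252e%252e%252f normalises to '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_cve_2020_3452_probe(target):
    """True if the request target looks like a CVE-2020-3452 traversal attempt."""
    parts = urlsplit(target)
    if not fully_decode(parts.path).lower().startswith(CSCOT_PREFIX):
        return False
    # parse_qsl already decodes one layer (%2b -> '+'); fully_decode handles the rest.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if TRAVERSAL.search(fully_decode(value)):
            return True
    return False


def scan_log(lines):
    """Return (source_ip, target, status) for every line that matches the probe pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cve_2020_3452_probe(m.group("target")):
            hits.append((m.group("src"), m.group("target"), m.group("status")))
    return hits


# Constructed sample log: two PoC-shaped requests, one double-encoded variant,
# and two benign requests to the same web services tree.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jul/2020:01:02:03 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 4312',
    '198.51.100.7 - - [23/Jul/2020:01:02:10 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 1200',
    '203.0.113.5 - - [23/Jul/2020:01:03:00 +0000] "GET /+CSCOT+/oem-customization'
    '?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua HTTP/1.1" 200 4312',
    '203.0.113.5 - - [23/Jul/2020:01:03:30 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=%252e%252e%252f HTTP/1.1" 200 4312',
    '198.51.100.7 - - [23/Jul/2020:01:04:00 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=en HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for src, target, status in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2020-3452 probe from {src} (HTTP {status}): {target}")
```

A 200 status on a flagged request is the case worth escalating, since it suggests the traversal returned file content rather than an error; a burst of flagged requests from one source with mixed statuses usually indicates scanning for the endpoints. The prefix match is deliberately broad, because the vulnerable handlers are not limited to the two names in the PoCs.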
