CVE-2020-3452: Cisco ASA/FTD Arbitrary File Reading Vulnerability Alert
On July 22, Cisco officially released a Path Traversal vulnerability risk notice on the Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software that leads to arbitrary file reading. The vulnerability number is CVE-2020-3452, and the vulnerability level is moderate. 
A vulnerability exists in the web service interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software that allows an unauthenticated remote attacker to send a crafted HTTP request to the affected device. By successfully exploiting the vulnerability, the attacker can perform directory traversal attacks and read sensitive files on the target system. “The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.”
The PoC for this vulnerability is available.
Here is POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.
For example to read "/+CSCOE+/portal_inc.lua" file.
https://<domain>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
Happy Hacking! pic.twitter.com/aBA3R7akkC
— Ahmed Aboul-Ela (@aboul3la) July 22, 2020
Affected version
- Cisco ASA:<= 9.6
- Cisco ASA:9.7, 9.8, 9.9, 9.10, 9.12, 9.13, 9.14
- Cisco FTD:6.2.2 , 6.2.3 , 6.3.0 , 6.4.0 , 6.5.0 , 6.6.0
Cisco ASA:
| Cisco ASA Feature | Vulnerable Configuration |
|---|---|
| AnyConnect IKEv2 Remote Access (with client services) |
crypto ikev2 enable <interface_name> client-services port <port #> |
| AnyConnect SSL VPN |
webvpn enable <interface_name> |
| Clientless SSL VPN |
webvpn enable <interface_name> |
Cisco FTD:
| Cisco FTD Feature | Vulnerable Configuration |
|---|---|
| AnyConnect IKEv2 Remote Access (with client services)1,2 |
crypto ikev2 enable <interface_name> client-services port <port #> |
| AnyConnect SSL VPN1,2 |
webvpn enable <interface_name>
|
Unaffected version
| Cisco ASA Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Earlier than 9.61 | Migrate to a fixed release. |
| 9.6 | 9.6.4.42 |
| 9.71 | Migrate to a fixed release. |
| 9.8 | 9.8.4.20 |
| 9.9 | 9.9.2.74 |
| 9.10 | 9.10.1.42 |
| 9.12 | 9.12.3.12 |
| 9.13 | 9.13.1.10 |
| 9.14 | 9.14.1.10 |
| Cisco FTD Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Earlier than 6.2.2 | Not vulnerable. |
| 6.2.2 | Migrate to a fixed release. |
| 6.2.3 | 6.2.3.16 |
| 6.3.0 | Migrate to 6.4.0.9 + Hot Fix or to 6.6.0.1 or 6.3.0.5 + Hot Fix1 (August 2020) or 6.3.0.6 (Fall 2020) |
| 6.4.0 | 6.4.0.9 + Hot Fix1 or 6.4.0.10 (August 2020) |
| 6.5.0 | Migrate to 6.6.0.1 or 6.5.0.4 + Hot Fix1 (August 2020) or 6.5.0.5 (Fall 2020) |
| 6.6.0 | 6.6.0.1 |
