November 24, 2020

CVE-2020-3452: Cisco ASA/FTD Arbitrary File Reading Vulnerability Alert

1 min read

On July 22, Cisco officially released a Path Traversal vulnerability risk notice on the Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software that leads to arbitrary file reading. The vulnerability number is CVE-2020-3452, and the vulnerability level is moderate.

A vulnerability exists in the web service interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software that allows an unauthenticated remote attacker to send a crafted HTTP request to the affected device. By successfully exploiting the vulnerability, the attacker can perform directory traversal attacks and read sensitive files on the target system. “The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.”

The PoC for this vulnerability is available.

Affected version

  • Cisco ASA:<= 9.6
  • Cisco ASA:9.7, 9.8, 9.9, 9.10, 9.12, 9.13, 9.14
  • Cisco FTD:6.2.2 , 6.2.3 , 6.3.0 , 6.4.0 , 6.5.0 , 6.6.0
The vulnerable configuration is as follows

Cisco ASA:

Cisco ASA Feature Vulnerable Configuration
AnyConnect IKEv2 Remote Access (with client services)
crypto ikev2 enable <interface_name> client-services port <port #>
AnyConnect SSL VPN
webvpn
 enable <interface_name>
Clientless SSL VPN
webvpn
 enable <interface_name>

Cisco FTD:

Cisco FTD Feature Vulnerable Configuration
AnyConnect IKEv2 Remote Access (with client services)1,2
crypto ikev2 enable <interface_name> client-services port <port #>
AnyConnect SSL VPN1,2
webvpn
 enable <interface_name>

 

Unaffected version

Cisco ASA Software Release First Fixed Release for This Vulnerability
Earlier than 9.61 Migrate to a fixed release.
9.6 9.6.4.42
9.71 Migrate to a fixed release.
9.8 9.8.4.20
9.9 9.9.2.74
9.10 9.10.1.42
9.12 9.12.3.12
9.13 9.13.1.10
9.14 9.14.1.10
Cisco FTD Software Release First Fixed Release for This Vulnerability
Earlier than 6.2.2 Not vulnerable.
6.2.2 Migrate to a fixed release.
6.2.3 6.2.3.16
6.3.0 Migrate to 6.4.0.9 + Hot Fix or to 6.6.0.1
or
6.3.0.5 + Hot Fix1 (August 2020)
or
6.3.0.6 (Fall 2020)
6.4.0 6.4.0.9 + Hot Fix1
or
6.4.0.10 (August 2020)
6.5.0 Migrate to 6.6.0.1
or
6.5.0.4 + Hot Fix1 (August 2020)
or
6.5.0.5 (Fall 2020)
6.6.0 6.6.0.1

Solution

In this regard, we recommend that users install the latest patches for Cisco ASA/TFD in time to avoid hacker attacks.