Vulnerability Notice: CVE-2020-3452

Vendor:
Cisco

Affected Product:
Cisco Adaptive Security Appliance (ASA) Software 9.8.2.24, Firepower Threat Defense, Cisco Adaptive Security Appliance (ASA) Software 9.12.1.2

CVSS SCORE:
7.5 of 10 (High)

Risk Index:
9.91 of 10 (Critical)

Description

A critical vulnerability has been identified in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. This vulnerability may allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system due to improper input validation of URLs in HTTP requests processed by the affected devices.

Affected Product(s)

  • Cisco Adaptive Security Appliance (ASA) Software, specifically versions 9.6.x, 9.7.x, 9.8.x, 9.9.x, 9.10.x, 9.12.x, 9.13.x, 9.14.x
  • Cisco Firepower Threat Defense (FTD) Software, specifically versions 6.2.2, 6.2.3, 6.3.x, 6.4.x, 6.5.x, 6.6.x

Technical Details

This vulnerability stems from improper input validation of URLs in HTTP requests processed by the affected Cisco devices. As a result, an attacker can exploit this weakness by sending a crafted HTTP request containing directory traversal sequences to an affected device. 

This attack targets the web services file system, enabled when the affected device is configured with either WebVPN or AnyConnect features. Successful exploitation allows the attacker to view arbitrary files within the web services file system on the targeted device but does not grant access to ASA or FTD system files or underlying operating system (OS) files. 

The issue was first reported and addressed in Cisco’s security advisory cisco-sa-asaftd-ro-path-KJuQhB86. It reflects a systematic failure in how URL inputs are handled and processed by the web services interface. The directory traversal attack leverages character sequences such as “../” to navigate the directory structure and access unintended files. 

This vulnerability is tracked as CVE-2020-3452 and is rated with a CVSSv3 score of 7.5 (High severity). The vulnerable releases span both ASA and FTD software trains. For instance, Cisco ASA Software versions 9.6.x and earlier through 9.6.4.41, 9.7.x, 9.8.x through 9.8.4.19, 9.9.x through 9.9.2.73, 9.10.x through 9.10.1.41, 9.12.x through 9.12.3.11, 9.13.x through 9.13.1.9, and 9.14.x through 9.14.1.9 are affected, along with several releases of Cisco FTD Software.

The exploitation technique often involves tools and scripts that send specially crafted HTTP requests. One published proof of concept (PoC) uses curl to issue such a request:

`curl -s -k "https://[TARGET_IP]/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=..%2f"`

This PoC demonstrates how an attacker can manipulate URL paths to access files residing in unauthorized directories.

Cybersecurity researchers and threat actors alike have developed Python scripts and scanning tools to automate the detection and exploitation of CVE-2020-3452. The underlying weaknesses, improper input validation and path traversal, are fundamental security flaws catalogued as CWE-20 and CWE-22 respectively.

This vulnerability demonstrates significant potential for misuse, particularly in environments where WebVPN or AnyConnect functionalities are extensively deployed, providing ample attack vectors for threat actors.

Weakness

This vulnerability is associated with two primary weaknesses: improper input validation (CWE-20) and improper limitation of a pathname to a restricted directory (Path Traversal, CWE-22). The failure to properly validate input allows malicious actors to inject directory traversal sequences in HTTP requests, thus bypassing security protocols designed to restrict directory access.

Impact Assessment

If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive information by reading arbitrary files within the web services file system on the targeted device. An attacker could impersonate another VPN user and establish a Clientless SSL VPN or AnyConnect VPN session to the device as that user. This would enable them to access sensitive data within the web services interface, posing significant risks to the organization’s data integrity and confidentiality.

Active Exploitation

There have been instances of active exploitation of this vulnerability. Adversary groups have leveraged the CVE-2020-3452 flaw to conduct reconnaissance and gather sensitive information from vulnerable Cisco ASA and FTD devices. Scripts and tools facilitating these attacks have been publicly disclosed, increasing the likelihood of exploitation.

Threat Actors: none specified in the available data.

Ransomware Association

While there’s no direct evidence linking this vulnerability to specific ransomware strains, the unauthorized file access facilitated by CVE-2020-3452 can potentially be employed as an initial access vector for broader ransomware campaigns, exploiting the compromised information to further propagate within the network.

Mitigation and Resolution

Cisco has released patches and updates to address this vulnerability. Customers are strongly advised to upgrade to a fixed version of ASA and FTD software. The list of fixed versions includes ASA Software 9.6.4.42, 9.8.4.20, 9.10.1.42, and later, as well as FTD Software 6.2.3.16, 6.3.0.6, and later. Always adhere to Cisco’s recommended updates and apply security patches promptly to mitigate risks related to CVE-2020-3452.

Recommendations

  • We strongly recommend that all customers apply the latest patches as soon as possible.
  • Upgrade to a non-vulnerable version of Cisco ASA or FTD software based on Cisco’s official advisory documents.
  • Disable WebVPN or AnyConnect features if they are not critically required for business operations.
  • Implement network monitoring tools to detect anomalous HTTP requests indicative of directory traversal attacks.
  • Configure firewalls and intrusion prevention systems (IPS) to block traffic patterns matching exploitation attempts of CVE-2020-3452.
  • Conduct regular audits and vulnerability assessments to identify and remediate similar flaws promptly.
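As an added example (not part of this notice or of Cisco's advisory), the following Python routine implements the monitoring check recommended above: it parses constructed web-proxy log lines, percent-decodes each request target, and flags any request whose path or query value resolves to a `..` segment. The same decode-then-check logic is what server-side input validation must apply; matching on the literal "../" alone misses the encoded form used in the PoC quoted under Technical Details.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines in combined-log style (not real traffic). The second
# line carries the request target from the notice's PoC; the rest are benign lookalikes.
SAMPLE_LOGS = [
    '203.0.113.5 - - [22/Jul/2020:10:01:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 4312',
    '203.0.113.9 - - [22/Jul/2020:10:01:07 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=..%2f HTTP/1.1" 200 1024',
    '198.51.100.2 - - [22/Jul/2020:10:02:11 +0000] "GET /+CSCOE+/files?name=q3..report.pdf HTTP/1.1" 200 900',
    '198.51.100.7 - - [22/Jul/2020:10:02:40 +0000] "GET /?next=/%2bCSCOE%2b/portal.html HTTP/1.1" 302 0',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A '..' that forms a whole path segment: start or '/' before it, '/' or end after it.
TRAVERSAL_SEG = re.compile(r'(?:^|/)\.\.(?:/|$)')


def fully_decode(value, max_rounds=3):
    # Percent-decode until stable (bounded) so encoded separators such as %2f are
    # compared in decoded form; a raw string match on "../" would miss the PoC.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target):
    # True if the path or any query value contains a '..' segment after decoding.
    parts = urlsplit(target)
    candidates = [parts.path] + [pair.partition('=')[2] for pair in parts.query.split('&')]
    return any(TRAVERSAL_SEG.search(fully_decode(c).replace('\\', '/')) for c in candidates)


def scan_logs(lines):
    # One record per request with a traversal segment; note whether it reached a
    # WebVPN (+CSCO*) handler and what status the device served.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        target = m.group('target')
        if has_traversal(target):
            hits.append({'ip': m.group('ip'), 'target': target, 'status': m.group('status'),
                         'webvpn_handler': target.startswith('/+CSCO')})
    return hits
```

A hit with status 200 on a `+CSCOT+` handler is the pattern to alert on; a 404 or 403 for the same request still indicates scanning activity worth recording.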

View In Platform

https://vi.securin.io/vulnerability/detail/cve-2020-3452