SecPod Labs: Cisco Read-Only Path Traversal Vulnerability (CVE-2020-3452)

Cisco has released a Security Advisory for CVE-2020-3452, a read-only path traversal vulnerability that is being actively exploited worldwide. The flaw in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to perform directory traversal attacks and read sensitive files on the system.

Rapid7 researchers found over 85,000 internet-accessible ASA/FTD devices, a serious exposure that should be treated with concern, using an "uptime" technique: hping is used to derive device uptime from timestamps, which shows whether a device has been rebooted (as installing the patch requires) since the fix was released. Systems whose uptime exceeds the time since the patch release are considered still vulnerable. The researchers also noted that only about 10% of the ASA/FTD devices had been rebooted (patched) since the updates were released, leaving a large number of devices that could be exploited in the near future if they are not updated as soon as possible.


Vulnerability Details:

The vulnerability exists in affected devices because of a lack of proper input validation of HTTP requests in the web services interface of ASA/FTD. It can be exploited by sending a crafted HTTP request containing directory traversal character sequences to an affected device. On successful exploitation, an attacker can read arbitrary files only within the web services file system, which may nevertheless contain information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs. According to Cisco, this vulnerability cannot be used to access ASA or FTD system files or files of the underlying operating system (OS).

On affected devices, the web services file system is enabled when the device is configured with either the WebVPN or the AnyConnect feature.

A typical crafted HTTP request exploiting this vulnerability to fetch the contents of the file "portal_inc.lua" on affected Cisco ASA and Cisco Firepower devices is given below:

https://<domain>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../

Figure: Exploiting CVE-2020-3452

Command used:

curl -k "https://<domain>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../"


Publicly available PoC:

Proof-of-concept code for this vulnerability is publicly available.


Impact:

This vulnerability allows an unauthenticated, remote attacker to perform directory traversal attacks and read sensitive files on a targeted system.


Affected Versions:

The vulnerability affects Cisco devices running a vulnerable release of Cisco ASA/FTD software with a vulnerable configuration of AnyConnect or WebVPN.

Vulnerable ASA Software Features:

  • AnyConnect IKEv2 Remote Access (with client services)
    Vulnerable Configuration:
      crypto ikev2 enable <interface_name> client-services port <port #>
  • AnyConnect SSL VPN
    Vulnerable Configuration:
      webvpn
       enable <interface_name>
  • Clientless SSL VPN
    Vulnerable Configuration:
      webvpn
       enable <interface_name>

Vulnerable FTD Software Features:

  • AnyConnect IKEv2 Remote Access (with client services)
    Vulnerable Configuration:
      crypto ikev2 enable <interface_name> client-services port <port #>
  • AnyConnect SSL VPN
    Vulnerable Configuration:
      webvpn
       enable <interface_name>

Only the products listed in the Vulnerable Products section of the advisory are known to be affected by this vulnerability. Cisco has also confirmed that this vulnerability does not affect Cisco Firepower Management Center (FMC) Software.
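As an added example (not code from the original post or from Cisco), the following Python checker parses a constructed ASA running-config excerpt and reports which of the vulnerable configurations listed above are present. It covers only the configuration half of the exposure condition; the affected software releases are not listed on this page, so the version check is left to the advisory.

```python
import re
from typing import List

# Constructed sample running-config excerpts (not taken from a real device).
ASA_CONFIG_VULNERABLE = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
"""

ASA_CONFIG_SAFE = """\
interface GigabitEthernet0/0
 nameif outside
!
webvpn
 anyconnect enable
"""

# Top-level 'crypto ikev2 enable <if> client-services port <n>' line.
IKEV2_RE = re.compile(r"^crypto ikev2 enable (\S+) client-services port (\d+)$")


def exposed_web_services(config: str) -> List[str]:
    """Return findings for each vulnerable-configuration entry from the advisory.

    ASA configs nest sub-commands with a single leading space, so 'enable <if>'
    only counts when it sits directly under a top-level 'webvpn' block.
    """
    findings = []
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indented = line.startswith(" ")
        stripped = line.strip()
        if not indented:
            m = IKEV2_RE.match(stripped)
            if m:
                findings.append(f"ikev2 client-services on {m.group(1)} port {m.group(2)}")
            in_webvpn = stripped == "webvpn"  # track entry into the webvpn block
            continue
        if in_webvpn:
            parts = stripped.split()
            if len(parts) == 2 and parts[0] == "enable":
                findings.append(f"webvpn enabled on {parts[1]}")
    return findings


def is_exposed(config: str) -> bool:
    """True when any vulnerable configuration is present."""
    return bool(exposed_web_services(config))
```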


Solution:

Cisco has published a security advisory addressing CVE-2020-3452.
We strongly recommend installing security updates without any delay.

Publisher: SecPod Technologies
  1. Do we have any IOCs for this vulnerability? If it is being exploited, where is the evidence? There is no information online as to what to look out for. What type of threat actor is actively using this?

    • Cisco has confirmed that this vulnerability is being actively exploited in the advisory. In this article, we have included technical details about this vulnerability.
