The flaw exists in Cisco's Firepower Threat Defense (FTD) network security software and its Adaptive Security Appliance (ASA) software.
The vulnerability (CVE-2020-3452), which results from improper input validation of URLs in HTTP requests processed by affected devices, can lead to the exposure of sensitive data on Cisco networks.
Cisco said, “it’s not aware of any malicious exploits for the vulnerability – however, it is aware of proof-of-concept (POC) exploit code released Wednesday by security researcher Ahmed Aboul-Ela.”
This vulnerability allows attackers to conduct directory traversal attacks. A directory traversal attack is an HTTP attack that enables bad actors to access restricted directories and execute commands outside of the web server's root directory.
“The flaw exists in the web services interface of Cisco’s Firepower Threat Defense (FTD) software. This is part of its suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.”
Cisco has explained that the recent vulnerability affects only users running an older release of Cisco ASA Software or Cisco FTD Software with a vulnerable WebVPN or AnyConnect configuration.
What this flaw means for Cisco is that a threat actor can only access files stored within the web services file system, which is enabled for specific WebVPN and AnyConnect features and contains information such as WebVPN configuration, bookmarks, web cookies, partial web content and HTTP URLs.
According to Cisco’s advisory, “the web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. However, this vulnerability can’t be used to obtain access to ASA or FTD system files or the underlying operating system (OS) files.”
Also, “an attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.”
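As an added illustration (not part of this article or of Cisco's advisory), the following Python script shows how a defender might scan web access logs for the kind of request the advisory describes: a URI carrying directory traversal sequences aimed at the WebVPN web services paths under /+CSCOE+/. The log lines are constructed samples in Common Log Format, the /+CSCOE+/logon.html path stands in for ordinary WebVPN login traffic, and the traversal payloads are generic placeholders rather than the published proof of concept. The script percent-decodes each URI repeatedly before matching, because a double-encoded "..%252f" slips past a naive string search for "../".

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
# 203.0.113.0/24 is a documentation address range; the traversal payloads are
# generic placeholders, not the published proof of concept.
SAMPLE_LOGS = [
    '203.0.113.10 - - [23/Jul/2020:10:01:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 5120',
    '203.0.113.11 - - [23/Jul/2020:10:01:09 +0000] "GET /+CSCOE+/../../portal_inc.lua HTTP/1.1" 200 812',
    '203.0.113.12 - - [23/Jul/2020:10:02:15 +0000] "GET /+CSCOE+/%2e%2e/%2e%2e/files HTTP/1.1" 404 0',
    '203.0.113.13 - - [23/Jul/2020:10:03:40 +0000] "GET /images/logo.png?ref=..%252f..%252fetc HTTP/1.1" 200 0',
    '203.0.113.14 - - [23/Jul/2020:10:04:01 +0000] "GET /+CSCOE+/logon.html?ver=1..2 HTTP/1.1" 200 5120',
]

# Common Log Format: client, ident, user, [timestamp], "method uri proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# ".." followed by a separator, or a trailing "/..": the shapes that climb a directory.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]|[\\/]\.\.$')

# Path prefix of the ASA/FTD WebVPN web services interface named in the advisory.
WEBVPN_PREFIX = '/+CSCOE+/'


def fully_decode(uri, max_rounds=3):
    """Percent-decode until stable so double-encoded '..' (%252e%252e) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def has_traversal(uri):
    """True if the decoded, separator-normalised URI contains a directory traversal step."""
    normalised = fully_decode(uri).replace('\\', '/')
    return TRAVERSAL_RE.search(normalised) is not None


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return one alert per request whose URI carries a traversal sequence.

    Severity is 'high' when the request touched the WebVPN web services path
    and the server answered 2xx (content may have been served), else 'medium'.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not has_traversal(rec['uri']):
            continue
        decoded = fully_decode(rec['uri'])
        served = rec['status'].startswith('2')
        severity = 'high' if WEBVPN_PREFIX in decoded and served else 'medium'
        alerts.append({
            'ip': rec['ip'],
            'timestamp': rec['ts'],
            'uri': rec['uri'],
            'decoded_uri': decoded,
            'status': rec['status'],
            'severity': severity,
        })
    return alerts


if __name__ == '__main__':
    for alert in scan(SAMPLE_LOGS):
        print(f"[{alert['severity']:6}] {alert['ip']} {alert['status']} {alert['decoded_uri']}")
```

Run against the constructed samples, the scanner flags three of the five lines and leaves the two ordinary login requests alone, including the one whose query string contains ".." without a separator. A 2xx response to a traversal request against /+CSCOE+/ is ranked highest because, per the advisory, that is the condition under which web services files may actually have been disclosed; such hosts are the first to check for the vulnerable WebVPN or AnyConnect configuration and update.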
Here is a PoC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.
For example, to read the "/+CSCOE+/portal_inc.lua" file.
Happy Hacking! pic.twitter.com/aBA3R7akkC
— Ahmed Aboul-Ela (@aboul3la) July 22, 2020
“This vulnerability… is highly dangerous,” said Mikhail Klyuchnikov of Positive Technologies, who is credited with independently reporting the flaw (along with Ahmed Aboul-Ela of RedForce), in a statement. “The cause is a failure to verify inputs sufficiently. An attacker can send a specially crafted HTTP request to gain access to the file system (RamFS), which stores data in RAM.”
An earlier round of vulnerabilities came in May, when Cisco fixed 12 high-severity vulnerabilities across its ASA and FTD network security products.
In light of the flaw, Klyuchnikov has urged Cisco users to update their Cisco ASA software.