Vulnerability in Cisco Firewalls Exploited Shortly After Disclosure

Cisco this week informed customers that it has patched a high-severity path traversal vulnerability in its firewalls that can be exploited remotely to obtain potentially sensitive files from the targeted system. The first attempts to exploit the flaw were observed shortly after disclosure.

The vulnerability, identified as CVE-2020-3452, impacts the web services interface of Cisco’s Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software, which run on the company’s firewalls.

According to the networking giant, an attacker can exploit the vulnerability without authentication by sending an HTTP request with directory traversal character sequences to the targeted device. However, the company pointed out that the attack only works if the device uses the AnyConnect or WebVPN feature with a certain configuration.

Cisco has also highlighted that exploiting the vulnerability only allows the attacker to access files on the web services file system, not ASA or FTD system files or files on the underlying operating system.

“The web services files that the attacker can view may have information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs,” Cisco explained.

The vulnerability was reported to Cisco by Mikhail Klyuchnikov of Positive Technologies and independently by Abdulrahman Nour and Ahmed Aboul-Ela of RedForce.

“The cause [of the vulnerability] is a failure to sufficiently verify inputs,” Klyuchnikov explained. “An attacker can send a specially crafted HTTP request to gain access to the file system (RamFS), which stores data in RAM. Thus an attacker could read certain WebVPN files containing such information as the WebVPN configuration of Cisco ASA users, bookmarks, cookies, web content, and HTTP URLaddresses.”

Cisco initially said it was not aware of any attacks exploiting CVE-2020-3452, but within hours the company updated its advisory to inform customers that a PoC exploit had been made available.

Aboul-Ela published a PoC exploit on Twitter and others published an NMAP script for it. Cisco’s advisory was again updated roughly 24 hours after disclosure to say that the company had become aware of “active exploitation of the vulnerability.” No details appear to have been made available on these attacks.

Rapid7 reported seeing 85,000 ASA/FTD devices on the internet, including 398 spread across 17% of the Fortune 500 companies. Only roughly 10% of the exposed devices have been rebooted since the release of the patch, which indicates that they have likely been patched.

Related: Cisco Patches High Severity Vulnerabilities in Security Products

Related: Cisco Patches Dozen Vulnerabilities in Industrial Routers

Related: Cisco Patches Vulnerabilities in Small Business Routers, Switches