Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Vulnerability in Cisco Firewalls Exploited Shortly After Disclosure

Cisco this week informed customers that it has patched a high-severity path traversal vulnerability in its firewalls that can be exploited remotely to obtain potentially sensitive files from the targeted system. The first attempts to exploit the flaw were observed shortly after disclosure.

Cisco this week informed customers that it has patched a high-severity path traversal vulnerability in its firewalls that can be exploited remotely to obtain potentially sensitive files from the targeted system. The first attempts to exploit the flaw were observed shortly after disclosure.

The vulnerability, identified as CVE-2020-3452, impacts the web services interface of Cisco’s Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software, which run on the company’s firewalls.

According to the networking giant, an attacker can exploit the vulnerability without authentication by sending an HTTP request with directory traversal character sequences to the targeted device. However, the company pointed out that the attack only works if the device uses the AnyConnect or WebVPN feature with a certain configuration.

Cisco has also highlighted that exploiting the vulnerability only allows the attacker to access files on the web services file system, not ASA or FTD system files or files on the underlying operating system.

“The web services files that the attacker can view may have information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs,” Cisco explained.

The vulnerability was reported to Cisco by Mikhail Klyuchnikov of Positive Technologies and independently by Abdulrahman Nour and Ahmed Aboul-Ela of RedForce.

“The cause [of the vulnerability] is a failure to sufficiently verify inputs,” Klyuchnikov explained. “An attacker can send a specially crafted HTTP request to gain access to the file system (RamFS), which stores data in RAM. Thus an attacker could read certain WebVPN files containing such information as the WebVPN configuration of Cisco ASA users, bookmarks, cookies, web content, and HTTP URLaddresses.”

Cisco initially said it was not aware of any attacks exploiting CVE-2020-3452, but within hours the company updated its advisory to inform customers that a PoC exploit had been made available.

Advertisement. Scroll to continue reading.

Aboul-Ela published a PoC exploit on Twitter and others published an NMAP script for it. Cisco’s advisory was again updated roughly 24 hours after disclosure to say that the company had become aware of “active exploitation of the vulnerability.” No details appear to have been made available on these attacks.

Rapid7 reported seeing 85,000 ASA/FTD devices on the internet, including 398 spread across 17% of the Fortune 500 companies. Only roughly 10% of the exposed devices have been rebooted since the release of the patch, which indicates that they have likely been patched.

Related: Cisco Patches High Severity Vulnerabilities in Security Products

Related: Cisco Patches Dozen Vulnerabilities in Industrial Routers

Related: Cisco Patches Vulnerabilities in Small Business Routers, Switches

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Jessica Newman has joined Sophos as General Manager of Global Cyber Insurance.

Breach and attack simulation solutions provider AttackIQ has appointed Pete Luban as Field Chief Information Security Officer.

Matthew Cowell has assumed the role of VP of Strategic Alliances at Nozomi Networks. He previously served in the same role at Dragos.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.