Security company finds hackers already exploiting the CVE-2020-3452 Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Vulnerability
A high-severity vulnerability discovered in Cisco’s network security software, Adaptive Security Appliance, and Firepower Threat Defense could leak sensitive data such as WebVPN configurations and web cookies to potential hackers.
The flaw, assigned the identifier CVE-2020-3452, exists in the web services interface of Cisco’s Firepower Threat Defense (FTD) software, part of its suite of network security and traffic management products, and of its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.
“An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device,” according to a Wednesday advisory from Cisco. “A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.”
Though Cisco has patched the vulnerability, security research firm Rapid7 says “only about 10% of Cisco ASA/FTD devices have been rebooted since the release of the patch.” Rapid7 says that this indicates only 27 of the 398 Fortune 500 companies using the vulnerable Cisco product have been patched.
The flaw was reported to Cisco by Mikhail Klyuchnikov of Positive Technologies and by Abdulrahman Nour and Ahmed Aboul-Ela of RedForce.
Ok, as many people requested, here is the POC of CVE-2020-3187 – unauthenticated arbitrary file deletion in Cisco ASA/FTD.
Example to delete logo file "/+CSCOU+/csco_logo.gif".
curl -H "Cookie: token=../+CSCOU+/csco_logo.gif" https://target/+CSCOE+/session_password.html pic.twitter.com/BFbDAI9mX2
— Ahmed Aboul-Ela (@aboul3la) July 24, 2020
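The Cisco advisory describes the vector as directory traversal sequences in a crafted request to the web services interface, and the tweet above shows the same `+CSCOE+`/`+CSCOU+` path style with the sequence carried in a Cookie header. As an added example that is not from the article, Cisco or the researchers, the following Python detector flags such requests in a constructed, simplified access-log format (source IP, method, path, Cookie header); real ASA/FTD logs differ, and the prefix regex and decoding depth are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample in a simplified access-log format (not real ASA logs):
# "<src_ip> <method> <path> <cookie header or '-'>", one request per line.
SAMPLE_LOG = """\
203.0.113.7 GET /+CSCOE+/logon.html webvpn=abc123
203.0.113.9 GET /+CSCOE+/session_password.html token=../+CSCOU+/csco_logo.gif
203.0.113.9 GET /+CSCOE+/..%2F..%2F+CSCOU+/csco_logo.gif -
203.0.113.9 GET /+CSCOE+/..%252F..%252F+CSCOU+/csco_logo.gif -
198.51.100.4 GET /+CSCOU+/csco_logo.gif -
198.51.100.5 GET /index.html session=../foo
"""

# ASA/FTD web services (WebVPN) paths use the +CSCO?+ prefixes seen in the tweet above (assumed pattern).
ASA_WEB_PREFIX = re.compile(r"/\+CSCO[A-Z]\+/")
# A ".." segment followed by a slash or backslash, checked after decoding.
TRAVERSAL = re.compile(r"\.\.[\\/]")

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded traversal (%252e%252e%252f) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(path, cookie):
    """True for a request to the ASA/FTD web services interface whose path or
    Cookie header carries a directory traversal sequence."""
    if not ASA_WEB_PREFIX.search(fully_decode(path)):
        return False
    return any(TRAVERSAL.search(fully_decode(field)) for field in (path, cookie))

def scan_log(text):
    """Return (source IP, raw path) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        src, _method, path, cookie = parts
        if is_suspicious(path, cookie):
            hits.append((src, path))
    return hits
```

Requests with traversal outside the `+CSCO?+` prefixes (the last sample line) are deliberately not flagged here; widen the prefix check if you want a generic traversal alert.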
Immediately after Cisco’s advisory, Cognosec researchers published an Nmap script to exploit the flaw.
— Cognosec (@Cognosec) July 23, 2020
Attackers appear to have started targeting vulnerable Cisco ASA/FTD devices right after the PoC was published, and CVE-2020-3452 looks like a very lucrative flaw for cybercriminals. Rapid7’s honeypot network, Project Heisenberg, observed the IPv4 address 46[.]30.189.6 scanning for Cisco ASAs internet-wide across 560 ports even before the vulnerability was disclosed.
Cisco ASA/FTD devices have been plagued by vulnerabilities. Earlier, in May, Cisco fixed 12 high-severity vulnerabilities that could have resulted in denial-of-service (DoS) attacks and leaks of sensitive data.