External risk intelligence

Cisco ASA/FTD: Unauthorized Access to Web Services Files.

CVE advisory

Known Exploit

CVE-2020-3452

A vulnerability in Cisco ASA and FTD software allows an unauthenticated attacker to read sensitive files via directory traversal. This impacts organizations by potentially exposing internal data. The realistic business risk involves unauthorized access to system files when WebVPN or AnyConnect is enabled.

Halo Surface Signal: 5

Path Traversal

Cisco Adaptive Security Appliance Software

  • 9.6 to before 9.6.4.42
  • 9.8 to before 9.8.4.20
  • 9.9 to before 9.9.2.74
  • 9.10 to before 9.10.1.42
  • 9.12 to before 9.12.3.12
  • 9.13 to before 9.13.1.10
  • 9.14 to before 9.14.1.10
  • 6.2.3 to before 6.2.3...
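To turn the affected-version list above into an inventory check, here is an added Python example (not Cisco's tooling and not part of this page) that decides whether an ASA software version string falls inside one of the listed ranges. The ranges are exactly the ones listed above; the helper names parse_version(), affected_range() and triage_inventory() are ours, and the FTD 6.2.3 range is left out because the page truncates its fixed version. Accepting the "9.8(4)20" form printed by `show version` alongside "9.8.4.20" is an assumption about the input you will paste in.

```python
"""Check Cisco ASA software versions against the affected ranges listed for CVE-2020-3452.

Added example (not Cisco's or the page's own tooling). The ranges below are the ones the
page lists; helper names such as affected_range() and triage_inventory() are ours.
"""
from typing import Dict, List, Optional, Tuple

# (first affected release, first fixed release) for each ASA train named on the page.
# A version is affected when first_affected <= version < first_fixed.
# The FTD 6.2.3 range is left out: the page truncates its fixed version.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("9.6", "9.6.4.42"),
    ("9.8", "9.8.4.20"),
    ("9.9", "9.9.2.74"),
    ("9.10", "9.10.1.42"),
    ("9.12", "9.12.3.12"),
    ("9.13", "9.13.1.10"),
    ("9.14", "9.14.1.10"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.8.4.20' or the 'show version' form '9.8(4)20' into a comparable int tuple."""
    normalized = version.strip().replace("(", ".").replace(")", ".")
    parts = [p for p in normalized.split(".") if p]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ASA version string: {version!r}")
    return tuple(int(p) for p in parts)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (first_affected, first_fixed) range the version falls in, or None.

    Tuple comparison handles trains of differing length correctly:
    (9, 8) <= (9, 8, 4, 19) < (9, 8, 4, 20).
    """
    parsed = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= parsed < parse_version(first_fixed):
            return (first_affected, first_fixed)
    return None


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to a one-line triage verdict.

    'not in a listed affected range' only means the version is outside the ranges
    on this page; trains the page does not list (e.g. 9.7) still need checking
    against the vendor advisory.
    """
    verdicts: Dict[str, str] = {}
    for device, version in inventory.items():
        hit = affected_range(version)
        if hit is None:
            verdicts[device] = f"{version}: not in a listed affected range"
        else:
            verdicts[device] = (
                f"{version}: AFFECTED (train {hit[0]}, first fixed release {hit[1]})"
            )
    return verdicts


if __name__ == "__main__":
    # Constructed inventory; device names and versions are illustrative only.
    sample = {"edge-fw-1": "9.8(4)19", "edge-fw-2": "9.12.3.12", "dc-fw-1": "9.14(1)9"}
    for device, verdict in triage_inventory(sample).items():
        print(f"{device}: {verdict}")
```

Run it against the versions your devices report; a device that lands outside every listed range is not automatically safe, because the list above is only what this page shows, so check any unlisted train against the vendor advisory before closing the ticket.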

External exposure likelihood

Halo Surface Signal score for CVE-2020-3452

This vulnerability affects Cisco ASA and FTD devices when WebVPN or AnyConnect features are enabled. These features are designed to be public-facing remote access gateways, meaning the web services interface is typically exposed to the internet to facilitate remote connectivity for users.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This flaw allows an unauthenticated, remote attacker to access sensitive files on a targeted system. The issue stems from inadequate validation of URLs in HTTP requests. Successful exploitation enables an attacker to view arbitrary files within the web services file system.

  • Vulnerable web services interface
  • Improper URL input validation
  • Sensitive file disclosure

Attack Path

How an attacker could exploit the issue

This vulnerability allows an unauthenticated attacker to read sensitive files from a targeted system. The attacker exploits a flaw in how the web services interface handles URLs. By sending a specially crafted HTTP request, an attacker can trick the system into revealing files within its web services file system. This is possible when the device is configured for WebVPN or AnyConnect features.

  • Network exposure required.
  • Attacker sends crafted request.
  • Attacker reads arbitrary files.

Live Threat

Current exploitation, exposure, and threat context

A remote attacker with a low skill level could exploit a vulnerability in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Exploitation allows the attacker to read sensitive files on the targeted system by sending a crafted HTTP request. Successful exploitation could lead to unauthorized viewing of arbitrary files within the web services file system, posing a significant business risk.

  • Likely attacker skill level: Low
  • Required access or conditions: No authentication required
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization should address this vulnerability by first identifying all Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices that are configured with WebVPN or AnyConnect. These systems, if exposed externally and running affected software, could allow an unauthenticated attacker to read sensitive files from the web services file system. The vulnerability stems from improper input validation of URLs in HTTP requests.

  • Identify exposed Cisco ASA/FTD systems.
  • Reduce exposure or isolate risk.
  • Apply vendor fixes and verify.
  • Monitor for related activity.
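For the "monitor for related activity" step, here is an added Python example (not Cisco's detection logic and not part of this page) that scans web-access log lines for requests whose path contains a directory-traversal segment, the input pattern the page attributes to this flaw. The log lines are constructed (RFC 5737 documentation addresses, made-up paths that are not real ASA endpoints), and the function names normalize_path(), has_traversal() and flag_traversal() are ours. It goes slightly beyond the page by unwrapping double percent-encoding and by matching whole path segments so that a name like "..hidden" is not a false positive.

```python
"""Flag web-server request lines that carry directory-traversal sequences.

Added example for the 'monitor for related activity' step; it is not Cisco's or the page's
own detection logic. The log lines are constructed (RFC 5737 addresses, made-up paths) and
the function names has_traversal() and flag_traversal() are ours.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample in NCSA common log format: one clean request, one raw traversal,
# one percent-encoded, one double-encoded, one '..hidden' segment that must NOT match,
# and one malformed line the parser should skip.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jul/2020:10:01:02 +0000] "GET /portal/index.html HTTP/1.1" 200 4120
203.0.113.44 - - [22/Jul/2020:10:01:09 +0000] "GET /portal/../../internal/config.txt HTTP/1.1" 200 812
203.0.113.44 - - [22/Jul/2020:10:01:11 +0000] "GET /portal/%2e%2e/%2e%2e/internal/config.txt HTTP/1.1" 200 812
198.51.100.7 - - [22/Jul/2020:10:02:30 +0000] "GET /portal/%252e%252e/%252e%252e/internal/config.txt HTTP/1.1" 404 233
203.0.113.10 - - [22/Jul/2020:10:03:00 +0000] "GET /portal/..hidden/readme.txt HTTP/1.1" 200 90
this line is not in common log format
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
MAX_DECODE_PASSES = 3  # enough to unwrap double/triple percent-encoding


def normalize_path(target: str) -> str:
    """Strip the query string, percent-decode until stable, unify slashes."""
    path = target.split("?", 1)[0]
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True when a whole path segment is '..'; '..hidden' is not a traversal."""
    return ".." in normalize_path(target).split("/")


def flag_traversal(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request line whose path contains a traversal segment."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if match is None:
            continue  # unparsable line: skip rather than abort the whole run
        if has_traversal(match["target"]):
            hits.append(
                {
                    "ip": match["ip"],
                    "time": match["ts"],
                    "target": match["target"],
                    "status": match["status"],
                    "decoded": normalize_path(match["target"]),
                }
            )
    return hits


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        # A 200 on a traversal request deserves a closer look than a 404.
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {hit["target"]} -> {hit["decoded"]}')
```

The check is deliberately scoped to the request path and drops the query string, so traversal inside a parameter value is not flagged; if the application under review takes file names from parameters, extend has_traversal() to the decoded query as well. Pair hits with the response status: a 200 on a traversal request is the one that warrants pulling the device's own logs.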

Frequently asked questions

What are Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software used for?

Cisco ASA and FTD software are used in networking devices to provide security functions like firewalls and VPN services. They help protect networks and allow secure remote access for users.

What weakness class does CVE-2020-3452 relate to?

CVE-2020-3452 is related to a weakness class known as CWE-20, which involves improper input validation, and CWE-22, concerning directory traversal.

How can an attacker exploit the CVE-2020-3452 vulnerability?

An attacker can exploit this by sending a specially crafted HTTP request containing directory traversal sequences. This bypasses security checks, allowing the attacker to read sensitive files on the system.

Who needs to care about CVE-2020-3452, considering its exposure?

Organizations running Cisco ASA or FTD devices with WebVPN or AnyConnect enabled should be concerned. These features often expose the web services interface to the internet, making the vulnerability very likely to be targeted.

What is the first step for organizations running this technology to respond to CVE-2020-3452?

The first step is to identify all Cisco ASA and FTD devices configured with WebVPN or AnyConnect. Then, assess if these systems are exposed externally and apply any available vendor fixes.
