A bug in Cisco ASA and FTD products allowed directory traversal attacks on targeted systems
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system.
Security researcher Mikhail Klyuchnikov of Positive Technologies discovered the flaw, tracked as CVE-2020-3187 and rated Critical by Cisco, and reported it to Cisco. Cisco publicly disclosed the issue and released the fix on May 6, 2020.
The vulnerability carries a CVSS base score of 9.1. Cisco ASA Software 9.14 and Cisco FTD Software 6.6.0 ship with the fix; earlier releases are affected unless they have been updated to the patched maintenance build listed in the advisory's fixed-software table. Administrators can confirm the running release with the show version command and see whether WebVPN or AnyConnect is configured with show running-config webvpn.
“This vulnerability affects Cisco products if they are running a vulnerable release of Cisco ASA Software or FTD Software with a vulnerable AnyConnect or WebVPN configuration,” reads the advisory published by Cisco.
The flaw stems from insufficient validation of the HTTP URL. An attacker could exploit it by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit allows the attacker to view or delete arbitrary files, but only within the web services file system, which is enabled when the device is configured with WebVPN or AnyConnect; ASA and FTD system files are out of reach. Cisco stated that there are no workarounds, so upgrading is the only remediation.
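The mechanics of a traversal request, as an added example that is not Cisco's code and does not reproduce the CVE-2020-3187 request itself: a request path is percent-decoded (including double encoding) and normalised, a naive resolver that simply appends it to the web root walks out of that root, and a hardened resolver rejects anything that does not stay beneath the root. The web root /var/www/html and the sample request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # hypothetical web services root, constructed for this example


def decode_request_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that %2e%2e%2f and the
    double-encoded %252e%252e%252f both surface as '../', then fold
    backslashes, which some servers also treat as path separators."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def contains_traversal(raw: str) -> bool:
    """Detection rule usable on access logs or an IDS: any '..' segment once decoded."""
    return ".." in decode_request_path(raw).split("/")


def resolve_naive(raw: str, web_root: str = WEB_ROOT) -> str:
    """The vulnerable pattern: glue the request path onto the web root and
    trust the result. Each '..' segment walks one level out of web_root."""
    joined = posixpath.join(web_root, decode_request_path(raw).lstrip("/"))
    return posixpath.normpath(joined)


def resolve_hardened(raw: str, web_root: str = WEB_ROOT):
    """Hardened pattern: normalise first, then require that the result is
    web_root itself or lies strictly beneath it; otherwise reject (None).
    Production code should additionally resolve symlinks (os.path.realpath)."""
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decode_request_path(raw).lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed sample request paths, not captured traffic.
SAMPLE_PATHS = [
    "/css/style.css",
    "/css/../../../../etc/passwd",
    "/css/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/css/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd",
    "/css/..\\..\\..\\..\\etc\\passwd",
]


def triage(paths=SAMPLE_PATHS):
    """Return (raw, flagged, naive_result, hardened_result) for each request."""
    return [(p, contains_traversal(p), resolve_naive(p), resolve_hardened(p)) for p in paths]


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The bounded decode loop matters: a detector that decodes once misses %252e, and one that decodes without a bound can be kept busy by nested encodings. The hardened check compares against root plus a trailing slash so that a sibling directory such as /var/www/htmlx is not mistaken for content under /var/www/html.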
Cisco has confirmed that this vulnerability does not affect Cisco Firepower Management Center (FMC) Software.
Cisco released the fix on May 6, 2020 as part of a bundled publication covering 12 vulnerabilities across its ASA, FMC, and FTD products, listed below:
| CVE ID | CVSS Score | Affected Products | Vulnerability Type |
| --- | --- | --- | --- |
| CVE-2020-3187 | 9.1 | ASA, FTD | Path Traversal |
| CVE-2020-3189 | 8.6 | FTD | Denial of Service |
| CVE-2020-3179 | 8.6 | FTD | Denial of Service |
| CVE-2020-3283 | 8.6 | FTD | Denial of Service |
| CVE-2020-3196 | 8.6 | ASA, FTD | Denial of Service |
| CVE-2020-3195 | 8.6 | ASA, FTD | Memory Leak |
| CVE-2020-3254 | 8.6 | ASA, FTD | Denial of Service |
| CVE-2020-3298 | 8.6 | ASA, FTD | Denial of Service |
| CVE-2020-3191 | 8.6 | ASA, FTD | Denial of Service |
| CVE-2020-3125 | 8.1 | ASA | Authentication Bypass |
| CVE-2020-3259 | 7.5 | ASA, FTD | Information Disclosure |
| CVE-2020-3255 | 7.5 | FTD | Denial of Service |
“Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license,” the advisory concluded.
Cisco further recommended that ASA, FTD, and FMC customers migrate to a supported release that includes the fix for this vulnerability; the advisory's fixed-software section and the Cisco Software Checker identify the first fixed release for each software train.