A bug in Cisco ASA and FTD products allowed directory traversal attacks on targeted systems

Recently, a vulnerability was found in the web services interface of Cisco Adaptive Security Appliance (ASA) firewall and Cisco Firepower Threat Defense (FTD) products that could allow attackers to conduct directory traversal attacks and obtain system access to read or delete sensitive files.

Security researcher Mikhail Klyuchnikov of Positive Technologies discovered this high-severity security flaw in Cisco ASA and FTD software (CVE-2020-3187) and reported it to Cisco. Cisco publicly disclosed the report and the fix on May 6, 2020.

According to the findings, the vulnerability has a CVSS score of 9.1 and affects Cisco ASA Software before v9.14 and Cisco FTD Software before v6.6.0.

“This vulnerability affects Cisco products if they are running a vulnerable release of Cisco ASA Software or FTD Software with a vulnerable AnyConnect or WebVPN configuration,” reads the advisory published by Cisco.

The vulnerability could be exploited by an attacker by sending a crafted HTTP request containing directory traversal character sequences.
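
As an added example (not from Cisco's advisory or the original article), this Python sketch shows one way a defender could flag directory traversal sequences in a captured HTTP request, percent-decoding repeatedly before matching so encoded forms are not missed. The sample requests, host name and paths are constructed for illustration and are not the request used against this flaw.

```python
import re
from urllib.parse import unquote

# ".." as a whole path segment: preceded by a separator (or start of value)
# and followed by a slash, backslash, or end of value.
TRAVERSAL = re.compile(r"(?:^|[\\/=;,\s])\.\.(?:[\\/]|$)")

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so double-encoded input (%252e) is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(raw_request):
    """Return the parts of a raw HTTP request that carry a traversal sequence."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    hits = []
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    if TRAVERSAL.search(fully_decode(target)):
        hits.append("request-target")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and TRAVERSAL.search(fully_decode(value.strip())):
            hits.append("header:" + name.strip().lower())
    return hits

# Constructed sample requests (hypothetical host and paths).
HOST = "Host: vpn.example.com\r\n"
SAMPLES = {
    "benign": "GET /portal/index.html HTTP/1.1\r\n" + HOST + "Cookie: token=abc123\r\n\r\n",
    "encoded_target": "GET /portal/%2e%2e/%2e%2e/secret.txt HTTP/1.1\r\n" + HOST + "\r\n",
    "double_encoded_cookie": "GET /portal/index.html HTTP/1.1\r\n" + HOST
                             + "Cookie: token=%252e%252e%252fsecret\r\n\r\n",
    "dots_in_name": "GET /files/v1..2/readme HTTP/1.1\r\n" + HOST + "\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, find_traversal(request))
```

Checking header values as well as the request target matters because a crafted request can carry the sequence outside the URL path.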

Cisco has confirmed that this vulnerability does not affect Cisco Firepower Management Center (FMC) Software.

The advisory published by Cisco on May 6, 2020 also addresses 12 different vulnerabilities in its ASA, FMC, and FTD products as a bundled publication.

| CVE ID | CVSS Score | Affected Products | Vulnerability Type |
|---|---|---|---|
| CVE-2020-3187 | 9.1 | ASA, FTD | Path Traversal |
| CVE-2020-3189 | 8.6 | FTD | Denial of Service |
| CVE-2020-3179 | 8.6 | FTD | Denial of Service |
| CVE-2020-3283 | 8.6 | FTD | Denial of Service |
| CVE-2020-3196 | 8.6 | ASA, FTD | Denial of Service |
| CVE-2020-3195 | 8.6 | ASA, FTD | Memory Leak |
| CVE-2020-3254 | 8.6 | ASA, FTD | Denial of Service |
| CVE-2020-3298 | 8.6 | ASA, FTD | Denial of Service |
| CVE-2020-3191 | 8.6 | ASA, FTD | Denial of Service |
| CVE-2020-3125 | 8.1 | ASA | Authentication Bypass |
| CVE-2020-3259 | 7.5 | ASA, FTD | Information Disclosure |
| CVE-2020-3255 | 7.5 | FTD | Denial of Service |

“Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license,” the advisory concluded.

Cisco further recommended that its ASA, FTD, and FMC users migrate to a supported release that includes the fix for this vulnerability.
