ASA / FTD Anyconnect CVE – Web Services Read-Only Path Traversal Vulnerability

Started by icecream-guy, July 30, 2020, 09:20:34 AM


icecream-guy

Cisco Proactive Notification – Web Services Read-Only Path Traversal Vulnerability [CVE-2020-3452]

Dear Valued Customer,

Thank you for choosing Cisco firewalls (ASA and/or FTD) to protect your networks.
Over the past months, companies have adapted to the pandemic and remote work deployments have reached record levels. Due to those changes, remote deployments have increasingly become an attack vector.

For this reason, Cisco PSIRT has decided to publish a security advisory supplemental to the regular spring and fall advisories:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

The security advisory details a vulnerability allowing attackers to access potentially sensitive files on a target ASA or FTD device if either WebVPN or AnyConnect are configured. While the vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files, access to certain web service files may be possible.

Cisco has become aware of the availability of public exploit code and active exploitation of the vulnerability that is described in this advisory. Based on diagnostic data that was uploaded to one or more of your previous Cisco TAC cases, we have identified that you may be using the WebVPN or AnyConnect features in your network on a version of code that is susceptible to this vulnerability. Therefore, we encourage you to review your potentially affected products and upgrade to a fixed release as soon as possible. You can download the fixed software releases by going to https://software.cisco.com/download/home. Please refer to either of the following videos if you need assistance with navigating the software download site:

ASA Software Download - https://www.youtube.com/watch?v=CPx_4rZjmsQ
FTD Software Download - https://www.youtube.com/watch?v=ElOV4UfAh3Q

The tables provided below are for your reference; please consult the PSIRT advisory for the most up-to-date information about fixed builds and mitigation strategies. If you require further assistance, please open a case with Cisco TAC and mention "CVE-2020-3452" or the corresponding Cisco Bug ID "CSCvt03598".


Cisco ASA Software Release   First Fixed Release for This Vulnerability
Earlier than 9.6             Migrate to a fixed release.
9.6                          9.6.4.42
9.7                          Migrate to a fixed release.
9.8                          9.8.4.20
9.9                          9.9.2.74
9.10                         9.10.1.42
9.12                         9.12.3.12
9.13                         9.13.1.10
9.14                         9.14.1.10

Cisco FTD Software Release   First Fixed Release for This Vulnerability
Earlier than 6.2.2           Not vulnerable.
6.2.2                        Migrate to a fixed release.
6.2.3                        6.2.3.16
6.3.0                        Migrate to 6.4.0.9 + Hot Fix or to 6.6.0.1,
                             or 6.3.0.5 + Hot Fix (August 2020),
                             or 6.3.0.6 (Fall 2020)
6.4.0                        6.4.0.9 + Hot Fix,
                             or 6.4.0.10 (August 2020)
6.5.0                        Migrate to 6.6.0.1,
                             or 6.5.0.4 + Hot Fix (August 2020),
                             or 6.5.0.5 (Fall 2020)
6.6.0                        6.6.0.1


Thank you,
CX Security Notification Team


My Moral Fibers have been cut.
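As an added example (not part of the Cisco notification or of this post), a small Python checker that encodes the two fixed-release tables above and reports where a device's version stands against them, including the "+ Hot Fix" builds that a version string alone cannot confirm. The function names and the accepted version formats (dotted, or the `9.12(3)12` style shown by `show version`) are my assumptions.

```python
import re

# Transcribed from the ASA table in the notification: train -> first fixed release.
ASA_FIXED = {"9.6": "9.6.4.42", "9.8": "9.8.4.20", "9.9": "9.9.2.74", "9.10": "9.10.1.42",
             "9.12": "9.12.3.12", "9.13": "9.13.1.10", "9.14": "9.14.1.10"}
ASA_MIGRATE = {"9.7"}  # no fix on this train; anything earlier than 9.6 must migrate too

# Transcribed from the FTD table: trains with an outright fixed build ...
FTD_FIXED = {"6.2.3": "6.2.3.16", "6.6.0": "6.6.0.1"}
# ... and trains whose first fixed build needs a Hot Fix on top (floor), with the later
# build on the same train (clean) that needs no Hot Fix.
FTD_HOTFIX = {"6.3.0": ("6.3.0.5", "6.3.0.6"),
              "6.4.0": ("6.4.0.9", "6.4.0.10"),
              "6.5.0": ("6.5.0.4", "6.5.0.5")}
FTD_MIGRATE = {"6.2.2"}


def parse(version):
    """'9.12(3)12' or '9.12.3.12' -> (9, 12, 3, 12); tuples compare numerically."""
    return tuple(int(p) for p in re.split(r"[.()]", version.strip()) if p)


def asa_status(version):
    v = parse(version)
    train = f"{v[0]}.{v[1]}"
    if v < (9, 6) or train in ASA_MIGRATE:
        return "vulnerable: no fixed build on this train, migrate to a fixed release"
    fixed = ASA_FIXED.get(train)
    if fixed is None:
        return "unknown train: consult the PSIRT advisory"
    return "fixed" if v >= parse(fixed) else f"vulnerable: upgrade to {fixed}"


def ftd_status(version):
    v = parse(version)
    train = ".".join(str(x) for x in v[:3])
    if v < (6, 2, 2):
        return "not vulnerable"
    if train in FTD_MIGRATE:
        return "vulnerable: no fixed build on this train, migrate to a fixed release"
    if train in FTD_FIXED:
        fixed = FTD_FIXED[train]
        return "fixed" if v >= parse(fixed) else f"vulnerable: upgrade to {fixed}"
    if train in FTD_HOTFIX:
        floor, clean = FTD_HOTFIX[train]
        if v >= parse(clean):
            return "fixed"
        if v >= parse(floor):
            return f"fixed only if the Hot Fix for {floor} is installed; verify on the device"
        return f"vulnerable: upgrade to {floor} + Hot Fix or to {clean}"
    return "unknown train: consult the PSIRT advisory"
```

The Hot Fix branch is the one to watch: a device reporting 6.4.0.9 is only safe once the Hot Fix is confirmed installed, so the checker refuses to call it fixed on the version string alone.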

Dieselboy

Thank you for posting this.

Seems to me that Cisco are playing this one down. It would be severe if an attacker can get access to files on the ASA or FTD appliance. I mean the certs and private keys are store there. As well as VPN xml profiles that get installed on the Anyconnect clients. The config is there, too... if the attacker can change the config and force a reboot then they can get access to the ASA itself.