Attackers are exploiting Cisco ASA/FTD flaw in search for sensitive data
An unauthenticated file read vulnerability (CVE-2020-3452) affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software is being exploited by attackers in the wild.
For the moment, it seems that it is being used just to read LUA source files, but it can be used to view files that may contain information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs.
There’s a proof of concept doing the rounds for directory path traversal (yes, it’s 1998 again) in Cisco AnyConnect SSL VPN.
It’s already being mass spammed across internet.
As far as I can see people can only read LUA source files so far, so not terribly problematic as is. https://t.co/kSIFQdz1go
— Kevin Beaumont (@GossiTheDog) July 24, 2020
About the vulnerability (CVE-2020-3452)
CVE-2020-3452 affects the web services interface of Cisco ASA and Cisco FTD software and can be exploited by remote unauthenticated attackers to read sensitive files within the web services file system on the targeted device (but not to obtain access to ASA or FTD system files or underlying operating system files).
“The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device,” Cisco explained.
“A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. As an example, this could allow an attacker to impersonate another VPN user and establish a Clientless SSL VPN or AnyConnect VPN session to the device as that user.”
Devices are vulnerable only if they are running a vulnerable release of the software AND are configured with either WebVPN or AnyConnect features.
The vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies and Abdulrahman Nour and Ahmed Aboul-Ela of RedForce. Cisco patched it last week by releasing security updates and hotfixes. Shortly after, Aboul-Ela published a PoC for it:
Here is POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.
For example to read "/+CSCOE+/portal_inc.lua" file.
https://<domain>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
Happy Hacking! pic.twitter.com/aBA3R7akkC
— Ahmed Aboul-Ela (@aboul3la) July 22, 2020
Cisco confirmed that wxploitation attempts started the day after. Rapid7 scanned the internet-accessible ASA/FTD devices and found 85,000.
“Since it is difficult (if not impossible) to legally fingerprint Cisco ASA/FTD versions remotely, Rapid7 Labs revisited the ‘uptime’ technique described in a 2016 blog post for another Cisco ASA vulnerability, which shows that only about 10% of Cisco ASA/FTD devices have been rebooted since the release of the patch. This is a likely indicator they’ve been patched,” noted Bob Rudis, Chief Data Scientist at Rapid7.