Path traversal in Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software



Published: 2020-07-24
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2020-3452
CWE ID: CWE-22
Exploitation vector: Network
Public exploit: Yes. Public exploit code for vulnerability #1 is available.
Vulnerable software:
Cisco Adaptive Security Appliance (ASA) Software
Hardware solutions / Security hardware appliances

Cisco Firepower Threat Defense (FTD)
Hardware solutions / Security hardware appliances

Vendor: Cisco Systems, Inc.

Security Advisory

This security advisory describes one medium risk vulnerability.

1) Path traversal

Severity: Medium

CVSSv3: 6.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3452

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform directory traversal attacks against the web services interface of the affected device.

The vulnerability exists due to insufficient validation of URLs in HTTP requests processed by the web services interface of Cisco ASA and FTD Software. A remote non-authenticated attacker can send a specially crafted HTTP request containing directory traversal character sequences (for example "../" or its percent-encoded forms) and read arbitrary files within the web services file system of the device. That file system holds WebVPN-related content such as configuration, bookmarks, web cookies and partial web content; it does not expose the underlying operating system or ASA/FTD system files, which is why the impact is rated confidentiality-only (C:H/I:N/A:N). The web services file system exists only when WebVPN or AnyConnect features are configured on an interface, so a device without such a configuration is not exposed.
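Since the exposure is an HTTP request carrying traversal sequences, the practical detection is to scan access or proxy logs in front of the device for such requests, decoding the target first so encoded variants are not missed. The following Python scanner is an added example written for this page; it is not code from the page, from Cisco, or from any public exploit. The log lines are constructed samples, and the path prefixes /+CSCOE+/, /+CSCOT+/ and /+CSCOU+/ are assumed here as ASA WebVPN URL prefixes (they are not stated on this page), so adjust them to whatever your own logs show.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not taken from any real device.
# The /+CSCO?+/ prefixes are assumed ASA WebVPN URL prefixes; adjust to match your logs.
SAMPLE_LOGS = [
    '203.0.113.5 - - [24/Jul/2020:10:01:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/Jul/2020:10:01:03 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=../../../etc/passwd HTTP/1.1" 200 312',
    '203.0.113.9 - - [24/Jul/2020:10:01:04 +0000] "GET /+CSCOU+/%2e%2e/%2e%2e/config HTTP/1.1" 404 212',
    '203.0.113.9 - - [24/Jul/2020:10:01:05 +0000] "GET /+CSCOE+/%252e%252e/portal.css HTTP/1.1" 200 900',
    '198.51.100.2 - - [24/Jul/2020:10:01:06 +0000] "GET /images/logo.png HTTP/1.1" 200 4000',
    '198.51.100.3 - - [24/Jul/2020:10:01:07 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 1200',
]

ASA_WEB_PREFIXES = ("/+CSCOE+/", "/+CSCOT+/", "/+CSCOU+/")  # assumed WebVPN paths

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A ".." path segment: preceded by start-of-string or a non-path character
# (so "release..notes" is not a hit) and followed by a separator, ";" or end.
TRAVERSAL_RE = re.compile(r'(?:^|[^\w.])\.\.(?:[/\\;]|$)')


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches %2e%2e and double-encoded %252e)
    and fold backslashes to forward slashes. unquote() leaves '+' alone,
    so the /+CSCO?+/ prefixes survive decoding."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if the decoded request target (path or query) contains a '..' segment."""
    return TRAVERSAL_RE.search(normalize_target(target)) is not None


def classify(line: str):
    """Return a finding dict for a log line carrying traversal sequences, else None."""
    m = LOG_RE.match(line)
    if not m or not has_traversal(m["target"]):
        return None
    decoded = normalize_target(m["target"])
    return {
        "src": m["src"],
        "time": m["ts"],
        "target": m["target"],
        "decoded": decoded,
        "status": int(m["status"]),
        # Traversal against the WebVPN paths is the pattern relevant to this advisory.
        "webvpn_path": decoded.startswith(ASA_WEB_PREFIXES),
        # A 200 means the device served something; triage as a possible file read.
        "served": m["status"] == "200",
    }


def scan(lines):
    """Run classify() over an iterable of log lines, dropping non-findings."""
    return [f for f in map(classify, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"{finding['time']} {finding['src']} -> {finding['decoded']} "
              f"(webvpn={finding['webvpn_path']}, served={finding['served']})")
```

The decode loop matters more than the pattern itself: a literal "../" match misses "%2e%2e/" and the double-encoded "%252e%252e/" forms, which is exactly where naive filters fail. A finding with both webvpn_path and served set is the one to escalate, since it indicates the appliance answered a traversal request against its web services interface rather than rejecting it.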

Mitigation

Install the fixed software release from the vendor (see the Cisco advisory linked below). Cisco states that there are no workarounds that address this vulnerability, so upgrading is the only complete fix.

Vulnerable software versions

Cisco Adaptive Security Appliance (ASA) Software: -, 9.6, 9.7, 9.8, 9.9, 9.10, 9.12, 9.13, 9.14

Cisco Firepower Threat Defense (FTD): 6.2.2, 6.2.3, 6.3.0, 6.4.0, 6.5.0, 6.6.0

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.