Denial of service in Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
Published: 2020-10-27
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-3436
CWE-ID CWE-434
Exploitation vector Network
Public exploit N/A
Vulnerable software
Cisco Adaptive Security Appliance (ASA)
Hardware solutions / Security hardware appliances

Cisco Firepower Threat Defense (FTD)
Hardware solutions / Security hardware appliances

Vendor Cisco Systems, Inc

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Arbitrary file upload

EUVDB-ID: #VU47942

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3436

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) on a vulnerable system.

The vulnerability exists because the affected software does not efficiently handle the writing of large files to specific folders on the local file system. A remote attacker can upload a malicious file and cause a denial of service (DoS) condition on the target system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cisco Adaptive Security Appliance (ASA): 9.6 - 9.14

Cisco Firepower Threat Defense (FTD): 6.2.2, 6.2.3, 6.3.0, 6.4.0, 6.5.0, 6.6.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-fileup-dos-zvC7wtys

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.