Cisco Patches High Severity Vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)
Cisco this week released security updates to address more than 30 vulnerabilities in various products, including 12 high severity flaws impacting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD).
The most important of these issues is tracked as CVE-2020-3187 (CVSS score of 9.1) and could be exploited to conduct directory traversal attacks and then read or delete sensitive files on a vulnerable system.
The issue, Cisco explains, stems from a lack of proper input validation of the HTTP URL, which allows an attacker to send a crafted HTTP request containing directory traversal character sequences. Files deleted by abusing this flaw are restored when the device is reloaded after exploitation.
“The attacker can only view and delete files within the web services file system. This file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files,” Cisco explains.
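The mechanism described above (traversal sequences smuggled into an HTTP URL) is something defenders can look for in web access logs. The following is an added illustration, not Cisco's code and not tied to any real ASA/FTD request path: a small detector that percent-decodes each request path (repeatedly, to catch double encoding), folds backslashes, and flags any request whose normalized path contains a `..` segment. The log format and all sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical format): client, method, path, status.
# They are not real Cisco logs; the paths only illustrate encoding variants a detector must handle.
SAMPLE_LOG = """\
10.0.0.5 GET /webvpn/index.html 200
10.0.0.6 GET /images/../../config.txt 404
10.0.0.7 DELETE /files/%2e%2e/%2e%2e/data.txt 200
10.0.0.8 GET /a/%252e%252e/b 200
10.0.0.9 GET /static/css/style.css 200
10.0.0.10 GET /docs/..%5c..%5csecret 200
"""

LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded, to catch %252e-style double encoding),
    then treat backslashes as path separators so '..\\' is seen as '../'."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(raw_path: str) -> bool:
    """True if any segment of the normalized path is exactly '..'.
    Checking whole segments (not a substring search) avoids flagging names like 'a..b'."""
    return any(seg == ".." for seg in normalize_path(raw_path).split("/"))


def scan_log(text: str) -> list:
    """Return (source, method, raw_path) for every parseable line carrying a traversal segment."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and has_traversal(match["path"]):
            hits.append((match["src"], match["method"], match["path"]))
    return hits


if __name__ == "__main__":
    for src, method, path in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {src}: {method} {path}")
```

Alerts on the DELETE method are worth weighting higher here, since the advisory quoted above notes the flaw allows deletion as well as reading within the web services file system.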
Cisco has released software updates that fix the vulnerability: ASA Software Releases 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, and 188.8.131.52; and FTD Software Release 184.108.40.206 and 220.127.116.11 (future releases 18.104.22.168 and 22.214.171.124 also include the patches).
The company also addressed denial of service bugs in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handler (CVE-2020-3283), VPN System Logging functionality (CVE-2020-3189), and generic routing encapsulation (GRE) tunnel decapsulation feature (CVE-2020-3179) of FTD, and in the DNS over IPv6 packet processing (CVE-2020-3191), Media Gateway Control Protocol (MGCP) inspection feature (CVE-2020-3254), SSL/TLS handler (CVE-2020-3196), and Open Shortest Path First (OSPF) implementation (CVE-2020-3298) of ASA and FTD.
Other high-severity flaws patched this week include an authentication bypass in the Kerberos authentication feature of ASA (CVE-2020-3125), an information disclosure in the web services interface of ASA and FTD (CVE-2020-3259), and a memory leak in the Open Shortest Path First (OSPF) implementation of ASA and FTD (CVE-2020-3195).
Cisco has released software updates that fix these vulnerabilities, but complete patches are not available for all of the impacted products. The company says it is not aware of the existence of public exploits for these issues, or of attackers targeting them in the wild.
In addition to these flaws, Cisco published advisories of 23 medium severity vulnerabilities in FTD On-Box software, Umbrella, Integrated Management Controller (IMC) Supervisor, UCS Director, UCS Director Express for Big Data, FTD, Content Security Management Appliance (SMA), Hosted Collaboration Mediation Fulfillment (HCM-F), ASA, Firepower Management Center (FMC), and Firepower User Agent.
These flaws include XML parsing, carriage return line feed (CRLF) injection, disabling of user accounts, SSL/TLS URL category bypass, bypass of configured file policies, open redirect, signature checks bypass, XML external expansion, shell access, denial of service, information disclosure, access list bypass, cross-site scripting (XSS), static credential, arbitrary file overwrite, and arbitrary log file write issues.