A proof-of-concept exploit for a vulnerability affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software has been released by the Offensive Team at Positive Technologies.
The vulnerability is a cross-site scripting flaw tracked as CVE-2020-3580. It is one of four flaws patched by Cisco that stem from Cisco ASA and FTD software not sufficiently validating user-supplied input. The other three vulnerabilities are tracked as CVE-2020-3581, CVE-2020-3582, and CVE-2020-3583.
Since the PoC exploit was released, researchers at Tenable have identified threat actors actively scanning for the vulnerability and report that there have been cases where the vulnerability has been exploited.
The PoC exploit can be used in an attack in which a Cisco ASA user is tricked into visiting a specially crafted webpage, via a phishing email for example. If the link in the email is clicked, the webpage to which the user is directed will execute JavaScript in the user’s browser that exploits the flaw. This gives the attacker the ability to execute arbitrary script code in the context of the interface as well as access sensitive browser information.
Cisco announced the vulnerabilities in October 2020 and released a patch to correct the flaws; however, the patch did not fully correct the CVE-2020-3580 vulnerability. Cisco released a second patch in April 2021 that completely fixed the issue, but despite having two months to apply the permanent fix, many Cisco ASA users have not yet applied the update and are vulnerable to attack.
Now that the PoC exploit is publicly available and the vulnerability is being actively exploited, ASA users who have yet to apply the April 2021 patch remain vulnerable to attack and should apply it immediately to prevent the flaw from being exploited.