A high-severity flaw in Cisco’s network security products is now being actively exploited. The vulnerability is present in Cisco products used by many large enterprises and Fortune 500 firms and allows a remote attacker to gain access to sensitive data.
The vulnerability is tracked as CVE-2020-3452 and was assigned a CVSS v3 base score of 7.5 out of 10. The flaw is present in the web services interface of Cisco’s Firepower Threat Defense (FTD) software used by its traffic management and network security solutions, as well as its Adaptive Security Appliance software, the latter serving as the operating system for its ASA network security solutions.
The flaw stems from improper input validation of URLs in HTTP requests processed by devices running FTD or ASA software, which leaves those devices vulnerable to directory traversal attacks. In such an attack, an attacker could gain access to restricted directories, obtain sensitive data, and execute commands outside the web server’s root directory.
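To make the input-validation point concrete, here is an added example (not code from the article, from Cisco, or from Rapid7) showing the two halves a defender cares about: a request-to-file mapping that validates the decoded URL against the web root instead of gluing it on blindly, and a log check that flags percent-encoded and double-encoded parent-directory sequences. The web root, the log lines and the request paths are all constructed for illustration and have nothing to do with the actual Cisco interface.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical web root for the example; not a path from any Cisco product.
WEB_ROOT = "/srv/www/webvpn"


def decode_repeatedly(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a doubly encoded
    '%252e%252e' is seen as '..' rather than slipping past a single decode."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_resolve(root: str, requested: str) -> str:
    """The kind of mapping the article describes as flawed: the URL path is
    appended to the root with no validation, so '..' segments walk out of it."""
    return posixpath.normpath(root + "/" + requested.split("?", 1)[0])


def resolve_under_root(root: str, requested: str):
    """Hardened mapping: decode, normalise, then refuse anything that does not
    stay inside root. Returns the absolute path, or None if rejected."""
    decoded = decode_repeatedly(requested)
    # NUL bytes and backslashes are classic ways to confuse a path normaliser.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Only the path component is mapped to the filesystem; drop the query string.
    path_part = decoded.split("?", 1)[0]
    candidate = posixpath.normpath(posixpath.join(root, path_part.lstrip("/")))
    # Containment check: the result must be root itself or a descendant of it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# A '..' segment delimited by a path separator or by query-string punctuation.
TRAVERSAL_RE = re.compile(r"(?:^|[/\\?=&;])\.\.(?:[/\\]|$)")


def is_traversal_attempt(request_target: str) -> bool:
    """Detection check for access logs: True if the fully decoded request target
    (path or query string) contains a parent-directory sequence."""
    return TRAVERSAL_RE.search(decode_repeatedly(request_target)) is not None


# Constructed access-log lines (documentation IP range); not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/Jul/2020:08:14:02 +0000] "GET /static/app.css HTTP/1.1" 200 4120',
    '203.0.113.11 - - [23/Jul/2020:08:14:09 +0000] "GET /docs/../../../etc/passwd HTTP/1.1" 200 1833',
    '203.0.113.12 - - [23/Jul/2020:08:15:41 +0000] "GET /download?file=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 920',
    '203.0.113.13 - - [23/Jul/2020:08:16:03 +0000] "GET /images/logo.png HTTP/1.1" 200 5521',
    '203.0.113.14 - - [23/Jul/2020:08:17:27 +0000] "GET /view?page=%252e%252e%252f%252e%252e%252fconfig HTTP/1.1" 200 640',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_log_lines(lines):
    """Return the log lines whose request target looks like a traversal attempt."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_traversal_attempt(match.group(1)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print("naive  :", naive_resolve(WEB_ROOT, "/../../../etc/passwd"))
    print("hardened:", resolve_under_root(WEB_ROOT, "/../../../etc/passwd"))
    for line in flag_log_lines(SAMPLE_LOG):
        print("FLAGGED:", line)
```

The containment check is done on the normalised path rather than by searching the raw URL for `../`, because encoding tricks defeat string matching but not a lexical `normpath` followed by a prefix comparison against the root. The log check, by contrast, deliberately decodes several times and inspects the query string too, since a traversal payload delivered in a parameter value is just as interesting to an analyst as one in the path.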
Cisco released a patch to correct the flaw on July 22, 2020 and advised all customers to apply the patch as soon as possible; however, many companies have been slow to update the software to secure versions. There are no known workarounds to prevent exploitation of the vulnerability.
A proof-of-concept (PoC) exploit was released on July 22, 2020, and the first exploitation attempts occurred the following day. Rapid7 conducted a scan to identify internet-accessible ASA/FTD devices and discovered 85,000 that could potentially be attacked, 398 of which were spread across 17% of the Fortune 500.
Rapid7 recently reported that around 10% of devices had been rebooted following the release of the patch, which most likely indicates the patch has been applied, but just 27 of the 398 Fortune 500 devices had been rebooted, suggesting most remain unpatched and open to exploitation.
Patches have been released for all supported versions of the affected software. Immediate patching is necessary to prevent the theft of sensitive data.