9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
Hi team , while testing i found a host ip https://█████████ which belong to DoD (██████████.mil) running web services interface of Cisco ASA/FTD and it is vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences. An exploit could allow the attacker to view or delete arbitrary files on the targeted system. When the device is reloaded after exploitation of this vulnerability, any files that were deleted are restored. The attacker can only view and delete files within the web services file system.
Vulnerable IP : https://█████████
i did a whois search on it and it confirmed it belongs to DoD as you seen below
████
go to https://████
█████
you will be redirected to SSL VPN service and you will see a web services interface of Cisco ASA/FTD. In above pic you can see the page we are looking at a web service which is vulnerable to CVE 2020-3187 and you can also see the certificate which indicates that this belongs to █████.mil.
Now we know that in CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. This allow the attacker to view or delete arbitrary files on the targeted system
In this we can delete the files. For example the logo file present on the server at https://████/+CSCOU+/csco_logo.gif can be deleted by the following steps
This can be done by sending a curl request as : curl -H “Cookie: token=…/+CSCOU+/csco_logo.gif” https://target/+CSCOE+/session_password.html
curl -H “Cookie: token=../+CSCOU+/csco_logo.gif” https://█████/+CSCOE+/session_password.html
If that did not work because sometimes logo.gif/png has permission issues so try this “https://██████/+CSCOE+/blank.html”
After, this the files ( logo and blank html page ) will be deleted from the server, for better demonstration check out this video :
Warning : This can lead to a denial of service (DOS) on the VPN by deleting the lua source code files from the file system, which will break the WebVPN interface until the device is rebooted.
Now i haven’t deleted the logo file because i didn’t wanted to cause any damage so i used another method which can help us confirming that target is vulnerable to this without causing damage and for that just check if “/+CSCOE+/session_password.html” endpoint exists, and it gives “200 OK” status, then it should be vulnerable because this affected endpoint has been removed from the patched versions.
I sent a curl request to check and it gave 200 ok as shown below:
█████
In a nutshell:
/+CSCOE+/session_password.html -> 200 = Vulnerable
/+CSCOE+/session_password.html -> 404 = Patched
because in patched versions this /+CSCOE+/session_password.html file is removed and you will not see it so if it is showing 200 ok then it is vulnerable as you have seen in above pic where it shows a 200 ok while curl request to
curl -kI https://█████/+CSCOE+/session_password.html
Upgrade the ASA software version per the referenced advisory. This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
https://twitter.com/aboul3la/status/1286809567989575685
https://medium.com/@parasarora06/hunting-for-cve-2020-3187-2020-3452-9f0dcc66f4d8
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html
High - This vulnerability allows the attacker to delete files within the web services file system.
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%