PT-2020-3662 · Cisco · Cisco Ftd+1

Abdulrahman Nour +2

Published 2020-07-22 · Updated 2026-02-06 · CVE-2020-3452

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software (affected versions not specified)

Description: A flaw exists in the web services interface of Cisco ASA and FTD Software due to insufficient input validation. It allows an unauthenticated, remote attacker to perform directory traversal and read sensitive files on a targeted system. The issue stems from improper validation of URLs in HTTP requests: an attacker can exploit it by sending a crafted HTTP request containing directory traversal sequences. Successful exploitation allows viewing arbitrary files within the web services file system, which is enabled when the WebVPN or AnyConnect features are configured. The issue cannot be used to access ASA or FTD system files or files of the underlying operating system. Reports indicate widespread exploitation of this issue, with attackers also hitting Cisco IOS decoys and honeypots. Several tools and scripts have been developed to scan for and exploit this vulnerability. It has been actively exploited and is considered highly dangerous.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

RCE

Weakness Enumeration

Related Identifiers

BDU:2020-04010
CISCOCVE2020_3452
CVE-2020-3452

Affected Products

Cisco Asa
Cisco Ftd