
Cisco ASA/FTD Vulnerability (CVE-2020-3259)

Advisory
26 APR 2024


Background

A buffer tracking issue exists in Cisco ASA and FTD software when the web services interface parses invalid URLs. By sending a crafted GET request to the web services interface, an unauthenticated, remote attacker could retrieve memory contents from an affected device.

An attacker can exploit the vulnerability to extract sensitive data from the memory of affected devices.

That data may include usernames and passwords stored in clear text, which would allow unauthorized remote access to the device in the context of the user whose credentials are obtained.

This vulnerability is tracked as CVE-2020-3259 with a CVSS score of 7.5 (high).


Affected Products

  • Cisco Adaptive Security Appliance (ASA):
    • Cisco ASA 9.x prior to release 9.51
    • Cisco ASA 9.6 prior to release 9.6.4.41
    • Cisco ASA 9.7 prior to release 9.71
    • Cisco ASA 9.8 prior to release 9.8.4.20
    • Cisco ASA 9.9 prior to release 9.9.2.67
    • Cisco ASA 9.10 prior to release 9.10.1.40
    • Cisco ASA 9.12 prior to release 9.12.3.9
    • Cisco ASA 9.13 prior to release 9.13.1.10
  • Cisco Firepower Threat Defense (FTD):
    • Cisco FTD 6.x prior to release 6.2.31
    • Cisco FTD 6.2.3 prior to release 6.2.3.16
    • Cisco FTD 6.3.0 prior to release 6.3.0.6
    • Cisco FTD 6.4.0 prior to release 6.4.0.9
    • Cisco FTD 6.5.0 prior to release 6.5.0.5

NOTE: This vulnerability affects only specific AnyConnect and WebVPN configurations.


Recommendations

Cisco has released free software updates that address this vulnerability, and customers are advised to upgrade to the latest version of the impacted Cisco ASA or FTD product. However, customers may only install and expect support for software versions and feature sets for which they have purchased a license.

Fixed versions:

  • Cisco Adaptive Security Appliance (ASA):
    • Cisco ASA release 9.51
    • Cisco ASA release 9.6.4.41
    • Cisco ASA release 9.71
    • Cisco ASA release 9.8.4.20
    • Cisco ASA release 9.9.2.67
    • Cisco ASA release 9.10.1.40
    • Cisco ASA release 9.12.3.9
    • Cisco ASA release 9.13.1.10
  • Cisco Firepower Threat Defense (FTD):
    • Cisco FTD release 6.2.31
    • Cisco FTD release 6.2.3.16
    • Cisco FTD release 6.3.0.6
    • Cisco FTD release 6.4.0.9
    • Cisco FTD release 6.5.0.5

To upgrade to a fixed release of Cisco FTD Software, customers can do one of the following:
  • For devices that are managed by using Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After installation is complete, reapply the access control policy.
  • For devices that are managed by using Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After installation is complete, reapply the access control policy.

Temporary Mitigation & Workarounds:
  • Implement MFA on all accounts and services where it is possible, especially for Client VPN connections.
  • Enforce a password change, especially for accounts in the environment whose password has not been changed since the version upgrade.
  • Change secrets and pre-shared keys in device configurations if they have not been changed since the version upgrade.
  • Patch to a non-vulnerable version if not already done.
  • Ensure logging is enabled.
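To turn the fixed-release list above into a repeatable check, here is an added Python example (not Cisco tooling and not part of the original advisory) that parses an ASA-style version such as 9.8(4)20 or a dotted FTD version and reports whether it is at or above the same-train fixed release listed in this advisory. It assumes the "Software Version" banner line of ASA show version output, models only the per-train entries (the general "9.x" and "6.x" rows are reported as "unlisted"), and cannot see whether the AnyConnect/WebVPN configuration the NOTE refers to is actually enabled, so a "fixed" result is about version only.

```python
import re

# Same-train fixed releases transcribed from the advisory's lists above.
# The general "ASA 9.x" / "FTD 6.x" rows are not modelled: a train with no
# entry here is reported as "unlisted" rather than guessed at.
FIXED_RELEASES = {
    "ASA": [
        ((9, 6), (9, 6, 4, 41)), ((9, 8), (9, 8, 4, 20)),
        ((9, 9), (9, 9, 2, 67)), ((9, 10), (9, 10, 1, 40)),
        ((9, 12), (9, 12, 3, 9)), ((9, 13), (9, 13, 1, 10)),
    ],
    "FTD": [
        ((6, 2, 3), (6, 2, 3, 16)), ((6, 3, 0), (6, 3, 0, 6)),
        ((6, 4, 0), (6, 4, 0, 9)), ((6, 5, 0), (6, 5, 0, 5)),
    ],
}

def parse_version(text):
    """'9.8(4)20' (ASA show version style) or '6.4.0.9' -> tuple of ints."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    return parts

def assess(product, version):
    """Return (status, fixed_release) for a running version.

    status is 'fixed' or 'affected' when the train has an entry in the table,
    'unlisted' when it does not (compare it with the vendor advisory by hand).
    """
    running = parse_version(version)
    for train, fixed in FIXED_RELEASES[product]:
        if running[:len(train)] == train:
            # Tuple ordering makes '9.8(4)' -> (9,8,4) sort below (9,8,4,20).
            return ("fixed" if running >= fixed else "affected", fixed)
    return ("unlisted", None)

def assess_show_version(product, output):
    """Extract the version from a 'show version' banner and assess it."""
    match = re.search(r"Software Version\s+(\S+)", output)
    if not match:
        raise ValueError("no 'Software Version' line found")
    return assess(product, match.group(1))

if __name__ == "__main__":
    # Constructed sample; assumes ASA's 'Software Version X' banner line.
    banner = "Cisco Adaptive Security Appliance Software Version 9.8(4)10\n"
    print(assess_show_version("ASA", banner))  # ('affected', (9, 8, 4, 20))
```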


References