Cisco has disclosed a dozen high-severity flaws affecting its Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.
The updates address eight denial-of-service issues affecting its security software, an information disclosure vulnerability, a memory-leak flaw, a path-traversal vulnerability, and an authentication bypass.
The highest-rated bug in the bundle, with a CVSS score of 9.1, is a path-traversal vulnerability in ASA and FTD software, tracked as CVE-2020-3187 and reported by Mikhail Klyuchnikov of security company Positive Technologies.
An attacker can exploit the issue by sending a crafted HTTP request containing directory traversal character sequences, allowing the attacker to view or delete files on the system.
However, Cisco notes that when the device is reloaded after exploitation, any files that were deleted are restored. Also, the attacker can only view and delete files within the web services file system, which is enabled when the device is configured with WebVPN or AnyConnect features.
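The path-traversal bug above is triggered by HTTP requests carrying directory traversal character sequences, which is also what a defender can look for in web access logs. The following Python scanner is an added example, not code from the article, from Cisco or from the researchers: it decodes each request path (including URL-encoded and double-encoded forms), normalises backslashes, and flags only paths that contain a real `..` segment, so a filename such as `release..notes.html` is not a false positive. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not real device logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/May/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1532',
    '10.0.0.9 - - [06/May/2020:10:00:07 +0000] "GET /static/../../etc/hosts HTTP/1.1" 403 0',
    '10.0.0.9 - - [06/May/2020:10:00:09 +0000] "GET /img/%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 403 0',
    '10.0.0.9 - - [06/May/2020:10:00:12 +0000] "GET /img/%252e%252e/secret HTTP/1.1" 404 0',
    '10.0.0.7 - - [06/May/2020:10:00:15 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 812',
]

# Pulls the method and path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing.

    Double-encoded sequences such as %252e%252e only become '..' after a
    second decoding pass, so a single unquote() would miss them.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(path: str) -> bool:
    """True if the decoded path contains a '..' directory segment."""
    decoded = decode_fully(path).replace("\\", "/")
    # Ignore the query string; only the path part selects a file.
    decoded = decoded.split("?", 1)[0]
    return any(segment == ".." for segment in decoded.split("/"))


def scan_log(lines):
    """Return (client_ip, raw_path) for every request whose path traverses."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-request line
        if is_traversal(match.group("path")):
            hits.append((line.split(" ", 1)[0], match.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

Three of the five constructed lines are flagged (the plain, single-encoded and double-encoded variants), all from the same source address, which is the kind of clustering worth alerting on; the `release..notes.html` request is left alone.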
The authentication bypass, tracked as CVE-2020-3125, exists because Cisco’s ASA doesn’t properly verify the identity of the Kerberos key distribution center (KDC) when it receives an authentication response.
“An attacker could exploit this vulnerability by spoofing the KDC server response to the ASA device. This malicious response would not have been authenticated by the KDC. A successful attack could allow an attacker to bypass Kerberos authentication,” Cisco warns.
The issue affects ASA with Kerberos authentication configured for VPN or local device access.
Cisco notes that after installing the fixed upgrade, admins still need to make configuration changes to address the vulnerability. ASA devices remain exploitable unless the command-line interface commands ‘validate-kdc’ and ‘aaa kerberos import-keytab’ are configured.
Yoav Iellin, Yaron Kassner, Dor Segal, and Rotem Zach of Israeli security firm Silverfort reported the bug to Cisco.
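Why a keytab is needed on top of the software fix is easier to see in a model than in prose. The Python below is an added illustration, not code from the article, from Cisco or from Silverfort, and it is not Kerberos: real Kerberos encryption is replaced by an HMAC-based `seal`/`unseal` pair, and the KDC, the client logon and the service principal `host/asa.example.test` are all constructed for the example. It contrasts a client that trusts the KDC's authentication response on its own (the behaviour the advisory describes) with one that additionally requests a ticket for its own service and checks it under the key from its keytab, which is the idea behind the `validate-kdc` and `aaa kerberos import-keytab` configuration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32


def derive_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key: password -> symmetric key."""
    return hashlib.sha256(password.encode()).digest()


def seal(key: bytes, payload: bytes) -> bytes:
    """Toy 'encryption': HMAC tag over the payload, then the payload itself.
    Only a holder of `key` can produce a blob that unseal() accepts."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag under `key`; raise if it was sealed with another key."""
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return payload


class KDC:
    """Genuine KDC: knows every user's key and the client's own service key
    (the key an admin would export into the keytab)."""

    def __init__(self, users: dict, service_key: bytes):
        self.users = users
        self.service_key = service_key

    def as_req(self, user: str) -> bytes:
        # Authentication response, sealed under the user's long-term key.
        return seal(self.users[user], b"TGT for " + user.encode())

    def tgs_req(self, user: str, spn: str) -> bytes:
        # Service ticket, sealed under the service's key.
        return seal(self.service_key, f"ticket {user} -> {spn}".encode())


class RogueKDC(KDC):
    """Spoofed KDC (constructed for the model): it seals its authentication
    response under whatever password was typed, so the response always
    'decrypts', but it holds no copy of the real service key."""

    def __init__(self, typed_password: str):
        super().__init__(users={}, service_key=secrets.token_bytes(32))
        self.typed_key = derive_key(typed_password)

    def as_req(self, user: str) -> bytes:
        return seal(self.typed_key, b"TGT for " + user.encode())


def authenticate(kdc: KDC, user: str, password: str, keytab: Optional[bytes]) -> bool:
    """Client-side logon. keytab=None: the authentication response alone decides
    (the unpatched behaviour). With a keytab: also fetch a ticket for our own
    service principal and check it under the keytab key (KDC validation)."""
    try:
        unseal(derive_key(password), kdc.as_req(user))
    except ValueError:
        return False  # wrong password, or response not sealed for this key
    if keytab is None:
        return True
    try:
        unseal(keytab, kdc.tgs_req(user, "host/asa.example.test"))
    except ValueError:
        return False  # whoever answered could not mint a ticket for our service
    return True


SERVICE_KEY = secrets.token_bytes(32)  # constructed keytab contents
LEGIT_KDC = KDC(users={"alice": derive_key("correct-horse")}, service_key=SERVICE_KEY)
ROGUE_KDC = RogueKDC(typed_password="anything-goes")


def demo() -> dict:
    """Four logon attempts; True means the client accepted the user."""
    return {
        "legit_good_pw": authenticate(LEGIT_KDC, "alice", "correct-horse", SERVICE_KEY),
        "legit_bad_pw": authenticate(LEGIT_KDC, "alice", "wrong", SERVICE_KEY),
        "rogue_no_keytab": authenticate(ROGUE_KDC, "alice", "anything-goes", None),
        "rogue_with_keytab": authenticate(ROGUE_KDC, "alice", "anything-goes", SERVICE_KEY),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} -> {'accepted' if accepted else 'rejected'}")
```

The two rogue cases carry the point: without a keytab the client has no secret the spoofed KDC lacks, so any response it can decrypt looks genuine; with the keytab, the client asks for something only the real KDC can produce, and the spoofed answer is rejected. The same logic is why Cisco says the upgrade alone is not enough until the keytab is imported and KDC validation is turned on.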
The memory-leak issue, tracked as CVE-2020-3195, exists because ASA and FTD incorrectly process some Open Shortest Path First (OSPF) packets, which an attacker can exploit by sending specially crafted OSPF packets to an affected device. The attacker could then continuously use up the device’s memory until it reloads, triggering a denial of service.
The vulnerability affects ASA or FTD configured to support OSPF routing with the capability to process Link-Local Signaling (LLS) blocks. LLS block processing is enabled by default, Cisco notes.
ASA and FTD software configured with the DNS over IPv6 protocol are also vulnerable to a denial-of-service vulnerability that’s tracked as CVE-2020-3191.
A remote attacker without credentials can exploit this bug by sending a crafted DNS query over IPv6, which traverses the affected device, according to Cisco. This could allow the attacker to trigger a device reload, causing a DoS.
Besides the dozen ASA and FTD high-severity bugs, Cisco disclosed 22 medium-severity flaws affecting ASA, FTD and other Cisco products.