12 high-severity bugs in ASA and Firepower

Few days ago, Cisco Psirt published twelve Cisco ASA and FTD vulnerabilities with “high” score. Eight of them can cause denial of service, while three can bypass authentication. Below the details of the bypass authentication vulnerabilities (CVE-2020-3125 – CVE-2020-3187 – CVE-2020-3259).

Researchers at Silverfort discovered (CVE-2020-3125) that an attacker who could hijack network traffic between the client and the Key Distribution Center (KDC) could spoof the KDC’s responses to the client and eventually bypass the authentication mechanism altogether. The vulnerability is only exploitable if the device is configured to use Kerberos for authentication.

The other two bugs (CVE-2020-3187CVE-2020-3259) was discovered by Positive Technologies experts Mikhail Klyuchnikov and Nikita Abramov.

The CVE-2020-3187 was given a score of 9.1, which corresponds to the critical level of severity, it can be exploited even by a low-skilled hacker. By exploiting the vulnerability in WebVPN, an unauthorized external attacker can perform DoS attacks on Cisco ASA devices by simply deleting files from the system. Such actions may disable VPN connection in Cisco ASA. In addition, the flaw allows attackers to read files related to VPN web interface.

The CVE-2020-3259 allows attackers to read sections of the device dynamic memory and obtain current session IDs of users connected to Cisco VPN. Using Cisco VPN client, attackers can enter the stolen session ID and penetrate the company’s internal network. Moreover, Cisco ASA memory may store other confidential information that can be used in future attacks, such as user names, email addresses, and certificates. This vulnerability can also be exploited remotely and does not require authorization.

For all these vulnerabilities there are no workarounds that address this vulnerability; the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Cisco fixed these vulnerabilities in all versions of ASA/FTD devices. I highly recommend enterprises upgrade to protect against these bugs.

References: