Cisco has stomped out 12 high-severity vulnerabilities across several network security products. The flaws can be exploited by unauthenticated remote attackers to launch an array of attacks – from denial of service (DoS) to sniffing out sensitive data.
Specifically affected is Cisco’s Firepower Threat Defense (FTD) software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.
“All of the vulnerabilities have a Security Impact Rating of High,” said Cisco in a Wednesday advisory. “Successful exploitation of the vulnerabilities could allow an attacker to cause a memory leak, disclose information, view and delete sensitive information, bypass authentication, or create a DoS condition on an affected device.”
The most severe flaw exists in the web service interfaces for ASA software and FTD software. This glitch (CVE-2020-3187) could allow an unauthenticated, remote attacker to conduct directory traversal attacks. A directory traversal attack exploits insufficient validation or sanitization of user-supplied file names to reach files outside the directory the application intends to expose.
The flaw, which ranks 9.1 out of 10.0 on the CVSS scale, stems from a lack of proper input validation of the HTTP URL in the web interface. An attacker could exploit the flaw by sending a specially crafted HTTP request that contains directory traversal character sequences.
“An exploit could allow the attacker to view or delete arbitrary files on the targeted system,” explained Cisco. “When the device is reloaded after exploitation of this vulnerability, any files that were deleted are restored.”
Researchers with Positive Technologies, who reported the flaw, said that by exploiting the vulnerability in WebVPN, an unauthorized external attacker can also perform DoS attacks on Cisco ASA devices after deleting files from the system.
“VPN blocking may disrupt numerous business processes,” said Mikhail Klyuchnikov with Positive Technologies in an email. “For example, this can affect connections between branch offices in a distributed network, disrupt email, ERP, and other critical systems. Another problem is that internal resources may become unavailable to remote workers. This is especially dangerous now that many employees are working remotely due to the coronavirus outbreak.”
One caveat is that an attacker who exploits this flaw can only view and delete files within the web services file system (as opposed to ASA or FTD system files or underlying operating system (OS) files). This file system is enabled when the affected device is configured with either WebVPN or AnyConnect features, according to Cisco.
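The root cause described above is a web interface that accepts traversal sequences in the request path. The following added example (not Cisco's code; the web root, log lines and paths are constructed) shows a canonicalizing path resolver that confines requests to the web services file system, including double-encoded and backslash variants, and a scan that flags traversal attempts in common-log-format access logs.

```python
import posixpath
from urllib.parse import unquote

# Constructed root of the web services file system (assumption, not a real Cisco path).
WEB_ROOT = "/webvpn"


def _decode(url_path):
    """Drop the query string, percent-decode twice, and unify backslashes to '/'."""
    path_only = url_path.split("?", 1)[0]
    return unquote(unquote(path_only)).replace("\\", "/")


def safe_resolve(web_root, url_path):
    """Canonicalise url_path under web_root; return None if it escapes the root.

    Decoding twice means sequences like %252e%252e%252f are normalised before the
    '..' segments are collapsed, so an encoded escape cannot slip past the prefix check.
    """
    root = posixpath.normpath(web_root)
    prefix = root if root.endswith("/") else root + "/"
    joined = posixpath.normpath(posixpath.join(root, _decode(url_path).lstrip("/")))
    if joined == root or joined.startswith(prefix):
        return joined
    return None


def is_traversal_attempt(url_path):
    """True if the path carries a '..' segment in any encoding or escapes WEB_ROOT."""
    return ".." in _decode(url_path).split("/") or safe_resolve(WEB_ROOT, url_path) is None


def flag_traversal_requests(log_lines):
    """Return (client_ip, request_path) for common-log-format lines that look like traversal."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed line: skip it rather than abort the scan
        ip, path = parts[0], parts[6]
        if is_traversal_attempt(path):
            hits.append((ip, path))
    return hits


# Constructed sample access-log lines (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/May/2020:10:00:00 +0000] "GET /css/main.css HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/May/2020:10:00:05 +0000] "GET /../../../config/users.xml HTTP/1.1" 404 0',
    '198.51.100.7 - - [06/May/2020:10:00:09 +0000] "GET /%2e%2e/%2e%2e/config/users.xml HTTP/1.1" 404 0',
    '203.0.113.5 - - [06/May/2020:10:00:12 +0000] "DELETE /static/..%5c..%5cconfig/users.xml HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

A request such as `/a/../b` that stays inside the root still resolves, but the log scan flags it anyway, since legitimate clients rarely send `..` segments.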
Cisco ASA Software Flaws
Cisco fixed seven other high-severity flaws in its ASA and FTD software, including one in the Kerberos authentication feature of ASA. Kerberos is a common authentication protocol for on-premise authentication, used in many ASA interfaces.
That flaw (CVE-2020-3125) could enable an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) due to insufficient identity verification of the KDC. Attackers could then bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access.
“Cisco uses the Kerberos authentication protocol in many ASA interfaces – for example, VPN, opening firewall sessions, and administrative access, either through the web management console or through SSH,” said Silverfort researchers who found the flaw. “Therefore, bypassing Kerberos authentication allows an attacker to take over the Cisco appliance, bypass its security, and gain access to other networks.”
Other flaws in ASA and FTD include denial of service flaws (CVE-2020-3298, CVE-2020-3191, CVE-2020-3254 and CVE-2020-3196), a memory leak vulnerability (CVE-2020-3195) and an information disclosure glitch (CVE-2020-3259).
Firepower Software Flaws
Cisco also patched four flaws that existed only in its FTD software, including a flaw (CVE-2020-3189) in the VPN System Logging functionality of the software. The vulnerability stems from system memory not being properly freed for a VPN System Logging event generated when a VPN session is created or deleted, according to the advisory.
A remote, unauthenticated attacker could exploit this flaw by repeatedly creating or deleting a VPN tunnel connection, which leaks a small amount of system memory for each logging event, eventually depleting system memory and leading to a systemwide DoS condition. The one caveat is that attackers have no control over whether VPN System Logging is configured on the device (though it is enabled by default).
Other FTD software flaws include DoS flaws in the packet processing functionality (CVE-2020-3255) and in generic routing encapsulation (GRE) tunnel handling (CVE-2020-3179), and a DoS flaw (CVE-2020-3283) in the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) handler of FTD software when running on Cisco Firepower 1000 Series appliances.
Overall, Cisco issued 34 patches on Wednesday, including 12 for high-severity flaws and 22 for medium-severity glitches. This most recent wave of patches comes a few weeks after Cisco warned of a critical flaw in the web server of its IP phones, which if exploited could allow an unauthenticated, remote attacker to execute code with root privileges or launch a DoS attack.