It has been revealed that hackers are exploiting a ‘high-severity vulnerability’ found in Cisco’s network security software products, often used by US Fortune 500 companies.
Cisco is warning that a high-severity flaw in its network security software is being actively exploited. This is allowing remote unauthenticated attackers to access sensitive data.
Patches for the vulnerability (CVE-2020-3452), which ranks 7.5 out of 10 on the CVSS scale, were released last Wednesday. But, attackers have since been targeting vulnerable versions of the software, where the patches are yet to be applied.
“The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code & active exploitation of the vulnerability that is described in this advisory,” according to Cisco’s statement.
The flaw exists in the web services interface of Firepower Threat Defence (FTD) software, which is part of Cisco’s suite of network security & traffic management products; & its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.
Potential threat surface is huge: Researchers with Rapid7 discovered 85,000 internet-accessible ASA/FTD devices. 398 are spread across 17% of the Fortune 500, researchers explained.
Correct Input Validation
This flaw originates from a lack of correct input validation of URLs in HTTP requests processed by affected devices. It lets attackers conduct directory traversal attacks, which is an HTTP attack allowing bad players to access restricted directories & execute commands outside of the web server’s root directory.
Shortly after patches were released, proof-of-concept (POC) exploit code was released Wednesday for the flaw, by security researcher Ahmed Aboul-Ela.
A possible attacker can view more sensitive files within the web services file system: The web services files may have information such as WebVPN configuration, bookmarks, web cookies, partial web content & HTTP URLs.
Cisco revealed the vulnerability affects products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software, with a vulnerable AnyConnect or WebVPN configuration:
“The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features,” says its advisory. However, “this vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.”
Researchers with Rapid7 explained that since the new patch was issued, only around 10% of Cisco ASA/FTD devices detected as internet-facing have been rebooted, which is a “likely indicator they’ve been patched.”
Only 27 of the 398 detected in Fortune 500 companies seem to have been re-booted.
Researchers suggest immediate patching of vulnerable ASA/FTD installations “to prevent attackers from obtaining sensitive information from these devices which may be used in targeted attacks.”
ASA & FTD
“Cisco has provided fixes for all supported versions of ASA & FTD components,” commented researchers. “Cisco ASA Software releases 9.5 & earlier, as well as Release 9.7, along with Cisco FTD Release 6.2.2 have reached the end of software maintenance & organisations will have to upgrade to a later, supported version to fix this vulnerability.”