PT-2020-02: Reading or deleting arbitrary files in Cisco ASA and Cisco FTD
Cisco ASA, Cisco FTD
Severity:
Severity level: High
Impact: Reading or deleting arbitrary files in Cisco ASA and Cisco FTD
Access Vector: Remote
CVSS v3 Base Score: 9.1 HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE: CVE-2020-3187
Vulnerability description:
A vulnerability in WebVPN allows an unauthorized, remote attacker to conduct a denial of service attack against Cisco ASA devices by deleting files on the system. Successful exploitation of this vulnerability may allow attackers to disable Cisco ASA VPN and read some VPN web interface files.
Advisory status:
04.10.2019 - Vendor gets vulnerability details 06.05.2020 - Vendor releases fixed version and details
Credits:
The vulnerability was discovered by Mikhail Klyuchnikov, Positive Technologies