CVE-2020-3259

Cisco ASA and FTD Information Disclosure Vulnerability

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

Una vulnerabilidad en la interfaz de servicios web del Cisco Adaptive Security Appliance (ASA) Software y el Cisco Firepower Threat Defense (FTD) Software, podría permitir a un atacante remoto no autenticado recuperar contenido de la memoria sobre un dispositivo afectado, lo que podría conducir a la divulgación de información confidencial . La vulnerabilidad es debido a un problema de rastreo del búfer cuando el software analiza las URL no válidas que son solicitadas desde la interfaz de servicios web. Un atacante podría explotar esta vulnerabilidad mediante el envío de una petición GET diseñada hacia la interfaz de servicios web. Una explotación con éxito podría permitir a un atacante recuperar el contenido de la memoria, lo que podría conllevar a la divulgación de información confidencial. Nota: Esta vulnerabilidad solo afecta a configuraciones específicas de AnyConnect y WebVPN. Para más información, consulte la sección Vulnerable Products.

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2019-12-12 CVE Reserved
2020-05-06 CVE Published
2024-02-15 Exploited in Wild
2024-03-07 KEV Due Date
2024-06-15 EPSS Updated
2024-10-24 CVE Updated
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB	2024-02-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Firepower Threat Defense Search vendor "Cisco" for product "Firepower Threat Defense"				>= 6.2.3 < 6.2.3.16 Search vendor "Cisco" for product "Firepower Threat Defense" and version " >= 6.2.3 < 6.2.3.16"		-		Affected
Cisco Search vendor "Cisco"		Firepower Threat Defense Search vendor "Cisco" for product "Firepower Threat Defense"				>= 6.3.0 < 6.3.0.6 Search vendor "Cisco" for product "Firepower Threat Defense" and version " >= 6.3.0 < 6.3.0.6"		-		Affected
Cisco Search vendor "Cisco"		Firepower Threat Defense Search vendor "Cisco" for product "Firepower Threat Defense"				>= 6.4.0 < 6.4.0.9 Search vendor "Cisco" for product "Firepower Threat Defense" and version " >= 6.4.0 < 6.4.0.9"		-		Affected
Cisco Search vendor "Cisco"		Firepower Threat Defense Search vendor "Cisco" for product "Firepower Threat Defense"				>= 6.5.0 < 6.5.0.5 Search vendor "Cisco" for product "Firepower Threat Defense" and version " >= 6.5.0 < 6.5.0.5"		-		Affected
Cisco Search vendor "Cisco"		Adaptive Security Appliance Software Search vendor "Cisco" for product "Adaptive Security Appliance Software"				>= 9.8 < 9.8.4.20 Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.8 < 9.8.4.20"		-		Affected
Cisco Search vendor "Cisco"		Adaptive Security Appliance Software Search vendor "Cisco" for product "Adaptive Security Appliance Software"				>= 9.9 < 9.9.2.67 Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.9 < 9.9.2.67"		-		Affected
Cisco Search vendor "Cisco"		Adaptive Security Appliance Software Search vendor "Cisco" for product "Adaptive Security Appliance Software"				>= 9.10 < 9.10.1.40 Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.10 < 9.10.1.40"		-		Affected
Cisco Search vendor "Cisco"		Adaptive Security Appliance Software Search vendor "Cisco" for product "Adaptive Security Appliance Software"				>= 9.12 < 9.12.3.9 Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.12 < 9.12.3.9"		-		Affected
Cisco Search vendor "Cisco"		Adaptive Security Appliance Software Search vendor "Cisco" for product "Adaptive Security Appliance Software"				>= 9.13 < 9.13.1.10 Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.13 < 9.13.1.10"		-		Affected