Cisco ASA VPN/FTD - Arbitrary File Read (CVE-2020-3452)

Name: Cisco ASA VPN/FTD - Arbitrary File Read (CVE-2020-3452)
Published: 2021-10-13T00:00:00.000Z

Severity
CVE: CVE-2020-3452
CVSSv3 Score: 7.5
Exploitable with Sniper: Yes
Vulnerability description: Cisco ASA VPN/FTD is affected by an Arbitrary File Read vulnerability, located on the /+CSCOT+/translation-table endpoint. The root cause of this vulnerability consists in insufficient validation of the HTTP input request which allows directory traversal attacks.
Exploit capabilities: Sniper can read arbitrary files from the target system and extract them as evidence.
Risk description: The risk exists that a remote unauthenticated attacker could exploit this vulnerability to view sensitive information on files located in the web services file system.
Recommendation: Update the Cisco ASA server to a version higher than 9.14.1 or the FTD server to a version higher than 6.6.0.1.
References: https://nvd.nist.gov/vuln/detail/CVE-2020-3452
Detectable with: Network Scanner
Vuln date: Jul 2020
Published at: Oct 2021
Updated at: Oct 2021
Software Type: VPN gateway
Vendor: Cisco
Product: ASA
Codename: Not available