
Cisco ASA VPN/FTD - Arbitrary File Read (CVE-2020-3452)

Severity
CVSSv3 Score: 7.5
Exploitable with Sniper: Yes
Vulnerability description

Cisco ASA VPN/FTD is affected by an Arbitrary File Read vulnerability located on the /+CSCOT+/translation-table endpoint. The root cause is insufficient validation of input in HTTP requests, which allows directory traversal attacks.

Exploit capabilities

Sniper can read arbitrary files from the target system and extract them as evidence.

Risk description

A remote, unauthenticated attacker could exploit this vulnerability to view sensitive information in files located in the web services file system.

Recommendation

Update the Cisco ASA server to a version higher than 9.14.1 or the FTD server to a version higher than 6.6.0.1.
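
To review traffic for attempts against this endpoint while the update is rolled out, the following added example (not Pentest-Tools.com or Cisco code) flags logged requests to /+CSCOT+/translation-table whose query string decodes to a `..` path segment, including percent-encoded and double-encoded forms. It assumes Common Log Format request lines from a proxy in front of the device; the parameter name `param` and all log lines are constructed.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory, lowercased for comparison.
ENDPOINT = "/+cscot+/translation-table"
# Assumption: request line as written in Common/Combined Log Format.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; "param" is a hypothetical parameter name.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2020:10:00:00 +0000] "GET /+CSCOT+/translation-table?param=en HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2020:10:00:05 +0000] "GET /+CSCOT+/translation-table?param=../placeholder HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Aug/2020:10:00:06 +0000] "GET /%2bCSCOT%2b/translation-table?param=%2e%2e%2fplaceholder HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Aug/2020:10:00:07 +0000] "GET /+CSCOT+/translation-table?param=%252e%252e%255cplaceholder HTTP/1.1" 404 0',
    '192.0.2.11 - - [01/Aug/2020:10:01:00 +0000] "GET /index.html?param=../placeholder HTTP/1.1" 404 0',
    '192.0.2.12 - - [01/Aug/2020:10:02:00 +0000] "GET /+CSCOT+/translation-table?param=file..txt HTTP/1.1" 200 512',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)  # unquote() keeps '+' literal, as in the path
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(query):
    """True if the decoded query contains '..' as a whole path segment."""
    segments = re.split(r"[/\\&=;]", fully_decode(query))
    return ".." in segments

def is_suspicious(log_line):
    """Flag requests to the translation-table endpoint carrying traversal."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return False
    path, _, query = match.group(1).partition("?")
    if fully_decode(path).lower().rstrip("/") != ENDPOINT:
        return False
    return has_traversal(query)

def suspicious_lines(lines):
    """Return the subset of log lines that should be reviewed."""
    return [line for line in lines if is_suspicious(line)]

if __name__ == "__main__":
    for hit in suspicious_lines(SAMPLE_LOG):
        print(hit)
```

A hit shows only that a traversal attempt reached the endpoint; whether a file was returned still has to be checked against the response status and size.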

Detectable with: Network Scanner
Vuln date: Jul 2020
Published at
Updated at
Software Type: VPN gateway
Vendor: Cisco
Product: ASA
Codename: Not available