CVE-2020-3125

9.8 CRITICAL

📋 TL;DR

This vulnerability allows an unauthenticated remote attacker to impersonate a Kerberos Key Distribution Center (KDC) and bypass authentication on Cisco ASA devices configured for Kerberos authentication. Attackers can spoof KDC responses to gain unauthorized VPN or local device access without valid credentials. Organizations using Cisco ASA with Kerberos authentication for VPN or device access are affected.

💻 Affected Systems

Products:
  • Cisco Adaptive Security Appliance (ASA) Software
Versions: prior to 9.6.4.42, 9.8.4.20, 9.9.2.60, 9.10.1.24, 9.12.3.12, 9.13.1.10, and 9.14.1.10
Operating Systems: Cisco ASA OS
Default Config Vulnerable: ✅ No
Notes: Only affects devices configured to use Kerberos authentication for VPN or local device access.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network compromise through unauthorized VPN access, lateral movement to internal systems, and potential data exfiltration.

🟠 Likely Case

Unauthorized VPN access leading to internal network reconnaissance and credential harvesting.

🟢 If Mitigated

Limited impact with proper network segmentation, multi-factor authentication, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to the ASA device (or to the path between the ASA and its KDC) and knowledge of the Kerberos authentication flow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.6.4.42, 9.8.4.20, 9.9.2.60, 9.10.1.24, 9.12.3.12, 9.13.1.10, 9.14.1.10 or later

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS

Restart Required: Yes

Instructions:

1. Download the appropriate ASA software version from Cisco.com.
2. Upload it to the ASA device.
3. Configure the boot system to use the new image.
4. Reload the device.
5. Verify that the new version is running.

🔧 Temporary Workarounds

Disable Kerberos Authentication

all

Temporarily disable Kerberos authentication and fall back to an alternative method; for management access, for example, point SSH and HTTP authentication at the local user database:

aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

🧯 If You Can't Patch

  • Implement network segmentation to isolate ASA devices
  • Enable multi-factor authentication for VPN access

🔍 How to Verify

Check if Vulnerable:

Check the ASA version with 'show version' and confirm whether Kerberos authentication is configured (look for an 'aaa-server ... protocol kerberos' entry in 'show running-config aaa-server').

Check Version:

show version | include Version

Verify Fix Applied:

Confirm with 'show version' that the running image is one of the fixed releases listed above, then test that Kerberos authentication still works end to end.

📡 Detection & Monitoring

Log Indicators:

  • Failed Kerberos authentication attempts followed by successful VPN connections
  • Unusual source IP addresses establishing VPN connections

Network Indicators:

  • Kerberos traffic (88/tcp, 88/udp) between the ASA and unexpected hosts, in particular KDC responses that do not originate from the configured KDC

SIEM Query:

source="asa" (event_id=113019 OR event_id=722051) AND (action="authenticated" OR action="established")
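The first log indicator above (failed Kerberos authentication attempts followed by a successful connection for the same user) implemented as a correlation over ASA-style syslog lines. This is an added example, not part of this advisory or of any Cisco tooling. The log lines are constructed; the message IDs 113005 (AAA authentication rejected) and 113004 (AAA authentication successful), the field layout, and the threshold and window values are assumptions to verify against your own ASA syslog output before deploying.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in ASA syslog style (not real captures).
# Message IDs 113005 (rejected) and 113004 (successful) are assumed; check
# them against your platform's syslog message reference.
SAMPLE_LOGS = """\
Mar 10 2020 09:14:01 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7
Mar 10 2020 09:14:05 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7
Mar 10 2020 09:14:09 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7
Mar 10 2020 09:14:20 asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jdoe
Mar 10 2020 10:02:11 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith : user IP = 198.51.100.9
Mar 10 2020 10:45:30 asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = asmith
Mar 10 2020 11:00:00 asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = bwong
"""

REJECTED = "113005"   # assumed: AAA user authentication Rejected
SUCCESS = "113004"    # assumed: AAA user authentication Successful

# Timestamp, hostname, message ID, then the first "user = <name>" field and
# an optional "user IP = <addr>" field (present on the rejected lines).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<msg_id>\d{6}): .*?user = (?P<user>\S+)"
    r"(?: : user IP = (?P<src_ip>\S+))?"
)


def parse_events(text):
    """Parse syslog text into time-ordered event dicts; skip unrecognised lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "msg_id": m["msg_id"],
            "user": m["user"],
            "src_ip": m["src_ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_reject_then_success(events, min_rejects=3, window_seconds=300):
    """Flag a user whose successful authentication is preceded, within
    window_seconds, by at least min_rejects rejected attempts.
    Threshold and window are tuning assumptions, not vendor guidance."""
    window = timedelta(seconds=window_seconds)
    recent_rejects = defaultdict(list)   # user -> [(ts, src_ip), ...]
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["msg_id"] == REJECTED:
            recent_rejects[user].append((ev["ts"], ev["src_ip"]))
        elif ev["msg_id"] == SUCCESS:
            cutoff = ev["ts"] - window
            hits = [(ts, ip) for ts, ip in recent_rejects[user] if ts >= cutoff]
            if len(hits) >= min_rejects:
                alerts.append({
                    "user": user,
                    "success_at": ev["ts"],
                    "reject_count": len(hits),
                    "source_ips": sorted({ip for _, ip in hits if ip}),
                })
            # A success closes the sequence for this user either way.
            recent_rejects[user].clear()
    return alerts


def detect(text=SAMPLE_LOGS, **kwargs):
    """Convenience wrapper: parse and correlate in one call."""
    return find_reject_then_success(parse_events(text), **kwargs)


if __name__ == "__main__":
    for alert in detect():
        print(f"{alert['success_at']} user={alert['user']} "
              f"rejects={alert['reject_count']} from={alert['source_ips']}")
```

With the defaults, only jdoe is flagged (three rejections in 19 seconds, then a success); asmith's single rejection 43 minutes before a success falls outside the window. Loosening the parameters (for example one rejection within an hour) also flags asmith, which is the usual trade-off between catching a slow sequence and drowning in password typos.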
