CVE-2020-3187

9.1 CRITICAL

📋 TL;DR

CVE-2020-3187 is a directory traversal vulnerability in Cisco ASA and FTD software that allows unauthenticated remote attackers to read and delete files within the web services file system. This affects devices configured with WebVPN or AnyConnect features. The vulnerability stems from improper input validation of HTTP URLs.

💻 Affected Systems

Products:
  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Threat Defense (FTD) Software
Versions: Releases earlier than the first fixed release of each ASA/FTD train (see the Cisco advisory under Fix & Mitigation)
Operating Systems: Cisco ASA OS, Cisco FTD OS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when WebVPN or AnyConnect features are enabled. Does not affect ASA/FTD system files or underlying OS files.

📦 What is this software?

Cisco ASA is Cisco's firewall and remote-access VPN appliance; FTD is its successor image that combines the ASA firewall/VPN stack with Firepower next-generation features. Both can serve the clientless WebVPN portal and AnyConnect client downloads over HTTPS, and it is that web service that exposes the vulnerable file system.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker reads sensitive files from the web services file system and deletes files the WebVPN/AnyConnect portal depends on, breaking remote-access VPN logins for all users until the device is reloaded (deleted files are restored on reload).

🟠

Likely Case

An attacker reads files from the web services file system, or deletes them to disrupt WebVPN/AnyConnect connectivity until the device is reloaded.

🟢

If Mitigated

Network access controls limit who can reach the portal at all. Even when exploited, impact is confined to the web services file system (no ASA/FTD system or underlying OS files), and any deleted files are restored on reload.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP requests with directory traversal sequences. Public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed versions - see Cisco advisory for specific version mappings

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43

Restart Required: Yes

Instructions:

1. Review the Cisco advisory for the first fixed release of your ASA or FTD train.
2. Upgrade to that release or later.
3. Reload the device to complete the upgrade (the reload also restores any files deleted by earlier exploitation).
4. Verify the fix from an authorized host: a request to the web interface containing traversal sequences must be rejected rather than returning file content.

🔧 Temporary Workarounds

Disable WebVPN/AnyConnect

Applies to: all affected versions

Cisco lists no workaround in the advisory. If remote-access VPN is not required, disabling WebVPN on the exposed interface and AnyConnect client services removes the web services file system from reach, at the cost of all remote-access VPN through that interface. Both commands are entered in webvpn configuration mode; replace `outside` with your interface name.

webvpn
 no enable outside
 no anyconnect enable

Restrict Access

Applies to: all affected versions

Limit which sources can reach the portal on TCP/443. The portal is traffic addressed to the ASA itself, which a plain interface ACL does not filter; apply the ACL with the `control-plane` keyword so it covers to-the-box traffic. Keep a trailing permit so the implicit deny does not drop IKE/IPsec and other legitimate traffic to the interface. The 203.0.113.0/24 source is a placeholder for your trusted networks. This reduces exposure but does not fix the flaw.

access-list WEB-ACCESS extended permit tcp 203.0.113.0 255.255.255.0 any eq 443
access-list WEB-ACCESS extended deny tcp any any eq 443
access-list WEB-ACCESS extended permit ip any any
access-group WEB-ACCESS in interface outside control-plane

🧯 If You Can't Patch

  • Implement strict network access controls so only trusted sources can reach the web services interface
  • Monitor for directory traversal attempts and deploy IDS/IPS rules that block them; signatures must normalize percent-encoding (for example %2e%2e%2f), otherwise a literal ../ match is trivially bypassed

🔍 How to Verify

Check if Vulnerable:

The device is vulnerable when both hold: WebVPN is enabled on an interface or AnyConnect is enabled (both appear in the webvpn section of the running configuration), and the running release is older than the first fixed release for its train in the Cisco advisory.

Check Version:

show version | include Version

Verify Fix Applied:

Confirm the running release is at or above the fixed release for its train, then, from an authorized host only, send a request with traversal sequences to the web interface and confirm it is rejected rather than returning file content.
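As an added example (not from the page or from Cisco), the following Python applies the two conditions above to captured CLI output: it extracts the release from `show version` (ASA prints `9.12(3)12`, FTD prints `Version 6.6.0 (Build 90)`), checks the `webvpn` configuration for an enabled interface or `anyconnect enable`, and compares the release numerically against a fixed-release table that the operator fills in from the Cisco advisory. The CLI output in the demo is constructed, and the `9.12.3.12` entry is a placeholder, not Cisco's actual fixed release.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Matches "Software Version 9.12(3)12" (ASA) and "Version 6.6.0 (Build 90)" (FTD).
_VERSION_RE = re.compile(r"Version\s+(\d+\.\d+(?:\(\d+\)\d*|(?:\.\d+)*))")
# WebVPN enabled on an interface, or AnyConnect client services enabled,
# as printed inside the "webvpn" section of the running configuration.
_WEBVPN_ON_RE = re.compile(r"^\s*(?:enable\s+\S+|anyconnect enable)\s*$", re.M)


def parse_version(text: str) -> Version:
    """'9.12(3)12' or '9.12.3.12' -> (9, 12, 3, 12). Tuples compare numerically,
    so 9.12 sorts after 9.9; a plain string comparison gets that wrong."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_from_show_version(output: str) -> Optional[Version]:
    """Pull the running release out of 'show version' output."""
    m = _VERSION_RE.search(output)
    return parse_version(m.group(1)) if m else None


def webvpn_exposed(webvpn_config: str) -> bool:
    """True if the web services file system is reachable from the network."""
    return _WEBVPN_ON_RE.search(webvpn_config) is not None


def assess(show_version_out: str, webvpn_config: str,
           fixed_by_train: Dict[Tuple[int, int], str]) -> str:
    """Return 'not_exposed', 'fixed', 'vulnerable' or 'unknown_train'.

    fixed_by_train maps (major, minor) -> first fixed release for that train,
    copied by the operator from the Cisco advisory.
    """
    if not webvpn_exposed(webvpn_config):
        return "not_exposed"
    running = version_from_show_version(show_version_out)
    if running is None or running[:2] not in fixed_by_train:
        return "unknown_train"
    fixed = parse_version(fixed_by_train[running[:2]])
    return "fixed" if running >= fixed else "vulnerable"


# Constructed demo input: not real device output, not real fixed releases.
SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.12(3)9\n"
WEBVPN_CFG = "webvpn\n enable outside\n anyconnect enable\n tunnel-group-list enable\n"
PLACEHOLDER_FIXED = {(9, 12): "9.12.3.12"}  # placeholder; take real values from the advisory

if __name__ == "__main__":
    print(assess(SHOW_VERSION, WEBVPN_CFG, PLACEHOLDER_FIXED))  # vulnerable
```

Feed it the output of `show version` and `show running-config webvpn` from each device; an `unknown_train` result means the train is not in your table (for example a release the advisory tells you to migrate off rather than patch) and needs a manual look.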

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to the VPN portal containing ../ sequences, including percent-encoded forms (%2e%2e/, %2e%2e%2f, and double-encoded %252e%252e%252f)
  • File access or deletion events in web services logs
  • Unauthenticated access attempts to sensitive paths

Network Indicators:

  • HTTP requests with directory traversal patterns to ASA/FTD web interface
  • Unusual file access patterns from external sources

SIEM Query:

source="asa_logs" AND (http_uri="*../*" OR http_uri="*..\\*" OR http_uri="*%2e%2e*" OR http_uri="*%252e%252e*" OR http_method="DELETE" OR action="file_delete")
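As an added example (not part of the page), this Python shows why a literal `../` search is not enough and what a detector has to do instead: it percent-decodes each URI repeatedly, so single- and double-encoded traversal and backslash variants all collapse to the same form before matching, and it also flags DELETE requests to the portal, which normal portal browsing never issues. The log lines are constructed in a generic source/method/URI/status shape such as a reverse proxy or IDS in front of the portal might record; `/+CSCOE+/` is the ASA clientless-portal path prefix, the file names are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample log (not real traffic): "<src> <method> <uri> <status>".
SAMPLE_LOG = """\
203.0.113.7 GET /+CSCOE+/logon.html 200
203.0.113.9 GET /+CSCOE+/../../somefile 200
203.0.113.9 GET /+CSCOE+/%2e%2e/%2e%2e/somefile 200
203.0.113.9 GET /+CSCOE+/%252e%252e%252fsomefile 200
203.0.113.9 DELETE /+CSCOE+/somefile 200
198.51.100.4 GET /+CSCOE+/portal.css 200
"""

# A ".." path segment after normalization, i.e. bounded by "/" or string ends.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def naive_match(uri: str) -> bool:
    """What the SIEM wildcard '*../*' / '*..\\*' sees: literal sequences only."""
    return "../" in uri or "..\\" in uri


def normalize_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded, so %2525... cannot loop forever),
    then fold backslashes to slashes so one regex covers every variant."""
    prev = None
    for _ in range(rounds):
        if uri == prev:
            break
        prev, uri = uri, unquote(uri)
    return uri.replace("\\", "/")


def is_traversal(uri: str) -> bool:
    return TRAVERSAL_RE.search(normalize_uri(uri)) is not None


def scan(log_text: str):
    """Return (src, method, uri, reasons) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        src, method, uri, _status = parts[:4]
        reasons = []
        if is_traversal(uri):
            reasons.append("traversal")
        if method.upper() == "DELETE":
            reasons.append("delete")
        if reasons:
            hits.append((src, method, uri, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Of the three traversal lines in the sample, `naive_match` catches only the first; the two encoded ones, which any real attacker would use, pass straight through it, while `is_traversal` flags all three.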
