CVE-2020-3367
📋 TL;DR
This vulnerability allows an authenticated local attacker on Cisco Secure Web Appliance (formerly Web Security Appliance) to execute arbitrary commands with root privileges through command injection in the log subscription subsystem. Attackers can exploit insufficient input validation in both web interface and CLI to elevate privileges. Only authenticated local users on affected devices are at risk.
💻 Affected Systems
- Cisco Secure Web Appliance (formerly Cisco Web Security Appliance)
📦 What is this software?
Asyncos by Cisco
Asyncos by Cisco
Asyncos by Cisco
Asyncos by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full root access to the appliance, allowing complete system compromise, data exfiltration, persistence, and lateral movement to connected networks.
Likely Case
Privileged insider or compromised account holder elevates to root to maintain persistence, disable security controls, or access sensitive data.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
Requires authenticated access but exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.0.1-109 and later
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-nPzWZrQj
Restart Required: Yes
Instructions:
1. Download latest AsyncOS software from Cisco. 2. Backup configuration. 3. Apply update via web interface or CLI. 4. Reboot appliance as required.
🔧 Temporary Workarounds
Restrict Local Access
allLimit local user accounts to only necessary personnel and implement strong authentication controls.
Monitor Log Subscription Activity
allEnable detailed logging for log subscription operations and monitor for suspicious commands.
🧯 If You Can't Patch
- Implement strict access controls to limit who can authenticate to the appliance locally.
- Enable comprehensive logging and monitoring for command execution and privilege escalation attempts.
🔍 How to Verify
Check if Vulnerable:
Check AsyncOS version via web interface (System Administration > System Software) or CLI command 'showversion'.Check Version:
showversionVerify Fix Applied:
Verify version is 14.0.1-109 or later using same methods.📡 Detection & Monitoring
Log Indicators:
- Unusual log subscription configuration changes
- Command execution in log context
- Privilege escalation attempts
Network Indicators:
- Unexpected outbound connections from appliance
- Anomalous administrative traffic
SIEM Query:
source="cisco_wsa" AND (event_type="log_subscription" OR command="*script*" OR user="root")