CVE-2020-3436 – This vulnerability allows unauthenticated remot... (How to Fix)

Q: What is the severity of CVE-2020-3436?

CVE-2020-3436 has a CVSS score of 8.6 (HIGH). This vulnerability allows unauthenticated remote attackers to upload arbitrarily large files to specific folders on Cisco ASA and Firepower Threat Defense devices, potentially causing a denial of service through device reboots. It affects Cisco ASA and FTD software with vulnerable web services interfaces. Organizations using these devices with internet-facing web services are at risk.

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to upload arbitrarily large files to specific folders on Cisco ASA and Firepower Threat Defense devices, potentially causing a denial of service through device reboots. It affects Cisco ASA and FTD software with vulnerable web services interfaces. Organizations using these devices with internet-facing web services are at risk.

💻 Affected Systems

Products:

Cisco Adaptive Security Appliance (ASA)
Cisco Firepower Threat Defense (FTD)

Versions: Multiple versions prior to fixes released in 2020

Operating Systems: Cisco ASA OS, Cisco FTD OS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires web services interface to be enabled and accessible. Devices with web services disabled are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service through repeated device reboots, disrupting network security and connectivity for extended periods.

🟠

Likely Case

Intermittent device reboots causing service disruption and potential security monitoring gaps during downtime.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing devices prime targets.

🏢 Internal Only: MEDIUM - Internal attackers could still exploit, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple file upload mechanism makes exploitation straightforward. Public exploit code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed versions available - see Cisco advisory for specific version mappings

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-fileup-dos-zvC7wtys

Restart Required: Yes

Instructions:

1. Review Cisco advisory for fixed versions matching your hardware/software. 2. Download appropriate firmware from Cisco. 3. Backup configuration. 4. Apply update following Cisco upgrade procedures. 5. Verify successful update and functionality.

🔧 Temporary Workarounds

Disable Web Services Interface

all

Disable the vulnerable web services interface if not required for operations.

no http server enable
no http server enable <port>

Restrict Access with ACLs

all

Apply access control lists to limit web services access to trusted sources only.

access-list WEB-ACCESS extended permit tcp <trusted-networks> any eq <web-port>
access-group WEB-ACCESS in interface <interface-name>

🧯 If You Can't Patch

Implement strict network segmentation to isolate vulnerable devices from untrusted networks
Deploy intrusion prevention systems to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check ASA/FTD version against Cisco advisory. Verify if web services are enabled with 'show running-config | include http server'.

Check Version:

show version | include Version

Verify Fix Applied:

Verify updated version with 'show version' and confirm it matches fixed versions in Cisco advisory.

📡 Detection & Monitoring

Log Indicators:

Unexpected device reloads
Large file uploads to web services
Watchdog timeout messages

Network Indicators:

HTTP POST requests with large payloads to ASA/FTD web interfaces
Unusual traffic patterns preceding device reboots

SIEM Query:

source="asa_ftd_logs" AND ("reload" OR "watchdog" OR "file upload")

📊 Metadata

CVE ID: CVE-2020-3436

CVSS v3 Score: 8.6 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE: CWE-434

Published: October 21, 2020

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-3436, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Adaptive Security Appliance by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Firepower Threat Defense by Cisco

Firepower Threat Defense by Cisco

Firepower Threat Defense by Cisco

Firepower Threat Defense by Cisco

Firepower Threat Defense by Cisco

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Web Services Interface

Restrict Access with ACLs

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities