PT-2020-03: Information disclosure in Сisco ASA and Cisco FTD

HIGH
(7.5) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Vulnerable product:

Cisco ASA, Cisco FTD

Severity:

Severity level: High
Impact: Information disclosure in Сisco ASA and Cisco FTD
Access Vector: Remote

CVSS v3 Base Score: 7.5 HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

CVE: CVE-2020-3259

Vulnerability description:

Successful exploitation of this vulnerability allows an unauthorized, remote attacker to read arbitrary heap memory of the device and obtain a valid session ID of a user connected to Cisco VPN. The attacker can use the obtained session ID to access the organization’s intranet. Cisco ASA memory may also contain other sensitive information, like usernames, email addresses, and certificates, which can be used to further compromise the system.

Advisory status:

21.02.2020 - Vendor gets vulnerability details
06.05.2020 - Vendor releases fixed version and details

Credits:

The vulnerability was discovered by Mikhail Klyuchnikov and Nikita Abramov, Positive Technologies

Identifier:
CVE-2020-3259
Vendor:
Cisco
Vulnerable product:
Cisco ASA, Cisco FTD

Get in touch

Fill in the form and our specialists
will contact you shortly