Cisco ASA/FTD (CVE-2020-3580) PoC published and now being exploited



Description

Researchers at Positive Technologies have published proof of concept code for CVE-2020-3580.

On June 24th, @ptswarm tweeted the PoC, and Tenable has reported that threat actors are actively exploiting the vulnerability on affected devices.


Vulnerability

Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device.


Identification

The proof of concept code identifies a POST request and the vulnerable parameter 'SAMLResponse'.


POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
Host: ciscoASA.local 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 44  

SAMLResponse="><svg/onload=alert('PTSwarm')>

Detection

By turning this request into a traffic file and a matching rule, we are able to detect attempts to inject cross-site scripting payloads into the vulnerable parameter.
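
One way to express such a matching rule, as an added example (it is not Idappcom's signature and not code from the original advisory): it assumes a legitimate SAMLResponse form value is base64-encoded, as in the SAML HTTP POST binding, and flags anything posted to the PoC's endpoint that contains markup characters or fails base64 decoding. The function and helper names are hypothetical.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

ACS_PATH = "/+CSCOE+/saml/sp/acs"   # endpoint taken from the PoC request above
MARKUP = re.compile(r"[<>\"']")      # never present in a base64-encoded value


def inspect_request(raw: str) -> str:
    """Classify one raw HTTP request as 'ignore', 'ok' or 'alert'."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2 or request_line[0].upper() != "POST":
        return "ignore"
    if unquote(urlsplit(request_line[1]).path) != ACS_PATH:
        return "ignore"
    # parse_qs percent-decodes, so encoded payloads (%3Csvg...) are caught too.
    values = parse_qs(body.strip(), keep_blank_values=True).get("SAMLResponse")
    if not values:
        return "ignore"
    for value in values:
        if MARKUP.search(value):
            return "alert"
        try:
            # An unencoded '+' arrives as a space after form decoding; restore it.
            base64.b64decode(value.replace(" ", "+"), validate=True)
        except (binascii.Error, ValueError):
            return "alert"
    return "ok"


def build_request(path: str, body: str, method: str = "POST") -> str:
    """Hypothetical helper that assembles a sample request for the demo."""
    return (f"{method} {path} HTTP/1.1\r\nHost: ciscoASA.local\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Request from the page, plus a constructed benign login for comparison.
POC = build_request(ACS_PATH + "?tgname=a",
                    "SAMLResponse=\"><svg/onload=alert('PTSwarm')>")
BENIGN = build_request(ACS_PATH + "?tgname=a", "SAMLResponse=" + base64.b64encode(
    b"<samlp:Response>constructed sample</samlp:Response>").decode().replace("+", "%2B"))

if __name__ == "__main__":
    for name, req in (("poc", POC), ("benign", BENIGN)):
        print(name, inspect_request(req))
```

Matching on "not valid base64" rather than on a specific payload string means variations of the published PoC are flagged as well.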


Coverage

Idappcom has created signature 8021478 along with a traffic file.


References

CVE-2020-3580

@ptswarm Tweet


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can share your defences and report any issues? Learn more here: https://www.idappcom.co.uk/traffic-iq-professional