Researchers at Positive Technologies have published proof of concept code for CVE-2020-3580.
On June 24th @ptswarm tweeted the poc and Tenable have reported that threat actors are actively exploiting the vulnerability on affected devices.
Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device.
The proof of concept code identifies a POST request and the vulnerable parameter 'SAMLResponse'.
POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1 Host: ciscoASA.local Content-Type: application/x-www-form-urlencoded Content-Length: 44 SAMLResponse="><svg/onload=alert('PTSwarm')>
By turning this into a traffic file and matching rule, we are able to detect attempts to influence the vulnerable parameter with cross-site scripting attempts.
Idappcom has created signature 8021478 along with a traffic file.
If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can share your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional