Description
Researchers at Positive Technologies have published proof of concept code for CVE-2020-3580.
On June 24th @ptswarm tweeted the poc and Tenable have reported that threat actors are actively exploiting the vulnerability on affected devices.
Vulnerability
Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device.
Identification
The proof of concept code identifies a POST request and the vulnerable parameter 'SAMLResponse'.
POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
Host: ciscoASA.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
SAMLResponse="><svg/onload=alert('PTSwarm')>Detection
By turning this into a traffic file and matching rule, we are able to detect attempts to influence the vulnerable parameter with cross-site scripting attempts.
Coverage
Idappcom has created signature 8021478 along with a traffic file.
References
Traffic IQ
If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional