Cisco has released updates to address a dozen high-severity flaws in its Adaptive Security Appliance (ASA) software and its Firepower Threat Defense (FTD) software.
If left unpatched, these vulnerabilities could allow an attacker to cause a memory leak, disclose information, view and delete sensitive information, bypass authentication or create a denial of service (DoS) condition on an affected device.
The most severe of these flaws is a path-traversal vulnerability in the WebVPN component of ASA and FTD software, tracked as CVE-2020-3187. It requires no authentication and little skill to exploit: a remote attacker can view or delete files on the device's file system, and deleting the right files can knock out the appliance's VPN service, turning a file-deletion bug into a denial of service.
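To make the flaw class concrete, here is an added illustration (not Cisco's code, and not the actual WebVPN code path) of what a path-traversal file-delete looks like and what the fix looks like. Both handlers take a file name from a request and delete it under a web root; the vulnerable one joins the name onto the root as-is, the hardened one resolves the final path and refuses anything that lands outside the root. The directory names, the `secret.txt` target and the `../secret.txt` payload are constructed for the demo.

```python
import os
import tempfile


def delete_vulnerable(web_root: str, name: str) -> str:
    """Vulnerable handler: trusts the request-supplied name.

    os.path.join does not stop '..' segments (or an absolute name) from
    walking out of web_root, so the caller can delete any file the
    process is allowed to remove.  Illustrative only, not Cisco's code.
    """
    target = os.path.join(web_root, name)
    os.remove(target)
    return target


def delete_hardened(web_root: str, name: str) -> str:
    """Hardened handler: canonicalise, then check containment.

    realpath collapses '..' and follows symlinks, so the containment test
    is made against where the file really lives, not the string the
    client sent.
    """
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:  # escaped the root
        raise PermissionError(f"refusing to touch {name!r}: outside {root}")
    os.remove(target)
    return target


def demo() -> dict:
    """Build a throwaway tree, fire a traversal payload at both handlers."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "webvpn")       # constructed web root
    os.makedirs(root)
    secret = os.path.join(base, "secret.txt")  # constructed file OUTSIDE the root
    with open(secret, "w") as f:
        f.write("not yours")
    payload = os.path.join("..", "secret.txt")  # constructed traversal payload

    results = {}
    try:
        delete_hardened(root, payload)
        results["hardened_blocked"] = False
    except PermissionError:
        results["hardened_blocked"] = True
    results["secret_still_there"] = os.path.exists(secret)

    delete_vulnerable(root, payload)
    results["vulnerable_deleted"] = not os.path.exists(secret)
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check also covers an absolute name such as `/etc/passwd` (the join discards the root, so the common path is `/`) and a symlink placed inside the root that points outside it, because `realpath` resolves the link before the comparison.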
In a blog post, Mikhail Klyuchnikov, a web application penetration tester at Positive Technologies, explained how blocking VPN access can disrupt an organisation's business processes:
“VPN blocking may disrupt numerous business processes. For example, this can affect connection between branch offices in a distributed network, disrupt email, ERP, and other critical systems. Another problem is that internal resources may become unavailable to remote workers. This is especially dangerous now that many employees are working remotely due to the coronavirus outbreak.”
Cisco ASA and FTD software flaws
Cisco also fixed seven additional high-severity flaws in its ASA and FTD software including one dealing with the Kerberos authentication feature of ASA.
Kerberos is a common authentication protocol in on-premises environments and is used by several ASA interfaces. The flaw tracked as CVE-2020-3125 stems from insufficient identity verification of the Kerberos key distribution center (KDC): an unauthenticated, remote attacker who can answer the device's Kerberos requests could impersonate the KDC and bypass authentication.
Cisco also released patches for four flaws specific to its FTD software, including CVE-2020-3189 in the VPN System Logging functionality. According to the company's advisory, the flaw is due to "the system memory not being properly freed for a VPN System Logging event generated when a VPN session is created or deleted". An attacker could exploit it by repeatedly creating and tearing down VPN tunnel connections: each logging event leaks a small amount of system memory, and the leak accumulates with every cycle.
In total, Cisco issued 34 patches addressing 12 high-severity and 22 medium-severity flaws. Administrators should apply the updates promptly to avoid falling victim to any resulting attacks.