CISA adds Cisco ASA vulnerability to KEV Catalog

CISA added a Cisco ASA vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on 15 February 2024, with a remediation due date of 7 March 2024. We look at the details of this old vulnerability.

Salient points

  • The Cisco ASA flaw is an old security vulnerability, tracked as CVE-2020-3259.
  • Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products are affected by CVE-2020-3259.
  • CVE-2020-3259 has a CVSS score of 7.5 and is rated High severity.
  • New exploitation attempts against the vulnerability have been detected. The Akira ransomware group appears to have used this flaw in its ransomware attacks. In all, Truesec has detected 8 compromises attributed to the Cisco ASA flaw.
  • Cisco patched the vulnerability long ago. It remains unclear whether the current exploitation attempts bypass the security fix or whether these new attacks target unpatched Cisco devices.
  • Cisco has yet to post an update on the issue since CISA added CVE-2020-3259 to the Known Exploited Vulnerabilities catalog.
  • Unconfirmed reports suggest that LockBit is also searching for Cisco AnyConnect devices that remain unpatched against CVE-2020-3259.
  • Independent security consultancy Truesec has uncovered 8 attacks targeting the Cisco flaw. In these cases the Akira ransomware group used the Cisco AnyConnect SSL VPN as the entry point from which to initiate its ransomware attacks.

About Cisco ASA Vulnerability CVE-2020-3259

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. Because of a buffer tracking issue when the software parses invalid URLs requested from the web services interface, an attacker could retrieve memory contents from an affected device, which could lead to the disclosure of confidential information. This vulnerability affects only specific AnyConnect and WebVPN configurations.

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information.

The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. (Note: This vulnerability affects only specific AnyConnect and WebVPN configurations.)

Cisco released an advisory on CVE-2020-3259 in May 2020; further details are available in that advisory.

What versions of Cisco ASA are affected?

CVE-2020-3259 affects the following Cisco ASA software releases:

  • Cisco ASA Software Release 9.13
  • Cisco ASA Software Release 9.12
  • Cisco ASA Software Release 9.10
  • Cisco ASA Software Release 9.9
  • Cisco ASA Software Release 9.8
  • Cisco ASA Software Release 9.7
  • Cisco ASA Software Release 9.6
  • Cisco ASA Software Release 9.5
  • Cisco ASA Software Release older than 9.5

The Cisco ASA 9.14 branch is not affected by CVE-2020-3259.

Remediation of CVE-2020-3259 for Cisco ASA

Upgrade the software on Cisco ASA appliances to the releases listed below:

  • Cisco ASA software release 9.13: upgrade to 9.13.1.10
  • Cisco ASA software release 9.12: upgrade to 9.12.3.9
  • Cisco ASA software release 9.10: upgrade to 9.10.1.40
  • Cisco ASA software release 9.9: upgrade to 9.9.2.67
  • Cisco ASA software release 9.8: upgrade to 9.8.4.20
  • Cisco ASA software release 9.7: upgrade to a fixed version
  • Cisco ASA software release 9.6: upgrade to 9.6.4.41
  • Cisco ASA software release 9.5: upgrade to a fixed version
  • Cisco ASA software releases older than 9.5: upgrade to a fixed version
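The following script is an added example, not Cisco's tooling or part of the original article. It turns the affected-release and remediation lists above into a check a defender can run against the version string printed by an ASA's `show version` output: it parses both the parenthesised form the appliance prints (`9.12(3)9`) and the dotted form used in the table (`9.12.3.9`), compares the running version against the fixed release for its branch, treats 9.14 and later as unaffected as the page states, and flags the branches for which the page lists no in-branch fixed release (9.7, 9.5 and anything older). The `show version` sample is constructed for the example, not captured from a real device.

```python
import re

# Fixed releases per Cisco ASA branch, taken from the remediation table above.
# Branches the page lists only as "upgrade to a fixed version" map to None:
# there is no in-branch release to compare against, so migrate to a fixed branch.
FIXED_RELEASES = {
    "9.13": "9.13.1.10",
    "9.12": "9.12.3.9",
    "9.10": "9.10.1.40",
    "9.9": "9.9.2.67",
    "9.8": "9.8.4.20",
    "9.7": None,
    "9.6": "9.6.4.41",
    "9.5": None,
}

# The page states the 9.14 branch is not affected; treat 9.14 and later as clean.
FIRST_UNAFFECTED_BRANCH = (9, 14)

# Accepts "9.12(3)9" (as printed by `show version`) and dotted "9.12.3.9".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)\)(\d+)?|\.(\d+)(?:\.(\d+))?)?$")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) for an ASA version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:  # parenthesised form, e.g. 9.12(3)9
        maint, interim = int(m.group(3)), int(m.group(4) or 0)
    else:  # dotted form, e.g. 9.12.3.9
        maint, interim = int(m.group(5) or 0), int(m.group(6) or 0)
    return (major, minor, maint, interim)


def version_from_show_version(output):
    """Pull the running software version out of `show version` text."""
    m = re.search(r"Adaptive Security Appliance Software Version (\S+)", output)
    if not m:
        raise ValueError("no ASA software version line found")
    return m.group(1)


def assess(version_text):
    """
    Classify a running ASA version against the remediation table.

    Returns (status, fixed_release): status is "not_affected", "fixed" or
    "vulnerable"; fixed_release is the in-branch release to upgrade to, or
    None where the page lists no specific fixed release for that branch.
    """
    v = parse_asa_version(version_text)
    if v[:2] >= FIRST_UNAFFECTED_BRANCH:
        return ("not_affected", None)
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED_RELEASES.get(branch)  # None for 9.7, 9.5 and anything older
    if fixed is None:
        return ("vulnerable", None)
    if v >= parse_asa_version(fixed):
        return ("fixed", fixed)
    return ("vulnerable", fixed)


# Constructed sample of `show version` output (not captured from a real device).
SHOW_VERSION_SAMPLE = """\
Cisco Adaptive Security Appliance Software Version 9.12(2)5
Device Manager Version 7.12(2)
"""

if __name__ == "__main__":
    running = version_from_show_version(SHOW_VERSION_SAMPLE)
    status, fixed = assess(running)
    target = f", upgrade to {fixed}" if status == "vulnerable" and fixed else ""
    print(f"running {running}: {status}{target}")
```

Two caveats apply when using this. The version check is necessary but not sufficient: the page notes that the flaw is reachable only in specific AnyConnect and WebVPN configurations, so an appliance on a vulnerable release with no such configuration has a different exposure, and one on a fixed release should still be reviewed for the VPN-based intrusions described above. And where `assess` returns `("vulnerable", None)`, there is no in-branch release to upgrade to; the remediation is to migrate the appliance to one of the fixed branches.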


Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.