Denial of service in Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software

1) Arbitrary file upload

EUVDB-ID: #VU47942

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-3436

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the affected software does not efficiently handle the writing of large files to specific folders on the local file system. A remote attacker can upload a malicious file and cause a denial of service (DoS) condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Adaptive Security Appliance (ASA): - - 9.14

Cisco Firepower Threat Defense (FTD): - - 6.6.0

CPE2.3

• cpe:2.3:h:cisco_systems:asa:9.6:*:*:*:*:*:*:*
• cpe:2.3:h:cisco_systems:asa:9.7:*:*:*:*:*:*:*
• cpe:2.3:h:cisco_systems:asa:9.8:*:*:*:*:*:*:*
• cpe:2.3:h:cisco_systems:asa:9.9:*:*:*:*:*:*:*
• cpe:2.3:h:cisco_systems:asa:9.14:*:*:*:*:*:*:*
• cpe:2.3:h:cisco_systems:cisco_ftd:6.2.2:*:*:*:*:*:*:*
• cpe:2.3:h:cisco_systems:cisco_ftd:6.2.3:*:*:*:*:*:*:*
• cpe:2.3:h:cisco_systems:cisco_ftd:6.3.0:*:*:*:*:*:*:*
• cpe:2.3:h:cisco_systems:cisco_ftd:6.4.0:*:*:*:*:*:*:*
• cpe:2.3:h:cisco_systems:cisco_ftd:6.5.0:*:*:*:*:*:*:*

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-fileup-dos-zvC7wtys

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.