Positive Technologies experts Mikhail Klyuchnikov and Nikita Abramov discovered and helped eliminate two critical vulnerabilities in the Cisco ASA (Adaptive Security Appliance) firewall. Exploiting them could prevent company employees from connecting to the VPN and allow an intruder to penetrate the corporate network.
Cisco engineers have already released updates that fix these problems, and installing them as soon as possible is recommended.
The first vulnerability, CVE-2020-3187, scored 9.1 points on the vulnerability assessment scale, which means it was assigned a critical severity level. Exploiting it does not require a highly skilled attacker. Using a vulnerability in WebVPN, an unauthenticated external attacker could carry out DoS attacks on Cisco ASA devices simply by deleting files from the system. Doing so can disable the VPN on the Cisco ASA. In addition, the flaw lets the attacker read some files related to the VPN web interface.
“VPN blocking threatens to disrupt many business processes. For example, the connectivity of branches in a distributed corporate network may be broken, e-mail, ERP, and other key systems may stop working. Another problem is the possible inaccessibility of internal resources for employees working remotely. Now this is extremely dangerous, since many companies are switching or have already switched to remote work due to the outbreak of coronavirus,” said Mikhail Klyuchnikov, an expert at Positive Technologies, who identified the vulnerability.
The second vulnerability in Cisco ASA (CVE-2020-3259), discovered by Mikhail Klyuchnikov and Nikita Abramov, scored 7.5 points on the CVSS scale. Exploiting it allows an attacker to read some parts of the device’s dynamic memory and obtain the current session ID of a user connected to Cisco VPN.
Using a client for Cisco VPN, an attacker can supply a stolen session identifier and enter the organization’s internal network. In addition, the Cisco ASA memory can hold other confidential information that can help with future attacks, such as usernames, email addresses and certificates. This vulnerability can also be exploited remotely and requires no authentication.
Positive Technologies experts note that eliminating the vulnerability requires upgrading Cisco ASA to the latest version. Companies can also use application-level firewalls to block a possible attack.
Positive Technologies emphasizes that insufficient attention to fixing these vulnerabilities, coupled with the general increase in the number of remote desktops vulnerable to BlueKeep (CVE-2019-0708), significantly increases attackers' chances of carrying out successful attacks aimed at gaining access to confidential information and to business-critical networks and systems (including technological networks, ATM management networks, processing, 1C servers).
Researchers note that since the beginning of January 2020, the number of Internet-accessible, vulnerable Cisco ASA devices on which an attacker can turn off the VPN in one minute or intercept a user ID to access the company's internal network has increased by 30%, from 170,000 to more than 220,000. Almost half of these devices are located in the United States (47%). This is followed by the United Kingdom (6%), Germany and Canada (4%), Japan and Russia (2% each).