CVE-2020-3259
Published: 06 May 2020
Summary
CVE-2020-3259 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 7.5 (High).
Its estimated exploit likelihood ranks in the top 1.3% of all CVEs, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated remote attacker to retrieve memory contents from an affected device. The issue stems from a buffer tracking problem that occurs when the software parses invalid URLs requested through the interface, and it is limited to specific AnyConnect and WebVPN configurations. Successful exploitation discloses whatever confidential data happens to be in the returned memory; the CVSS 7.5 score (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects high confidentiality impact with no integrity or availability effect.
An attacker can exploit the flaw by sending a crafted GET request to the web services interface, enabling retrieval of memory contents without authentication or user interaction. This remote attack vector requires low attack complexity and grants direct access to potentially sensitive data stored in memory on the device.
The Cisco Security Advisory provides fixed software releases for the affected ASA and FTD versions and lists no workaround, so remediation means upgrading. Exposure depends on configuration: only devices running the AnyConnect or WebVPN features named in the advisory's Vulnerable Products section are affected, so the first triage step is to check whether those features are enabled on an Internet-facing interface and which software version the device runs. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog, which indicates confirmed real-world exploitation activity.
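As a triage aid for the configuration check described above, the following is an added Python example; it is not Cisco's code or tooling and is not part of this page's source. It scans an ASA/FTD running-config for the global WebVPN listener (`webvpn` / `enable <interface>`) and AnyConnect enablement (`anyconnect enable`), which this example assumes are the configuration features the advisory's Vulnerable Products section refers to. It also assumes the version line reads `ASA Version ...` (or `NGFW Version ...` on FTD). The two sample configs are constructed. The script does not know the fixed releases, so the version it reports still has to be compared against the advisory.

```python
"""Triage an ASA/FTD running-config for CVE-2020-3259 exposure.

Added example, not Cisco's code. Assumes the affected "specific AnyConnect
and WebVPN configurations" appear as a global `webvpn` block containing
`enable <interface>` and `anyconnect enable`. Sample configs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ASA prints "ASA Version 9.12(3)9"; FTD printing "NGFW Version ..." is an assumption.
VERSION_RE = re.compile(r"^(?:ASA|NGFW) Version (\S+)")


@dataclass
class Exposure:
    version: Optional[str]
    webvpn_interfaces: List[str] = field(default_factory=list)
    anyconnect_enabled: bool = False

    @property
    def exposed(self) -> bool:
        # The web services interface only listens where WebVPN is enabled.
        return bool(self.webvpn_interfaces)


def triage(config: str) -> Exposure:
    """Single pass over the config, tracking only the top-level `webvpn` block."""
    result = Exposure(version=None)
    in_global_webvpn = False
    for raw in config.splitlines():
        line = raw.rstrip()
        m = VERSION_RE.match(line)
        if m:
            result.version = m.group(1)
            continue
        if not line.startswith(" "):
            # Unindented line = new top-level statement. Only the bare "webvpn"
            # line opens the global block; the indented " webvpn" under
            # "group-policy ... attributes" holds per-policy settings, not the listener.
            in_global_webvpn = line == "webvpn"
            continue
        if not in_global_webvpn:
            continue
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "enable":
            result.webvpn_interfaces.append(tokens[1])  # e.g. "enable outside"
        elif tokens[:2] == ["anyconnect", "enable"]:
            result.anyconnect_enabled = True
    return result


def findings(result: Exposure) -> List[str]:
    """Human-readable triage lines, returned so callers can log or assert on them."""
    out = [f"software version: {result.version or 'not found in config'}"]
    if result.exposed:
        out.append("WebVPN enabled on: " + ", ".join(result.webvpn_interfaces))
        out.append("AnyConnect enabled: " + ("yes" if result.anyconnect_enabled else "no"))
        out.append("ACTION: compare version against the fixed releases in the Cisco advisory")
    else:
        out.append("no global WebVPN listener enabled; not in the affected configurations")
    return out


# Constructed sample: WebVPN listener on the outside interface, AnyConnect on.
SAMPLE_EXPOSED = """\
: Saved
ASA Version 9.12(3)9
!
hostname fw-edge-01
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.8.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
group-policy GP-USERS attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect keep-installer installed
!
"""

# Constructed sample: webvpn block present but never enabled on an interface;
# the per-policy " webvpn" sub-block must not be mistaken for the listener.
SAMPLE_NOT_EXPOSED = """\
ASA Version 9.12(3)9
!
webvpn
 anyconnect image disk0:/anyconnect-win-4.8.pkg 1
!
group-policy GP-USERS attributes
 webvpn
  anyconnect keep-installer installed
!
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("not exposed", SAMPLE_NOT_EXPOSED)):
        print(f"[{name}]")
        for line in findings(triage(cfg)):
            print("  " + line)
```

Run it against the output of `show running-config` saved to a file. The scoping rule matters in practice: `webvpn` also appears indented under `group-policy ... attributes`, where it configures per-policy client settings rather than the HTTPS listener, so a naive `grep webvpn` over-reports.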
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-24530
Vulnerability details
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- KEV Date Added: 15 February 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): addresses the root cause, since the flaw is triggered by invalid URLs; rejecting malformed requests before the URL parser handles them blocks the crafted GET requests. Because the appliance itself performs the parsing, this control is realised mainly by the vendor's corrected parser; any upstream filtering of malformed URLs is only a partial layer.
- AC-3 (Access Enforcement): restricting which source networks can reach the web services interface reduces exposure of the vulnerable AnyConnect/WebVPN code paths. This is a compensating control, not a fix: the flaw is reachable before authentication, and a remote-access VPN listener normally has to accept connections from untrusted networks.
- Timely patching: applying the vendor fixes for the affected ASA/FTD versions is the measure that actually eliminates the memory-disclosure vulnerability; the advisory lists no workaround.