Rule of the Week: Unauthenticated File Read in Cisco ASA & Cisco Firepower

Again, we go off the usual publication schedule due to the emergence of an exploit for the critical vulnerability CVE-2020-3452 in Cisco ASA & Cisco Firepower, as well as the emergence of rules for detecting exploitation of this vulnerability.

CVE-2020-3452 was discovered late last year, but it wasn’t disclosed until last week Cisco released an update to fix this vulnerability. The Security Advisory was published yesterday, and a few hours later the researcher released the first PoC exploit. The number of critical vulnerabilities discovered in July is disheartening: only IT security specialists managed to catch their breath after installing updates and/or detection content for CVE-2020-1350 (SIGRed), and a new threat is already on the doorstep. Usually, a few days or even hours pass between the publication of a proof-of-concept exploit and the beginning of exploitation by attackers, so the new Threat Hunting rule developed by Roman Ranskyi to detect this vulnerability will help uncover threats to your organization until the necessary updates are installed:

CVE-2020-3452 vulnerability in the web services interface of Cisco ASA and Cisco Firepower allows unauthenticated remote attackers to conduct directory traversal attacks and read sensitive files on a targeted system. They could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. In case of success, attackers will be able to view arbitrary files within the web services file system on the targeted device.

The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Elastic Endpoint

NTA: Corelight


Tactics: Initial Access

Techniques: Exploit Public-Facing Application (T1190)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.