https://threatpost.com/cisco-asa-bug-exploited-poc/167274/

Cisco ASA Bug Now Actively Exploited as PoC Drops

Author: Tara Seals
June 25, 2021 12:08 pm

In-the-wild XSS attacks have commenced against the security appliance (CVE-2020-3580), as researchers publish exploit code on Twitter.

Researchers have dropped a proof-of-concept (PoC) exploit on Twitter for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA). The move comes as reports surface of in-the-wild exploitation of the bug.
Researchers at Positive Technologies published the PoC for the bug (CVE-2020-3580) on Thursday. One of the researchers there, Mikhail Klyuchnikov, noted that there were a heap of researchers now chasing after an exploit for the bug, which he termed "low-hanging" fruit.

PoC for XSS in Cisco ASA (CVE-2020-3580)

POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
Host: ciscoASA.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

SAMLResponse=">

pic.twitter.com/c53MKSK9bg
-- PT SWARM (@ptswarm) June 24, 2021

The hunt for low hanging CVE-2020-3580 by @ptswarm has begun. A lot of submissions/duplicates are waiting for @Bugcrowd and @Hacker0x01 #bugbounty
-- n1 (@__mn1__) June 24, 2021

Meanwhile, Tenable researchers published an alert about the PoC, noting that the company had received a report of attacks using the vulnerability against targets in the wild. "Tenable has also received a report that attackers are exploiting CVE-2020-3580 in the wild," according to its Thursday alert. "With this new information, Tenable recommends that organizations prioritize patching CVE-2020-3580."

And indeed, the PT PoC tweet was met with plenty of "Ooh thanks" and "thank you so much" responses, presumably from would-be hackers.

Thanks, do we have to be authenticated?
-- Qasim (@00x88x) June 24, 2021

Meanwhile, researchers at WebSec noted that the bug could be exploited for more than XSS:

You could have gotten 2 CVE numbers for this, as this is not just XSS but also CSRF.
-- WebSec (@websecnl) June 25, 2021

"Researchers often develop PoCs before reporting a vulnerability to a developer and publishing them allows other researchers to both check their work and potentially dig further and discover other issues," Claire Tills, senior research engineer at Tenable, told Threatpost. "PoCs can also be used by defenders to develop detections for vulnerabilities. Unfortunately, giving that valuable information to defenders means it can also end up in the hands of attackers."
Given that a patch has been available for this vulnerability for several months, organizations are able to protect themselves, which isn't the case with 0-day disclosures, she pointed out.

"However, unpatched vulnerabilities continue to haunt many organizations," Tills added. "The public availability of a PoC is another stark reminder that effective patching is a vital step for organizations to protect themselves."

Real-World Attacks for Cisco ASA

The Cisco ASA is a perimeter-defense appliance that combines firewall, antivirus, intrusion prevention and virtual private network (VPN) capabilities, all meant to stop threats from reaching corporate networks. A compromise of the device is akin to unlocking the front door of the castle for attackers.

In an XSS attack, script supplied by the attacker is served back by an otherwise trusted site and runs in the victim's browser with that site's origin, so it can read and act on whatever that origin has access to. Here the flaw is reflected rather than stored: in the PoC the payload rides in the SAMLResponse parameter of a request to the ASA's /+CSCOE+/saml/sp/acs endpoint and is rendered back into the response without adequate escaping, so nothing is persisted on the appliance and the victim has to be induced to send the crafted request. Successful exploitation means that unauthenticated, remote attackers could "execute arbitrary code within the [ASA] interface and access sensitive, browser-based information," Tenable added.

Once in, they could modify the device's configuration, according to Leo Pate, an application security consultant at nVisium. However, the target would need to be logged into the ASA for the attack to pay off.

"While this sounds dangerous, exploiting this vulnerability requires an administrative user to login and navigate to the webpage where the attacker uploaded the malicious code," he added.

As Tenable researchers said: "An attacker would need to convince 'a user of the interface' to click on a specially crafted link." This can be accomplished via a spear-phishing email campaign targeting probable ASA users with malicious links, or via watering-hole attacks.
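The detection use of a PoC that Tills describes, as an added example that is not code from the article, Positive Technologies or Cisco: a small Python scanner that flags requests to the endpoint in the PoC whose SAMLResponse parameter cannot be a SAML assertion. A legitimate SAMLResponse (SAML POST binding) is base64 of an XML document, so markup characters, a value that fails strict base64 decoding, or one that decodes to non-XML all point to an injection attempt. It assumes request lines that carry path, query string and body, as a proxy, WAF or packet capture in front of the appliance would provide (the payload in the PoC travels in a POST body); the line format, field layout and sample lines are constructed for the example.

```python
"""
Added example, not code from the Threatpost article, Positive Technologies or
Cisco: a log-based detector for attempts on CVE-2020-3580.

The published PoC puts the XSS payload in the SAMLResponse parameter of a
request to /+CSCOE+/saml/sp/acs. A legitimate SAMLResponse (SAML POST binding)
is base64 of an XML document, so a value that contains markup characters,
does not decode as base64, or decodes to something that is not XML is a
strong signal of an injection attempt.

Assumption: lines come from a proxy, WAF or capture in front of the ASA that
records path, query string and body. Line format and samples are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

TARGET_PATH = "/+CSCOE+/saml/sp/acs"

# None of these belong to the base64 alphabet; any one of them in a
# SAMLResponse means the value was never a SAML assertion.
MARKUP_CHARS = set('<>"\'()')

# Constructed lines: "<src_ip> <method> <path> <query> <body>" ("-" = empty)
SAMPLE_LOG = """\
203.0.113.7 POST /+CSCOE+/saml/sp/acs tgname=a SAMLResponse=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
198.51.100.3 POST /+CSCOE+/saml/sp/acs tgname=corp SAMLResponse=PHNhbWxwOlJlc3BvbnNlPjwvc2FtbHA6UmVzcG9uc2U%2B
203.0.113.7 GET /+CSCOE+/saml/sp/acs tgname=a&SAMLResponse=%3Cscript%3Ealert%281%29%3C%2Fscript%3E -
192.0.2.10 GET /+CSCOE+/logon.html - -
"""


@dataclass
class Finding:
    src_ip: str
    method: str
    reason: str
    value: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one constructed log line into (src_ip, method, path, query, body)."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return parts[0], parts[1], parts[2], parts[3], parts[4]


def extract_samlresponse(query: str, body: str) -> Optional[str]:
    """Return the URL-decoded SAMLResponse value from the query or the body."""
    for blob in (query, body):
        if blob and blob != "-":
            params = parse_qs(blob, keep_blank_values=True)
            if "SAMLResponse" in params:
                return params["SAMLResponse"][0]
    return None


def classify_samlresponse(value: str) -> Optional[str]:
    """Return a reason the value is not a plausible SAML response, or None."""
    if MARKUP_CHARS & set(value):
        return "markup characters in SAMLResponse"
    # Some IdPs line-wrap the base64; strip whitespace before strict decoding.
    compact = re.sub(r"\s+", "", value)
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return "SAMLResponse is not valid base64"
    if not decoded.lstrip().startswith(b"<"):
        return "SAMLResponse does not decode to XML"
    return None


def scan_log(text: str) -> List[Finding]:
    """Flag requests to the PoC endpoint whose SAMLResponse is not SAML."""
    findings: List[Finding] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src_ip, method, path, query, body = rec
        if path != TARGET_PATH:
            continue
        value = extract_samlresponse(query, body)
        if value is None:
            continue
        reason = classify_samlresponse(value)
        if reason is not None:
            findings.append(Finding(src_ip, method, reason, value))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.src_ip} {f.method} {f.reason}: {f.value!r}")
```

Run against the constructed sample, the two requests from 203.0.113.7 are flagged (the POST body and the GET query both carry markup) and the request carrying a real base64 assertion is not. Two caveats for production use: the third rule assumes the POST binding, so a SAMLResponse sent with the HTTP-Redirect binding (DEFLATE then base64) would be reported as "does not decode to XML" unless you inflate it first; and a request that merely fails base64 validation is more often a scanner or a broken IdP than a successful exploit, so treat the markup rule as the high-confidence signal and the other two as triage hints.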
"The attack vector to get this in the hands of the right people is complex requiring a firewall administrator to be duped into clicking a cleverly crafted link," Andrew Barratt, managing principal for solutions and investigations at Coalfire, told Threatpost. "Firewall administrators will need to ensure they're not accessing links to the ASA interface that appear to originate from outside."

Tenable declined to provide more information on the real-world attacks when asked by Threatpost.

Thanks to the sheer size of its footprint (including inside Fortune 500 companies), the Cisco ASA is no stranger to attention from cyberattackers. Last year, for example, a public PoC for another bug in the device (CVE-2020-3452) started making the rounds, leading to a spate of exploitation efforts.

Patch Now: Cisco ASA XSS Security Hole

The flaw tracked as CVE-2020-3580 was patched on October 21 as part of a group of XSS issues in Cisco's ASA as well as the Firepower Threat Defense (FTD) software, which is a unified firewall image that includes ASA management.

"All four vulnerabilities exist because Cisco ASA and FTD software web services do not sufficiently validate user-supplied inputs," according to the advisory, which noted that the bug in question rates 6.1 out of 10 on the CVSSv3 vulnerability-severity scale.

The number of vulnerable devices could be significant: Researchers with Rapid7 last year found there to be 85,000 internet-accessible ASA devices. Of course, a good percentage of those could be patched against this particular vulnerability.

"Exploits for appliances that may sit on the vanishing perimeter generally garner interest [from hackers], but fortunately in this case there are at least two things working against rampant exploitation," Tim Wade, technical director for the CTO team at Vectra, told Threatpost. "First, a patch has been available since October. Second, an element of social engineering is required.
This should provide some level of confidence for organizations with reasonable patch cycles and a security awareness program."

Updating to the latest versions of the affected devices' software is of course recommended; however, there's more that can be done to mitigate the vulnerability, nVisium's Pate noted.

"Organizations can ask their internal teams if they need to use the web management interface, and if so, is it available to everyone on the internet or just internally to our organization? If the web management interface isn't needed, then it should be disabled," he told Threatpost.