In-the-wild XSS attacks have commenced against the security appliance (CVE-2020-3580), as researchers publish exploit code on Twitter.
Researchers have dropped a proof-of-concept (PoC) exploit on Twitter for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA). The move comes as reports surface of in-the-wild exploitation of the bug.
Researchers at Positive Technologies published the PoC for the bug (CVE-2020-3580) on Thursday. One of the researchers there, Mikhail Klyuchnikov, noted that there were a heap of researchers now chasing after an exploit for the bug, which he termed “low-hanging” fruit.
🎁PoC for XSS in Cisco ASA (CVE-2020-3580)
POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
— PT SWARM (@ptswarm) June 24, 2021
— n1 (@__mn1__) June 24, 2021
Meanwhile, Tenable researchers published an alert about the PoC, noting that it has started to see cyberattacks using the vulnerability on targets in the wild.
“Tenable has also received a report that attackers are exploiting CVE-2020-3580 in the wild,” according to its Thursday alert. “With this new information, Tenable recommends that organizations prioritize patching CVE-2020-3580.”
And indeed, the PT PoC tweet was met with plenty of “Ooh thanks” and “thank you so much” responses, presumably from would-be hackers.
Thanks😀, do we have to be authenticated?
— Qasim (@00x88x) June 24, 2021
Meanwhile, researchers at WebSec noted that the bug could be exploited for more than XSS:
You could have gotten 2 CVE numbers for this, as this is not just XSS but also CSRF.
— WebSec (@websecnl) June 25, 2021
“Researchers often develop PoCs before reporting a vulnerability to a developer and publishing them allows other researchers to both check their work and potentially dig further and discover other issues,” Claire Tills, senior research engineer at Tenable, told Threatpost. “PoCs can also be used by defenders to develop detections for vulnerabilities. Unfortunately, giving that valuable information to defenders means it can also end up in the hands of attackers.”
Given that a patch has been available for this vulnerability for several months, organizations are able to protect themselves which isn’t the case with 0-day disclosures, she pointed out. “However, unpatched vulnerabilities continue to haunt many organizations,” Tillis added. “The public availability of a PoC is another stark reminder that effective patching is a vital step for organizations to protect themselves.”
Real-World Attacks for Cisco ASA
The Cisco ASA is a cybersecurity perimeter-defense appliance that combines firewall, antivirus, intrusion prevention and virtual private network (VPN) capabilities, all meant to stop threats from making it onto corporate networks. A compromise of the device is akin to unlocking the front door of the castle for storming cyberattackers.
XSS attacks occur when malicious scripts are injected into otherwise benign and trusted websites; any visitors to the compromised websites are thus subject to drive-by attacks.
Successful exploitation in this case means that unauthenticated, remote attackers could “execute arbitrary code within the [ASA] interface and access sensitive, browser-based information,” Tenable added.
However, the target would need to be logged into the ASA for the attackers to see any joy. “While this sounds dangerous, exploiting this vulnerability requires an administrative user to login and navigate to the webpage where the attacker uploaded the malicious code,” he added.
As Tenable researchers said: “An attacker would need to convince ‘a user of the interface’ to click on a specially crafted link.” This can be accomplished via a spear-phishing email campaign targeting probable ASA users using malicious links, or via watering-hole attacks.
“The attack vector to get this in the hands of the right people is complex requiring a firewall administrator to be duped into clicking a cleverly crafted link,” Andrew Barratt, managing principal for solutions and investigations at Coalfire, told Threatpost. “Firewall administrators will need to ensure they’re not accessing links to the ASA interface that appear to originate from outside.”
Tenable declined to provide more information on the real-world attacks when asked by Threatpost.
Thanks to the sheer size of its footprint (including inside Fortune 500 companies), the Cisco ASA is no stranger to attention from cyberattackers. Last year for example, public PoC for another bug in the device (CVE-2020-3452) started making the rounds, leading to a spate of exploitation efforts.
Patch Now: Cisco ASA XSS Security Hole
The flaw tracked as CVE-2020-3580 was patched on October 21 as part of a group of XSS issues in Cisco’s ASA as well as the Firepower Threat Defense (FTD) software, which is a unified firewall image that includes ASA management.
“All four vulnerabilities exist because Cisco ASA and FTD software web services do not sufficiently validate user-supplied inputs,” according to the advisory, which noted that the bug in question rates 6.1 out of 10 on the CVSSv3 vulnerability-severity scale.
The number of vulnerable devices could be significant: Researchers with Rapid7 last year found there to be 85,000 internet-accessible ASA devices. Of course, a good percentage of those could be patched against this particular vulnerability.
“Exploits for appliances that may sit on the vanishing perimeter generally garner interest [from hackers], but fortunately in this case there are at least two things working against rampant exploitation,” Tim Wade, technical director for the CTO team at Vectra, told Threatpost. “First, a patch has been available since October. Second, an element of social engineering is required. This should provide some level of confidence for organizations with reasonable patch cycles and a security awareness program.”
Updating to the latest versions of the affected devices’ software is of course recommended; however, there’s more that can be done to mitigate the vulnerability, nVisium’s Pate noted.
“Organizations can ask their internal teams if they need to use the web management interface, and if so, is it available to everyone on the internet or just internally to our organization? If the web management interface isn’t needed, then it should be disabled,” he told Threatpost.
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!