https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD

Hi @U.S. Dept Of Defense, I found a host <https://██████> which is running on the web services interface of Cisco ASA/FTD and it is vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences. An exploit could allow the attacker to view or delete arbitrary files on the targeted system. When the device is reloaded after the exploitation of this vulnerability, any files that were deleted are restored. The attacker can only view and delete files within the web services file system. **Proof of Concept:** Now we know that in CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. This allow the attacker to view or delete arbitrary files on the targeted system In this we can delete the files. For example the logo file present on the server at <https://████████/+CSCOU+/csco_logo.gif> can be deleted by the following steps. This can be done by sending a curl request as : curl -H "Cookie: token=../+CSCOU+/csco_logo.gif" <https://███/+CSCOE+/session_password.html> 1. To delete this just hit the following command on your terminals. `curl -H “Cookie: token=../+CSCOU+/csco_logo.gif” https://█████████/+CSCOE+/session_password.html` If that did not work because sometimes logo.gif/png has permission issues so try this <https://█████/+CSCOE+/blank.html> 2. You can also delete the file "`/+CSCOE+/blank.html`" (an empty HTML file), as it might be a problem with the permission of the custom logo file sometimes logo.gif has permission issue so we might not be able to delete but we can delete other files Warning : This can lead to a denial of service (DOS) on the VPN by deleting the lua source code files from the file system, which will break the WebVPN interface until the device is rebooted. Now i haven't deleted the logo file because i didn't wanted to cause any damage so i used another method which can help us confirming that target is vulnerable to this without causing damage and for that just check if `/+CSCOE+/session_password.html` endpoint exists, and it gives "200 OK" status, then it should be vulnerable because this affected endpoint has been removed from the patched versions. I sent a curl request to check and it gave 200 ok as shown below: `/+CSCOE+/session_password.html -> 200 = Vulnerable` `/+CSCOE+/session_password.html -> 404 = Patched` **Mitigation/Remediation Actions:** Upgrade the ASA software version per the referenced advisory. This advisory is available at the following link: <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43> **Reference:** <https://twitter.com/aboul3la/status/1286809567989575685> <https://medium.com/@parasarora06/hunting-for-cve-2020-3187-2020-3452-9f0dcc66f4d8> <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43> <http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html> ## Impact High - This vulnerability allows the attacker to delete files within the web services file system.