Cisco security devices targeted with CVE-2020-3580 PoC exploit
Attackers and bug hunters are leveraging an exploit for CVE-2020-3580 to compromise vulnerable security devices running Cisco ASA or FTD software.
Active attacks apparently started after Positive Technologies researchers shared proof-of-concept (PoC) exploit code last Thursday via Twitter.
🎁PoC for XSS in Cisco ASA (CVE-2020-3580)
POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
Host: ciscoASA.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

SAMLResponse="><svg/onload=alert('PTSwarm')>
— PT SWARM (@ptswarm) June 24, 2021
About CVE-2020-3580
CVE-2020-3580 was patched by Cisco in October 2020, alongside three additional pre-authentication cross-site scripting (XSS) flaws: CVE-2020-3581, CVE-2020-3582, and CVE-2020-3583.
In April 2021, Cisco released new software updates because the fix for CVE-2020-3581 was incomplete.
The source of all four vulnerabilities was insufficient validation of user-supplied input by the web services interface of an affected device, and could be exploited by attackers who manage to trick or persuade a user of the interface to click a crafted link.
The vulnerabilities are deemed to be of medium severity even though they are remotely exploitable without authentication. The reasons for this moderate severity rating are several: exploitation requires user interaction, and could ultimately “only” lead to execution of arbitrary script code in the context of the interface or provide the attackers with access to sensitive, browser-based information.
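The flaw class described above, reflected input reaching the HTML of the web services interface, is easy to both detect and prevent once the affected endpoint is known. The following Python script is an added example written for this article, not code from Cisco or from Positive Technologies. It assumes the endpoint and parameter shown in the published PoC (/+CSCOE+/saml/sp/acs and SAMLResponse) and uses the fact that a legitimate SAMLResponse is strict base64 that decodes to SAML XML, so anything else in that parameter is worth an alert. The two reflection helpers are a hypothetical illustration of the vulnerable pattern beside its hardened form, not a representation of how the device itself renders the parameter. The request bodies are constructed samples, not captured traffic.

```python
import base64
import binascii
import html
from urllib.parse import parse_qs, urlencode

# Path of the SAML assertion consumer service named in the published PoC.
ACS_PATH = "/+CSCOE+/saml/sp/acs"

# Constructed sample POST bodies (not captured traffic from any real device).
# BENIGN_BODY carries a well-formed, base64-encoded SAML response, as a real
# identity provider would send it; POC_BODY mirrors the published PoC payload.
BENIGN_BODY = urlencode({"SAMLResponse": base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>'
).decode()})
POC_BODY = "SAMLResponse=\"><svg/onload=alert('PTSwarm')>"


def looks_like_saml_response(value):
    """True if value is strict base64 that decodes to an XML Response element."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.lstrip().startswith(b"<") and b"Response" in raw


def classify_acs_post(path, body):
    """Classify one POST to the ACS endpoint for detection purposes.

    Returns one of:
      'ignore'     - request is not for the ACS endpoint
      'benign'     - SAMLResponse decodes to SAML XML
      'suspicious' - SAMLResponse is missing or is not valid base64 SAML
    """
    if path.split("?", 1)[0] != ACS_PATH:
        return "ignore"
    values = parse_qs(body, keep_blank_values=True).get("SAMLResponse", [])
    if not values:
        return "suspicious"
    if looks_like_saml_response(values[0]):
        return "benign"
    return "suspicious"


def reflect_unsafely(value):
    """Hypothetical vulnerable pattern: untrusted input copied into HTML verbatim."""
    return "<p>Invalid SAML response: %s</p>" % value


def reflect_safely(value):
    """Hardened pattern: HTML-encode untrusted input before it reaches markup."""
    return "<p>Invalid SAML response: %s</p>" % html.escape(value, quote=True)


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("poc", POC_BODY)):
        print(label, "->", classify_acs_post(ACS_PATH + "?tgname=a", body))
    print(reflect_unsafely("\"><svg/onload=alert('PTSwarm')>"))
    print(reflect_safely("\"><svg/onload=alert('PTSwarm')>"))
```

The base64 check is deliberately strict (validate=True) so that a SAMLResponse containing quotes, angle brackets or other non-alphabet characters is flagged rather than silently decoded. Run over web access logs that retain POST bodies, the same classification separates ordinary SSO traffic from attempts that resemble the PoC; on the device side, the escaped rendering is what removes the reflected-XSS condition regardless of the payload used.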
Active attacks using the CVE-2020-3580 PoC exploit
Nine months have passed since CVE-2020-3580 was fixed, and Positive Technologies researchers were apparently confident that enough organizations had implemented the security updates and that releasing the PoC exploit code would not be widely damaging.
But, according to Tenable, attackers have started actively exploiting CVE-2020-3580 in the wild. Also, according to Positive Technologies researcher Mikhail Klyuchnikov, they are not the only ones:
The hunt for low hanging CVE-2020-3580 by @ptswarm has begun.
A lot of submissions/duplicates are waiting for @Bugcrowd and @Hacker0x01 #bugbounty
— n1 (@__mn1__) June 24, 2021
Organizations that have been slow to implement the offered security updates are urged to do so now. Cisco’s updated security advisory can serve as a guide.