CVE-2020-3578: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software WebVPN Portal Access Rule Bypass Vulnerability
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access rule and access parts of the WebVPN portal that are supposed to be blocked. The vulnerability is due to insufficient validation of URLs when portal access rules are configured. An attacker could exploit this vulnerability by accessing certain URLs on the affected device.
At the time of publication, this vulnerability affected Cisco products if they were running a vulnerable release of Cisco ASA Software or FTD Software with a vulnerable AnyConnect or WebVPN configuration and had a portal access rule configured.
For information about which Cisco software releases were vulnerable, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Determine Whether a Portal Access Rule Is Configured
To verify whether a portal access rule is configured, use the show running-config webvpn | include portal-access-rule command. If that command returns output, a portal access rule is configured, and the device is vulnerable provided it is also running a vulnerable release with one of the AnyConnect or WebVPN configurations listed in the next section. Empty output indicates that no portal access rule is configured and the device is not vulnerable, regardless of the VPN configuration.
Determine Whether a Vulnerable AnyConnect or WebVPN Configuration Is Present
Cisco ASA Software
In the following table, the left column lists the Cisco ASA Software features that are vulnerable. The right column indicates the basic configuration for the feature from the show running-config CLI command. If the device is running a vulnerable release and is configured for one of these features, it is vulnerable.
Cisco ASA Software Feature                             | Vulnerable Configuration
AnyConnect IKEv2 Remote Access (with client services)  | crypto ikev2 enable <interface> client-services port <port>
AnyConnect SSL VPN                                     | webvpn
                                                       |  enable <interface>
Clientless SSL VPN                                     | webvpn
                                                       |  enable <interface>
Cisco FTD Software
In the following table, the left column lists the Cisco FTD Software features that are vulnerable. The right column indicates the basic configuration for the feature from the show running-config CLI command. If the device is running a vulnerable release and is configured for one of these features, it is vulnerable.
Cisco FTD Software Feature                                     | Vulnerable Configuration
AnyConnect IKEv2 Remote Access (with client services) (1, 2)   | crypto ikev2 enable <interface> client-services port <port>
AnyConnect SSL VPN (1, 2)                                      | webvpn
                                                               |  enable <interface>
1. Remote Access VPN features are enabled by using Devices > VPN > Remote Access in Cisco Firepower Management Center (FMC) or by using Device > Remote Access VPN in Cisco Firepower Device Manager (FDM).
2. Remote Access VPN features are first supported in Cisco FTD Software Release 6.2.2.
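The two checks above (a portal access rule present, plus one of the listed AnyConnect or WebVPN configurations) can be applied offline to a saved show running-config capture. The following Python script is an added example, not part of the Cisco advisory or any Cisco tooling; the two running-config samples are constructed for illustration (interface name, port, image path and user-agent string are made up), and the release check against the Fixed Software section is left to the caller as a boolean because that table is not reproduced on this page.

```python
import re
from typing import Dict, List

# Constructed sample of `show running-config` output (illustrative only; not
# taken from a real device). It has a portal access rule, AnyConnect IKEv2
# client services and SSL VPN enabled, so the advisory's conditions hold.
VULNERABLE_CONFIG = """\
hostname asa-edge
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.9.pkg 1
 anyconnect enable
 portal-access-rule 1 deny code 403 user-agent match "*Thunderbird*"
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client
"""

# Same constructed device with the portal access rule removed: the VPN
# features are still on, but the advisory's trigger condition is absent.
NO_RULE_CONFIG = VULNERABLE_CONFIG.replace(
    ' portal-access-rule 1 deny code 403 user-agent match "*Thunderbird*"\n', "")

# `crypto ikev2 enable <interface> client-services port <port>` (top level)
IKEV2_CLIENT_SERVICES = re.compile(
    r"^crypto ikev2 enable \S+ client-services(?: port \d+)?\s*$")
# ` enable <interface>` as a sub-command of the top-level `webvpn` block
WEBVPN_ENABLE = re.compile(r"^ enable \S+\s*$")
# ` portal-access-rule <priority> ...` inside the `webvpn` block
PORTAL_ACCESS_RULE = re.compile(r"^ portal-access-rule \d+ ")


def webvpn_block(config: str) -> List[str]:
    """Return the indented lines that belong to the top-level `webvpn` block.

    ASA prints sub-commands indented by one space; the block ends at the next
    line that starts in column 0. An indented `webvpn` under a group-policy
    is a different block and is deliberately not matched here.
    """
    lines: List[str] = []
    inside = False
    for line in config.splitlines():
        if line.rstrip() == "webvpn":
            inside = True
            continue
        if inside:
            if line.startswith(" "):
                lines.append(line)
            else:
                inside = False
    return lines


def portal_access_rule_configured(config: str) -> bool:
    """Offline equivalent of `show running-config webvpn | include portal-access-rule`."""
    return any(PORTAL_ACCESS_RULE.match(line) for line in webvpn_block(config))


def vulnerable_vpn_features(config: str) -> List[str]:
    """Name the features from the advisory's tables that this config enables."""
    found: List[str] = []
    if any(IKEV2_CLIENT_SERVICES.match(line) for line in config.splitlines()):
        found.append("AnyConnect IKEv2 Remote Access (with client services)")
    if any(WEBVPN_ENABLE.match(line) for line in webvpn_block(config)):
        # `webvpn` + ` enable <interface>` is the listed configuration for both
        # AnyConnect SSL VPN and Clientless SSL VPN; the running-config alone
        # does not separate them, so both are reported together.
        found.append("AnyConnect SSL VPN / Clientless SSL VPN")
    return found


def assess(config: str, vulnerable_release: bool) -> Dict[str, object]:
    """Combine the advisory's conditions into one verdict.

    `vulnerable_release` is the caller's answer from the Fixed Software
    section; the script does not know release numbers.
    """
    rule = portal_access_rule_configured(config)
    features = vulnerable_vpn_features(config)
    return {
        "portal_access_rule": rule,
        "vulnerable_features": features,
        "vulnerable": vulnerable_release and rule and bool(features),
    }


if __name__ == "__main__":
    for name, cfg in (("with rule", VULNERABLE_CONFIG), ("no rule", NO_RULE_CONFIG)):
        print(name, assess(cfg, vulnerable_release=True))
```

Feed it the text of show running-config saved from the device (or from a config backup) rather than a filtered view, since the IKEv2 check lives outside the webvpn block. A device that enables only the VPN features but has no portal-access-rule line is reported as not vulnerable, matching the advisory's empty-output rule.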
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco Firepower Management Center (FMC) Software.