Author: Government Digital Service (GDS)

CVE-2020-3452: LFI vulnerability affecting Cisco ASA and FTD

What this means

CVE-2020-3452 is a read-only directory traversal vulnerability, commonly described as Local File Inclusion (LFI), in the web services interface of:

  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Threat Defense (FTD) Software

It allows an unauthenticated, remote attacker to read files within the web services file system of an affected device. A device is only exposed if that interface is in use, that is, if it is configured for WebVPN (clientless SSL VPN) or AnyConnect.

Why this is a problem

The vulnerability exists because URLs in HTTP requests to the web services interface are not properly validated. An attacker can send a crafted HTTP request containing directory traversal character sequences (such as ../, including URL-encoded forms) to a targeted device. A successful exploit allows the attacker to view files within the device’s web services file system.

It can allow an attacker to:

  • read web services files, which may contain sensitive information such as WebVPN configuration, bookmarks, web cookies, partial web content and HTTP URLs
  • gather intelligence for further attacks, for example against the VPN portal and its users

It does not give access to ASA or FTD system files or to the underlying operating system, so the firewall rule base itself is not directly readable through it; the disclosed web content can still support follow-on attacks and should be treated as sensitive.
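As an added illustration, not part of the original advisory, the detection logic a defender could run over web server or proxy logs to spot requests of the kind described above. It percent-decodes each request target repeatedly, so that encoded and double-encoded sequences are seen, then flags any '..' path segment in the path or query string. The log lines, client addresses and paths are constructed for the example; only the /+CSCOE+/ prefix of the ASA WebVPN portal is real.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): client, request, status.
# Paths are illustrative; /+CSCOE+/ is the prefix used by the ASA WebVPN portal.
SAMPLE_LOG = """\
203.0.113.10 "GET /+CSCOE+/logon.html HTTP/1.1" 200
203.0.113.11 "GET /+CSCOE+/logon.html?lang=../../ HTTP/1.1" 200
203.0.113.12 "GET /%2bCSCOE%2b/logon.html?lang=..%2f..%2f HTTP/1.1" 200
203.0.113.13 "GET /images/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 404
203.0.113.14 "GET /static/%252e%252e/config HTTP/1.1" 404
203.0.113.15 "GET /+CSCOE+/files/file_list.json HTTP/1.1" 200
203.0.113.16 "GET /+CSCOE+/logo..png HTTP/1.1" 200
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' segment at the start of the string or after a path/query delimiter,
# followed by '/' or the end of the string. 'logo..png' does not match.
TRAVERSAL = re.compile(r"(?:^|[/=&?])\.\.(?:/|$)")


def decode_fully(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences (%252e) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def has_traversal(target: str) -> bool:
    """True if the decoded request target contains a directory traversal segment."""
    normalised = decode_fully(target).replace("\\", "/")
    return TRAVERSAL.search(normalised) is not None


def flag_traversal_requests(log_text: str) -> list:
    """Return (client, raw target) for every log line whose target contains traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and has_traversal(m.group("target")):
            hits.append((m.group("client"), m.group("target")))
    return hits


if __name__ == "__main__":
    for client, target in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {target}")
```

Decoding before matching matters: a rule that looks for the literal string ../ misses the %2e%2e and %252e forms, and both are cheap for an attacker to try. The decode loop is bounded so a pathological input cannot make the check spin.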

How to check if the problem is there

An administrator should:

  • identify the running release (show version on ASA, or the equivalent command on FTD) and compare it with the fixed releases listed in Cisco’s security advisory for CVE-2020-3452
  • check whether the web services interface is exposed: the device is only vulnerable if WebVPN or AnyConnect is enabled, which on ASA appears under show running-config webvpn as enable <interface> and anyconnect enable lines
  • review web server logs for requests to the web services interface containing traversal sequences, to judge whether the flaw has already been probed
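An added example, not from the original page or from Cisco, of how the version and WebVPN exposure checks can be scripted against captured command output. The sample show version and show running-config webvpn text is constructed, and FIXED_VERSION_PLACEHOLDER is an illustrative parameter that must be replaced with the fixed release Cisco’s advisory lists for the train in use; the script only compares versions within one train and reports None (unknown) otherwise, so it never declares a device fixed on the basis of a different train’s number.

```python
import re

# Constructed sample output in the shape of 'show version' on an ASA.
# The version number is illustrative, not taken from any real device.
SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(3)9
Device Manager Version 7.12(1)
"""

# Constructed sample output in the shape of 'show running-config webvpn'.
WEBVPN_CONFIG = """\
webvpn
 enable outside
 anyconnect enable
"""

# Placeholder for the fixed release of the 9.12 train (assumption for this
# example); take the real value for your train from Cisco's advisory.
FIXED_VERSION_PLACEHOLDER = (9, 12, 3, 12)

VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version (\d+)\.(\d+)\((\d+)\)(\d*)"
)


def parse_asa_version(show_version: str) -> tuple:
    """Turn 'Version 9.12(3)9' into a comparable tuple (9, 12, 3, 9)."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no ASA software version line found")
    major, minor, maintenance, interim = m.groups()
    return (int(major), int(minor), int(maintenance), int(interim or 0))


def webvpn_enabled_interfaces(config: str) -> list:
    """Interfaces named by 'enable <ifname>' lines inside the webvpn block."""
    interfaces = []
    in_webvpn = False
    for line in config.splitlines():
        if not line.startswith(" "):          # a top-level command starts a new block
            in_webvpn = line.strip() == "webvpn"
            continue
        parts = line.split()
        if in_webvpn and len(parts) == 2 and parts[0] == "enable":
            interfaces.append(parts[1])
    return interfaces


def assess(show_version: str, webvpn_config: str, fixed_version: tuple) -> dict:
    """Combine exposure (WebVPN enabled on any interface) with the version check."""
    version = parse_asa_version(show_version)
    interfaces = webvpn_enabled_interfaces(webvpn_config)
    # Fixed releases are per train: only compare within the same major.minor.
    same_train = version[:2] == fixed_version[:2]
    below_fix = version < fixed_version if same_train else None
    return {
        "version": version,
        "webvpn_interfaces": interfaces,
        "exposed": bool(interfaces),
        "below_fix": below_fix,            # None: different train, consult the advisory
        "needs_action": bool(interfaces) and below_fix is not False,
    }


if __name__ == "__main__":
    print(assess(SHOW_VERSION, WEBVPN_CONFIG, FIXED_VERSION_PLACEHOLDER))
```

A device with no enable <interface> line under webvpn is reported as not exposed even when its release is below the fix; it should still be upgraded, but the interface this vulnerability needs is not reachable.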

How to fix this

To remediate this vulnerability, an administrator should:

  • upgrade to a fixed release of ASA or FTD as listed in Cisco’s security advisory; Cisco states there is no workaround that addresses the vulnerability
  • disable unused web services: if WebVPN (clientless SSL VPN) and AnyConnect are not required, disable them (on ASA, no enable <interface> and no anyconnect enable under webvpn), which removes the exposed interface; as general hardening, also disable or restrict other management web services such as Adaptive Security Device Manager (ASDM) where they are not needed
