First published: Wed May 06 2020
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.
Credit: ykramarz@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco Firepower Threat Defense | >=6.2.3<6.2.3.16 | |
Cisco Firepower Threat Defense | >=6.3.0<6.3.0.6 | |
Cisco Firepower Threat Defense | >=6.4.0<6.4.0.9 | |
Cisco Firepower Threat Defense | >=6.5.0<6.5.0.5 | |
Cisco Adaptive Security Appliance Software | >=9.8<9.8.4.20 | |
Cisco Adaptive Security Appliance Software | >=9.9<9.9.2.67 | |
Cisco Adaptive Security Appliance Software | >=9.10<9.10.1.40 | |
Cisco Adaptive Security Appliance Software | >=9.12<9.12.3.9 | |
Cisco Adaptive Security Appliance Software | >=9.13<9.13.1.10 | |
Cisco AnyConnect SSL VPN | =CVE-2020-3259 | |
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2020-3259 is a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.
CVE-2020-3259 has a severity rating of 7.5 (high).
CVE-2020-3259 affects Cisco Firepower Threat Defense versions 6.2.3 to 6.2.3.16, 6.3.0 to 6.3.0.6, 6.4.0 to 6.4.0.9, and 6.5.0 to 6.5.0.5, where the upper bound of each range is excluded (>= lower, < upper).
CVE-2020-3259 affects Cisco Adaptive Security Appliance Software versions 9.8 to 9.8.4.20, 9.9 to 9.9.2.67, 9.10 to 9.10.1.40, 9.12 to 9.12.3.9, and 9.13 to 9.13.1.10, where the upper bound of each range is excluded (>= lower, < upper).
To fix CVE-2020-3259, apply the security updates provided by Cisco.
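The affected ranges above can be checked against a device inventory. The following is an added example, not code from Cisco or from this page's publisher; the inventory, the hostnames and the function names are constructed, and it assumes ASA versions may be reported in the parenthesised form such as 9.8(4)15.

```python
import re

# Affected ranges copied from the table on this page: (lower, upper).
# A version is affected when lower <= version < upper.
AFFECTED = {
    "ftd": [("6.2.3", "6.2.3.16"), ("6.3.0", "6.3.0.6"),
            ("6.4.0", "6.4.0.9"), ("6.5.0", "6.5.0.5")],
    "asa": [("9.8", "9.8.4.20"), ("9.9", "9.9.2.67"), ("9.10", "9.10.1.40"),
            ("9.12", "9.12.3.9"), ("9.13", "9.13.1.10")],
}

def parse_version(text):
    """Parse '9.8.4.20' or the ASA display form '9.8(4)20' into a 4-int tuple."""
    parts = [p for p in re.split(r"[.()]", text.strip()) if p]
    if not parts or len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # pad so 9.8 compares as 9.8.0.0

def is_affected(product, version):
    """True if the version falls inside one of the page's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED[product.lower()])

def triage(inventory):
    """Return the hosts whose software version matches an affected range.

    A match is a version match only: the advisory text says that only specific
    AnyConnect and WebVPN configurations are affected, so confirm the
    configuration on each returned host.
    """
    return [host for host, product, version in inventory
            if is_affected(product, version)]

# Constructed sample inventory; hostnames and versions are made up.
INVENTORY = [
    ("vpn-edge-1", "asa", "9.8(4)15"),    # inside >=9.8 <9.8.4.20
    ("vpn-edge-2", "asa", "9.12(3)9"),    # equals the excluded upper bound
    ("fw-branch-1", "ftd", "6.4.0.8"),    # inside >=6.4.0 <6.4.0.9
    ("fw-branch-2", "ftd", "6.6.0"),      # train not listed on this page
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: version is in an affected range for CVE-2020-3259")
```

A False result means only that the version is outside the ranges listed on this page; release trains that the table does not mention are not evaluated.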