Cisco issued an updated advisory warning of active exploits in the wild against a Cisco security appliance XSS vulnerability CVE-2020-3580. Proof of concept (PoC) exploit code has also been released to the public.
Cisco originally released patches in October 2020 for multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The vulnerabilities are caused by insufficient validation of user-supplied input by the web services interface of an affected device.
As a result, a remote attacker could launch a cross-site scripting (XSS) attack against a user of the web services interface of an affected device.
Researchers at Positive Technologies published the PoC for the vulnerability (CVE-2020-3580) via a tweet on June 24:
🎁PoC for XSS in Cisco ASA (CVE-2020-3580)
— PT SWARM (@ptswarm) June 24, 2021
POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
Host: ciscoASA.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
SAMLResponse="><svg/onload=alert('PTSwarm')> pic.twitter.com/c53MKSK9bg
Shortly afterwards, other researchers were also chasing bug bounties for this vulnerability and confirmed attackers were exploiting in the wild:
The hunt for low hanging CVE-2020-3580 by @ptswarm has begun.
— Mikhail Klyuchnikov (@m1ke_n1) June 24, 2021
A lot of submissions/duplicates are waiting for @Bugcrowd and @Hacker0x01 #bugbounty
Moreover, researchers from Tenable also posted more details on the issues in a blog post last Thursday.
Cisco confirmed that these vulnerabilities affected Cisco products running a unpatched version of Cisco ASA Software or FTD Software with a vulnerable AnyConnect or WebVPN configuration.
Organizations should prioritize patching affected network devices as soon as possible.