Cisco Patches High Severity Vulnerabilities in Security Products (Security News, May 2020)
Cisco this week released security updates to address more than 30 vulnerabilities in various products, including 12 high severity flaws impacting Adaptive Security Appliance and Firepower Threat Defense.
The most important of these issues is tracked as CVE-2020-3187 and could be exploited to conduct directory traversal attacks and then read or delete sensitive files on a vulnerable system.
"The attacker can only view and delete files within the web services file system. This file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system files," Cisco explains.
Cisco has released software updates that fix the vulnerability: ASA Software Releases 9.6.4.40, 9.8.4.15, 9.9.2.66, 9.10.1.37, 9.12.3.2, and 9.13.1.7; and FTD Software Releases 6.4.0.8 and 6.5.0.4.
These flaws include XML parsing, carriage return line feed injection, disabling of user accounts, SSL/TLS URL category bypass, bypass of configured file policies, open redirect, signature checks bypass, XML external expansion, shell access, denial of service, information disclosure, access list bypass, cross-site scripting, static credential, arbitrary file overwrite, and arbitrary log file write issues.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-05-06 | CVE-2020-3187 | Path Traversal vulnerability in Cisco products: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system. | 9.1 |