Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Cisco Adaptive Security Appliance Web Interface Denial-of-Service and Path Traversal Vulnerability

Vulnerability

A vulnerability exists in the web interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to cause the device to reload unexpectedly, leading to a denial-of-service (DoS) condition. On certain software releases, the device may not reload, but the attacker could exploit directory traversal techniques to access sensitive system information without authentication. The vulnerability arises from improper input validation of HTTP URLs, allowing exploitation via crafted HTTP requests. This issue affects both IPv4 and IPv6 HTTP traffic.

Impact

Exploitation of this vulnerability can cause an affected device to reload unexpectedly, resulting in a denial-of-service condition. Additionally, on certain software releases, the vulnerability allows for unauthenticated access to sensitive system information via directory traversal techniques.

Reproduction

To reproduce this vulnerability, send a crafted HTTP request to the affected device's web interface. If the device is running a vulnerable version of Cisco ASA or FTD Software and is configured with a potentially vulnerable feature, the device may respond by reloading, causing a DoS condition. Alternatively, if the device does not reload, the same request can be used to read sensitive system information without authentication through the directory traversal weakness described above.

Remediation

Cisco has released software updates that address this vulnerability. Users are advised to upgrade to a fixed release. For Cisco ASA, the first fixed releases vary by version, and the update is available through the Cisco Software Center. For Cisco FTD, users should upgrade to version 6.1.0 HotFix or later, or to version 6.2.2.3, depending on their current version.

Added: May 15, 2026, 10:28 AM
Updated: May 15, 2026, 10:28 AM

Vulnerability Rating

Custom Algorithm

  spread          6.8
  impact          5.0
  exploitability  9.4
  remediation     7.9
  relevance       0.0
  threat          9.9
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.