Details of VAR-202010-1009

ID

VAR-202010-1009

CVE

CVE-2020-3304

TITLE

Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Software input verification vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-012597

DESCRIPTION

A vulnerability in the web interface of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition. Note: This vulnerability applies to IP Version 4 (IPv4) and IP Version 6 (IPv6) HTTP traffic. The platform provides features such as highly secure access to data and network resources

Trust: 1.8

sources: NVD: CVE-2020-3304 // JVNDB: JVNDB-2020-012597 // VULHUB: VHN-181429 // VULMON: CVE-2020-3304

AFFECTED PRODUCTS

vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.9.2.80	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.14.1.10	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	gte	version:	9.8.0	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.12.3.12	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	gte	version:	6.6.0	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	gte	version:	6.5.0	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	lt	version:	6.4.0.10	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.8.4.22	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	lt	version:	6.5.0.5	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.10.1.44	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	gte	version:	9.12.0	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	lt	version:	6.3.0.6	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	gte	version:	9.10.0	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	gte	version:	9.13.0	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance	scope:	lt	version:	9.6.4.45	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	lt	version:	6.6.1	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	gte	version:	9.14.0	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	gte	version:	9.9.0	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.13.1.12	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco adaptive security appliance ソフトウェア	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco firepower threat defense ソフトウェア	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-012597 // NVD: CVE-2020-3304

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-3304
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3304
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-3304
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202010-1143
value:	HIGH
Trust: 0.6
VULHUB:	VHN-181429
value:	HIGH
Trust: 0.1
VULMON:	CVE-2020-3304
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-3304
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-181429
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2020-3304
baseSeverity:	HIGH
baseScore:	8.6
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	4.0
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2020-3304
baseSeverity:	HIGH
baseScore:	8.6
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	4.0
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-181429 // VULMON: CVE-2020-3304 // JVNDB: JVNDB-2020-012597 // CNNVD: CNNVD-202010-1143 // NVD: CVE-2020-3304 // NVD: CVE-2020-3304

PROBLEMTYPE DATA

problemtype:	CWE-20	Trust: 1.1
problemtype:	CWE-400	Trust: 1.0
problemtype:	Incorrect input confirmation (CWE-20) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-181429 // JVNDB: JVNDB-2020-012597 // NVD: CVE-2020-3304

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202010-1143

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202010-1143

PATCH

title:	cisco-sa-asaftd-webdos-fBzM5Ynw	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webdos-fBzM5Ynw	Trust: 0.8
title:	Cisco: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Denial of Service Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-asaftd-webdos-fBzM5Ynw	Trust: 0.1
title:	CVE-2020-3304	url:	https://github.com/AlAIAL90/CVE-2020-3304	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/cisco-dos-flaws-network-security-software/160414/	Trust: 0.1

sources: VULMON: CVE-2020-3304 // JVNDB: JVNDB-2020-012597

EXTERNAL IDS

db:	NVD	id:	CVE-2020-3304	Trust: 2.6
db:	JVNDB	id:	JVNDB-2020-012597	Trust: 0.8
db:	CNNVD	id:	CNNVD-202010-1143	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.3642.3	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3642	Trust: 0.6
db:	NSFOCUS	id:	50234	Trust: 0.6
db:	CNVD	id:	CNVD-2021-44684	Trust: 0.1
db:	VULHUB	id:	VHN-181429	Trust: 0.1
db:	VULMON	id:	CVE-2020-3304	Trust: 0.1

sources: VULHUB: VHN-181429 // VULMON: CVE-2020-3304 // JVNDB: JVNDB-2020-012597 // CNNVD: CNNVD-202010-1143 // NVD: CVE-2020-3304

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-asaftd-webdos-fbzm5ynw	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2020-3304	Trust: 1.4
url:	https://vigilance.fr/vulnerability/cisco-asa-software-denial-of-service-via-http-requests-33674	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3642.3	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/50234	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3642/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://github.com/alaial90/cve-2020-3304	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/cisco-dos-flaws-network-security-software/160414/	Trust: 0.1

sources: VULHUB: VHN-181429 // VULMON: CVE-2020-3304 // JVNDB: JVNDB-2020-012597 // CNNVD: CNNVD-202010-1143 // NVD: CVE-2020-3304

SOURCES

db:	VULHUB	id:	VHN-181429
db:	VULMON	id:	CVE-2020-3304
db:	JVNDB	id:	JVNDB-2020-012597
db:	CNNVD	id:	CNNVD-202010-1143
db:	NVD	id:	CVE-2020-3304

LAST UPDATE DATE

2024-08-14T13:54:28.367000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-181429	date:	2021-09-17T00:00:00
db:	VULMON	id:	CVE-2020-3304	date:	2021-09-17T00:00:00
db:	JVNDB	id:	JVNDB-2020-012597	date:	2021-05-14T08:19:00
db:	CNNVD	id:	CNNVD-202010-1143	date:	2021-06-30T00:00:00
db:	NVD	id:	CVE-2020-3304	date:	2023-08-16T16:17:07.960

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-181429	date:	2020-10-21T00:00:00
db:	VULMON	id:	CVE-2020-3304	date:	2020-10-21T00:00:00
db:	JVNDB	id:	JVNDB-2020-012597	date:	2021-05-14T00:00:00
db:	CNNVD	id:	CNNVD-202010-1143	date:	2020-10-21T00:00:00
db:	NVD	id:	CVE-2020-3304	date:	2020-10-21T19:15:15.623