ID

VAR-202010-1015


CVE

CVE-2020-3436


TITLE

Cisco Adaptive Security Appliance  and  Cisco Firepower Threat Defense  Vulnerability in software regarding unlimited upload of dangerous types of files

Trust: 0.8

sources: JVNDB: JVNDB-2020-012565

DESCRIPTION

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to upload arbitrary-sized files to specific folders on an affected device, which could lead to an unexpected device reload. The vulnerability exists because the affected software does not efficiently handle the writing of large files to specific folders on the local file system. An attacker could exploit this vulnerability by uploading files to those specific folders. A successful exploit could allow the attacker to write a file that triggers a watchdog timeout, which would cause the device to unexpectedly reload, causing a denial of service (DoS) condition. Cisco Adaptive Security Appliances Software is a firewall and network security platform. The platform provides features such as highly secure access to data and network resources

Trust: 1.8

sources: NVD: CVE-2020-3436 // JVNDB: JVNDB-2020-012565 // VULHUB: VHN-181561 // VULMON: CVE-2020-3436

AFFECTED PRODUCTS

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.10.1.44

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.9.2.80

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:ltversion:6.4.0.10

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.14.0

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.8.0

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:gteversion:6.4.0

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:ltversion:6.3.0.6

Trust: 1.0

vendor:ciscomodel:adaptive security appliancescope:ltversion:9.6.4.45

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.14.1.15

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.13.0

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:lteversion:6.2.2

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.8.4.25

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.9.0

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:ltversion:6.5.0.5

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.13.1.12

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:gteversion:6.5.0

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:eqversion:6.6.0

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.12.4.2

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.10.0

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:gteversion:6.3.0

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.12.0

Trust: 1.0

vendor:シスコシステムズmodel:cisco adaptive security appliance ソフトウェアscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco firepower threat defense ソフトウェアscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-012565 // NVD: CVE-2020-3436

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3436
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3436
value: HIGH

Trust: 1.0

NVD: CVE-2020-3436
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202010-1147
value: HIGH

Trust: 0.6

VULHUB: VHN-181561
value: HIGH

Trust: 0.1

VULMON: CVE-2020-3436
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3436
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-181561
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2020-3436
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 4.0
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2020-3436
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 4.0
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-181561 // VULMON: CVE-2020-3436 // JVNDB: JVNDB-2020-012565 // CNNVD: CNNVD-202010-1147 // NVD: CVE-2020-3436 // NVD: CVE-2020-3436

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.1

problemtype:Unlimited upload of dangerous types of files (CWE-434) [NVD Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-181561 // JVNDB: JVNDB-2020-012565 // NVD: CVE-2020-3436

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202010-1147

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202010-1147

PATCH

title:cisco-sa-asaftd-fileup-dos-zvC7wtysurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-fileup-dos-zvC7wtys

Trust: 0.8

sources: JVNDB: JVNDB-2020-012565

EXTERNAL IDS

db:NVDid:CVE-2020-3436

Trust: 2.6

db:JVNDBid:JVNDB-2020-012565

Trust: 0.8

db:CNNVDid:CNNVD-202010-1147

Trust: 0.7

db:AUSCERTid:ESB-2020.3642.3

Trust: 0.6

db:AUSCERTid:ESB-2020.3642

Trust: 0.6

db:NSFOCUSid:50235

Trust: 0.6

db:CNVDid:CNVD-2021-44682

Trust: 0.1

db:VULHUBid:VHN-181561

Trust: 0.1

db:VULMONid:CVE-2020-3436

Trust: 0.1

sources: VULHUB: VHN-181561 // VULMON: CVE-2020-3436 // JVNDB: JVNDB-2020-012565 // CNNVD: CNNVD-202010-1147 // NVD: CVE-2020-3436

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-asaftd-fileup-dos-zvc7wtys

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-3436

Trust: 1.4

url:http://www.nsfocus.net/vulndb/50235

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3642.3

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-asa-software-denial-of-service-via-file-upload-33667

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3642/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/434.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-181561 // VULMON: CVE-2020-3436 // JVNDB: JVNDB-2020-012565 // CNNVD: CNNVD-202010-1147 // NVD: CVE-2020-3436

SOURCES

db:VULHUBid:VHN-181561
db:VULMONid:CVE-2020-3436
db:JVNDBid:JVNDB-2020-012565
db:CNNVDid:CNNVD-202010-1147
db:NVDid:CVE-2020-3436

LAST UPDATE DATE

2024-11-23T21:35:10.088000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-181561date:2020-10-26T00:00:00
db:VULMONid:CVE-2020-3436date:2020-10-26T00:00:00
db:JVNDBid:JVNDB-2020-012565date:2021-05-13T03:07:00
db:CNNVDid:CNNVD-202010-1147date:2021-06-30T00:00:00
db:NVDid:CVE-2020-3436date:2024-11-21T05:31:03.880

SOURCES RELEASE DATE

db:VULHUBid:VHN-181561date:2020-10-21T00:00:00
db:VULMONid:CVE-2020-3436date:2020-10-21T00:00:00
db:JVNDBid:JVNDB-2020-012565date:2021-05-13T00:00:00
db:CNNVDid:CNNVD-202010-1147date:2020-10-21T00:00:00
db:NVDid:CVE-2020-3436date:2020-10-21T19:15:16.077