    Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 31-Jan-2024 13:49:48 JST

    🚨 patch your Cisco AnyConnect boxes 🚨

    For a 2020 vulnerability. Really.

    Lots of ransomware cases coming in for Cisco AnyConnect/ASA recently and finally we know how - CVE-2020-3259

    It was a vuln which allowed a CitrixBleed style memory dump, found by a Russian research org now under US sanctions. Ransomware operators have an exploit.

    Sadly it looks like many orgs never patched.

    https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco-anyconnect-vulnerability-cve-2020-3259

    Attachments

    1. https://cyberplace.social/system/media_attachments/files/111/848/755/547/336/810/original/cbc99290edb49cf9.jpeg
    2. Akira Ransomware and exploitation of Cisco Anyconnect vulnerability CVE-2020-3259 ⋆ Truesec
       from @Truesec
       In several recent incident response missions, the Truesec CSIRT team made forensic observations indicating that the old vulnerability CVE-2020-3259 is
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 31-Jan-2024 14:05:21 JST

      Since the exploit isn’t public, I think vuln management vendors probably need to find a way to fingerprint devices (over HTTPS) to see if they’ve been patched recently.

      Great work by TrueSec again.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 16-Feb-2024 07:10:16 JST, in reply to Simon

      Update. CISA have added CVE-2020-3259 to KEV and linked it to ransomware groups. HT @simontsui

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 11-Apr-2024 06:00:04 JST

      I have obtained the exploit for Cisco AnyConnect vulnerability CVE-2020-3259 that Akira ransomware group are exploiting.

      Would an nmap module for unauthenticated checking be useful?

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 25-Apr-2024 03:14:28 JST

      In light of recent events, probably best to make this ASA vuln public in public interest: https://github.com/GossiTheDog/Exploits/blob/main/Cisco-CVE-2020-3259.sh

      If you get <argument> back with token inside, not vuln. If you get a memory dump back, you vuln.

      The path exists even with webvpn disabled, it's the host checker.

      Credits to person who found it, don't know if they want to be named.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 25-Apr-2024 05:48:47 JST

      Been playing with this more, the memory dump contains session keys you can replay to bypass MFA, and client supplied certificates.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Apr-2024 02:46:59 JST

      If anybody looks at that exploit and says 'hey that curl command doesn't work', I know, you have to fix it.

      The +CSCOE+/sdesktop/webstart.xml attack surface is a bit nuts. It takes any parameters you specify and echoes them back. Also, that whole area is exposed even if you disable webvpn (which is supposed to be an end-of-life feature) - the code is still just sat there.

    • System Adminihater (systemadminihater@cyberplace.social)'s status on Friday, 26-Apr-2024 03:53:53 JST

      @GossiTheDog They may as well have a sitemap.xml in their software.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Apr-2024 21:59:55 JST, in reply to Naproxen

      Thread ninja edit - thanked @Naproxen for doing the hard work on the ASA vuln. I updated exploit last night, will upload later.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 30-Apr-2024 06:56:55 JST

      Several months ago, I started banging drums saying orgs needed to get a grip on Cisco AnyConnect ASA patching.

      Here’s a snapshot re why - Coalition cyber insurance claims data.

      If you use Cisco AnyConnect or webvpn, you need to be fully up to date with patches and have MFA enabled on all users at all times.

      You should find your full ASA version numbers from your network team - e.g. 9.12.1.2 - and Google Cisco Software Checker, and bookmark it.

      Orgs worldwide have not been patching.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/356/738/473/284/232/original/2fb1feaf0f723f0e.jpeg

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 07-Mar-2025 23:38:15 JST

      There are still several thousand Cisco ASA VPN boxes not patched for CVE-2020-3259, which leak their memory (and so plain text creds and IPsec tunnel keys).
      Data: https://dump.leakix.net/cases/gtd/asa.vuln.json

    • cR0w :cascadia: (cr0w@infosec.exchange)'s status on Friday, 07-Mar-2025 23:49:40 JST

      @GossiTheDog I'm sure they're just honeypots and not actually vulnerable corp access points...

    • da_667 (da_667@infosec.exchange)'s status on Saturday, 08-Mar-2025 02:49:37 JST

      @GossiTheDog Not quite sure how I missed your POC the first time around, but I just added coverage in the ET ruleset for both Snort and Suricata. Rules will be out this evening in our daily rule release. Cheers and thank you.

      Suricata:

      alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco ASA/FTD Memory Leak Attempt (CVE-2020-3259)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>800; content:"|2b|CSCOE|2b|/sdesktop/webstart.xml|3f|"; fast_pattern; content:"|25|p"; endswith; reference:url,github.com/GossiTheDog/Exploits/blob/main/Cisco-CVE-2020-3259.sh; reference:cve,2020-3259; classtype:attempted-admin; sid:1; rev:1;)

      Snort:

      alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco ASA/FTD Memory Leak Attempt (CVE-2020-3259)"; flow:established,to_server; content:"GET"; http_method; urilen:>800; content:"|2b|CSCOE|2b|/sdesktop/webstart.xml|3f|"; fast_pattern:0,20; content:"|25|p"; distance:0; reference:url,github.com/GossiTheDog/Exploits/blob/main/Cisco-CVE-2020-3259.sh; reference:cve,2020-3259; classtype:attempted-admin; sid:1; rev:1;)

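As an added example (not code from the thread, from da_667 or from the ET ruleset), the Suricata rule's URI conditions re-implemented in Python so a defender can replay access-log request lines through the same logic offline; the request lines, function names and constants are constructed for this example.

```python
# Added example: the ET rule's URI conditions re-implemented in Python so they
# can be tested against access-log request lines offline. Sample lines are
# constructed; nothing here is taken from the thread or the ET ruleset itself.
import re
from typing import Optional

# From the rule: |2b|CSCOE|2b|/sdesktop/webstart.xml|3f| and |25|p, decoded.
WEBSTART_MARKER = "+CSCOE+/sdesktop/webstart.xml?"
TRAILER = "%p"
URI_MIN_LEN = 801  # bsize:>800 (Suricata) / urilen:>800 (Snort)

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$")

def parse_request_line(line: str) -> Optional[tuple[str, str]]:
    """Split an HTTP request line into (method, uri); None if malformed."""
    m = REQUEST_LINE.match(line.strip())
    return (m.group("method"), m.group("uri")) if m else None

def matches_cve_2020_3259(line: str) -> bool:
    """True when every condition of the ET rule holds for this request line."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    method, uri = parsed
    return (
        method == "GET"                        # content:"GET"; http.method
        and len(uri.encode()) >= URI_MIN_LEN   # bsize:>800
        and WEBSTART_MARKER in uri             # fast_pattern content
        and uri.endswith(TRAILER)              # content:"|25|p"; endswith
    )

def scan(lines):
    """Return the request lines that would raise the alert."""
    return [line for line in lines if matches_cve_2020_3259(line)]

# Constructed sample request lines (not real traffic).
SAMPLE_LINES = [
    # Ordinary short host-scan request: no alert.
    "GET /+CSCOE+/sdesktop/webstart.xml?param=value HTTP/1.1",
    # Oversized query on the same path ending in %p: alert.
    "GET /+CSCOE+/sdesktop/webstart.xml?q=" + "x" * 800 + "%p HTTP/1.1",
    # Oversized but unrelated path: no alert.
    "GET /static/" + "x" * 900 + " HTTP/1.1",
    # Right path and size but wrong method: no alert.
    "POST /+CSCOE+/sdesktop/webstart.xml?q=" + "x" * 800 + "%p HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print("ALERT CVE-2020-3259 pattern:", hit[:60] + "...")
```

Only the second constructed line satisfies all four conditions; the others each fail one, which is a quick way to check that a local rule edit has not widened or narrowed the match.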