Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software WebVPN CRLF Injection Vulnerability
Description
Cisco ASA and FTD WebVPN CRLF injection allows unauthenticated remote attackers to inject arbitrary HTTP headers via a crafted link, enabling redirect to arbitrary sites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2020-3561 is a CRLF injection vulnerability in the Clientless SSL VPN (WebVPN) feature of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. The root cause is insufficient sanitization of user-supplied input that the WebVPN interface reflects into HTTP response headers: carriage-return and line-feed characters in that input are not rejected or encoded, so an attacker can terminate the intended header and append arbitrary headers of their own. According to the advisory, affected ASA Software includes releases earlier than 9.6.1, and the fixed releases for the affected trains are 9.6.4.35, 9.8.4.20, 9.9.2.80, 9.10.1.43, 9.12.3.9, 9.13.1.10, and 9.14.1.10; affected FTD Software includes releases earlier than 6.3.0, with fixed releases 6.3.0.6, 6.4.0.10, 6.5.0.5, and 6.6.1 [1].
Exploitation
An unauthenticated, remote attacker can exploit the vulnerability by persuading a user of the affected interface to click a specially crafted link. No special network position or authentication is required; the attack depends on social engineering to convince the user to interact with the malicious link [1].
Impact
Successful exploitation allows the attacker to conduct a CRLF injection attack, adding arbitrary HTTP headers to the responses the affected system sends to the victim's browser. Because the browser treats those headers as coming from the trusted VPN portal, an injected redirect header can send the user to an arbitrary, attacker-controlled website, which is the natural setup for credential phishing or further client-side attacks. The direct impact is to integrity (the attacker controls header content in a legitimate response); the confidentiality impact is indirect, through whatever the redirected user then submits to the attacker's site [1].
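The Vulnerability, Exploitation and Impact paragraphs above describe the bug class generically. The following is an added illustration, not Cisco's code (the WebVPN source is not public) and not taken from the advisory: a hypothetical portal handler that reflects a query parameter into a `Set-Cookie` header, the crafted link that turns an encoded `%0d%0a` into a second, attacker-chosen `Refresh` header, a hardened handler that rejects control characters, and a small parser a tester can run over a captured response to spot headers the portal never emits itself. The parameter name `lang`, the expected-header set and the `attacker.example` URL are assumptions made for the example.

```python
import re
import urllib.parse
from typing import List, Optional, Tuple

CRLF = "\r\n"

# Hypothetical query parameter that a portal reflects into a response header.
# The advisory does not name the parameter involved in CVE-2020-3561; this is an
# assumption made for illustration only.
REFLECTED_PARAM = "lang"

# Headers this hypothetical portal is expected to emit; anything else is injected.
EXPECTED_HEADERS = {"content-type", "content-length", "set-cookie"}

# Constructed crafted-link query string: %0d%0a ends the Set-Cookie header and starts
# an attacker-chosen Refresh header (';' is sent as %3B so parse_qs never splits on it).
CRAFTED_QUERY = "lang=en%0d%0aRefresh:%200%3B%20url=https://attacker.example/login"

_CTL = re.compile(r"[\r\n\x00]")


def _reflected_value(query: str) -> str:
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    return params.get(REFLECTED_PARAM, [""])[0]


def _render(status: str, headers: List[Tuple[str, str]]) -> bytes:
    lines = [status] + [f"{n}: {v}" for n, v in headers] + ["", ""]
    return CRLF.join(lines).encode("latin-1", errors="replace")


def build_response_vulnerable(query: str) -> bytes:
    """Bug class: the reflected value lands in a header with its CR/LF intact."""
    value = _reflected_value(query)
    return _render("HTTP/1.1 200 OK", [
        ("Content-Type", "text/html"),
        ("Set-Cookie", f"{REFLECTED_PARAM}={value}; Path=/"),
        ("Content-Length", "0"),
    ])


def build_response_hardened(query: str) -> bytes:
    """Fix: refuse any value carrying CR, LF or NUL before it can reach a header."""
    value = _reflected_value(query)
    if _CTL.search(value):
        # Reject rather than strip: a 400 leaves a log trail and no attacker-shaped value.
        return _render("HTTP/1.1 400 Bad Request", [("Content-Length", "0")])
    return _render("HTTP/1.1 200 OK", [
        ("Content-Type", "text/html"),
        ("Set-Cookie", f"{REFLECTED_PARAM}={value}; Path=/"),
        ("Content-Length", "0"),
    ])


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw response the way a browser does: headers end at the first blank line."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    out: List[Tuple[str, str]] = []
    for line in head.split(CRLF)[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            out.append((name.strip().lower(), value.strip()))
    return out


def injected_headers(raw: bytes) -> List[str]:
    """Header names present in the response that the portal never emits itself."""
    return [n for n, _ in parse_headers(raw) if n not in EXPECTED_HEADERS]


def redirect_target(raw: bytes) -> Optional[str]:
    """Where a browser honouring Location or Refresh would navigate, if anywhere."""
    for name, value in parse_headers(raw):
        if name == "location":
            return value
        if name == "refresh":
            m = re.search(r"url\s*=\s*([^\s;]+)", value, re.IGNORECASE)
            if m:
                return m.group(1)
    return None


if __name__ == "__main__":
    vuln = build_response_vulnerable(CRAFTED_QUERY)
    print("vulnerable: injected", injected_headers(vuln), "->", redirect_target(vuln))
    print("hardened:  ", build_response_hardened(CRAFTED_QUERY).split(b"\r\n")[0].decode())
```

`Refresh` is used in the crafted link because browsers honour it even on a 200 response; when the reflecting endpoint already answers with a 3xx, injecting `Location` works the same way. The same primitive also lets an attacker inject a double CRLF to end the header block early and supply their own body, which is why the fix rejects control characters outright instead of trying to neutralise individual headers.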
Mitigation
Cisco has released fixed software versions as listed in the advisory. For ASA Software: 9.6.4.35, 9.8.4.20, 9.9.2.80, 9.10.1.43, 9.12.3.9, 9.13.1.10, and 9.14.1.10. For FTD Software: 6.3.0.6 (future release), 6.4.0.10, 6.5.0.5 (future release), and 6.6.1. Releases that have reached end of software maintenance and have no fixed release in their train (ASA 9.7 and earlier trains not listed above; FMC/FTD 6.0.1 and earlier, 6.2.0, and 6.2.1) must be migrated to a supported, fixed release. No workaround is described in the available references [1].
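A practitioner triaging a fleet wants to turn the fixed-release list above into a check against `show version` output. The following is an added example, not a Cisco tool: the tables are transcribed from the Mitigation paragraph on this page, the ASA `9.12(3)9` notation is mapped onto the dotted `9.12.3.9` form the page uses, and the comparison assumes Cisco interim releases order numerically component by component (an assumption; trains the page lists no fix for are reported as `not-listed` rather than guessed at).

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# Fixed releases as listed on this page, keyed by train (first two components).
# Trains the page lists no fix for are deliberately absent.
ASA_FIXED: Dict[Tuple[int, int], Version] = {
    (9, 6): (9, 6, 4, 35), (9, 8): (9, 8, 4, 20), (9, 9): (9, 9, 2, 80),
    (9, 10): (9, 10, 1, 43), (9, 12): (9, 12, 3, 9), (9, 13): (9, 13, 1, 10),
    (9, 14): (9, 14, 1, 10),
}
FTD_FIXED: Dict[Tuple[int, int], Version] = {
    (6, 3): (6, 3, 0, 6), (6, 4): (6, 4, 0, 10), (6, 5): (6, 5, 0, 5), (6, 6): (6, 6, 1, 0),
}

# Matches 9.12(3)9, 9.14(1), 9.12.3.9 or 6.4.0.10 inside a longer line.
_VERSION_TOKEN = re.compile(r"\d+\.\d+(?:[.(]\d+\)?)*\d*")


def parse_version(text: str) -> Version:
    """Extract the first version token from a 'show version' line and pad it to four ints."""
    m = _VERSION_TOKEN.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    nums = [int(x) for x in re.findall(r"\d+", m.group(0))]
    padded = (nums + [0, 0, 0, 0])[:4]
    return (padded[0], padded[1], padded[2], padded[3])


def assess(product: str, version_text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not-listed' for the running release.

    'not-listed' means the train has no entry in this page's table (for example a
    release earlier than 9.6 or an end-of-maintenance train): consult the advisory
    rather than assuming either way.
    """
    table = ASA_FIXED if product.upper() == "ASA" else FTD_FIXED
    running = parse_version(version_text)
    fixed = table.get(running[:2])
    if fixed is None:
        return "not-listed"
    return "fixed" if running >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample lines in the shape 'show version' prints them.
    for product, line in [
        ("ASA", "Cisco Adaptive Security Appliance Software Version 9.12(3)9"),
        ("ASA", "Cisco Adaptive Security Appliance Software Version 9.8(4)12"),
        ("ASA", "Cisco Adaptive Security Appliance Software Version 9.7(1)4"),
        ("FTD", "Cisco Firepower Threat Defense Software Version 6.4.0.10"),
    ]:
        print(f"{product} {parse_version(line)} -> {assess(product, line)}")
```

Run it against the `show version` line from each device; anything reported `vulnerable` is below the fixed release for its train, and `not-listed` devices need the migration path from the advisory.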
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3 listed; version range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-crlf-inj-BX9uRwSn (Cisco vendor advisory; MITRE reference, x_refsource_CISCO)
News mentions
No linked articles in our index yet.