Researchers at Positive Technologies have published a proof-of-concept exploit for CVE-2020-3580. There are reports of researchers pursuing bug bounties using this exploit.
According to Tenable, on October 21, 2020, Cisco released a security advisory and patches to address multiple cross-site scripting (XSS) vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software web services. In April, Cisco updated the advisory to account for an incomplete fix of CVE-2020-3581.
Leo Pate, Application Security Consultant at nVisium, a Falls Church, Va.-based application security provider, explains that exploiting the vulnerability identified in CVE-2020-3580 allows an attacker to modify the device's configuration. "While this sounds dangerous, exploiting this vulnerability requires an administrative user to log in and navigate to the webpage where the attacker uploaded the malicious code. Updating to the latest versions of the affected software on an organization's affected devices is recommended; however, there is more that can be done to mitigate this vulnerability. Organizations can ask their internal teams if they need to use the web management interface, and if so, is it available to everyone on the internet or just internally to our organization? If the web management interface isn't needed, then it should be disabled."
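The mitigation Pate describes, restricting or disabling the ASA web management (HTTPS/ASDM) interface, maps onto a few lines of ASA configuration. The fragment below is an added illustration, not configuration from Cisco's advisory or from any of the quoted researchers; the interface names and the 10.10.50.0/24 management subnet are constructed placeholders. The first block is the exposed setting, the second the restricted one, and the third removes the web server entirely for devices that are managed only over SSH or a central manager.

```text
! Exposed: web management reachable from any source on the internet-facing interface
http server enable
http 0.0.0.0 0.0.0.0 outside

! Restricted: remove the outside entry and allow only the internal management subnet
no http 0.0.0.0 0.0.0.0 outside
http server enable
http 10.10.50.0 255.255.255.0 inside

! Disabled: no web management interface at all (ASDM and the web services it exposes are unreachable)
no http server enable
```

After applying either hardened variant, `show run http` should list no entry for the outside interface, and an HTTPS connection attempt from an external address should time out rather than present a login page. Because the reported XSS only takes effect when an administrator loads the device's web interface, cutting external reachability removes the path an attacker would need to put a crafted page in front of that administrator, independent of whether the October patch has been applied yet.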
"Exploits for appliances that may sit on the vanishing perimeter generally garner interest; fortunately, in this case there are at least two things working against rampant exploitation. First, a patch has been available since October. Second, an element of social engineering is required. This should provide some level of confidence for organizations with reasonable patch cycles and a security awareness program," says Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based AI cybersecurity company. "That said, the fact remains that exploitable conditions in appliances we rely on for security are a fact of life – effective organizations don't just have a plan to play patch whack-a-mole, catching up to the latest threat after the fact, but proactively deploy detection and response capabilities so they can get ahead of threats."
On June 24, Positive Technologies tweeted a proof-of-concept (PoC) exploit for CVE-2020-3580. Shortly after, Mikhail Klyuchnikov, a researcher at Positive Technologies, also tweeted that other researchers are chasing bug bounties for this vulnerability. Tenable researchers say the company has also received a report that attackers are exploiting CVE-2020-3580 in the wild.
Pate says, "Security researchers are constantly disclosing PoCs for known exploits with the vast majority following unwritten responsible disclosure standards. When vulnerabilities are discovered, security researchers typically report these vulnerabilities to the organization that built the software before releasing them publicly. They work with the organization to help find a solution to the vulnerability and give them time to push out an update before releasing the information they discovered publicly. It should be noted that security researchers are under no obligation to withhold the information they discovered."