CISA has added a significant cybersecurity alert to its catalog, highlighting the known exploited vulnerability CVE-2020-3259 affecting Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. This vulnerability, with a severity score of 7.5, enables an unauthenticated, remote attacker to retrieve memory contents by exploiting a buffer tracking issue in the web services interface. The disclosure of confidential information becomes a risk when the software parses invalid URLs from crafted GET requests.
The severity of the vulnerability is underscored by the potential impact on systems, and CISA recommends immediate action. Specific affected configurations, namely certain AnyConnect and WebVPN setups, are outlined. The provided CVSS scores from NIST and Cisco Systems, Inc. may differ, emphasizing the importance of considering multiple sources for vulnerability assessments.
Mitigations involve applying vendor instructions or discontinuing the use of the affected products if mitigations are unavailable. CISA references the vendor advisory for detailed information and urges adherence to BOD 22-01 and the Known Exploited Vulnerabilities Catalog for guidance. The due date for required actions is March 7, 2024, emphasizing the urgency of addressing this critical vulnerability promptly.
