The high-severity vulnerability in Cisco’s security network software could lay exposed sensitive data – such as web cookies and WebVPN configurations – to unauthenticated, remote attackers. The flaw lies in Cisco’s network security Firepower Threat Defense (FTD) software along with its Adaptive Security Appliance (ASA) software.
The flaw detected, was in the web services interface of Cisco’s Firepower Threat Defense (FTD) software, a part of its suite of traffic management products and network security, and its Adaptive Security Appliance software, the OS for its family of ASA corporate network security devices.
A cyber attacker could exploit the vulnerability by sending a crafted HTTP request containing directory traversal character sequences to any affected device. A successful attack could allow attackers to view arbitrary files within the web services file system on any targeted device.
The vulnerability ranks 7.5 out of 10 on the CVSS scale, which is due to a lack of adequate input validation of URLs in HTTP requests processed by various affected devices. Specifically, the vulnerability permits attackers to conduct directory traversal attacks, which incorporates HTTP attack enabling bad actors to access restricted directories to execute commands outside the web server’s root directory.
To Read More: Threatpost