CVE-2020-3125

Description

A vulnerability in the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access. The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received. An attacker could exploit this vulnerability by spoofing the KDC server response to the ASA device. This malicious response would not have been authenticated by the KDC. A successful attack could allow an attacker to bypass Kerberos authentication.

Related CPE's

ociscoasa_5505_firmware9.10\(1.220\)*******

hciscoasa_5505-*******

ociscoasa_5510_firmware9.10\(1.220\)*******

hciscoasa_5510-*******

ociscoasa_5512-x_firmware9.10\(1.220\)*******

hciscoasa_5512-x-*******

ociscoasa_5515-x_firmware9.10\(1.220\)*******

hciscoasa_5515-x-*******

ociscoasa_5520_firmware9.10\(1.220\)*******

hciscoasa_5520-*******

References

20200506 Cisco Adaptive Security Appliance Software Kerberos Authentication Bypass Vulnerability

Vendor Advisory

CvssV3 impact

Version

3.1

VectorString

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AttackVector

NETWORK

AttackComplexity

LOW

PrivilegesRequired

NONE

UserInteraction

NONE

Scope

UNCHANGED

ConfidentialityImpact

HIGH

IntegrityImpact

HIGH

AvailabilityImpact

HIGH

BaseScore

9.8

BaseSeverity

CRITICAL

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:M/Au:N/C:P/I:P/A:P

AccessVector

NETWORK

AccessComplexity

MEDIUM

Authentication

NONE

ConfidentialityImpact

PARTIAL

IntegrityImpact

PARTIAL

AvailabilityImpact

PARTIAL

BaseScore

6.800000190734863

Created by Yello
About Severity.io