CVE-2020-3125

CRITICAL | CVSS 9.8/10 | EPSS 2.36%


CVE-2020-3125 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A vulnerability in the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access. The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received. EPSS estimates a 2.36% chance of exploitation in the next 30 days.

Description

A vulnerability in the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access. The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received. An attacker could exploit this vulnerability by spoofing the KDC server response to the ASA device. This malicious response would not have been authenticated by the KDC. A successful attack could allow an attacker to bypass Kerberos authentication.
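To make the failure mode concrete, here is an added example; it is not Cisco code and not a real Kerberos implementation, but a constructed model of the AS exchange in which the appliance's only check is "did the reply decrypt under the password I was just given?". That check is worthless against an attacker who both chooses the password typed at the login prompt and runs the fake KDC that answers, because the fake reply is sealed under that same password and needs no secret from the real realm. The hardened variant adds the standard defence against KDC spoofing: request a ticket for the appliance's own service principal and verify it with a keytab key the attacker cannot know. The realm, principals, toy cipher, keytab and attacker password are all constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed realm, principal and keys; nothing here comes from a real deployment
# or from the ASA implementation.
REALM = "EXAMPLE.COM"
ASA_SPN = "host/asa.example.com@" + REALM

def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for Kerberos string2key: the user's long-term key derived from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(0, length, 32))

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (hash keystream + HMAC tag), standing in for a Kerberos enctype."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class RealKdc:
    """Legitimate KDC: holds every user's password and every service's long-term key."""
    def __init__(self, users: dict, service_keys: dict):
        self.users, self.service_keys = users, service_keys
        self.tgs_key = os.urandom(32)  # krbtgt key, known only to the KDC

    def as_exchange(self, cname: str, nonce: str) -> dict:
        session = os.urandom(32).hex()
        user_key = string_to_key(self.users[cname], cname)
        return {"enc_part": seal(user_key, {"nonce": nonce, "session": session}),
                "tgt": seal(self.tgs_key, {"cname": cname, "session": session})}

    def tgs_exchange(self, tgt: bytes, spn: str) -> bytes:
        body = unseal(self.tgs_key, tgt)  # only a TGT this KDC issued decrypts here
        return seal(self.service_keys[spn], {"cname": body["cname"], "session": body["session"]})

class SpoofedKdc:
    """Attacker-run KDC with no real secret: it only knows the password the attacker
    will type at the ASA prompt, which is enough to forge an AS-REP that decrypts."""
    def __init__(self, attacker_password: str):
        self.password = attacker_password

    def as_exchange(self, cname: str, nonce: str) -> dict:
        enc = seal(string_to_key(self.password, cname), {"nonce": nonce, "session": os.urandom(32).hex()})
        return {"enc_part": enc, "tgt": os.urandom(64)}  # the vulnerable ASA never checks the TGT

    def tgs_exchange(self, tgt: bytes, spn: str) -> bytes:
        # Without the service key it can only seal under a random key; the keytab check rejects it.
        return seal(os.urandom(32), {"cname": "anyone", "session": "forged"})

def asa_login_unverified(kdc, user: str, password: str) -> bool:
    """Vulnerable behaviour: any reply that decrypts under the typed password counts as success."""
    nonce = os.urandom(8).hex()
    rep = kdc.as_exchange(user, nonce)
    try:
        return unseal(string_to_key(password, user), rep["enc_part"])["nonce"] == nonce
    except ValueError:
        return False

def asa_login_validate_kdc(kdc, user: str, password: str, keytab: dict) -> bool:
    """Hardened behaviour: also fetch a ticket for the ASA's own service principal and
    verify it with the keytab key, which a spoofed KDC does not have."""
    nonce = os.urandom(8).hex()
    rep = kdc.as_exchange(user, nonce)
    try:
        enc = unseal(string_to_key(password, user), rep["enc_part"])
        if enc["nonce"] != nonce:
            return False
        ticket = unseal(keytab[ASA_SPN], kdc.tgs_exchange(rep["tgt"], ASA_SPN))
    except ValueError:
        return False
    return ticket["cname"] == user and ticket["session"] == enc["session"]

def run_scenarios() -> dict:
    """Run both ASA behaviours against the real and the spoofed KDC."""
    asa_key = os.urandom(32)
    keytab = {ASA_SPN: asa_key}  # what an imported keytab provides on the appliance
    real = RealKdc({"alice": "correct horse battery"}, {ASA_SPN: asa_key})
    fake = SpoofedKdc("anything-at-all")
    return {
        "real_kdc/right_pw/unverified": asa_login_unverified(real, "alice", "correct horse battery"),
        "real_kdc/wrong_pw/unverified": asa_login_unverified(real, "alice", "guess"),
        "spoofed_kdc/unverified": asa_login_unverified(fake, "alice", "anything-at-all"),
        "real_kdc/right_pw/validated": asa_login_validate_kdc(real, "alice", "correct horse battery", keytab),
        "spoofed_kdc/validated": asa_login_validate_kdc(fake, "alice", "anything-at-all", keytab),
    }
```

Calling `run_scenarios()` shows the point of the CVE in one row: with the unverified check, the spoofed KDC gets "alice" authenticated with a password the real realm has never seen, while a wrong password against the real KDC is still rejected. The validated path fails the spoofed KDC because the forged service ticket does not decrypt under the keytab key, and the session key bound into the genuine ticket must also match the one from the AS reply, so an attacker cannot splice a real ticket onto a forged AS-REP.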

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
2.36% (81.6th percentile)

Probability of exploitation in the next 30 days.

Affected Software

Vendor   Product                               Versions
Cisco    ASA 5505 Firmware                     9.10(1.220)
Cisco    ASA 5510 Firmware                     9.10(1.220)
Cisco    ASA 5512-X Firmware                   9.10(1.220)
Cisco    ASA 5515-X Firmware                   9.10(1.220)
Cisco    ASA 5520 Firmware                     9.10(1.220)
Cisco    ASA 5525-X Firmware                   9.10(1.220)
Cisco    ASA 5540 Firmware                     9.10(1.220)
Cisco    ASA 5545-X Firmware                   9.10(1.220)
Cisco    ASA 5550 Firmware                     9.10(1.220)
Cisco    ASA 5555-X Firmware                   9.10(1.220)
Cisco    ASA 5580 Firmware                     9.10(1.220)
Cisco    ASA 5585-X Firmware                   9.10(1.220)
Cisco    Adaptive Security Appliance Software  >= 9.8, < 9.8.4.15
Cisco    Adaptive Security Appliance Software  >= 9.9, < 9.9.2.66
Cisco    Adaptive Security Appliance Software  >= 9.10, < 9.10.1.37
Cisco    Adaptive Security Appliance Software  >= 9.12, < 9.12.3.2
Cisco    Adaptive Security Appliance Software  >= 9.13, < 9.13.1.7
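For triage, here is an added checker (example code, not from this page's source or from Cisco) that maps an ASA version string, either in the `x.y(z)n` form printed by `show version` or in the dotted `x.y.z.n` form used in the table, onto the ranges above. The fixed-in thresholds are taken from the table; the sample `show version` output is constructed. The interim-build string 9.10(1.220) is only matched verbatim, because the page gives no rule for ordering it against maintenance releases, and trains the table does not list are reported as not covered rather than guessed.

```python
import re

# First fixed build per release train, read off the Affected Software table
# (">= 9.8, < 9.8.4.15" means 9.8.4.15 is the first fixed build of the 9.8 train).
FIXED_IN = {
    (9, 8): (9, 8, 4, 15),
    (9, 9): (9, 9, 2, 66),
    (9, 10): (9, 10, 1, 37),
    (9, 12): (9, 12, 3, 2),
    (9, 13): (9, 13, 1, 7),
}

# Builds the table lists verbatim in interim notation; matched as strings only.
LISTED_EXACT = {"9.10(1.220)"}

# "9.12(3)2" (show version) or "9.12.3.2" (CPE style); a bare "9.12(3)" gets n = 0.
_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)\)(\d+)?|\.(\d+)\.(\d+))$")

def parse_release(version: str):
    """Return (major, minor, feature, maintenance) or None if the string is not a release number."""
    m = _RELEASE.match(version.strip())
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:
        return (major, minor, int(m.group(3)), int(m.group(4) or 0))
    return (major, minor, int(m.group(5)), int(m.group(6)))

def assess(version: str) -> str:
    """Classify one version string against the ranges on this page."""
    v = version.strip()
    if v in LISTED_EXACT:
        return "affected (listed explicitly)"
    rel = parse_release(v)
    if rel is None:
        return "unrecognised version format"
    fixed = FIXED_IN.get(rel[:2])
    if fixed is None:
        return "train not covered by this page"
    return "affected" if rel < fixed else "fixed"

_SHOW_VERSION = re.compile(r"Adaptive Security Appliance Software Version (\S+)")

def assess_show_version(output: str) -> str:
    """Pull the running version out of 'show version' output and classify it."""
    m = _SHOW_VERSION.search(output)
    return assess(m.group(1)) if m else "version line not found"

# Constructed sample of the first line of 'show version' on an unpatched 9.8 box.
SAMPLE_SHOW_VERSION = """Cisco Adaptive Security Appliance Software Version 9.8(4)10
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)
"""

if __name__ == "__main__":
    for v in ("9.8(4)10", "9.8.4.15", "9.12(3)1", "9.12(3)2", "9.10(1.220)", "9.14(1)10"):
        print(f"{v:14} {assess(v)}")
    print("running:", assess_show_version(SAMPLE_SHOW_VERSION))
```

Feed it the output of `show version` from each appliance, or the version strings from an inventory export; anything it reports as "not covered" or "unrecognised" needs to be checked against the vendor advisory by hand rather than assumed safe.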

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2020-3125?
A vulnerability in the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access. The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received. An attacker could exploit this vulnerability by spoofing the KDC server response to the ASA device. This malicious response would not have been authenticated by the KDC. A successful attack could allow an attacker to bypass Kerberos authentication.
How severe is CVE-2020-3125?
CVE-2020-3125 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 2.36% probability of exploitation in the next 30 days.
How do I fix CVE-2020-3125?
Upgrade to the first fixed release of your train as given in the Affected Software table: 9.8.4.15, 9.9.2.66, 9.10.1.37, 9.12.3.2 or 9.13.1.7 (in `show version` notation 9.8(4)15, 9.9(2)66, 9.10(1)37, 9.12(3)2 and 9.13(1)7). Because the root cause is that the ASA accepts a successful-looking Kerberos reply without verifying that it came from the real KDC, the relevant fix is KDC validation, which needs a keytab for the appliance's own service principal so that a service ticket from the KDC can be checked; after upgrading, confirm against Cisco's advisory that KDC validation is enabled in your configuration, since a build that is not configured to validate the KDC still accepts an unverified reply. Confirm the running version with `show version` on each appliance.

Source: NVD / NIST