Vulnerability Details : CVE-2020-3125
A vulnerability in the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access. The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received. An attacker could exploit this vulnerability by spoofing the KDC server response to the ASA device. This malicious response would not have been authenticated by the KDC. A successful attack could allow an attacker to bypass Kerberos authentication.
Vulnerability category: BypassGain privilege
Exploit prediction scoring system (EPSS) score for CVE-2020-3125
Probability of exploitation activity in the next 30 days: 1.37%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 85 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-3125
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
|
8.1
|
HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
Cisco Systems, Inc. |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-3125
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by:
- nvd@nist.gov (Primary)
- ykramarz@cisco.com (Secondary)
References for CVE-2020-3125
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS
Cisco Adaptive Security Appliance Software Kerberos Authentication Bypass VulnerabilityVendor Advisory
Products affected by CVE-2020-3125
- Cisco » Adaptive Security Appliance SoftwareVersions from including (>=) 9.8 and before (<) 9.8.4.15cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
- Cisco » Adaptive Security Appliance SoftwareVersions from including (>=) 9.10 and before (<) 9.10.1.37cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
- Cisco » Adaptive Security Appliance SoftwareVersions from including (>=) 9.13 and before (<) 9.13.1.7cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
- Cisco » Adaptive Security Appliance SoftwareVersions from including (>=) 9.12 and before (<) 9.12.3.2cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
- Cisco » Adaptive Security Appliance SoftwareVersions from including (>=) 9.9 and before (<) 9.9.2.66cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5505_firmware:9.10\(1.220\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5510_firmware:9.10\(1.220\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5512-x_firmware:9.10\(1.220\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5515-x_firmware:9.10\(1.220\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5520_firmware:9.10\(1.220\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5525-x_firmware:9.10\(1.220\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5540_firmware:9.10\(1.220\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5545-x_firmware:9.10\(1.220\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5550_firmware:9.10\(1.220\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5555-x_firmware:9.10\(1.220\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5580_firmware:9.10\(1.220\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:asa_5585-x_firmware:9.10\(1.220\):*:*:*:*:*:*:*