-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3634
          Cisco Firepower Threat Defense Software Vulnerabilities
                              22 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Firepower Threat Defense Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise                 -- Existing Account      
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3577 CVE-2020-3565 CVE-2020-3563
                   CVE-2020-3533 CVE-2020-3514 CVE-2020-3352
                   CVE-2020-3317  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-hidcmd-pFDeWVBd
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-inline-dos-nXqUyEqM
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-container-esc-FmYqFBQV
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snmp-dos-R8ENPbOs
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-mf3822Z
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tcp-dos-GDcZDqAf
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tcp-intercept-bypass-xG9M3PbY

Comment: This bulletin contains seven (7) Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Firepower Threat Defense Software Hidden Commands Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-ftd-hidcmd-pFDeWVBd

First Published: 2020 October 21 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq43920

CVE-2020-3352    

CWE-912

CVSS Score:
5.3  AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X

Summary

  o A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Software
    could allow an authenticated, local attacker to access hidden commands.

    The vulnerability is due to the presence of undocumented configuration
    commands. An attacker could exploit this vulnerability by performing
    specific steps that make the hidden commands accessible. A successful
    exploit could allow the attacker to make configuration changes to various
    sections of an affected device that should not be exposed to CLI access.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-hidcmd-pFDeWVBd

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco products if
    they were running a vulnerable release of Cisco FTD Software.

    For information about which Cisco software releases were vulnerable at the
    time of publication, see the Fixed Software section of this advisory. See
    the Details section in the bug ID(s) at the top of this advisory for the
    most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD Software Release     First Fixed Release for This Vulnerability
    Earlier than release 6.2.2 ^1  Migrate to a fixed release.
    6.2.2                          Migrate to a fixed release.
    6.2.3                          Migrate to a fixed release.
    6.3.0                          6.3.0.6 (future release)
    6.4.0                          6.4.0.10
    6.5.0                          6.5.0.5 (future release)
    6.6.0                          6.6.1

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier, as well as
    releases 6.2.0 and 6.2.1, have reached end of software maintenance.
    Customers are advised to migrate to a supported release that includes the
    fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, do one of the
    following:

      * For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      * For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-hidcmd-pFDeWVBd

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-21  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software Inline Pair/Passive Mode Denial of
Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-ftd-inline-dos-nXqUyEqM

First Published: 2020 October 21 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvt02409

CVE-2020-3577    

CWE-20

CVSS Score:
7.4  AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the ingress packet processing path of Cisco Firepower
    Threat Defense (FTD) Software for interfaces that are configured either as
    Inline Pair or in Passive mode could allow an unauthenticated, adjacent
    attacker to cause a denial of service (DoS) condition.

    The vulnerability is due to insufficient validation when Ethernet frames
    are processed. An attacker could exploit this vulnerability by sending
    malicious Ethernet frames through an affected device. A successful exploit
    could allow the attacker to do either of the following:

      * Fill the /ngfw partition on the device: A full /ngfw partition could
        result in administrators being unable to log in to the device
        (including logging in through the console port) or the device being
        unable to boot up correctly. Note: Manual intervention is required to
        recover from this situation. Customers are advised to contact the Cisco
        Technical Assistance Center (TAC) to help recover a device in this
        condition.
      * Cause a process crash: The process crash would cause the device to
        reload. No manual intervention is necessary to recover the device after
        the reload.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-inline-dos-nXqUyEqM

    This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 17 Cisco Security
    Advisories that describe 17 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: October 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a vulnerable
    release of Cisco FTD Software with an interface that is configured in at
    least one of the following modes:

      * Inline Pair
      * Inline Pair with Tap
      * Passive
      * Passive (ERSPAN)

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine Whether Inline Pairs are Configured

    The checks in this section cover both Inline Pairs and Inline Pairs with
    Tap.

    Option 1: Use the CLI

    Use the show inline-set CLI command. If that command returns at least one
    Interface-Pair, the device is vulnerable. If the output is empty or the
    command does not exist, the device is not vulnerable. The following example
    shows the output of a device with an Inline Pair that has interfaces
    Ethernet1/6 and Ethernet1/8 configured:

        > show inline-set

        Inline-set Inline-Pair-1
          Mtu is 1500 bytes
          Failsafe mode is on/activated
          Failsecure mode is off
          Tap mode is off
          Propagate-link-state option is on
          hardware-bypass mode is disabled
          Interface-Pair[1]:
            Interface: Ethernet1/6 "INSIDE"
              Current-Status: UP
            Interface: Ethernet1/8 "OUTSIDE"
              Current-Status: UP
            Bridge Group ID: 509
        >

    Option 2: Use the Cisco Firepower Management Center (FMC) GUI

    Choose Devices > Device Management > [Edit Device] > Inline Sets and verify
    whether any Interface Pairs are configured.

    Note: Inline Sets cannot be configured using Cisco Firepower Device Manager
    (FDM).

    Determine Whether Passive Interfaces are Configured

    The checks in this section cover both Passive and Passive (ERSPAN)
    interfaces.

    Option 1: Use the CLI

    Access the Lina CLI by using the system support diagnostic-cli command.
    Then, use the show running-config interface | include mode passive command.
    If that command returns output, at least one passive interface is
    configured and the device is vulnerable. If that command returns empty
    output, the device is not vulnerable. The following example shows the
    output of the show running-config interface | include mode passive command
    on a device that has one passive interface configured:

        ftd# show running-config interface | include mode passive
         mode passive

    Option 2: Use the Cisco FMC GUI or FDM GUI

    In the Cisco FMC GUI, choose Devices > Device Management > [Edit Device] >
    Interfaces > [Edit Physical Interface] and verify whether any interfaces
    are set to Passive mode.

    In the Cisco FDM GUI, choose Device > Interfaces > [Edit Physical
    Interface] and verify whether any interfaces are set to Passive mode. If
    the Mode drop-down menu does not exist, passive interfaces cannot be
    configured on the platform and the device is not vulnerable.
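
    The two CLI checks above, applied to saved command output. This is an
    added example, not code from Cisco or AusCERT; the function names are
    hypothetical and the sample input is the output quoted in this advisory.
    It assumes an enabled tap is reported as "Tap mode is on".

```python
import re

# Constructed input: the two CLI captures quoted in the advisory text.
SAMPLE_INLINE_SET = '''\
> show inline-set

Inline-set Inline-Pair-1
  Mtu is 1500 bytes
  Failsafe mode is on/activated
  Failsecure mode is off
  Tap mode is off
  Propagate-link-state option is on
  hardware-bypass mode is disabled
  Interface-Pair[1]:
    Interface: Ethernet1/6 "INSIDE"
      Current-Status: UP
    Interface: Ethernet1/8 "OUTSIDE"
      Current-Status: UP
    Bridge Group ID: 509
>
'''

SAMPLE_PASSIVE = '''\
ftd# show running-config interface | include mode passive
 mode passive
'''


def parse_inline_sets(text):
    """Parse `show inline-set` output into one dict per Inline-set block."""
    sets, current, pair = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Inline-set\s+(\S+)$", line)
        if m:
            current = {"name": m.group(1), "tap": False, "pairs": []}
            sets.append(current)
            pair = None
            continue
        if current is None:
            continue  # prompt, echoed command or error text before any set
        m = re.match(r"Tap mode is (\S+)", line)
        if m:
            # Assumption: an enabled tap reads "Tap mode is on", mirroring the
            # "Tap mode is off" line in the advisory's sample.
            current["tap"] = m.group(1).lower().startswith("on")
            continue
        if re.match(r"Interface-Pair\[\d+\]:", line):
            pair = []
            current["pairs"].append(pair)
            continue
        m = re.match(r"Interface:\s+(\S+)", line)
        if m and pair is not None:
            pair.append(m.group(1))
    return sets


def count_passive(text):
    """Count `mode passive` config lines, ignoring the echoed command line."""
    return sum(1 for line in text.splitlines() if line.strip() == "mode passive")


def assess_cve_2020_3577(inline_text, passive_text):
    """Apply the advisory's two CLI checks to captured output.

    This covers the interface configuration only; the running release still
    has to be compared against the Fixed Releases table.
    """
    modes, pairs = set(), []
    for inline_set in parse_inline_sets(inline_text):
        for members in inline_set["pairs"]:
            modes.add("Inline Pair with Tap" if inline_set["tap"] else "Inline Pair")
            pairs.append((inline_set["name"], members))
    passive = count_passive(passive_text)
    if passive:
        modes.add("Passive")  # the check covers Passive and Passive (ERSPAN)
    return {
        "config_exposed": bool(modes),
        "modes": sorted(modes),
        "pairs": pairs,
        "passive_interfaces": passive,
    }


if __name__ == "__main__":
    print(assess_cve_2020_3577(SAMPLE_INLINE_SET, SAMPLE_PASSIVE))
```

    Output that contains no Interface-Pair entry and no "mode passive" line,
    including an empty capture, is reported as not exposed, matching the
    advisory's rule.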

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

      * Adaptive Security Appliance (ASA) Software
      * Firepower Management Center (FMC) Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco FTD Software

    Cisco FTD Software      First Fixed Release for        First Fixed Release for All Vulnerabilities
    Release                 This Vulnerability             Described in the Bundle of Advisories
    Earlier than 6.2.2 ^1   Migrate to a fixed release.    Migrate to a fixed release.
    6.2.2                   Migrate to a fixed release.    Migrate to a fixed release.
    6.2.3                   Migrate to a fixed release.    Migrate to a fixed release.
    6.3.0                   6.3.0.6 (future release)       Migrate to a fixed release.
    6.4.0                   6.4.0.10                       Migrate to a fixed release.
    6.5.0                   6.5.0.5 (future release)       Migrate to a fixed release.
    6.6.0                   6.6.1                          6.6.1

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier, as well as
    releases 6.2.0 and 6.2.1, have reached end of software maintenance.
    Customers are advised to migrate to a supported release that includes the
    fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, do one of the
    following:

      * For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      * For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-inline-dos-nXqUyEqM

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-21  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software Multi-Instance Container Escape
Vulnerability

Priority:        High

Advisory ID:     cisco-sa-ftd-container-esc-FmYqFBQV

First Published: 2020 October 21 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvu08422

CVE-2020-3514    

CWE-216

Summary

  o A vulnerability in the multi-instance feature of Cisco Firepower Threat
    Defense (FTD) Software could allow an authenticated, local attacker to
    escape the container for their Cisco FTD instance and execute commands with
    root privileges in the host namespace. The attacker must have valid
    credentials on the device.

    The vulnerability exists because a configuration file that is used at
    container startup has insufficient protections. An attacker could exploit
    this vulnerability by modifying a specific container configuration file on
    the underlying file system. A successful exploit could allow the attacker
    to execute commands with root privileges within the host namespace. This
    could allow the attacker to impact other running Cisco FTD instances or the
    host Cisco FXOS device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-container-esc-FmYqFBQV

    This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 17 Cisco Security
    Advisories that describe 17 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: October 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco FTD Software that is configured for
    multi-instance operation:

      * Firepower 4100 Series Security Appliances
      * Firepower 9300 Series Security Appliances

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine the Device Configuration

    To determine whether a device is providing multi-instance services,
    administrators can log in to the Cisco FXOS CLI and use the show
    app-instance command within the ssa scope. If the Deploy Type field has a
    value of Container, application instances are present and the device is
    vulnerable. The following example shows the command output for a vulnerable
    device:

        firepower# scope ssa
        firepower /ssa # show app-instance
       
        App   Identifier Slot   Admin   Oper   Running  Startup  Deploy    Turbo Profile Cluster    Cluster
        Name             ID     State   State  Version  Version  Type      Mode  Name    State      Role
        ----- -------    ------ ------  -----  -------  -------  ------    ----- -----   -------    -------
        ftd   ftd1       1      Enabled Online 6.2.3.14 6.2.3.14 Native    No            Not        None
                                                                                         Applicable
        ftd   ftd2-1     2      Enabled Online 6.4.0.4  6.4.0.4  Container No    mid     Not        None
                                                                                         Applicable
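
    The Deploy Type check above, combined with the "First Fixed Release for
    This Vulnerability" column from the Fixed Software section of this
    advisory. This is an added example, not code from Cisco or AusCERT; the
    function names are hypothetical, the sample input is the output quoted
    above, and matching table rows on major.minor is an assumption.

```python
import re

# Constructed input: the `show app-instance` capture quoted in the advisory.
SAMPLE_APP_INSTANCE = """\
firepower# scope ssa
firepower /ssa # show app-instance

App   Identifier Slot   Admin   Oper   Running  Startup  Deploy    Turbo Profile Cluster    Cluster
Name             ID     State   State  Version  Version  Type      Mode  Name    State      Role
----- -------    ------ ------  -----  -------  -------  ------    ----- -----   -------    -------
ftd   ftd1       1      Enabled Online 6.2.3.14 6.2.3.14 Native    No            Not        None
                                                                                 Applicable
ftd   ftd2-1     2      Enabled Online 6.4.0.4  6.4.0.4  Container No    mid     Not        None
                                                                                 Applicable
"""

# "First Fixed Release for This Vulnerability" column of this advisory's table.
# Assumption of this example: rows are matched on major.minor.
# 6.3.0.6 and 6.5.0.5 are marked "future release" in the advisory.
FIRST_FIXED = {
    (6, 3): "6.3.0.6",
    (6, 4): "6.4.0.10",
    (6, 5): "6.5.0.5",
    (6, 6): "6.6.1",
}


def parse_version(text):
    """Turn '6.4.0.4' into (6, 4, 0, 4); a trailing build suffix is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError("not a version string: %r" % text)
    return tuple(int(part) for part in m.group(0).split("."))


def parse_app_instances(text):
    """Return one dict per instance row of `show app-instance`.

    Only the first eight columns are read: they are populated on every row,
    whereas Profile Name can be blank and Cluster State wraps onto a
    continuation line, which makes the later columns ambiguous to split.
    """
    rows, in_table = [], False
    for line in text.splitlines():
        if re.fullmatch(r"\s*-+(\s+-+)+\s*", line):
            in_table = True  # the dashed rule closes the two-line header
            continue
        fields = line.split()
        # Data rows carry a numeric Slot ID; wrapped cells such as
        # "Applicable" are continuation lines and are skipped.
        if not in_table or len(fields) < 8 or not fields[2].isdigit():
            continue
        rows.append({
            "app": fields[0],
            "identifier": fields[1],
            "slot": int(fields[2]),
            "running_version": fields[5],
            "deploy_type": fields[7],
        })
    return rows


def assess_cve_2020_3514(instance):
    """Classify one parsed row as (status, first_fixed_release_or_None)."""
    if instance["deploy_type"].lower() != "container":
        return ("not-container", None)
    running = parse_version(instance["running_version"])
    if running[:2] < (6, 3):
        return ("multi-instance-not-supported", None)
    fixed = FIRST_FIXED.get(running[:2])
    if fixed is None:
        return ("release-not-listed", None)  # outside the advisory's table
    if running >= parse_version(fixed):
        return ("fixed", fixed)
    return ("vulnerable", fixed)


def triage(text):
    """Map each instance identifier to its assessment."""
    return {row["identifier"]: assess_cve_2020_3514(row)
            for row in parse_app_instances(text)}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_APP_INSTANCE).items():
        print(name, verdict)
```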

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco FTD Software

    Cisco FTD Software      First Fixed Release for        First Fixed Release for All Vulnerabilities
    Release                 This Vulnerability             Described in the Bundle of Advisories
    Earlier than 6.2.2 ^1   Multi-instance not supported.  Migrate to a fixed release.
    6.2.2                   Multi-instance not supported.  Migrate to a fixed release.
    6.2.3                   Multi-instance not supported.  Migrate to a fixed release.
    6.3.0                   6.3.0.6 (future release)       Migrate to a fixed release.
    6.4.0                   6.4.0.10                       Migrate to a fixed release.
    6.5.0                   6.5.0.5 (future release)       Migrate to a fixed release.
    6.6.0                   6.6.1                          6.6.1

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier, as well as
    releases 6.2.0 and 6.2.1, have reached end of software maintenance.
    Customers are advised to migrate to a supported release that includes the
    fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, do one of the
    following:

      * For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      * For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-container-esc-FmYqFBQV

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-21  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software SNMP Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-ftd-snmp-dos-R8ENPbOs

First Published: 2020 October 21 16:00 GMT

Version 1.0:     Final

Workarounds:     Yes

Cisco Bug IDs:   CSCvu80370

CVE-2020-3533    

CWE-400

Summary

  o A vulnerability in the Simple Network Management Protocol (SNMP) input
    packet processor of Cisco Firepower Threat Defense (FTD) Software could
    allow an unauthenticated, remote attacker to cause an affected device to
    restart unexpectedly.

    The vulnerability is due to a lack of sufficient memory management
    protections under heavy SNMP polling loads. An attacker could exploit this
    vulnerability by sending a high rate of SNMP requests to the SNMP daemon
    through the management interface on an affected device. A successful
    exploit could allow the attacker to cause the SNMP daemon process to
    consume a large amount of system memory over time, which could then lead to
    an unexpected device restart, causing a denial of service (DoS) condition.

    This vulnerability affects all versions of SNMP.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snmp-dos-R8ENPbOs

    This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 17 Cisco Security
    Advisories that describe 17 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: October 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a vulnerable
    release of Cisco FTD Software and SNMP is configured on the device
    management interface.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine Whether SNMP is Configured

    Option 1: Use the CLI

    On devices that are running Cisco FTD Software, use the show running-config
    snmp CLI command. It is available from Diagnostic CLI mode only. To enter
    Diagnostic CLI mode, use the system support diagnostic-cli command in the
    regular Cisco FTD CLI. If the snmp-server host management address is
    configured, the device is considered vulnerable, as shown in the following
    example:

        ftd# show running-config snmp
        snmp-server enable
        snmp-server host management 192.168.1.5

    Option 2: Use the Firepower Management Center GUI

    On devices that are running Cisco Firepower Management Center (FMC)
    Software, choose Devices > Platform Settings > Enable SNMP Servers. If the
    interface of an SNMP server in the hosts tab is configured for the Cisco
    FTD management interface, then the device is considered vulnerable.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Workarounds

  o There is a workaround that addresses this vulnerability.

    Administrators can disable SNMP polling to the management interface of the
    Cisco FTD device.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco FTD Software

    Cisco FTD Software     First Fixed Release for   First Fixed Release for All Vulnerabilities
    Release                This Vulnerability        Described in the Bundle of Advisories
    Earlier than 6.2.2 ^1  Not vulnerable.           Migrate to a fixed release.
    6.2.2                  Not vulnerable.           Migrate to a fixed release.
    6.2.3                  Not vulnerable.           Migrate to a fixed release.
    6.3.0                  Not vulnerable.           Migrate to a fixed release.
    6.4.0                  Not vulnerable.           Migrate to a fixed release.
    6.5.0                  Not vulnerable.           Migrate to a fixed release.
    6.6.0                  6.6.1                     6.6.1

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier, as well as
    releases 6.2.0 and 6.2.1, have reached end of software maintenance.
    Customers are advised to migrate to a supported release that includes the
    fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, do one of the
    following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Santosh Krishnamurthy of Cisco during
    internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snmp-dos-R8ENPbOs

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-21  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software SSL Input Validation Denial of Service
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-ftd-ssl-mf3822Z

First Published: 2020 October 21 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvs28290

CVE-2020-3317    

CWE-20

CVSS Score:
5.8  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the ssl_inspection component of Cisco Firepower Threat
    Defense (FTD) Software could allow an unauthenticated, remote attacker to
    crash Snort instances.

    The vulnerability is due to insufficient input validation in the
    ssl_inspection component. An attacker could exploit this vulnerability by
    sending a malformed TLS packet through a Cisco Adaptive Security Appliance
    (ASA). A successful exploit could allow the attacker to crash a Snort
    instance, resulting in a denial of service (DoS) condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-mf3822Z

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco products if
    they were running a vulnerable release of Cisco FTD Software.

    For information about which Cisco software releases were vulnerable at the
    time of publication, see the Fixed Software section of this advisory. See
    the Details section in the bug ID(s) at the top of this advisory for the
    most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD Software Release First Fixed Release for This Vulnerability
    Earlier than 6.2.2 ^1      Not vulnerable.
    6.2.2                      Not vulnerable.
    6.2.3                      Not vulnerable.
    6.3.0                      Not vulnerable.
    6.4.0                      6.4.0.10
    6.5.0                      6.5.0.5 (future release)
    6.6.0                      Not vulnerable.
    6.6.1                      Not vulnerable.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier, as well as
    releases 6.2.0 and 6.2.1, have reached end of software maintenance.
    Customers are advised to migrate to a supported release that includes the
    fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, do one of the
    following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Santosh Krishnamurthy of Cisco during
    internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-mf3822Z

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-21  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software TCP Flood Denial of Service
Vulnerability

Priority:        High

Advisory ID:     cisco-sa-ftd-tcp-dos-GDcZDqAf

First Published: 2020 October 21 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvs56888

CVE-2020-3563    

CWE-400

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the packet processing functionality of Cisco Firepower
    Threat Defense (FTD) Software could allow an unauthenticated, remote
    attacker to cause a denial of service (DoS) condition on an affected
    device.

    The vulnerability is due to inefficient memory management. An attacker
    could exploit this vulnerability by sending a large number of TCP packets
    to a specific port on an affected device. A successful exploit could allow
    the attacker to exhaust system memory, which could cause the device to
    reload unexpectedly. No manual intervention is needed to recover the device
    after it has reloaded.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tcp-dos-GDcZDqAf

    This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 17 Cisco Security
    Advisories that describe 17 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: October 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a vulnerable
    release of Cisco FTD Software.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco FTD Software

    Cisco FTD Software     First Fixed Release for   First Fixed Release for All Vulnerabilities
    Release                This Vulnerability        Described in the Bundle of Advisories
    Earlier than 6.2.2 ^1  Not vulnerable.           Migrate to a fixed release.
    6.2.2                  Not vulnerable.           Migrate to a fixed release.
    6.2.3                  Not vulnerable.           Migrate to a fixed release.
    6.3.0                  6.3.0.6 (future release)  Migrate to a fixed release.
    6.4.0                  6.4.0.10                  Migrate to a fixed release.
    6.5.0                  6.5.0.5 (future release)  Migrate to a fixed release.
    6.6.0                  Not vulnerable.           6.6.1

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier, as well as
    releases 6.2.0 and 6.2.1, have reached end of software maintenance.
    Customers are advised to migrate to a supported release that includes the
    fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, do one of the
    following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Sanmith Prakash of Cisco during internal
    security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tcp-dos-GDcZDqAf

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-21  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software TCP Intercept Bypass Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-tcp-intercept-bypass-xG9M3PbY

First Published: 2020 October 21 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvr53058

CVE-2020-3565    

CWE-284

Summary

  o A vulnerability in the TCP Intercept functionality of Cisco Firepower
    Threat Defense (FTD) Software could allow an unauthenticated, remote
    attacker to bypass configured Access Control Policies (including
    Geolocation) and Service Policies on an affected system.

    The vulnerability exists because TCP Intercept is invoked when the
    embryonic connection limit is reached, which can cause the underlying
    detection engine to process the packet incorrectly. An attacker could
    exploit this vulnerability by sending a crafted stream of traffic that
    matches a policy on which TCP Intercept is configured. A successful exploit
    could allow the attacker to match on an incorrect policy, which could allow
    the traffic to be forwarded when it should be dropped. In addition, the
    traffic could incorrectly be dropped.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tcp-intercept-bypass-xG9M3PbY

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FTD Software
    releases earlier than 6.4.0.8, 6.5.0.4, and 6.6.0 if TCP Intercept is
    configured.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Determine Whether TCP Intercept is Configured

    In the Cisco Firepower Management Center (FMC) GUI, choose Access Control >
    Access Control > Threat Defense Policy (for the rule) and check if there is
    a value configured for Connections > Maximum Embryonic and Connections Per
    Client > Maximum Embryonic.

    For additional information, see Threat Defense Service Policies.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Details

  o By default, there are no limits on how many connections can go to or
    through a Cisco FTD device. To protect servers from denial of service (DoS)
    attacks, administrators can use policy rules to set limits on particular
    traffic classes. Specifically, setting limits on embryonic connections
    (those that have not finished the TCP handshake) will protect against SYN
    flooding attacks. When embryonic connection limits are exceeded, the TCP
    Intercept component gets involved to proxy connections and ensure that
    attacks are throttled.

    For additional information, see Protect Servers from a SYN Flood DoS Attack
    (TCP Intercept).

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco FTD Software releases 6.4.0.8 and later,
    6.5.0.4 and later, and 6.6.0 and later contained the fix for this
    vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    To upgrade to a fixed release of Cisco FTD Software, do one of the
    following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.
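
    Added example (not part of the Cisco advisories or the AusCERT bulletin): a
    Python triage helper that encodes the Fixed Releases information of the
    SNMP, SSL, TCP flood and TCP Intercept advisories above and compares a
    device's release numerically, field by field. The function names, the
    tolerated "-build" suffix and the handling of trains older than 6.4.0 for
    the TCP Intercept advisory are assumptions, marked in the comments.

```python
# Fixed-release data transcribed from the four advisories above. Keys of
# "fixed" are release trains; values are the first fixed release for a train.
# "needs" names the configuration precondition the advisory states, if any.
ADVISORIES = {
    "cisco-sa-ftd-snmp-dos-R8ENPbOs": {
        "fixed": {"6.6.0": "6.6.1"},
        "needs": "snmp_on_management",
    },
    "cisco-sa-ftd-ssl-mf3822Z": {
        "fixed": {"6.4.0": "6.4.0.10", "6.5.0": "6.5.0.5"},
        "needs": None,
    },
    "cisco-sa-ftd-tcp-dos-GDcZDqAf": {
        "fixed": {"6.3.0": "6.3.0.6", "6.4.0": "6.4.0.10", "6.5.0": "6.5.0.5"},
        "needs": None,
    },
    # This advisory has no table, only "releases earlier than 6.4.0.8, 6.5.0.4,
    # and 6.6.0". Assumption: trains older than 6.4.0 count as affected and,
    # having no in-train fix listed, are reported with first_fixed = None.
    "cisco-sa-tcp-intercept-bypass-xG9M3PbY": {
        "fixed": {"6.4.0": "6.4.0.8", "6.5.0": "6.5.0.4"},
        "needs": "tcp_intercept",
        "older_trains_affected": True,
    },
}

# Releases the tables mark "(future release)" at the time of publication.
PENDING = {"6.3.0.6", "6.5.0.5"}


def parse_release(text):
    """'6.4.0.10' -> (6, 4, 0, 10). Three-field releases are padded with 0.

    Assumption: a trailing '-<build>' suffix may be present and is ignored.
    """
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected release format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(release, snmp_on_management=False, tcp_intercept=False):
    """Return {advisory_id: (first_fixed_or_None, pending_at_publication)}."""
    rel = parse_release(release)
    train = ".".join(str(n) for n in rel[:3])
    features = {
        "snmp_on_management": snmp_on_management,
        "tcp_intercept": tcp_intercept,
    }
    findings = {}
    for advisory, info in ADVISORIES.items():
        if info["needs"] and not features[info["needs"]]:
            continue  # stated precondition is not configured on this device
        first_fixed = info["fixed"].get(train)
        if first_fixed is not None:
            # Tuple comparison is numeric per field, so 6.4.0.9 < 6.4.0.10.
            if rel < parse_release(first_fixed):
                findings[advisory] = (first_fixed, first_fixed in PENDING)
        elif info.get("older_trains_affected"):
            oldest_fix = min(parse_release(v) for v in info["fixed"].values())
            if rel < oldest_fix:
                findings[advisory] = (None, False)  # migrate to a fixed train
    return findings


if __name__ == "__main__":
    # Constructed inventory: (release, SNMP on management, TCP Intercept).
    for args in [("6.4.0.9", False, True), ("6.6.0.1", True, False),
                 ("6.3.0.5", False, True), ("6.6.1", True, True)]:
        print(args, "->", triage(*args))
```

    Comparing the release strings directly would rank "6.4.0.9" above
    "6.4.0.10" and report a device on 6.4.0.9 as already fixed.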

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tcp-intercept-bypass-xG9M3PbY

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-21  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----