ESB-2018.2980 - [Cisco] Cisco Firepower products: Multiple vulnerabilities 2018-10-04


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2980
 Multiple vulnerabilities have been identified in Cisco Firepower products
                              4 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Firepower products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise   -- Existing Account      
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15390 CVE-2018-0455 CVE-2018-0453

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-fp-cmd-injection
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-fp-smb-snort
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-ftd-inspect-dos

Comment: This bulletin contains three (3) Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco Firepower Management Center and Firepower System Software Sourcefire
Tunnel Control Channel Command Execution Vulnerability

Priority:           Medium
Advisory ID:        cisco-sa-20181003-fp-cmd-injection
First Published:    2018 October 3 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvg46466
CVE:                CVE-2018-0453
CWE:                CWE-264
CVSS Score:         Base 8.2
CVSS Vector:        CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Sourcefire tunnel control channel protocol in Cisco
    Firepower System Software running on Cisco Firepower Threat Defense (FTD)
    sensors could allow an authenticated, local attacker to execute specific
    CLI commands with root privileges on the Cisco Firepower Management Center
    (FMC), or through Cisco FMC on other Firepower sensors and devices that are
    controlled by the same Cisco FMC. To send the commands, the attacker must
    have root privileges for at least one affected sensor or the Cisco FMC.

    The vulnerability exists because the affected software performs
    insufficient checks for certain CLI commands, if the commands are executed
    via a Sourcefire tunnel connection. An attacker could exploit this
    vulnerability by authenticating with root privileges to a Firepower sensor
    or Cisco FMC, and then sending specific CLI commands to the Cisco FMC or
    through the Cisco FMC to another Firepower sensor via the Sourcefire tunnel
    connection. A successful exploit could allow the attacker to modify device
    configurations or delete files on the device that is running Cisco FMC
    Software or on any Firepower device that is managed by Cisco FMC.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-fp-cmd-injection

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products, if they are
    running a vulnerable release of Cisco Firepower System Software:
      - Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services
      - Adaptive Security Appliance (ASA) 5500-X Series Next-Generation
        Firewalls
      - FirePOWER 7000 Series Appliances
      - FirePOWER 8000 Series Appliances
      - Firepower 2100 Series Security Appliances
      - Firepower 4100 Series Security Appliances
      - Firepower 9300 Series Security Appliances
      - Firepower Management Center
      - Firepower Threat Defense
      - Firepower Threat Defense Virtual (FTDv)
      - Virtual Next-Generation Intrusion Prevention System (NGIPSv)

    For information about which Cisco Firepower System Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determine the Firepower System Software Release

    To determine which Cisco Firepower System Software release is running on a
    device, administrators can log in to the device, use the show version
    command in the CLI, and refer to the output of the command. The following
    example shows the output of the command for a device that is running Cisco
    Firepower System Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ---------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:
      - 3000 Series Industrial Security Appliances (ISAs)
      - Adaptive Security Appliance (ASA) Software
      - Intrusion Prevention System (IPS) Software

Details

  o Cisco FMC is the management device on the network for Cisco Firepower
    sensors. Firepower sensors run Cisco Firepower Threat Defense (FTD)
    Software. For more information about Firepower software and platforms,
    refer to the Cisco Firepower Compatibility Guide.

    The Sourcefire tunnel control channel protocol is used by Cisco FMC to
    manage and control Firepower sensors; a Sourcefire tunnel connection is a
    connection that uses this protocol for communication between Cisco FMC and
    Firepower sensors. The trust relationship is intended to be one-way: Cisco
    FMC controls the sensors, and a sensor should have to authenticate before it
    can issue commands to Cisco FMC or to other devices that Cisco FMC manages.
    The vulnerability described in this advisory is caused by a lack of such
    authentication, so an attacker with root on any one managed sensor can run
    the affected CLI commands as root on the Cisco FMC and, through it, on every
    other sensor that the same Cisco FMC manages.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For information about affected and fixed software releases, consult the
    Cisco bug ID(s) at the top of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-fp-cmd-injection

Revision History

    +----------+---------------------------+----------+--------+------------------+
    | Version  |        Description        | Section  | Status |       Date       |
    +----------+---------------------------+----------+--------+------------------+
    | 1.0      | Initial public release.   | --       | Final  | 2018-October-03  |
    +----------+---------------------------+----------+--------+------------------+

Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

- --------------------------------------------------------------------------------

Cisco Security Advisory

Cisco Firepower System Software Detection Engine Denial of Service
Vulnerability

Priority:           High
Advisory ID:        cisco-sa-20181003-fp-smb-snort
First Published:    2018 October 3 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvg28189
CVE:                CVE-2018-0455
CWE:                CWE-19
CVSS Score:         Base 8.6
CVSS Vector:        CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Server Message Block Version 2 (SMBv2) and Version 3
    (SMBv3) protocol implementation for the Cisco Firepower System Software
    could allow an unauthenticated, remote attacker to cause the device to run
    low on system memory, possibly preventing the device from forwarding
    traffic. It is also possible that a manual reload of the device may be
    required to clear the condition.

    The vulnerability is due to incorrect SMB header validation. An attacker
    could exploit this vulnerability by sending a custom SMB file transfer
    through the targeted device. A successful exploit could cause the device to
    consume an excessive amount of system memory and prevent the SNORT process
    from forwarding network traffic. This vulnerability can be exploited using
    either IPv4 or IPv6 in combination with SMBv2 or SMBv3 network traffic.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-fp-smb-snort

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco Firepower System Software running on any
    of the following Cisco products:

      - Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services
      - Adaptive Security Appliance (ASA) 5500-X Series Next-Generation
        Firewalls
      - Advanced Malware Protection (AMP) for Networks, 7000 Series Appliances
      - Advanced Malware Protection (AMP) for Networks, 8000 Series Appliances
      - Firepower 2100 Series Security Appliances
      - Firepower 4100 Series Security Appliances
      - FirePOWER 7000 Series Appliances
      - FirePOWER 8000 Series Appliances
      - Firepower 9300 Series Security Appliances
      - FirePOWER Threat Defense for Integrated Services Routers (ISRs)
      - Firepower Threat Defense Virtual
      - Industrial Ethernet 3000 Series Switches
      - Next-Generation Intrusion Prevention System (NGIPS)
      - Virtual Next-Generation Intrusion Prevention System (NGIPSv)

    For information about which Cisco Firepower System Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determine the Cisco Firepower System Software Release

    To determine which Cisco Firepower System Software release is running on a
    device, administrators can log in to the device, use the show version
    command in the CLI, and refer to the output of the command. The following
    example shows the output of the command for a device that is running Cisco
    Firepower System Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:
      - Adaptive Security Appliance (ASA) Software
      - Firepower Management Center
      - Meraki MX Security Appliances

Indicators of Compromise

  o During an active exploitation of this vulnerability, it is possible that
    the SNORT process could be in Disk Sleep (or in D state) as observed by the
    operating system command top:

        top - 2017-03-20 13:34:36 up 16 days, 11:57, 0 users, load average: 1.40, 0.76
        Tasks: 100 total, 1 running, 99 sleeping, 0 stopped, 0 zombie
        Cpu(s): 6.4%us, 3.9%sy, 0.0%ni, 54.8%id, 34.0%wa, 0.0%hi, 0.0%si, 0.9%st
        Mem: 3303936k total, 3181128k used, 122808k free, 16944k buffers
        Swap: 3310920k total, 1346860k used, 1964060k free, 207644k cached
        PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
        21732 sfsnort 1 -19 2148m 1.1g 25m D 17 33.9 309:16.55 snort
        21733 sfsnort 1 -19 2154m 1.1g 26m D 8 34.4 337:19.92 snort

    SNORT instances in the D state are hung and cannot be recovered. These
    unrecoverable instances could prevent traffic from passing through the
    device, and could indicate that the vulnerability is being exploited on the
    device. Please contact the Cisco Technical Assistance Center (TAC) if
    additional assistance is required to determine whether the device has been
    compromised by this vulnerability.
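The indicator above is easy to check mechanically. The following script is an added example, not Cisco tooling: it parses the process table of a `top` listing, returns the PIDs of Snort instances in the D state, and reads the Mem:/Swap: summary lines so that the hung processes can be correlated with memory exhaustion, which is what distinguishes this condition from ordinary heavy I/O. The sample text embedded in the block is the advisory's own `top` excerpt, included so the script runs offline; in practice you would feed it a batch-mode `top` or `ps` capture taken from the sensor (how that capture is obtained is left to the operator and is an assumption here).

```python
"""Indicator check for the Snort D-state condition described in
cisco-sa-20181003-fp-smb-snort. Added example, not Cisco tooling."""
import re

# Constructed sample: the advisory's own top excerpt, reproduced verbatim.
SAMPLE_TOP = """\
top - 2017-03-20 13:34:36 up 16 days, 11:57, 0 users, load average: 1.40, 0.76
Tasks: 100 total, 1 running, 99 sleeping, 0 stopped, 0 zombie
Cpu(s): 6.4%us, 3.9%sy, 0.0%ni, 54.8%id, 34.0%wa, 0.0%hi, 0.0%si, 0.9%st
Mem: 3303936k total, 3181128k used, 122808k free, 16944k buffers
Swap: 3310920k total, 1346860k used, 1964060k free, 207644k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
21732 sfsnort 1 -19 2148m 1.1g 25m D 17 33.9 309:16.55 snort
21733 sfsnort 1 -19 2154m 1.1g 26m D 8 34.4 337:19.92 snort
"""


def parse_top_processes(top_output):
    """Return one dict per process row found after the 'PID USER ...' header.

    Column positions follow the classic procps top layout shown in the advisory:
    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND (12 columns).
    """
    rows = []
    in_table = False
    for line in top_output.splitlines():
        fields = line.split()
        if not in_table:
            in_table = fields[:1] == ["PID"]   # header line starts the table
            continue
        if len(fields) < 12:                   # blank or truncated line
            continue
        rows.append({
            "pid": int(fields[0]),
            "user": fields[1],
            "state": fields[7],
            "mem_pct": float(fields[9]),
            "command": fields[11],
        })
    return rows


def hung_snort_processes(top_output):
    """PIDs of snort processes in D (uninterruptible disk sleep) state."""
    return [p["pid"] for p in parse_top_processes(top_output)
            if p["command"] == "snort" and p["state"] == "D"]


def memory_pressure(top_output):
    """(mem_used_pct, swap_used_pct) rounded to one decimal, or None if the
    Mem:/Swap: summary lines are missing from the capture."""
    mem = re.search(r"^Mem:\s+(\d+)k total,\s+(\d+)k used", top_output, re.M)
    swap = re.search(r"^Swap:\s+(\d+)k total,\s+(\d+)k used", top_output, re.M)
    if not (mem and swap):
        return None

    def pct(m):
        return round(100.0 * int(m.group(2)) / int(m.group(1)), 1)

    return (pct(mem), pct(swap))


def exploitation_suspected(top_output, mem_threshold=90.0):
    """Combine both signals. D state on its own also occurs under heavy
    legitimate I/O, so only hung Snort instances together with memory
    exhaustion are treated as matching the advisory's indicator."""
    hung = hung_snort_processes(top_output)
    pressure = memory_pressure(top_output)
    return bool(hung) and pressure is not None and pressure[0] >= mem_threshold


if __name__ == "__main__":
    print("hung snort PIDs:", hung_snort_processes(SAMPLE_TOP))
    print("memory used %, swap used %:", memory_pressure(SAMPLE_TOP))
    print("exploitation suspected:", exploitation_suspected(SAMPLE_TOP))
```

A positive result is a reason to open a TAC case with the capture attached, not proof of exploitation on its own; the advisory's guidance that D-state Snort instances cannot be recovered means the practical response is an upgrade and reload rather than process-level cleanup.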

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table, the left column lists releases of Cisco software.
    The right column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability.

    +-------------------------------------+---------------------------------+
    | Cisco Firepower System Software     | First Fixed Release for This    |
    | Release                             | Vulnerability                   |
    +-------------------------------------+---------------------------------+
    | 6.0                                 | 6.1.0.7                         |
    | 6.0.1                               | 6.1.0.7                         |
    | 6.1.0                               | 6.1.0.7                         |
    | 6.2.0                               | 6.2.0.5                         |
    | 6.2.1                               | 6.2.2.3                         |
    | 6.2.2                               | 6.2.2.3                         |
    | 6.2.3                               | Not vulnerable                  |
    +-------------------------------------+---------------------------------+

    To upgrade to a fixed release of Cisco Firepower System Software, customers
    can do one of the following:

      - For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade and, after
        installation is complete, reapply the access control policy. The Snort
        version that is installed depends on the FMC release.
      - For devices that are managed by using Cisco Adaptive Security Device
        Manager (ASDM) or Cisco Firepower Device Manager (FDM), use the ASDM or
        FDM interface to install the upgrade and, after installation is
        complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-fp-smb-snort

Revision History

    +----------+---------------------------+----------+--------+------------------+
    | Version  |        Description        | Section  | Status |       Date       |
    +----------+---------------------------+----------+--------+------------------+
    | 1.0      | Initial public release.   | --       | Final  | 2018-October-03  |
    +----------+---------------------------+----------+--------+------------------+

Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.


- --------------------------------------------------------------------------------

Cisco Security Advisory

Cisco Firepower Threat Defense Software FTP Inspection Denial of Service
Vulnerability

Priority:           High
Advisory ID:        cisco-sa-20181003-ftd-inspect-dos
First Published:    2018 October 3 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvh77456
CVE:                CVE-2018-15390
CWE:                CWE-399
CVSS Score:         Base 8.6
CVSS Vector:        CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the FTP inspection engine of Cisco Firepower Threat
    Defense (FTD) Software could allow an unauthenticated, remote attacker to
    cause an affected device to reload, resulting in a denial of service (DoS)
    condition.

    The vulnerability exists because the affected software fails to release
    spinlocks when a device is running low on system memory, if the software is
    configured to apply FTP inspection and an access control rule to transit
    traffic, and the access control rule is associated with an FTP file policy.
    An attacker could exploit this vulnerability by sending a high rate of
    transit traffic through an affected device to cause a low-memory condition
    on the device. A successful exploit could allow the attacker to cause a
    software panic on the affected device, which could cause the device to
    reload and result in a temporary DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-ftd-inspect-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco Firepower Threat Defense (FTD) Software
    Releases 6.2.3.x prior to Release 6.2.3.4, if FTP inspection is enabled, an
    access control rule with an associated FTP file policy is also enabled, and
    the software is running on any of the following Cisco products:

      - 3000 Series Industrial Security Appliances (ISAs)
      - ASA 5500-X Series Next-Generation Firewalls
      - Firepower 2100 Series Security Appliances
      - Firepower 4100 Series Security Appliances
      - Firepower 9300 ASA Security Module
      - Firepower Threat Defense Virtual (FTDv)

    FTP inspection is enabled by default in Cisco FTD Software. For detailed
    information about the default settings for application inspection policies,
    refer to the Cisco ASA Series Firewall CLI Configuration Guide.

    Determine the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Determine Whether FTP File Policies Are Associated with a Rule

    To determine whether FTP file policies are associated with access control
    rules that are enabled for a device, administrators can do either of the
    following:

      - For devices that are managed by using Cisco Firepower Management Center
        (FMC), open Cisco FMC, choose Policies > Access Control > Malware &
        File, and then choose an access control rule. Click the File Policy tab
        to view detailed information about any file policies that are
        associated with the rule.
      - For devices that are managed by using Cisco Firepower Device Manager
        (FDM), open Cisco FDM, choose Policies > Access Control, and then
        choose an access control rule. Click the File Policy tab to view
        detailed information about any file policies that are associated with
        the rule. Note that Cisco FDM supports use of predefined file policies
        only. Administrators cannot create file policies for access control
        rules.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software.

Workarounds

  o There are no workarounds that address this vulnerability. However,
    administrators can disable FTP inspection, which removes the vulnerable
    code path. Note that FTP inspection is also what lets the device track FTP
    control sessions and open the dynamic data-channel connections, so transit
    FTP that depends on that handling (active-mode data connections in
    particular) may stop working unless the access control policy permits
    those connections explicitly. To disable FTP inspection in Cisco FTD
    Software Releases 6.2 and later, use Cisco FMC to add the following
    FlexConfig policy:

        policy-map global_policy
         class inspection_default
          no inspect ftp

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To help ensure a complete upgrade
    solution, consider that this advisory is part of a collection that includes
    the following advisories:

      - cisco-sa-20181003-asa-dma-dos: Cisco Adaptive Security Appliance Direct
        Memory Access Denial of Service Vulnerability
      - cisco-sa-20181003-ftd-inspect-dos: Cisco Firepower Threat Defense
        Software FTP Inspection Denial of Service Vulnerability

    In the following table(s), the left column lists releases of Cisco
    software. The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by all the vulnerabilities described in this
    collection of advisories and which release includes fixes for those
    vulnerabilities.

    +------------------+------------------------+------------------------------------------+
    | Cisco FTD        | First Fixed Release    | First Fixed Release for All              |
    | Software Release | for This               | Vulnerabilities Described in the         |
    |                  | Vulnerability          | Collection of Advisories                 |
    +------------------+------------------------+------------------------------------------+
    | 6.0              | Not vulnerable         | Migrate to 6.1.0.7                       |
    | 6.0.1            | Not vulnerable         | Migrate to 6.1.0.7                       |
    | 6.1.0            | Not vulnerable         | 6.1.0.7                                  |
    | 6.2.0            | Not vulnerable         | 6.2.0.7 (future release)                 |
    | 6.2.1            | Not vulnerable         | Migrate to 6.2.2.5 (future release)      |
    | 6.2.2            | Not vulnerable         | 6.2.2.5 (future release)                 |
    | 6.2.3            | 6.2.3.4                | 6.2.3.4                                  |
    |                  | 6.2.3-85 ^1            | 6.2.3-85 ^1                              |
    |                  | 6.2.3-991 ^2           | 6.2.3-991 ^2                             |
    +------------------+------------------------+------------------------------------------+

    ^1 The software image for Cisco Firepower Threat Defense Virtual (FTDv) for
       the AWS Cloud.
    ^2 The software image for Cisco FTDv for the Microsoft Azure Cloud.
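The two fixed-release tables in this bulletin (the Firepower System Software table for CVE-2018-0455 in the second advisory, and the FTD table for CVE-2018-15390 above) are easy to misread when a device is on a point release such as 6.2.0.4. The following script is an added example, not Cisco code: it parses the `show version` output format shown in each advisory, encodes both tables as data, and reports for each CVE whether the running release is affected and which release is the first fix. The sample `show version` text is the advisories' own example. Assumptions are noted in the code: releases newer than any train in a table (for example 6.3) are treated as not affected because the advisory does not list them, the FTD check defaults FTP inspection to enabled because the advisory says it is on by default, and the cloud-specific FTDv images 6.2.3-85 and 6.2.3-991 (build-suffixed rather than four-component versions) are not modelled.

```python
"""Triage helper for CVE-2018-0455 and CVE-2018-15390. Added example, not Cisco
code. Table contents are transcribed from the advisories in this bulletin."""
import re

# Constructed sample: the advisories' own 'show version' example.
SAMPLE_SHOW_VERSION = """\
---------------------[ ftd ]---------------------
Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
Rules update version : 2017-03-15-001-vrt
VDB version : 279
----------------------------------------------------
"""

# CVE-2018-0455 (cisco-sa-20181003-fp-smb-snort): release train -> first fixed
# release. None means the advisory lists the train as "Not vulnerable".
# "Migrate to" rows map the whole train to the fixed release in a later train.
SMB_SNORT_FIRST_FIXED = {
    (6, 0): (6, 1, 0, 7),
    (6, 0, 1): (6, 1, 0, 7),
    (6, 1, 0): (6, 1, 0, 7),
    (6, 2, 0): (6, 2, 0, 5),
    (6, 2, 1): (6, 2, 2, 3),
    (6, 2, 2): (6, 2, 2, 3),
    (6, 2, 3): None,
}

# CVE-2018-15390 (cisco-sa-20181003-ftd-inspect-dos): only 6.2.3.x before
# 6.2.3.4, and only with FTP inspection plus an FTP file policy in effect.
# Assumption: cloud FTDv images (6.2.3-85, 6.2.3-991) are out of scope here.
FTD_INSPECT_AFFECTED_TRAIN = (6, 2, 3)
FTD_INSPECT_FIRST_FIXED = (6, 2, 3, 4)


def parse_version(show_version_output):
    """'... Version 6.2.0 (Build 362)' -> (6, 2, 0); raises if no version found."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)", show_version_output)
    if not m:
        raise ValueError("no 'Version x.y.z' string in show version output")
    return tuple(int(part) for part in m.group(1).split("."))


def _train(version, table):
    """Longest table key that is a prefix of the running version, or None."""
    matches = [k for k in table if version[:len(k)] == k]
    return max(matches, key=len) if matches else None


def smb_snort_status(version):
    """CVE-2018-0455 -> (vulnerable, first_fixed_or_None).

    Assumption: a release in no listed train (e.g. 6.3.0) is reported as not
    affected because the advisory does not list it; confirm against the source.
    """
    train = _train(version, SMB_SNORT_FIRST_FIXED)
    if train is None:
        return (False, None)
    fixed = SMB_SNORT_FIRST_FIXED[train]
    if fixed is None:
        return (False, None)
    return (version < fixed, fixed)   # tuple compare: (6,2,0) < (6,2,0,5)


def ftd_inspect_status(version, ftp_inspection_enabled=True, ftp_file_policy=False):
    """CVE-2018-15390 -> (vulnerable, first_fixed_or_None).

    ftp_inspection_enabled defaults to True because the advisory states it is
    on by default; ftp_file_policy has to be confirmed in FMC or FDM.
    """
    if version[:3] != FTD_INSPECT_AFFECTED_TRAIN or version >= FTD_INSPECT_FIRST_FIXED:
        return (False, None)
    return (ftp_inspection_enabled and ftp_file_policy, FTD_INSPECT_FIRST_FIXED)


def triage(show_version_output, ftp_inspection_enabled=True, ftp_file_policy=False):
    """Run both checks; returns {cve: (vulnerable, first_fixed_or_None)}."""
    v = parse_version(show_version_output)
    return {
        "CVE-2018-0455": smb_snort_status(v),
        "CVE-2018-15390": ftd_inspect_status(v, ftp_inspection_enabled, ftp_file_policy),
    }


if __name__ == "__main__":
    for cve, (vuln, fixed) in triage(SAMPLE_SHOW_VERSION, ftp_file_policy=True).items():
        if vuln:
            print(f"{cve}: affected, first fixed release {'.'.join(map(str, fixed))}")
        else:
            print(f"{cve}: not affected")
```

For the sample device on 6.2.0 the script reports CVE-2018-0455 as affected with 6.2.0.5 as the first fix and CVE-2018-15390 as not affected, which matches the two tables; the "First Fixed Release for All Vulnerabilities" column is deliberately not encoded, since those targets include future releases and depend on the other advisories in the collection.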

    To upgrade to a fixed release of Cisco Firepower System Software, customers
    can do one of the following:

      - For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade and, after
        installation is complete, reapply the access control policy. The Snort
        version that is installed depends on the FMC release.
      - For devices that are managed by using Cisco Adaptive Security Device
        Manager (ASDM) or Cisco Firepower Device Manager (FDM), use the ASDM or
        FDM interface to install the upgrade and, after installation is
        complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.


URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-ftd-inspect-dos

Revision History

    +----------+---------------------------+----------+--------+------------------+
    | Version  |        Description        | Section  | Status |       Date       |
    +----------+---------------------------+----------+--------+------------------+
    | 1.0      | Initial public release.   | --       | Final  | 2018-October-03  |
    +----------+---------------------------+----------+--------+------------------+

Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
