Published:
03 May 2019
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1510.2
   Cisco Adaptive Security Appliance Software and Cisco Firepower Threat
                               Defense Software
                                  3 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adaptive Security Appliance Software and Firepower Threat
                   Defense Software
Publisher:         Cisco Systems
Impact/Access:     Access Privileged Data        -- Remote/Unauthenticated
                   Denial of Service             -- Remote/Unauthenticated
                   Cross-site Scripting          -- Existing Account
                   Access Confidential Data      -- Remote/Unauthenticated
                   Unauthorised Access           -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1715 CVE-2019-1714 CVE-2019-1708 CVE-2019-1701
                   CVE-2019-1697 CVE-2019-1695 CVE-2019-1694 CVE-2019-1693
                   CVE-2019-1687 CVE-2018-15388

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-ike-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-frpwrtd-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftds-ldapdos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-entropy
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftdtcp-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asaftd-saml-vpn
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-sd-cpu-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-bypass
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-xss

Comment: This bulletin contains ten (10) Cisco Systems security advisories.

Revision History:  May 3 2019: Fixed release 6.3.0.3 is now available; added
                               L2 filtering bypass and FTD XSS.
                   May 2 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense
Software MOBIKE Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190501-asa-ftd-ike-dos
First Published: 2019 May 1 16:00 GMT
Last Updated:    2019 May 2 17:37 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvm72145
CVE-2019-1708    CWE-404
CVSS Score:
8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Internet Key Exchange Version 2 Mobility and
    Multihoming Protocol (MOBIKE) feature for the Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
    Software could allow an unauthenticated, remote attacker to cause a
    memory leak or a reload of an affected device that leads to a denial of
    service (DoS) condition.

    The vulnerability is due to the incorrect processing of certain MOBIKE
    packets. An attacker could exploit this vulnerability by sending crafted
    MOBIKE packets to an affected device to be processed. A successful
    exploit could cause an affected device to continuously consume memory
    and eventually reload, resulting in a DoS condition.

    The MOBIKE feature is supported only for IPv4 addresses.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-ike-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products that are running
    a vulnerable release of Cisco ASA Software or FTD Software if configured
    for MOBIKE ^1:

        3000 Series Industrial Security Appliances (ISAs)
        ASA 5500 Series Adaptive Security Appliances
        ASA 5500-X Series Firewalls
        ASA Services Module for Cisco Catalyst 6500 Series Switches and
          Cisco 7600 Series Routers
        Firepower 4100 Series
        Firepower 9300 Security Appliance
        FTD Virtual (FTDv)

    ^1 The MOBIKE support for IPsec IKEv2 remote access VPNs was added as of
    9.8(1). The MOBIKE feature is always enabled and cannot be disabled by
    the user. See the Details section for more information. MOBIKE is
    enabled for each Security Association only when the client proposes it
    and the ASA accepts it. The device should be considered vulnerable if
    Internet Key Exchange Version 2 (IKEv2) remote access VPN is configured.
    The administrator can issue the show running-config command and check
    for the crypto ikev2 enable <interface> command and the tunnel-group
    <tunnel_group_name> type remote-access command (also called connection
    profile).

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .
    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears
    in the Cisco ASDM login window or the Device Dashboard tab of the Cisco
    ASDM Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version
        ---------------------[ ftd ]---------------------
        Model                : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID                 : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version          : 279
        ----------------------------------------------------

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the
    following Cisco products:

        Adaptive Security Virtual Appliance (ASAv)
        ASA 1000V Cloud Firewall
        Firepower 2100 Series Security Appliance

Details

  o MOBIKE extends ASA remote access VPNs to support mobile device roaming.
    This support means the endpoint IP address for a MOBIKE device IKE/IPsec
    Security Association can be updated rather than deleted when the device
    moves from its current connection point to another.

    For additional information about the MOBIKE feature, refer to About
    Mobike and Remote Access VPNs.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect
    support for software versions and feature sets for which they have
    purchased a license.
    By installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner. In most cases this will be a maintenance
    upgrade to software that was previously purchased. Free security
    software updates do not entitle customers to a new software license,
    additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated
    in the applicable table in this section.
    To ensure a complete upgrade solution, customers should consider that
    this advisory is part of a collection that includes the following
    advisories:

        cisco-sa-20190501-asa-csrf: Cisco Adaptive Security Appliance
          Software Cross-Site Request Forgery Vulnerability
        cisco-sa-20190501-asa-frpwrtd-dos: Cisco Adaptive Security Appliance
          Software and Cisco Firepower Threat Defense Software TCP Timer
          Handling Denial of Service Vulnerability
        cisco-sa-20190501-asa-ftd-dos: Cisco Adaptive Security Appliance
          Software and Firepower Threat Defense Software WebVPN Denial of
          Service Vulnerability
        cisco-sa-20190501-asa-ftd-entropy: Cisco Adaptive Security Appliance
          Software and Firepower Threat Defense Software Low-Entropy Keys
          Vulnerability
        cisco-sa-20190501-asa-ftd-ike-dos: Cisco Adaptive Security Appliance
          Software and Cisco Firepower Threat Defense Software MOBIKE Denial
          of Service Vulnerability
        cisco-sa-20190501-asaftd-saml-vpn: Cisco Adaptive Security Appliance
          Software and Firepower Threat Defense Software VPN SAML
          Authentication Bypass Vulnerability
        cisco-sa-20190501-asa-ipsec-dos: Cisco Adaptive Security Appliance
          Software IPsec Denial of Service Vulnerability
        cisco-sa-20190501-firepower-dos: Cisco Firepower Threat Defense
          Software TCP Ingress Handler Denial of Service Vulnerability
        cisco-sa-20190501-frpwr-dos: Cisco Firepower Threat Defense Software
          Packet Processing Denial of Service Vulnerability
        cisco-sa-20190501-frpwr-smb-snort: Cisco Firepower Threat Defense
          Software SMB Protocol Preprocessor Detection Engine Denial of
          Service Vulnerabilities
        cisco-sa-20190501-sd-cpu-dos: Cisco Adaptive Security Appliance
          Software and Firepower Threat Defense Software WebVPN Denial of
          Service Vulnerability

    In the following table(s), the left column lists Cisco software
    releases. The center column indicates whether a release is affected by
    the vulnerability described in this advisory and the release that
    includes the fix for this vulnerability.
    The right column indicates whether a release is affected by all the
    vulnerabilities described in this collection of advisories and which
    release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +-----------------+------------------------------+------------------------------+
    | Cisco ASA       | Recommended Release for This | Recommended Release for All  |
    | Software        | Vulnerability                | Vulnerabilities Described in |
    | Release         |                              | the Collection of Advisories |
    +-----------------+------------------------------+------------------------------+
    | Prior to 9.4 ^1 | Not vulnerable               | 9.4.4.34                     |
    | 9.4             | Not vulnerable               | 9.4.4.34                     |
    | 9.5 ^1          | Not vulnerable               | 9.6.4.25                     |
    | 9.6             | Not vulnerable               | 9.6.4.25                     |
    | 9.7 ^1          | Not vulnerable               | 9.8.4                        |
    | 9.8             | 9.8.4                        | 9.8.4                        |
    | 9.9             | 9.9.2.50                     | 9.9.2.50                     |
    | 9.10            | 9.10.1.17                    | 9.10.1.17                    |
    | 9.12            | Not vulnerable               | Not Vulnerable               |
    +-----------------+------------------------------+------------------------------+

    ^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA
    Software Releases 9.5 and 9.7 have reached end of maintenance. Customers
    should migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

    +-----------------+------------------------------+------------------------------+
    | Cisco FTD       | Recommended Release for This | Recommended Release for All  |
    | Software        | Vulnerability                | Vulnerabilities Described in |
    | Release         |                              | the Collection of Advisories |
    +-----------------+------------------------------+------------------------------+
    | 6.0             | Not vulnerable               | 6.2.3.12                     |
    | 6.0.1           | Not vulnerable               | 6.2.3.12                     |
    | 6.1.0           | Not vulnerable               | 6.2.3.12                     |
    | 6.2.0           | Not vulnerable               | 6.2.3.12                     |
    | 6.2.1           | Not vulnerable               | 6.2.3.12                     |
    | 6.2.2           | 6.2.3.12                     | 6.2.3.12                     |
    | 6.2.3           | 6.2.3.12                     | 6.2.3.12                     |
    | 6.3.0           | 6.3.0.3                      | 6.3.0.3                      |
    | 6.4.0           | Not vulnerable               | Not vulnerable               |
    +-----------------+------------------------------+------------------------------+

    To upgrade to a fixed release of Cisco FTD Software, customers can do
    one of the following:

        For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.

        For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware
    of any public announcements or malicious use of the vulnerability that
    is described in this advisory.
Source

  o This vulnerability was found during the resolution of a Cisco TAC
    support case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-ike-dos

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense
Software TCP Timer Handling Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190501-asa-frpwrtd-dos
First Published: 2019 May 1 16:00 GMT
Last Updated:    2019 May 2 17:45 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvn78174
CVE-2019-1694    CWE-20
CVSS Score:
8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the TCP processing engine of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
    Software could allow an unauthenticated, remote attacker to cause an
    affected device to reload, resulting in a denial of service (DoS)
    condition.

    The vulnerability is due to the improper handling of TCP traffic.
    An attacker could exploit this vulnerability by sending a specific
    sequence of packets at a high rate through an affected device. A
    successful exploit could allow the attacker to temporarily disrupt
    traffic through the device while it reboots.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-frpwrtd-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects both physical and virtual appliances if a
    vulnerable release of Cisco ASA Software or FTD Software is running on
    any of the following Cisco products:

        3000 Series Industrial Security Appliances (ISAs)
        ASA 5500-X Series Firewalls
        ASA Services Module for Cisco Catalyst 6500 Series Switches and
          Cisco 7600 Series Routers
        Adaptive Security Virtual Appliance (ASAv)
        Firepower 2100 Series
        Firepower 4100 Series
        Firepower 9300 Security Appliance
        FTD Virtual (FTDv)

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .
    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears
    in the Cisco ASDM login window or the Device Dashboard tab of the Cisco
    ASDM Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version
        ---------------------[ ftd ]---------------------
        Model                : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID                 : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version          : 279
        ----------------------------------------------------

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco ASA
    Software or FTD Software running on the following platforms:

        ASA 1000V Cloud Firewall
        ASA 5505 Adaptive Security Appliance ^1

    ^1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505
    have reached the end-of-support milestone and are no longer evaluated
    for security vulnerabilities.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect
    support for software versions and feature sets for which they have
    purchased a license.
    By installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner. In most cases this will be a maintenance
    upgrade to software that was previously purchased. Free security
    software updates do not entitle customers to a new software license,
    additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated
    in the applicable table in this section.
    To ensure a complete upgrade solution, customers should consider that
    this advisory is part of a collection that includes the following
    advisories:

        cisco-sa-20190501-asa-csrf: Cisco Adaptive Security Appliance
          Software Cross-Site Request Forgery Vulnerability
        cisco-sa-20190501-asa-frpwrtd-dos: Cisco Adaptive Security Appliance
          Software and Cisco Firepower Threat Defense Software TCP Timer
          Handling Denial of Service Vulnerability
        cisco-sa-20190501-asa-ftd-dos: Cisco Adaptive Security Appliance
          Software and Firepower Threat Defense Software WebVPN Denial of
          Service Vulnerability
        cisco-sa-20190501-asa-ftd-entropy: Cisco Adaptive Security Appliance
          Software and Firepower Threat Defense Software Low-Entropy Keys
          Vulnerability
        cisco-sa-20190501-asa-ftd-ike-dos: Cisco Adaptive Security Appliance
          Software and Cisco Firepower Threat Defense Software MOBIKE Denial
          of Service Vulnerability
        cisco-sa-20190501-asaftd-saml-vpn: Cisco Adaptive Security Appliance
          Software and Firepower Threat Defense Software VPN SAML
          Authentication Bypass Vulnerability
        cisco-sa-20190501-asa-ipsec-dos: Cisco Adaptive Security Appliance
          Software IPsec Denial of Service Vulnerability
        cisco-sa-20190501-firepower-dos: Cisco Firepower Threat Defense
          Software TCP Ingress Handler Denial of Service Vulnerability
        cisco-sa-20190501-frpwr-dos: Cisco Firepower Threat Defense Software
          Packet Processing Denial of Service Vulnerability
        cisco-sa-20190501-frpwr-smb-snort: Cisco Firepower Threat Defense
          Software SMB Protocol Preprocessor Detection Engine Denial of
          Service Vulnerabilities
        cisco-sa-20190501-sd-cpu-dos: Cisco Adaptive Security Appliance
          Software and Firepower Threat Defense Software WebVPN Denial of
          Service Vulnerability

    In the following table(s), the left column lists Cisco software
    releases. The center column indicates whether a release is affected by
    the vulnerability described in this advisory and the release that
    includes the fix for this vulnerability.
    The right column indicates whether a release is affected by all the
    vulnerabilities described in this collection of advisories and which
    release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +-----------------+------------------------------+------------------------------+
    | Cisco ASA       | Recommended Release for This | Recommended Release for All  |
    | Software        | Vulnerability                | Vulnerabilities Described in |
    | Release         |                              | the Collection of Advisories |
    +-----------------+------------------------------+------------------------------+
    | Prior to 9.4 ^1 | Not vulnerable               | 9.4.4.34                     |
    | 9.4             | 9.4.4.34                     | 9.4.4.34                     |
    | 9.5 ^1          | 9.6.4.25                     | 9.6.4.25                     |
    | 9.6             | 9.6.4.25                     | 9.6.4.25                     |
    | 9.7 ^1          | 9.8.4                        | 9.8.4                        |
    | 9.8             | 9.8.4                        | 9.8.4                        |
    | 9.9             | 9.9.2.50                     | 9.9.2.50                     |
    | 9.10            | 9.10.1.17                    | 9.10.1.17                    |
    | 9.12            | Not vulnerable               | Not vulnerable               |
    +-----------------+------------------------------+------------------------------+

    ^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA
    Software Releases 9.5 and 9.7 have reached end of maintenance. Customers
    should migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

    +-----------------+------------------------------+------------------------------+
    | Cisco FTD       | Recommended Release for This | Recommended Release for All  |
    | Software        | Vulnerability                | Vulnerabilities Described in |
    | Release         |                              | the Collection of Advisories |
    +-----------------+------------------------------+------------------------------+
    | 6.0             | 6.2.3.12                     | 6.2.3.12                     |
    | 6.0.1           | 6.2.3.12                     | 6.2.3.12                     |
    | 6.1.0           | 6.2.3.12                     | 6.2.3.12                     |
    | 6.2.0           | 6.2.3.12                     | 6.2.3.12                     |
    | 6.2.1           | 6.2.3.12                     | 6.2.3.12                     |
    | 6.2.2           | 6.2.3.12                     | 6.2.3.12                     |
    | 6.2.3           | 6.2.3.12                     | 6.2.3.12                     |
    | 6.3.0           | 6.3.0.3                      | 6.3.0.3                      |
    | 6.4.0           | Not Vulnerable               | Not Vulnerable               |
    +-----------------+------------------------------+------------------------------+

    To upgrade to a fixed release of Cisco FTD Software, customers can do
    one of the following:

        For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.

        For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware
    of any public announcements or malicious use of the vulnerability that
    is described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC
    support case.
Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-frpwrtd-dos

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Lightweight Directory Access Protocol Denial of Service
Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20190501-asa-ftds-ldapdos
First Published: 2019 May 1 16:00 GMT
Last Updated:    2019 May 2 17:53 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvn20985
CVE-2019-1697    CWE-20
CVSS Score:
6.8 AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the implementation of the Lightweight Directory
    Access Protocol (LDAP) feature in Cisco Adaptive Security Appliance
    (ASA) Software and Firepower Threat Defense (FTD) Software could allow
    an unauthenticated, remote attacker to cause an affected device to
    reload, resulting in a denial of service (DoS) condition.

    The vulnerabilities are due to the improper parsing of LDAP packets sent
    to an affected device.
    An attacker could exploit these vulnerabilities by sending a crafted
    LDAP packet, using Basic Encoding Rules (BER), to be processed by an
    affected device. A successful exploit could allow the attacker to cause
    the affected device to reload, resulting in a DoS condition.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftds-ldapdos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products on both physical
    and virtual appliances if they are running Cisco ASA Software or FTD
    Software and if LDAP authentication is configured:

        3000 Series Industrial Security Appliances (ISA)
        ASA 5500-X Series Firewalls
        ASA Services Module for Cisco Catalyst 6500 Series Switches and
          Cisco 7600 Series Routers
        Adaptive Security Virtual Appliance (ASAv)
        Firepower 2100 Series
        Firepower 4100 Series
        Firepower 9300 Security Appliances
        FTD Virtual (FTDv)

    For information about affected software releases, consult the tables in
    the Fixed Software section of this advisory.

    Determining Whether the Cisco ASA or FTD Software Is Configured for LDAP
    Authentication

    The administrator can check for configured LDAP authentication by using
    the show aaa-server | include Server Protocol: ldap command to determine
    whether an LDAP authentication server is configured.

        asa# show aaa-server | include Server Protocol: ldap
        Server Protocol: ldap

    For detailed information about the Cisco ASA and FTD Software LDAP
    configuration, refer to CLI Book 1: Cisco ASA Series General Operations
    CLI Configuration Guide.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command.
    The following example shows the output of the command for a device that
    is running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears
    in the Cisco ASDM login window or the Device Dashboard tab of the Cisco
    ASDM Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version
        ---------------------[ ftd ]---------------------
        Model                : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID                 : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version          : 279
        ----------------------------------------------------

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the
    following Cisco products:

        ASA 1000V Cloud Firewall
        ASA 5500 Series Adaptive Security Appliances

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the
    vulnerabilities described in this advisory. Customers may only install
    and expect support for software versions and feature sets for which they
    have purchased a license.
    By installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner. In most cases this will be a maintenance
    upgrade to software that was previously purchased. Free security
    software updates do not entitle customers to a new software license,
    additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated
    in the applicable table in this section.

    In the following table(s), the left column lists Cisco software
    releases.
    The right column indicates whether a release is affected by the
    vulnerability described in this advisory and the release that includes
    the fix for this vulnerability.

    Cisco ASA Software

    +------------------------+----------------------------------------------+
    | Cisco ASA Software     | Recommended Release for This Vulnerability   |
    | Release                |                                              |
    +------------------------+----------------------------------------------+
    | Prior to 9.4 ^1        | Not vulnerable                               |
    | 9.4                    | Not vulnerable                               |
    | 9.5 ^1                 | Not vulnerable                               |
    | 9.6                    | 9.6.4.25                                     |
    | 9.7 ^1                 | 9.8.4                                        |
    | 9.8                    | 9.8.4                                        |
    | 9.9                    | 9.9.2.50                                     |
    | 9.10                   | 9.10.1.17                                    |
    | 9.12                   | Not vulnerable                               |
    +------------------------+----------------------------------------------+

    ^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

    +------------------------+----------------------------------------------+
    | Cisco FTD Software     | Recommended Release for This Vulnerability   |
    | Release                |                                              |
    +------------------------+----------------------------------------------+
    | 6.0                    | Not vulnerable                               |
    | 6.0.1                  | Not vulnerable                               |
    | 6.1.0                  | Not vulnerable                               |
    | 6.2.0                  | Not vulnerable                               |
    | 6.2.1                  | 6.2.3.12                                     |
    | 6.2.2                  | 6.2.3.12                                     |
    | 6.2.3                  | 6.2.3.12                                     |
    | 6.3.0                  | 6.3.0.3                                      |
    | 6.4.0                  | Not vulnerable                               |
    +------------------------+----------------------------------------------+

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      - For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.
      - For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftds-ldapdos

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
Low-Entropy Keys Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190501-asa-ftd-entropy
First Published: 2019 May 1 16:00 GMT
Last Updated:    2019 May 2 17:49 GMT
Version 1.1:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCvj52266
CVE-2019-1715    CWE-332
CVSS Score:      5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Deterministic Random Bit Generator (DRBG), also
    known as Pseudorandom Number Generator (PRNG), used in Cisco Adaptive
    Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
    Software could allow an unauthenticated, remote attacker to cause a
    cryptographic collision, enabling the attacker to discover the private key
    of an affected device.

    The vulnerability is due to insufficient entropy in the DRBG when
    generating cryptographic keys. An attacker could exploit this
    vulnerability by generating a large number of cryptographic keys on an
    affected device and looking for collisions with target devices.
    A successful exploit could allow the attacker to impersonate an affected
    target device or to decrypt traffic secured by an affected key that is
    sent to or from an affected target device.

    Cisco has released software updates that address this vulnerability.
    There are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-entropy

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products that are running
    Cisco ASA Software Releases 9.8 or 9.9 or FTD Software Releases 6.2.1,
    6.2.2, or 6.2.3:

      - 3000 Series Industrial Security Appliances (ISAs)
      - Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER
        Services
      - Adaptive Security Virtual Appliance (ASAv)
      - Firepower 4100 Series
      - Firepower 9300 ASA Security Module
      - Firepower Threat Defense Virtual

    Note: Devices running other releases of Cisco ASA Software or FTD
    Software may also be vulnerable if they are configured with at least one
    of the following:

      - A Trustpoint that is based on an RSA or ECDSA key pair that has been
        generated while running an affected release
      - An RSA key pair for use with SSH Access that has been generated while
        running an affected release

    If no Trustpoint is configured and no RSA key pair for use with SSH
    Access is present, a device is vulnerable only while running an affected
    release.

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    ASA Software

    In the following table, the left column lists the Cisco ASA features that
    are potentially vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command,
    if it can be determined.
    Cisco ASA Feature / Possible Vulnerable Configuration

    Adaptive Security Device Manager (ASDM) ^1
        http server enable <port>
        http <remote_ip_address> <remote_subnet_mask> <interface_name>

    AnyConnect SSL VPN
        webvpn
         enable <interface_name>

    Cisco Security Manager ^1
        http server enable <port>
        http <remote_ip_address> <remote_subnet_mask> <interface_name>

    Clientless SSL VPN (WebVPN)
        webvpn
         enable <interface_name>

    IKEv1 VPN (Remote Access and LAN-to-LAN) using Certificate-based
    Authentication
        crypto ikev1 enable <interface_name>
        crypto ikev1 policy <priority>
         authentication rsa-sig
        tunnel-group <tunnel_group_name> ipsec-attributes
         trust-point <trustpoint_name>

    IKEv2 VPN (Remote Access and LAN-to-LAN) using Certificate-based
    Authentication
        crypto ikev2 enable <interface_name>
        tunnel-group <tunnel_group_name> ipsec-attributes
         ikev2 remote-authentication certificate
         ikev2 local-authentication certificate <trustpoint_name>

    Local Certificate Authority (CA)
        crypto ca server
         no shutdown

    Mobile Device Manager (MDM) Proxy
        mdm-proxy
         enable <interface_name>

    Mobile User Security (MUS)
        webvpn
         mus password <password>
         mus server enable port <port #>
         mus <address> <mask> <interface_name>

    Proxy Bypass
        webvpn
         proxy-bypass

    REST API ^1
        rest-api image disk0:/<image name>
        rest-api agent

    SSH Access ^2
        ssh <remote_ip_address> <remote_subnet_mask> <interface_name>

    ^1 ASDM, CSM, and REST API services are accessible only from an IP
    address in the configured http command range.
    ^2 SSH service is accessible only from an IP address in the configured
    ssh command range.

    FTD Software

    In the following table, the left column lists the Cisco FTD features that
    are potentially vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command,
    if it can be determined.
    Cisco FTD Feature / Possible Vulnerable Configuration

    AnyConnect SSL VPN ^1,2
        webvpn
         enable <interface_name>

    Clientless SSL VPN (WebVPN) ^2
        webvpn
         enable <interface_name>

    HTTP Service enabled ^3,4
        http server enable <port #>
        http <remote_ip_address> <remote_subnet_mask> <interface_name>

    IKEv1 VPN (Remote Access and LAN-to-LAN) using Certificate-based
    Authentication ^1,2
        crypto ikev1 enable <interface_name>
        crypto ikev1 policy <priority>
         authentication rsa-sig
        tunnel-group <tunnel_group_name> ipsec-attributes
         trust-point <trustpoint_name>

    IKEv2 VPN (Remote Access and LAN-to-LAN) using Certificate-based
    Authentication ^1,2
        crypto ikev2 enable <interface_name>
        tunnel-group <tunnel_group_name> ipsec-attributes
         ikev2 remote-authentication certificate
         ikev2 local-authentication certificate <trustpoint_name>

    SSH Service ^5
        ssh <remote_ip_address> <remote_subnet_mask> <interface_name>

    ^1 Remote Access VPN features are enabled via Devices > VPN > Remote
    Access in the Cisco FMC or via Device > Remote Access VPN in Cisco
    Firepower Device Manager (FDM).
    ^2 The Clientless SSL VPN feature is not officially supported but can be
    enabled via FlexConfig.
    ^3 The HTTP feature is enabled via Firepower Threat Defense Platform
    Settings > HTTP in the Cisco Firepower Management Console (FMC).
    ^4 HTTP service is accessible only from an IP address in the configured
    http command range.
    ^5 SSH is accessible only from an IP address in the configured ssh
    command range.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        . . .
    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears
    in the Cisco ASDM login window or the Device Dashboard tab of the Cisco
    ASDM Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version
        ---------------------[ ftd ]---------------------
        Model                 : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID                  : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version  : 2017-03-15-001-vrt
        VDB version           : 279
        ----------------------------------------------------

Products Confirmed Not Vulnerable

  o Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco ASA
    Software or FTD Software running on the following platforms:

      - ASA 1000V Cloud Firewall
      - ASA 5505 Adaptive Security Appliance ^1
      - ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
      - Firepower 2100 Series

    ^1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505
    have reached the end-of-support milestone and are no longer evaluated for
    security vulnerabilities.
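    The feature tables above list the configuration lines that mark each
    potentially vulnerable feature. The following script is an added example,
    not part of the Cisco advisory: it flattens a saved running-config into
    (parent command, command) pairs and checks each feature's rule set against
    it. The rule patterns are an interpretation of the ASA table (the FTD table
    uses the same commands, so the same rules apply to FTD output); the sample
    configuration is constructed, not captured from a device.

```python
"""Added example: audit an ASA/FTD running-config for the features in the
advisory's feature table. Rule patterns are my reading of that table."""
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[Optional[str], str]        # (parent command or None, command)
Rule = List[Tuple[Optional[str], str]]   # (parent regex, or None for top level; command regex)


def parse_config(text: str) -> List[Entry]:
    """ASA nests mode subcommands under the preceding top-level command with a
    leading space. Deeper nesting (e.g. group-policy > webvpn) is attached to
    the same top-level parent, which is enough for the checks below."""
    entries: List[Entry] = []
    parent: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw[0] in "!:":     # blank lines and comment lines
            continue
        if raw[0] == " ":
            entries.append((parent, raw.strip()))
        else:
            parent = raw.strip()
            entries.append((None, parent))
    return entries


IPV4_ACL = r"\d+\.\d+\.\d+\.\d+ \S+"       # <address> <mask>
ACL = rf"(?:{IPV4_ACL}|[0-9a-fA-F:]+/\d+)"   # or an IPv6 prefix

# A feature is present only if EVERY pattern in its rule matches some entry.
FEATURE_RULES: Dict[str, Rule] = {
    "ASDM / CSM management (http server)": [
        (None, r"^http server enable"), (None, rf"^http {ACL} \S+$")],
    "AnyConnect SSL VPN / Clientless WebVPN": [(r"^webvpn$", r"^enable \S+$")],
    "IKEv1 VPN with certificate authentication": [
        (None, r"^crypto ikev1 enable "),
        (r"^crypto ikev1 policy \d+$", r"^authentication rsa-sig$"),
        (r"^tunnel-group \S+ ipsec-attributes$", r"^trust-point \S+$")],
    "IKEv2 VPN with certificate authentication": [
        (None, r"^crypto ikev2 enable "),
        (r"^tunnel-group \S+ ipsec-attributes$", r"^ikev2 remote-authentication certificate$"),
        (r"^tunnel-group \S+ ipsec-attributes$", r"^ikev2 local-authentication certificate \S+$")],
    "Local Certificate Authority (CA)": [(r"^crypto ca server$", r"^no shutdown$")],
    "Mobile Device Manager (MDM) Proxy": [(r"^mdm-proxy$", r"^enable \S+$")],
    "Mobile User Security (MUS)": [(r"^webvpn$", r"^mus server enable port \d+$")],
    "Proxy Bypass": [(r"^webvpn$", r"^proxy-bypass ")],
    "REST API": [(None, r"^rest-api image "), (None, r"^rest-api agent$")],
    "SSH access": [(None, rf"^ssh {ACL} \S+$")],
}


def _has(entries: List[Entry], parent_pat: Optional[str], cmd_pat: str) -> bool:
    for parent, cmd in entries:
        if parent_pat is None:
            if parent is None and re.search(cmd_pat, cmd):
                return True
        elif parent is not None and re.search(parent_pat, parent) and re.search(cmd_pat, cmd):
            return True
    return False


def audit(config_text: str) -> Dict[str, bool]:
    entries = parse_config(config_text)
    return {name: all(_has(entries, p, c) for p, c in rule) for name, rule in FEATURE_RULES.items()}


def exposed_features(config_text: str) -> List[str]:
    """Features whose keys/certificates must be regenerated off-box (or re-generated after the fix)."""
    return [name for name, present in audit(config_text).items() if present]


# Constructed sample, not from a real device.
SAMPLE_CONFIG = """\
: Constructed sample running-config
hostname ciscoasa
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
crypto ikev2 enable outside
tunnel-group L2L-BRANCH type ipsec-l2l
tunnel-group L2L-BRANCH ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate VPN-TP
webvpn
 enable outside
 anyconnect enable
http server enable
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
rest-api agent
"""

if __name__ == "__main__":
    for feature in exposed_features(SAMPLE_CONFIG):
        print("exposed:", feature)
```

    Note that the IKEv1 rule is not satisfied by the sample: the policy uses
    rsa-sig but no tunnel-group names a trust-point, which is exactly the
    distinction the table draws. A positive result means the feature's key
    pair or certificate may have been produced by the weak DRBG; the script
    cannot tell on which release a key was generated, so the advisory's note
    about keys generated on an affected release still has to be checked by
    hand.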
Workarounds

  o To avoid the use of potentially weak cryptographic keys, administrators
    can generate a key pair and a corresponding certificate on a trusted
    device outside of the Cisco ASA or FTD device and then import the base 64
    encoded PKCS #12 file containing the keys and certificate(s) to the Cisco
    ASA or FTD device using the crypto ca import <trust-point-name> pkcs12
    <passphrase> command in global configuration mode.

    See the ASA 8.x: Renew and Install the SSL Certificate with ASDM tech note
    for further details, including steps for how to accomplish this task via
    the Cisco Adaptive Security Device Manager (ASDM).

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license.

    By installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
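    The workaround in this advisory (generate the key pair off-box, import it
    as a base 64 encoded PKCS #12 with crypto ca import) can be scripted. The
    following is an added example, not Cisco's procedure: it drives the
    openssl command line from Python to generate a key on a host with a
    trustworthy RNG, wraps it with a self-signed certificate (in production,
    submit a CSR to your CA instead), bundles the result as PKCS #12, verifies
    the bundle opens with the passphrase, and prints the CLI block to paste.
    The trustpoint name VPN-TP and hostname vpn.example.test are placeholders.
    Two assumptions are labelled in the code: that the ASA import parser
    expects the older SHA1/3DES PBE rather than the AES/PBKDF2 defaults of
    current OpenSSL releases, and that the pasted input is terminated with a
    line reading quit. Note also that this workaround only covers trustpoint
    keys; for the SSH RSA key pair the advisory gives no import path, so the
    remaining fix is the one in the Fixed Releases note: upgrade, then
    regenerate the key pair.

```python
"""Added example: build the PKCS #12 bundle for `crypto ca import <tp> pkcs12 <pass>`
off-box, using the openssl CLI via subprocess. Not part of the Cisco advisory."""
import base64
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _openssl(*args: str) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True)


def build_pkcs12_bundle(fqdn: str, passphrase: str, workdir: Path,
                        bits: int = 3072, days: int = 365) -> Dict[str, str]:
    key, crt, p12 = workdir / "asa.key", workdir / "asa.crt", workdir / "asa.p12"
    # 1. Key pair generated here, never by the ASA/FTD DRBG that the advisory describes.
    _openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", f"rsa_keygen_bits:{bits}", "-out", str(key))
    # 2. Self-signed certificate with a SAN (example only; use a CSR and a real CA in production).
    _openssl("req", "-new", "-x509", "-key", str(key), "-days", str(days),
             "-subj", f"/CN={fqdn}", "-addext", f"subjectAltName=DNS:{fqdn}", "-out", str(crt))
    # 3. PKCS #12 with SHA1/3DES PBE. ASSUMPTION (not from the advisory): the ASA import
    #    parser does not accept the AES-256/PBKDF2 defaults of OpenSSL 3.x.
    _openssl("pkcs12", "-export", "-inkey", str(key), "-in", str(crt), "-name", fqdn,
             "-keypbe", "PBE-SHA1-3DES", "-certpbe", "PBE-SHA1-3DES", "-macalg", "sha1",
             "-passout", f"pass:{passphrase}", "-out", str(p12))
    # 4. Round trip: the bundle must open with the passphrase we will type on the ASA.
    _openssl("pkcs12", "-in", str(p12), "-passin", f"pass:{passphrase}", "-nokeys", "-noout")
    # 5. Fingerprint to compare against `show crypto ca certificates` after the import.
    fp = _openssl("x509", "-in", str(crt), "-noout", "-fingerprint", "-sha256").stdout.strip()
    b64 = base64.encodebytes(p12.read_bytes()).decode()      # wrapped base 64 text
    return {"pkcs12_base64": b64, "sha256_fingerprint": fp.split("=", 1)[1]}


def asa_import_script(trustpoint: str, passphrase: str, pkcs12_base64: str) -> str:
    """CLI block to paste in global configuration mode. ASSUMPTION: the ASA ends
    the base 64 input on a line containing only the word quit."""
    return f"crypto ca import {trustpoint} pkcs12 {passphrase}\n{pkcs12_base64.rstrip()}\nquit\n"


def self_check(fqdn: str = "vpn.example.test", passphrase: str = "ChangeMe-1234") -> bool:
    """Build a bundle in a temp dir; confirm the base 64 decodes to DER (SEQUENCE, 0x30)
    and the fingerprint is a 32-byte SHA-256."""
    with tempfile.TemporaryDirectory() as d:
        out = build_pkcs12_bundle(fqdn, passphrase, Path(d))
        raw = base64.b64decode(out["pkcs12_base64"])
        return raw[:1] == b"\x30" and len(out["sha256_fingerprint"].split(":")) == 32


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        bundle = build_pkcs12_bundle("vpn.example.test", "ChangeMe-1234", Path(d))
        print("# expected fingerprint:", bundle["sha256_fingerprint"])
        print(asa_import_script("VPN-TP", "ChangeMe-1234", bundle["pkcs12_base64"]))
```

    The passphrase ends up in the running-config command history and in your
    shell history; clear both, and after a successful import check the
    fingerprint the script printed against show crypto ca certificates before
    binding the trustpoint to WebVPN or IKE.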
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section.

    To ensure a complete upgrade solution, customers should consider that this
    advisory is part of a collection that includes the following advisories:

      - cisco-sa-20190501-asa-csrf: Cisco Adaptive Security Appliance Software
        Cross-Site Request Forgery Vulnerability
      - cisco-sa-20190501-asa-frpwrtd-dos: Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software TCP Timer
        Handling Denial of Service Vulnerability
      - cisco-sa-20190501-asa-ftd-dos: Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of
        Service Vulnerability
      - cisco-sa-20190501-asa-ftd-entropy: Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software Low-Entropy Keys
        Vulnerability
      - cisco-sa-20190501-asa-ftd-ike-dos: Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software MOBIKE Denial of
        Service Vulnerability
      - cisco-sa-20190501-asaftd-saml-vpn: Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software VPN SAML
        Authentication Bypass Vulnerability
      - cisco-sa-20190501-asa-ipsec-dos: Cisco Adaptive Security Appliance
        Software IPsec Denial of Service Vulnerability
      - cisco-sa-20190501-firepower-dos: Cisco Firepower Threat Defense
        Software TCP Ingress Handler Denial of Service Vulnerability
      - cisco-sa-20190501-frpwr-dos: Cisco Firepower Threat Defense Software
        Packet Processing Denial of Service Vulnerability
      - cisco-sa-20190501-frpwr-smb-snort: Cisco Firepower Threat Defense
        Software SMB Protocol Preprocessor Detection Engine Denial of Service
        Vulnerabilities
      - cisco-sa-20190501-sd-cpu-dos: Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of
        Service Vulnerability

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the release that includes
    the fix for this vulnerability. The right column indicates whether a
    release is affected by all the vulnerabilities described in this
    collection of advisories and which release includes fixes for those
    vulnerabilities.

    Note: After upgrading to a fixed release, administrators must re-generate
    all RSA and ECDSA key pairs that were generated on an affected device
    while running a vulnerable release.

    Cisco ASA Software

    +------------------+----------------------------+---------------------------------+
    | Cisco ASA        | Recommended Release for    | Recommended Release for All     |
    | Software Release | This Vulnerability         | Vulnerabilities Described in    |
    |                  |                            | the Collection of Advisories    |
    +------------------+----------------------------+---------------------------------+
    | Prior to 9.4 ^1  | Not vulnerable             | 9.4.4.34                        |
    | 9.4              | Not vulnerable             | 9.4.4.34                        |
    | 9.5 ^1           | Not vulnerable             | 9.6.4.25                        |
    | 9.6              | Not vulnerable             | 9.6.4.25                        |
    | 9.7 ^1           | Not vulnerable             | 9.8.4                           |
    | 9.8              | 9.8.4                      | 9.8.4                           |
    | 9.9              | 9.9.2.50                   | 9.9.2.50                        |
    | 9.10             | Not vulnerable             | 9.10.1.17                       |
    | 9.12             | Not vulnerable             | Not vulnerable                  |
    +------------------+----------------------------+---------------------------------+

    ^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.
    Cisco FTD Software

    +------------------+----------------------------+---------------------------------+
    | Cisco FTD        | Recommended Release for    | Recommended Release for All     |
    | Software Release | This Vulnerability         | Vulnerabilities Described in    |
    |                  |                            | the Collection of Advisories    |
    +------------------+----------------------------+---------------------------------+
    | 6.0              | Not vulnerable             | 6.2.3.12                        |
    | 6.0.1            | Not vulnerable             | 6.2.3.12                        |
    | 6.1.0            | Not vulnerable             | 6.2.3.12                        |
    | 6.2.0            | Not vulnerable             | 6.2.3.12                        |
    | 6.2.1            | 6.2.3.12                   | 6.2.3.12                        |
    | 6.2.2            | 6.2.3.12                   | 6.2.3.12                        |
    | 6.2.3            | 6.2.3.12                   | 6.2.3.12                        |
    | 6.3.0            | 6.3.0.3                    | 6.3.0.3                         |
    | 6.4.0            | Not vulnerable             | Not vulnerable                  |
    +------------------+----------------------------+---------------------------------+

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      - For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.
      - For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Greg Zaverucha of Microsoft for reporting this
    vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
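    The fixed-release tables above (and the single-column tables in the other
    advisories of this bulletin) are easy to misread because a fix can live in
    a later train (9.7 is fixed in 9.8.4, 6.2.0 in 6.2.3.12), and because real
    show version output writes 9.9(2)18 where the advisory writes 9.9.2.18.
    The following is an added example, not part of the Cisco advisory: it
    transcribes both columns of this advisory's ASA and FTD tables into
    dictionaries, normalises either version notation, and reports whether a
    device is not vulnerable, fixed, vulnerable within its train, or must
    migrate to another train. The version strings fed to it are constructed.

```python
"""Added example: compare a `show version` line against the Low-Entropy Keys
advisory's fixed-release tables. Tables transcribed from the advisory text."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]
FixTable = Dict[str, Optional[str]]   # train -> first fixed release, or None if "Not vulnerable"

# "prior" is the "Prior to 9.4" row. ASA trains are major.minor; FTD trains are major.minor.patch.
ASA_THIS_VULN: FixTable = {"prior": None, "9.4": None, "9.5": None, "9.6": None, "9.7": None,
                           "9.8": "9.8.4", "9.9": "9.9.2.50", "9.10": None, "9.12": None}
ASA_COLLECTION: FixTable = {"prior": "9.4.4.34", "9.4": "9.4.4.34", "9.5": "9.6.4.25",
                            "9.6": "9.6.4.25", "9.7": "9.8.4", "9.8": "9.8.4",
                            "9.9": "9.9.2.50", "9.10": "9.10.1.17", "9.12": None}
FTD_THIS_VULN: FixTable = {"6.0.0": None, "6.0.1": None, "6.1.0": None, "6.2.0": None,
                           "6.2.1": "6.2.3.12", "6.2.2": "6.2.3.12", "6.2.3": "6.2.3.12",
                           "6.3.0": "6.3.0.3", "6.4.0": None}
FTD_COLLECTION: FixTable = {"6.0.0": "6.2.3.12", "6.0.1": "6.2.3.12", "6.1.0": "6.2.3.12",
                            "6.2.0": "6.2.3.12", "6.2.1": "6.2.3.12", "6.2.2": "6.2.3.12",
                            "6.2.3": "6.2.3.12", "6.3.0": "6.3.0.3", "6.4.0": None}


def parse_version(text: str) -> Version:
    """Accepts '9.9(2)18' (real ASA output), '9.9.2.18' (advisory style) and
    'Version 6.2.0 (Build 362)' (FTD output); returns an int tuple."""
    m = re.search(r"\d+(?:[.()]\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in re.split(r"[.()]+", m.group(0).rstrip(")")))


def train(v: Version, platform: str) -> str:
    n = 2 if platform == "asa" else 3
    return ".".join(str(x) for x in (v + (0, 0, 0))[:n])


def assess(platform: str, version_text: str, table: FixTable) -> Tuple[str, Optional[str]]:
    """Return (status, recommended release). Status is one of
    'not vulnerable', 'fixed', 'vulnerable', 'vulnerable, migrate', 'unknown'."""
    v = parse_version(version_text)
    t = "prior" if platform == "asa" and v[:2] < (9, 4) else train(v, platform)
    if t not in table:
        return "unknown", None              # train not listed: read the advisory, do not assume safe
    fixed = table[t]
    if fixed is None:
        return "not vulnerable", None
    fv = parse_version(fixed)
    if train(fv, platform) != train(v, platform):
        return "vulnerable, migrate", fixed  # the fix is only available in a later train
    return ("fixed" if v >= fv else "vulnerable"), fixed


def keys_need_regeneration(platform: str, version_when_generated: str) -> bool:
    """Per the advisory's note, key pairs generated on an affected release stay
    weak after the upgrade; this asks whether the generating release was affected."""
    table = ASA_THIS_VULN if platform == "asa" else FTD_THIS_VULN
    return assess(platform, version_when_generated, table)[0].startswith("vulnerable")


if __name__ == "__main__":
    # Constructed inputs, not from real devices.
    for platform, line in [("asa", "Cisco Adaptive Security Appliance Software Version 9.9(2)18"),
                           ("asa", "9.7(1)"), ("ftd", "Version 6.2.0 (Build 362)")]:
        this = ASA_THIS_VULN if platform == "asa" else FTD_THIS_VULN
        coll = ASA_COLLECTION if platform == "asa" else FTD_COLLECTION
        print(platform, line, "->", assess(platform, line, this), assess(platform, line, coll))
```

    The second column matters in practice: an FTD 6.2.0 device is "Not
    vulnerable" to the entropy bug but still has to move to 6.2.3.12 for the
    rest of the collection, and an ASA on 9.7 cannot be patched in place at
    all. The tables in the other advisories in this bulletin differ per
    advisory, so each needs its own dictionary; the comparison logic is the
    same.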
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-entropy

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
TCP Proxy Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20190501-asa-ftdtcp-dos
First Published: 2019 May 1 16:00 GMT
Last Updated:    2019 May 2 17:48 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvk44166
CVE-2019-1687    CWE-20
CVSS Score:      6.8 AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the TCP proxy functionality for Cisco Adaptive
    Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
    Software could allow an unauthenticated, remote attacker to cause the
    device to restart unexpectedly, resulting in a denial of service (DoS)
    condition.

    The vulnerability is due to an error in TCP-based packet inspection, which
    could cause the TCP packet to have an invalid Layer 2 (L2)-formatted
    header. An attacker could exploit this vulnerability by sending a crafted
    TCP packet sequence to the targeted device. A successful exploit could
    allow the attacker to cause a DoS condition.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftdtcp-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are
    running an affected release of Cisco ASA Software or FTD Software:

      - 3000 Series Industrial Security Appliances (ISA)
      - ASA 1000V Cloud Firewall
      - ASA 5500 Series Adaptive Security Appliances
      - ASA 5500-X Series Firewalls
      - ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
      - Adaptive Security Virtual Appliance (ASAv)
      - Firepower 2100 Series
      - Firepower 4100 Series
      - Firepower 9300 Security Appliances

    For information about affected software releases, consult the tables in
    the Fixed Software section of this advisory.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        . . .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears
    in the Cisco ASDM login window or the Device Dashboard tab of the Cisco
    ASDM Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command.
    The following example shows the output of the command for a device that
    is running Cisco FTD Software Release 6.2.0:

        > show version
        ---------------------[ ftd ]---------------------
        Model                 : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID                  : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version  : 2017-03-15-001-vrt
        VDB version           : 279
        ----------------------------------------------------

Products Confirmed Not Vulnerable

  o Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license.

    By installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. In the following table(s), the left
    column lists Cisco software releases. The right column indicates whether a
    release is affected by the vulnerability described in this advisory and
    the release that includes the fix for this vulnerability.

    Cisco ASA Software

    +------------------------+----------------------------------------------+
    | Cisco ASA Software     | Recommended Release for This Vulnerability   |
    | Release                |                                              |
    +------------------------+----------------------------------------------+
    | Prior to 9.4 ^1        | 9.4.4.34                                     |
    | 9.4                    | 9.4.4.34                                     |
    | 9.5 ^1                 | 9.6.4.25                                     |
    | 9.6                    | 9.6.4.25                                     |
    | 9.7 ^1                 | 9.8.4                                        |
    | 9.8                    | 9.8.4                                        |
    | 9.9                    | 9.9.2.50                                     |
    | 9.10                   | 9.10.1.17                                    |
    | 9.12                   | Not vulnerable                               |
    +------------------------+----------------------------------------------+

    ^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

    +------------------------+----------------------------------------------+
    | Cisco FTD Software     | Recommended Release for This Vulnerability   |
    | Release                |                                              |
    +------------------------+----------------------------------------------+
    | 6.0                    | 6.2.3.12                                     |
    | 6.0.1                  | 6.2.3.12                                     |
    | 6.1.0                  | 6.2.3.12                                     |
    | 6.2.0                  | 6.2.3.12                                     |
    | 6.2.1                  | 6.2.3.12                                     |
    | 6.2.2                  | 6.2.3.12                                     |
    | 6.2.3                  | 6.2.3.12                                     |
    | 6.3.0                  | 6.3.0.3                                      |
    | 6.4.0                  | Not vulnerable                               |
    +------------------------+----------------------------------------------+

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      - For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.
      - For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftdtcp-dos

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
VPN SAML Authentication Bypass Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190501-asaftd-saml-vpn
First Published: 2019 May 1 16:00 GMT
Last Updated:    2019 May 2 17:39 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvn72570
CVE-2019-1714    CWE-255
CVSS Score:      5.8 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the implementation of Security Assertion Markup
    Language (SAML) 2.0 Single Sign-On (SSO) for Clientless SSL VPN (WebVPN)
    and AnyConnect Remote Access VPN in Cisco Adaptive Security Appliance
    (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could
    allow an unauthenticated, remote attacker to successfully establish a VPN
    session to an affected device.

    The vulnerability is due to improper credential management when using NT
    LAN Manager (NTLM) or basic authentication. An attacker could exploit
    this vulnerability by opening a VPN session to an affected device after
    another VPN user has successfully authenticated to the affected device
    via SAML SSO. A successful exploit could allow the attacker to connect to
    secured networks behind the affected device.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asaftd-saml-vpn

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products that are running
    Cisco ASA Software Release 9.7.1 or later or Cisco FTD Software Release
    6.2.1 or later configured for SAML 2.0-based SSO for Clientless SSL VPN
    (WebVPN) or AnyConnect Remote Access VPN:

      - 3000 Series Industrial Security Appliances (ISAs)
      - Adaptive Security Appliance (ASA) 5500-X Series Firewalls
      - ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
      - Adaptive Security Virtual Appliance (ASAv)
      - Firepower 2100 Series
      - Firepower 4100 Series
      - Firepower 9300 Security Appliances
      - Firepower Threat Defense Virtual

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    ASA and FTD Features

    Cisco ASA Software and FTD Software are vulnerable only if all of the
    following features are configured:

      1. SAML 2.0 Identity Provider (IdP)
      2. SAML 2.0 Service Provider (SP)
      3. AnyConnect Remote Access VPN or Clientless SSL VPN (WebVPN)

    Note: SAML 2.0 for AnyConnect features are first supported as of ASA
    Release 9.7.1, FTD Release 6.2.1, and AnyConnect Secure Mobility Client
    Release 4.4.00243.

    To determine whether ASA or FTD is configured with a SAML 2.0 IdP,
    administrators can use the show webvpn saml idp CLI command. The
    following output shows an ASA configured with a SAML 2.0 IdP:

        ciscoasa# show webvpn saml idp
        saml idp my_domain_idp
         url sign-in https://asa-dev.my.domain.com/idp/endpoint/HttpRedirect
         url sign-out https://asa-dev.my.domain.com/idp/endpoint/HttpRedirect
         trustpoint idp my_domain_trustpoint
         trustpoint sp asa_trustpoint

    To determine whether ASA or FTD is configured with SAML 2.0 SP,
    administrators can use the show running-config tunnel-group | include
    remote-access|webvpn-attributes|saml CLI command.
    The following output shows an ASA configured with SAML 2.0 SP:

        ciscoasa# show running-config tunnel-group | include remote-access|webvpn-attributes|saml
        tunnel-group cloud_idp_onelogin type remote-access
        tunnel-group cloud_idp_onelogin webvpn-attributes
         authentication saml
         saml identity-provider my_domain_idp

    To determine whether ASA or FTD is configured for AnyConnect Remote
    Access VPN or Clientless SSL VPN (WebVPN), administrators can use the show
    running-config CLI command and consult the following table for vulnerable
    configurations:

    Feature / Vulnerable Configuration

    AnyConnect IKEv2 Remote Access (with client services)
        crypto ikev2 enable <interface_name> client-services port <port #>
        webvpn
         anyconnect enable

    AnyConnect IKEv2 Remote Access (without client services)
        crypto ikev2 enable <interface_name>
        webvpn
         anyconnect enable

    AnyConnect SSL VPN
        webvpn
         enable <interface_name>

    Clientless SSL VPN (WebVPN)
        webvpn
         enable <interface_name>

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        . . .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears
    in the Cisco ASDM login window or the Device Dashboard tab of the Cisco
    ASDM Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command.
    The following example shows the output of the command for a device that
    is running Cisco FTD Software Release 6.2.0:

        > show version
        ---------------------[ ftd ]---------------------
        Model                     : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID                      : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version      : 2017-03-15-001-vrt
        VDB version               : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco ASA
    Software or FTD Software running on the following platforms:

        ASA 1000V Cloud Firewall
        ASA 5505 Adaptive Security Appliance ^1

    ^1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505
    have reached the end-of-support milestone and are no longer evaluated for
    security vulnerabilities.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.
    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section.
    To ensure a complete upgrade solution, customers should consider that this
    advisory is part of a collection that includes the following advisories:

        cisco-sa-20190501-asa-csrf: Cisco Adaptive Security Appliance Software
            Cross-Site Request Forgery Vulnerability
        cisco-sa-20190501-asa-frpwrtd-dos: Cisco Adaptive Security Appliance
            Software and Cisco Firepower Threat Defense Software TCP Timer
            Handling Denial of Service Vulnerability
        cisco-sa-20190501-asa-ftd-dos: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software WebVPN Denial of
            Service Vulnerability
        cisco-sa-20190501-asa-ftd-entropy: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software Low-Entropy Keys
            Vulnerability
        cisco-sa-20190501-asa-ftd-ike-dos: Cisco Adaptive Security Appliance
            Software and Cisco Firepower Threat Defense Software MOBIKE Denial
            of Service Vulnerability
        cisco-sa-20190501-asaftd-saml-vpn: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software VPN SAML
            Authentication Bypass Vulnerability
        cisco-sa-20190501-asa-ipsec-dos: Cisco Adaptive Security Appliance
            Software IPsec Denial of Service Vulnerability
        cisco-sa-20190501-firepower-dos: Cisco Firepower Threat Defense
            Software TCP Ingress Handler Denial of Service Vulnerability
        cisco-sa-20190501-frpwr-dos: Cisco Firepower Threat Defense Software
            Packet Processing Denial of Service Vulnerability
        cisco-sa-20190501-frpwr-smb-snort: Cisco Firepower Threat Defense
            Software SMB Protocol Preprocessor Detection Engine Denial of
            Service Vulnerabilities
        cisco-sa-20190501-sd-cpu-dos: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software WebVPN Denial of
            Service Vulnerability

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the release that includes
    the fix for this vulnerability.
    The right column indicates whether a release is affected by all the
    vulnerabilities described in this collection of advisories and which
    release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +-------------+-------------------+---------------------------------------+
    | Cisco ASA   | Recommended       | Recommended Release for All           |
    | Software    | Release for This  | Vulnerabilities Described in the      |
    | Release     | Vulnerability     | Collection of Advisories              |
    +-------------+-------------------+---------------------------------------+
    | Prior to    | Not vulnerable    | 9.4.4.34                              |
    | 9.4 ^1      |                   |                                       |
    +-------------+-------------------+---------------------------------------+
    | 9.4         | Not vulnerable    | 9.4.4.34                              |
    +-------------+-------------------+---------------------------------------+
    | 9.5 ^1      | Not vulnerable    | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.6         | Not vulnerable    | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.7 ^1      | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.8         | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.9         | 9.9.2.50          | 9.9.2.50                              |
    +-------------+-------------------+---------------------------------------+
    | 9.10        | 9.10.1.17         | 9.10.1.17                             |
    +-------------+-------------------+---------------------------------------+
    | 9.12        | Not vulnerable    | Not vulnerable                        |
    +-------------+-------------------+---------------------------------------+

    ^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

    +---------------+-------------------+-------------------------------------+
    | Cisco FTD     | Recommended       | Recommended Release for All         |
    | Software      | Release for This  | Vulnerabilities Described in the    |
    | Release       | Vulnerability     | Collection of Advisories            |
    +---------------+-------------------+-------------------------------------+
    | 6.0           | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.0.1         | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.1.0         | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.0         | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.1         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.2         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.3         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.3.0         | 6.3.0.3           | 6.3.0.3                             |
    +---------------+-------------------+-------------------------------------+
    | 6.4.0         | Not vulnerable    | Not vulnerable                      |
    +---------------+-------------------+-------------------------------------+

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

        For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.

        For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.
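    The two checks this advisory asks administrators to make by hand, reading
    the vulnerable-configuration table and SAML example under Affected
    Products and then the ASA fixed-release table above, can be scripted over
    captured CLI output. The Python below is an added example, not Cisco's
    code and not part of the advisory. It assumes the administrator has saved
    the output of "show version | include Version" and "show running-config"
    to text; the sample captures are constructed, and the fixed-release
    dictionary is transcribed from the ASA table for this vulnerability.

```python
"""Exposure check for cisco-sa-20190501-asaftd-saml-vpn (added example, not Cisco's code).

Reads previously captured ASA CLI output and answers: is the device configured
for SAML 2.0 SP together with a listed VPN feature, and is the running ASA
release below the fixed release in the advisory's ASA table?
"""
import re

# Transcribed from the advisory's "Cisco ASA Software" table for THIS
# vulnerability: release train -> first fixed release, or None where the
# train is listed "Not vulnerable" (trains before 9.4 are also "Not vulnerable").
ASA_FIXED_FOR_SAML_VPN = {
    "9.4": None, "9.5": None, "9.6": None,
    "9.7": "9.8.4", "9.8": "9.8.4",
    "9.9": "9.9.2.50", "9.10": "9.10.1.17",
    "9.12": None,
}


def release_tuple(release: str) -> tuple:
    """Normalise '9.9.2.18' or the banner form '9.8(2)38' to an int tuple."""
    return tuple(int(p) for p in re.split(r"[.()]", release) if p)


def parse_asa_release(show_version_output: str) -> tuple:
    """Pull the ASA release from 'show version | include Version' output,
    ignoring the Device Manager (ASDM) version line."""
    m = re.search(r"Adaptive Security Appliance Software Version\s+([\d.()]+)",
                  show_version_output)
    if not m:
        raise ValueError("no ASA software version line found")
    return release_tuple(m.group(1))


def saml_release_status(running: tuple) -> str:
    """'vulnerable', 'fixed', 'not vulnerable' or 'unknown train' per the table."""
    if running[:2] < (9, 4):
        return "not vulnerable"
    train = f"{running[0]}.{running[1]}"
    if train not in ASA_FIXED_FOR_SAML_VPN:
        return "unknown train"
    fixed = ASA_FIXED_FOR_SAML_VPN[train]
    if fixed is None:
        return "not vulnerable"
    return "fixed" if running >= release_tuple(fixed) else "vulnerable"


def vpn_features(running_config: str) -> dict:
    """Scan running-config text for the configurations the advisory lists.

    Block-aware: 'enable <iface>' and 'anyconnect enable' only count inside
    the top-level 'webvpn' block and 'authentication saml' only inside a
    tunnel-group block, so a top-level 'enable password' line is not mistaken
    for a WebVPN interface.
    """
    found = {"saml_sp": False, "ikev2_interfaces": [],
             "anyconnect_enabled": False, "webvpn_interfaces": []}
    block = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):            # top-level line opens a block
            block = line.split()[0]
            m = re.match(r"crypto ikev2 enable (\S+)", line)
            if m:
                found["ikev2_interfaces"].append(m.group(1))
            continue
        if block == "tunnel-group" and line.startswith("authentication saml"):
            found["saml_sp"] = True
        elif block == "webvpn":
            if line == "anyconnect enable":
                found["anyconnect_enabled"] = True
            m = re.match(r"enable (\S+)", line)
            if m:
                found["webvpn_interfaces"].append(m.group(1))
    return found


def exposed(found: dict) -> bool:
    """SAML 2.0 SP plus AnyConnect IKEv2 remote access (with anyconnect
    enabled), AnyConnect SSL VPN or Clientless WebVPN, per the table."""
    ikev2_ra = bool(found["ikev2_interfaces"]) and found["anyconnect_enabled"]
    return found["saml_sp"] and (ikev2_ra or bool(found["webvpn_interfaces"]))


# Constructed sample captures (not from a real device); the tunnel-group
# lines mirror the advisory's SAML example.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.9.2.18
Device Manager Version 7.4(1)
"""
SAMPLE_RUNNING_CONFIG = """\
hostname ciscoasa
enable password ***** encrypted
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
tunnel-group cloud_idp_onelogin type remote-access
tunnel-group cloud_idp_onelogin webvpn-attributes
 authentication saml
 saml identity-provider my_domain_idp
"""

if __name__ == "__main__":
    release = parse_asa_release(SAMPLE_SHOW_VERSION)
    feats = vpn_features(SAMPLE_RUNNING_CONFIG)
    print("release", ".".join(map(str, release)), saml_release_status(release))
    print("features", feats, "exposed:", exposed(feats))
```

    The release comparison works on integer tuples rather than strings, so
    9.9.2.18 sorts below 9.9.2.50 and 9.8(2)38 below 9.8.4; a train the table
    does not list is reported as unknown rather than silently treated as
    safe. The FTD table can be loaded into a second dictionary the same way.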
Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asaftd-saml-vpn

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
WebVPN Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190501-sd-cpu-dos
First Published: 2019 May 1 16:00 GMT
Last Updated:    2019 May 2 17:57 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvj33780
CVE-2018-15388 CWE-400
CVSS Score:      8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the WebVPN login process of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to cause increased CPU
    utilization on an affected device.

    The vulnerability is due to excessive processing load for existing WebVPN
    login operations.
    An attacker could exploit this vulnerability by sending multiple WebVPN
    login requests to the device. A successful exploit could allow the
    attacker to increase CPU load on the device, resulting in a denial of
    service (DoS) condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-sd-cpu-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products that are running
    Cisco ASA Software or FTD Software when configured for WebVPN:

        3000 Series Industrial Security Appliances (ISAs)
        Adaptive Security Appliance (ASA) 1000V Cloud Firewall
        ASA 5505 Series Adaptive Security Appliance ^1
        ASA 5500-X Series Firewalls
        ASA Services Module for Cisco Catalyst 6500 Series Switches and
            Cisco 7600 Series Routers
        Adaptive Security Virtual Appliance (ASAv)
        Firepower 2100 Series
        Firepower 4100 Series
        Firepower 9300 ASA Security Module
        Firepower Threat Defense Virtual

    ^1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505
    have reached the end-of-support milestone and are no longer evaluated for
    security vulnerabilities.

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determining If WebVPN Is Enabled

    To determine if the WebVPN service is enabled on a device, administrators
    can use the show running-config webvpn privileged EXEC command and refer
    to the output of the command. The following example shows the output of
    the command for a device that has the WebVPN service enabled:

        ciscoasa# show running-config webvpn
        . . .
        webvpn
         enable interface_name
        . . .
    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        . . .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears
    in the Cisco ASDM login window or the Device Dashboard tab of the Cisco
    ASDM Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version
        ---------------------[ ftd ]---------------------
        Model                     : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID                      : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version      : 2017-03-15-001-vrt
        VDB version               : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Indicators of Compromise

  o During active exploitation of this vulnerability, administrators may
    notice increased CPU usage by the Unicorn Proxy Thread process. This can
    be checked by issuing the show processes cpu-usage non-zero command at the
    CLI and reviewing the statistics for the Unicorn Proxy Thread process.
        ciscoasa# show processes cpu-usage non-zero
        Hardware:   ASA5516
        Cisco Adaptive Security Appliance Software Version 9.8(2)38
        ASLR enabled, text region 7f313ea71000-7f3142d61bb4

        PC                   Thread               5Sec     1Min     5Min   Process
        0x00007f3140f35888   0x00002aaacfaa8b20   7.7%     5.0%     3.0%   Unicorn Proxy Thread
        -                    -                    9.5%     1.9%     0.8%   DATAPATH-0-2044
        -                    -                    3.6%     1.4%     0.8%   DATAPATH-1-2045

    It should be noted that the previous output is an example. Administrators
    would need to compare the output values from their device to baseline
    values from normal device operation.

Workarounds

  o There are no workarounds that address this vulnerability.

    It is possible that during active exploitation an administrator could
    mitigate the attack by implementing an ACL to block the incoming requests
    or perform rate-limiting.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.
    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section.
    To ensure a complete upgrade solution, customers should consider that this
    advisory is part of a collection that includes the following advisories:

        cisco-sa-20190501-asa-csrf: Cisco Adaptive Security Appliance Software
            Cross-Site Request Forgery Vulnerability
        cisco-sa-20190501-asa-frpwrtd-dos: Cisco Adaptive Security Appliance
            Software and Cisco Firepower Threat Defense Software TCP Timer
            Handling Denial of Service Vulnerability
        cisco-sa-20190501-asa-ftd-dos: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software WebVPN Denial of
            Service Vulnerability
        cisco-sa-20190501-asa-ftd-entropy: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software Low-Entropy Keys
            Vulnerability
        cisco-sa-20190501-asa-ftd-ike-dos: Cisco Adaptive Security Appliance
            Software and Cisco Firepower Threat Defense Software MOBIKE Denial
            of Service Vulnerability
        cisco-sa-20190501-asaftd-saml-vpn: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software VPN SAML
            Authentication Bypass Vulnerability
        cisco-sa-20190501-asa-ipsec-dos: Cisco Adaptive Security Appliance
            Software IPsec Denial of Service Vulnerability
        cisco-sa-20190501-firepower-dos: Cisco Firepower Threat Defense
            Software TCP Ingress Handler Denial of Service Vulnerability
        cisco-sa-20190501-frpwr-dos: Cisco Firepower Threat Defense Software
            Packet Processing Denial of Service Vulnerability
        cisco-sa-20190501-frpwr-smb-snort: Cisco Firepower Threat Defense
            Software SMB Protocol Preprocessor Detection Engine Denial of
            Service Vulnerabilities
        cisco-sa-20190501-sd-cpu-dos: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software WebVPN Denial of
            Service Vulnerability

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the release that includes
    the fix for this vulnerability.
    The right column indicates whether a release is affected by all the
    vulnerabilities described in this collection of advisories and which
    release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +-------------+-------------------+---------------------------------------+
    | Cisco ASA   | Recommended       | Recommended Release for All the       |
    | Software    | Release for This  | Vulnerabilities Described in the      |
    | Release     | Vulnerability     | Collection of Advisories              |
    +-------------+-------------------+---------------------------------------+
    | Prior to    | 9.4.4.34          | 9.4.4.34                              |
    | 9.4 ^1      |                   |                                       |
    +-------------+-------------------+---------------------------------------+
    | 9.4         | 9.4.4.34          | 9.4.4.34                              |
    +-------------+-------------------+---------------------------------------+
    | 9.5 ^1      | 9.6.4.25          | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.6         | 9.6.4.25          | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.7         | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.8         | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.9         | 9.9.2.50          | 9.9.2.50                              |
    +-------------+-------------------+---------------------------------------+
    | 9.10        | Not vulnerable    | 9.10.1.17                             |
    +-------------+-------------------+---------------------------------------+
    | 9.12        | Not vulnerable    | Not vulnerable                        |
    +-------------+-------------------+---------------------------------------+

    ^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.
    Cisco FTD Software

    +---------------+-------------------+-------------------------------------+
    | Cisco         | Recommended       | Recommended Release for All the     |
    | Firepower and | Release for This  | Vulnerabilities Described in the    |
    | FMC Software  | Vulnerability     | Collection of Advisories            |
    +---------------+-------------------+-------------------------------------+
    | 6.0           | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.0.1         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.1.0         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.0         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.1         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.2         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.3         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.3.0         | Not vulnerable    | 6.3.0.3                             |
    +---------------+-------------------+-------------------------------------+
    | 6.4.0         | Not vulnerable    | Not vulnerable                      |
    +---------------+-------------------+-------------------------------------+

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

        For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.

        For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.
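    The Indicators of Compromise section of this advisory asks administrators
    to compare the Unicorn Proxy Thread figures in "show processes cpu-usage
    non-zero" against baseline values from normal operation. The Python below
    is an added example, not Cisco's code and not part of the advisory: it
    parses that command's output (the sample is the advisory's own example
    output, reproduced as a string) and applies the baseline comparison. The
    baseline figures, the multiplier and the absolute floor are assumptions
    chosen for the example, not values from Cisco.

```python
"""CPU-load indicator check for cisco-sa-20190501-sd-cpu-dos (added example, not Cisco's code).

Parses 'show processes cpu-usage non-zero' output and compares the Unicorn
Proxy Thread load with a normal-operation baseline, as the advisory's
Indicators of Compromise section describes.
"""
import re
from dataclasses import dataclass

# One data row: PC, thread id, 5Sec, 1Min, 5Min, process name (may contain spaces).
CPU_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(.+?)\s*$")


@dataclass(frozen=True)
class CpuSample:
    five_sec: float
    one_min: float
    five_min: float


def parse_cpu_usage(output: str) -> dict:
    """Map process name -> CpuSample; banner, header and prompt lines are skipped
    because they carry no three percentage columns."""
    stats = {}
    for line in output.splitlines():
        m = CPU_ROW.match(line.strip())
        if m:
            stats[m.group(6)] = CpuSample(*(float(m.group(i)) for i in (3, 4, 5)))
    return stats


def webvpn_login_load_alert(stats: dict, baseline: CpuSample,
                            factor: float = 3.0, floor: float = 4.0):
    """Return (flagged, detail).

    Flags when the Unicorn Proxy Thread 1-minute average is at least `floor`
    percent AND at least `factor` times the baseline 1-minute average. Both
    thresholds are assumptions for this example; tune them to the device's
    own baseline so that a busy-but-normal portal does not page anyone.
    """
    cur = stats.get("Unicorn Proxy Thread")
    if cur is None:
        return False, "Unicorn Proxy Thread absent from non-zero list (idle)"
    flagged = cur.one_min >= floor and cur.one_min >= factor * baseline.one_min
    detail = (f"Unicorn Proxy Thread 1Min {cur.one_min}% / 5Min {cur.five_min}% "
              f"vs baseline 1Min {baseline.one_min}%")
    return flagged, detail


# Sample output reproduced from the advisory's example; the baseline below is
# a constructed value standing in for the device's own normal-operation figures.
SAMPLE_OUTPUT = """\
ciscoasa# show processes cpu-usage non-zero
Hardware:   ASA5516
Cisco Adaptive Security Appliance Software Version 9.8(2)38
ASLR enabled, text region 7f313ea71000-7f3142d61bb4

PC                   Thread               5Sec     1Min     5Min   Process
0x00007f3140f35888   0x00002aaacfaa8b20   7.7%     5.0%     3.0%   Unicorn Proxy Thread
-                    -                    9.5%     1.9%     0.8%   DATAPATH-0-2044
-                    -                    3.6%     1.4%     0.8%   DATAPATH-1-2045
"""
NORMAL_BASELINE = CpuSample(five_sec=0.3, one_min=0.5, five_min=0.4)

if __name__ == "__main__":
    flagged, detail = webvpn_login_load_alert(parse_cpu_usage(SAMPLE_OUTPUT), NORMAL_BASELINE)
    print("ALERT" if flagged else "ok", detail)
```

    Run periodically against collected output, a positive result is the cue
    to apply the interim measures the Workarounds section mentions (an ACL on
    the incoming requests or rate-limiting) while the fixed release is
    scheduled. The 1-minute column is used rather than 5Sec because the
    5-second figure swings with every burst of legitimate logins.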
Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Jason Moulder of Pratum for reporting this
    vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Action Links for This Advisory

  o Snort Rule 49996

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-sd-cpu-dos

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
WebVPN Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190501-asa-ftd-dos
First Published: 2019 May 1 16:00 GMT
Last Updated:    2019 May 2 17:47 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvn77957
CVE-2019-1693 CWE-399
CVSS Score:      7.7 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the WebVPN service of Cisco Adaptive Security Appliance
    (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could
    allow an authenticated, remote attacker to cause a denial of service (DoS)
    condition on an affected device.

    The vulnerability is due to improper management of authenticated sessions
    in the WebVPN portal. An attacker could exploit this vulnerability by
    authenticating with valid credentials and accessing a specific URL in the
    WebVPN portal. A successful exploit could allow the attacker to cause the
    device to reload, resulting in a temporary DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products that are running
    a vulnerable release of Cisco ASA Software or FTD Software and have the
    WebVPN (either Clientless WebVPN or AnyConnect WebVPN) service enabled:

        3000 Series Industrial Security Appliances (ISAs)
        ASA 1000V Cloud Firewall
        ASA 5500-X Series Firewalls
        ASA 5505 Adaptive Security Appliance ^1
        ASA Services Module for Cisco Catalyst 6500 Series Switches and
            Cisco 7600 Series Routers
        Adaptive Security Virtual Appliance (ASAv)
        Firepower 2100 Series
        Firepower 4100 Series
        Firepower 9300 Security Appliances
        FTD Virtual (FTDv)

    ^1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505
    have reached the end-of-support milestone and are no longer evaluated for
    security vulnerabilities.

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        . . .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears
    in the Cisco ASDM login window or the Device Dashboard tab of the Cisco
    ASDM Home pane.
    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version
        ---------------------[ ftd ]---------------------
        Model                     : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID                      : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version      : 2017-03-15-001-vrt
        VDB version               : 279
        ----------------------------------------------------

    Determining Whether the WebVPN Service Is Enabled

    To determine whether the WebVPN service is running on a device,
    administrators can log in to the device, use the show running-config
    webvpn command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that has
    the WebVPN service enabled:

        ciscoasa# show running-config webvpn
        . . .
        webvpn
         enable <interface_name>
        . . .

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner.
    In most cases this will be a maintenance upgrade to software that was
    previously purchased. Free security software updates do not entitle
    customers to a new software license, additional software feature sets, or
    major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section.
    To ensure a complete upgrade solution, customers should consider that this
    advisory is part of a collection that includes the following advisories:

        cisco-sa-20190501-asa-csrf: Cisco Adaptive Security Appliance Software
            Cross-Site Request Forgery Vulnerability
        cisco-sa-20190501-asa-frpwrtd-dos: Cisco Adaptive Security Appliance
            Software and Cisco Firepower Threat Defense Software TCP Timer
            Handling Denial of Service Vulnerability
        cisco-sa-20190501-asa-ftd-dos: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software WebVPN Denial of
            Service Vulnerability
        cisco-sa-20190501-asa-ftd-entropy: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software Low-Entropy Keys
            Vulnerability
        cisco-sa-20190501-asa-ftd-ike-dos: Cisco Adaptive Security Appliance
            Software and Cisco Firepower Threat Defense Software MOBIKE Denial
            of Service Vulnerability
        cisco-sa-20190501-asaftd-saml-vpn: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software VPN SAML
            Authentication Bypass Vulnerability
        cisco-sa-20190501-asa-ipsec-dos: Cisco Adaptive Security Appliance
            Software IPsec Denial of Service Vulnerability
        cisco-sa-20190501-firepower-dos: Cisco Firepower Threat Defense
            Software TCP Ingress Handler Denial of Service Vulnerability
        cisco-sa-20190501-frpwr-dos: Cisco Firepower Threat Defense Software
            Packet Processing Denial of Service Vulnerability
        cisco-sa-20190501-frpwr-smb-snort: Cisco Firepower Threat Defense
            Software SMB Protocol Preprocessor Detection Engine Denial of
            Service Vulnerabilities
        cisco-sa-20190501-sd-cpu-dos: Cisco Adaptive Security Appliance
            Software and Firepower Threat Defense Software WebVPN Denial of
            Service Vulnerability

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the release that includes
    the fix for this vulnerability.
    The right column indicates whether a release is affected by all the
    vulnerabilities described in this collection of advisories and which
    release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +-------------+-------------------+---------------------------------------+
    | Cisco ASA   | Recommended       | Recommended Release for All           |
    | Software    | Release for This  | Vulnerabilities Described in the      |
    | Release     | Vulnerability     | Collection of Advisories              |
    +-------------+-------------------+---------------------------------------+
    | Prior to    | 9.4.4.34          | 9.4.4.34                              |
    | 9.4 ^1      |                   |                                       |
    +-------------+-------------------+---------------------------------------+
    | 9.4         | 9.4.4.34          | 9.4.4.34                              |
    +-------------+-------------------+---------------------------------------+
    | 9.5 ^1      | 9.6.4.25          | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.6         | 9.6.4.25          | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.7 ^1      | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.8         | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.9         | 9.9.2.50          | 9.9.2.50                              |
    +-------------+-------------------+---------------------------------------+
    | 9.10        | 9.10.1.17         | 9.10.1.17                             |
    +-------------+-------------------+---------------------------------------+
    | 9.12        | Not vulnerable    | Not vulnerable                        |
    +-------------+-------------------+---------------------------------------+

    ^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

    +---------------+-------------------+-------------------------------------+
    | Cisco FTD     | Recommended       | Recommended Release for All         |
    | Software      | Release for This  | Vulnerabilities Described in the    |
    | Release       | Vulnerability     | Collection of Advisories            |
    +---------------+-------------------+-------------------------------------+
    | 6.0           | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.0.1         | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.1.0         | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.0         | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.1         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.2         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.3         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.3.0         | 6.3.0.3           | 6.3.0.3                             |
    +---------------+-------------------+-------------------------------------+
    | 6.4.0         | Not vulnerable    | Not vulnerable                      |
    +---------------+-------------------+-------------------------------------+

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

        For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.

        For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.
Source

o Cisco would like to thank Qian Chen of Qihoo 360 Information Security Department for reporting this vulnerability.

Cisco Security Vulnerability Policy

o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Action Links for This Advisory

o Snort Rule 50007

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-dos

Revision History

o
+---------+-----------------------------+----------+--------+-------------+
| Version | Description                 | Section  | Status | Date        |
+---------+-----------------------------+----------+--------+-------------+
|         | Updated the FTD fixed       |          |        |             |
| 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
|         | that FTD Software Release   | Software |        |             |
|         | 6.3.0.3 is available.       |          |        |             |
+---------+-----------------------------+----------+--------+-------------+
| 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
+---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance and Firepower Threat Defense Software Layer 2 Filtering Bypass Vulnerability

Priority: Medium
Advisory ID: cisco-sa-20190501-asa-ftd-bypass
First Published: 2019 May 1 16:00 GMT
Last Updated: 2019 May 2 17:44 GMT
Version 1.1: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvm75358
CVE-2019-1695
CWE-284
CVSS Score: 4.3 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

o A vulnerability in the detection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, adjacent attacker to send data directly to the kernel of an affected device.
The vulnerability exists because the software improperly filters Ethernet frames sent to an affected device. An attacker could exploit this vulnerability by sending crafted packets to the management interface of an affected device. A successful exploit could allow the attacker to bypass the Layer 2 (L2) filters and send data directly to the kernel of the affected device. A malicious frame successfully delivered would make the target device generate a specific syslog entry.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-bypass

Affected Products

o Vulnerable Products

This vulnerability affects Cisco Firepower 2100 Series devices that are running a vulnerable release of Cisco ASA Software or FTD Software.

For information about which Cisco ASA Software and FTD Software releases are vulnerable, see the Fixed Software section of this advisory.

Determining the Cisco ASA Software Release

To determine which Cisco ASA Software release is running on a device, administrators can log in to the device, use the show version | include Version command in the CLI, and refer to the output of the command. The following example shows the output of the command for a device that is running Cisco ASA Software Release 9.9.2.18:

    ciscoasa# show version | include Version
    Cisco Adaptive Security Appliance Software Version 9.9.2.18
    Device Manager Version 7.4(1)
    .
    .
    .

If a device is managed by using Cisco Adaptive Security Device Manager (ASDM), administrators can also determine which release is running on a device by referring to the release information in the table that appears in the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM Home pane.
Determining the Cisco FTD Software Release

To determine which Cisco FTD Software release is running on a device, administrators can log in to the device and use the show version command in the CLI. The following example shows the output of the command for a device that is running Cisco FTD Software Release 6.2.2:

    > show version
    ------------------[ ftd ]-----------------------
    Model                : Cisco Firepower 2130 Threat Defense (77) Version 6.2.2 (Build 81)
    UUID                 : 0cd3595a-7efa-11e7-aaa1-ee3989c8bf25
    Rules update version : 2017-12-20-001-vrt
    VDB version          : 290
    ----------------------------------------------------

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

o There are no workarounds that address this vulnerability.

Fixed Software

o Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

Customers are advised to upgrade to an appropriate release as indicated in the applicable table in this section. In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability described in this advisory and the release that includes the fix for this vulnerability.

Cisco ASA Software

+----------------------------+--------------------------------------------+
| Cisco ASA Software Release | Recommended Release for This Vulnerability |
+----------------------------+--------------------------------------------+
| Prior to 9.4 ^1            | Not vulnerable                             |
| 9.4                        | Not vulnerable                             |
| 9.5 ^1                     | Not vulnerable                             |
| 9.6                        | Not vulnerable                             |
| 9.7 ^1                     | Not vulnerable                             |
| 9.8 ^2                     | 9.8.4                                      |
| 9.9                        | 9.9.2.50                                   |
| 9.10                       | 9.10.1.17                                  |
| 9.12                       | Not vulnerable                             |
+----------------------------+--------------------------------------------+

^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software Releases 9.5 and 9.7 have reached end of maintenance. Customers should migrate to a supported release that includes the fix for this vulnerability.

^2 Only software releases 9.8.2 and later are vulnerable.
Cisco FTD Software

+----------------------------+--------------------------------------------+
| Cisco FTD Software Release | Recommended Release for This Vulnerability |
+----------------------------+--------------------------------------------+
| 6.0                        | Not vulnerable                             |
| 6.0.1                      | Not vulnerable                             |
| 6.1.0                      | Not vulnerable                             |
| 6.2.0                      | Not vulnerable                             |
| 6.2.1                      | 6.2.3.12                                   |
| 6.2.2                      | 6.2.3.12                                   |
| 6.2.3                      | 6.2.3.12                                   |
| 6.3.0                      | 6.3.0.3                                    |
| 6.4.0                      | Not vulnerable                             |
+----------------------------+--------------------------------------------+

To upgrade to a fixed release of Cisco FTD Software, customers can do one of the following:

  For devices that are managed by using Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After installation is complete, reapply the access control policy.

  For devices that are managed by using Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After installation is complete, reapply the access control policy.

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-bypass

Revision History

o
+---------+-----------------------------+----------+--------+-------------+
| Version | Description                 | Section  | Status | Date        |
+---------+-----------------------------+----------+--------+-------------+
|         | Updated the FTD fixed       |          |        |             |
| 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
|         | that FTD Software Release   | Software |        |             |
|         | 6.3.0.3 is available.       |          |        |             |
+---------+-----------------------------+----------+--------+-------------+
| 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
+---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerabilities

Priority: Medium
Advisory ID: cisco-sa-20190501-asa-ftd-xss
First Published: 2019 May 1 16:00 GMT
Last Updated: 2019 May 2 17:42 GMT
Version 1.1: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvn78674 CSCvo11406 CSCvo11416 CSCvo17033
CVE-2019-1701
CWE-79
CVSS Score: 4.8 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X

Summary

o Multiple vulnerabilities in the WebVPN service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the WebVPN portal of an affected device.

The vulnerabilities exist because the software insufficiently validates user-supplied input on an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. An attacker would need administrator privileges on the device to exploit these vulnerabilities.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-xss

Affected Products

o Vulnerable Products

These vulnerabilities affect the following Cisco products that are running a vulnerable release of Cisco ASA Software or FTD Software and have the WebVPN service enabled:

  3000 Series Industrial Security Appliances (ISAs)
  ASA 1000V Cloud Firewall
  ASA 5500-X Series Firewalls
  ASA 5505 Adaptive Security Appliance ^1
  ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  Adaptive Security Virtual Appliance (ASAv)
  Firepower 2100 Series
  Firepower 4100 Series
  Firepower 9300 Security Appliances
  FTD Virtual (FTDv)

^1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505 have reached the end-of-support milestone and are no longer evaluated for security vulnerabilities.

For information about which Cisco ASA Software and FTD Software releases are vulnerable, see the Fixed Software section of this advisory.

Determining the Cisco ASA Software Release

To determine which Cisco ASA Software release is running on a device, administrators can log in to the device, use the show version | include Version command in the CLI, and refer to the output of the command. The following example shows the output of the command for a device that is running Cisco ASA Software Release 9.9.2.18:

    ciscoasa# show version | include Version
    Cisco Adaptive Security Appliance Software Version 9.9.2.18
    Device Manager Version 7.4(1)
    .
    .
    .

If a device is managed by using Cisco Adaptive Security Device Manager (ASDM), administrators can also determine which release is running on a device by referring to the release information in the table that appears in the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM Home pane.
Determining the Cisco FTD Software Release

To determine which Cisco FTD Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and refer to the output of the command. The following example shows the output of the command for a device that is running Cisco FTD Software Release 6.2.0:

    > show version
    ---------------------[ ftd ]---------------------
    Model                : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
    UUID                 : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
    Rules update version : 2017-03-15-001-vrt
    VDB version          : 279
    ----------------------------------------------------

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.

Workarounds

o There are no workarounds that address these vulnerabilities.

Fixed Software

o Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

Customers are advised to upgrade to an appropriate release as indicated in the applicable table in this section. In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerabilities described in this advisory and the release that includes the fix for these vulnerabilities.

Cisco ASA Software

+----------------------------+-----------------------------------------------+
| Cisco ASA Software Release | Recommended Release for These Vulnerabilities |
+----------------------------+-----------------------------------------------+
| Prior to 9.4 ^1            | 9.4.4.34                                      |
| 9.4                        | 9.4.4.34                                      |
| 9.5 ^1                     | 9.6.4.25                                      |
| 9.6                        | 9.6.4.25                                      |
| 9.7 ^1                     | 9.8.4                                         |
| 9.8                        | 9.8.4                                         |
| 9.9                        | 9.9.2.50                                      |
| 9.10                       | 9.10.1.17                                     |
| 9.12                       | Not vulnerable                                |
+----------------------------+-----------------------------------------------+

^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software Releases 9.5 and 9.7 have reached end of maintenance. Customers should migrate to a supported release that includes the fix for these vulnerabilities.
Cisco FTD Software

+----------------------------+-----------------------------------------------+
| Cisco FTD Software Release | Recommended Release for These Vulnerabilities |
+----------------------------+-----------------------------------------------+
| 6.0                        | Not vulnerable                                |
| 6.0.1                      | Not vulnerable                                |
| 6.1.0                      | Not vulnerable                                |
| 6.2.0                      | Not vulnerable                                |
| 6.2.1                      | 6.2.3.12                                      |
| 6.2.2                      | 6.2.3.12                                      |
| 6.2.3                      | 6.2.3.12                                      |
| 6.3.0                      | 6.3.0.3                                       |
| 6.4.0                      | Not vulnerable                                |
+----------------------------+-----------------------------------------------+

To upgrade to a fixed release of Cisco FTD Software, customers can do one of the following:

  For devices that are managed by using Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After installation is complete, reapply the access control policy.

  For devices that are managed by using Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After installation is complete, reapply the access control policy.

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

Source

o Cisco would like to thank Qian Chen of Qihoo 360 Information Security Department for reporting one of these vulnerabilities. The other vulnerabilities in this advisory were found during internal security testing.

Cisco Security Vulnerability Policy

o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
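Applying the fixed-release tables of the three advisories in this bulletin to the show version output described in their "Determining the Cisco ASA/FTD Software Release" sections is a manual, error-prone step across a fleet. The following is an added example (not Cisco's or AusCERT's code) that parses that output and reports a device's status against each advisory; it goes beyond the tables by handling the footnote-2 carve-out for the bypass advisory and releases the tables do not list. The table contents are transcribed from the advisories above; the regexes assume the output formats the advisories show.

```python
"""Check Cisco ASA/FTD 'show version' output against the fixed-release tables
in this bulletin. Added example, not Cisco's or AusCERT's code; tables are
transcribed from the three advisories, parsing assumes their output formats."""
import re

NV = None  # stands for "Not vulnerable" in the advisory tables

# ASA rows for MOBIKE DoS (asa-ftd-ike-dos) and WebVPN XSS (asa-ftd-xss); both
# advisories list the same ASA fixed releases. "<9.4" is the "Prior to 9.4" row.
ASA_MOBIKE_XSS = {
    "<9.4": "9.4.4.34", "9.4": "9.4.4.34", "9.5": "9.6.4.25", "9.6": "9.6.4.25",
    "9.7": "9.8.4", "9.8": "9.8.4", "9.9": "9.9.2.50", "9.10": "9.10.1.17",
    "9.12": NV,
}
# ASA rows for the Layer 2 filtering bypass (asa-ftd-bypass).
ASA_BYPASS = {
    "<9.4": NV, "9.4": NV, "9.5": NV, "9.6": NV, "9.7": NV,
    "9.8": "9.8.4", "9.9": "9.9.2.50", "9.10": "9.10.1.17", "9.12": NV,
}
# Footnote 2 of that advisory: in the 9.8 train only 9.8.2 and later are vulnerable.
ASA_BYPASS_FIRST_VULNERABLE = {"9.8": "9.8.2"}
# FTD rows are the same in all three advisories.
FTD_ALL = {
    "6.0": NV, "6.0.1": NV, "6.1.0": NV, "6.2.0": NV,
    "6.2.1": "6.2.3.12", "6.2.2": "6.2.3.12", "6.2.3": "6.2.3.12",
    "6.3.0": "6.3.0.3", "6.4.0": NV,
}
# advisory id -> (ASA table, ASA first-vulnerable overrides, FTD table)
ADVISORIES = {
    "cisco-sa-20190501-asa-ftd-ike-dos": (ASA_MOBIKE_XSS, {}, FTD_ALL),
    "cisco-sa-20190501-asa-ftd-xss": (ASA_MOBIKE_XSS, {}, FTD_ALL),
    "cisco-sa-20190501-asa-ftd-bypass": (ASA_BYPASS, ASA_BYPASS_FIRST_VULNERABLE, FTD_ALL),
}


def vtuple(release):
    """'9.9.2.18' -> (9, 9, 2, 18), so releases compare numerically, not as strings."""
    return tuple(int(p) for p in release.split("."))


def parse_show_version(output):
    """Return ('asa' | 'ftd', release string) from the CLI output shown in the advisories."""
    m = re.search(r"Adaptive Security Appliance Software Version (\d+(?:\.\d+)+)", output)
    if m:
        return "asa", m.group(1)
    m = re.search(r"Threat Defense.*?Version (\d+(?:\.\d+)+)", output, re.S)
    if m:
        return "ftd", m.group(1)
    raise ValueError("unrecognised show version output")


def assess(release, table, first_vulnerable=None):
    """Return (status, recommended release). status is 'not vulnerable',
    'vulnerable', 'fixed' (at or past the fixed release) or 'unknown' (no row)."""
    ver = vtuple(release)
    # Longest matching train wins, so FTD 6.0.1 hits the "6.0.1" row, not "6.0".
    rows = [k for k in table if not k.startswith("<") and ver[:len(vtuple(k))] == vtuple(k)]
    if rows:
        row = max(rows, key=len)
    else:
        below = [k for k in table if k.startswith("<") and ver < vtuple(k[1:])]
        if not below:
            return "unknown", None
        row = below[0]
    fixed = table[row]
    if fixed is NV:
        return "not vulnerable", None
    first = (first_vulnerable or {}).get(row)
    if first and ver < vtuple(first):
        return "not vulnerable", None  # footnote carve-out (e.g. ASA 9.8.1 for the bypass)
    return ("fixed" if ver >= vtuple(fixed) else "vulnerable"), fixed


def check(output, advisory_id):
    """Parse 'show version' output and look the release up for one advisory."""
    asa_table, asa_first, ftd_table = ADVISORIES[advisory_id]
    platform, release = parse_show_version(output)
    if platform == "asa":
        return assess(release, asa_table, asa_first)
    return assess(release, ftd_table)
```

Running check() on the ASA 9.9.2.18 output quoted in the advisories reports "vulnerable" with recommended release 9.9.2.50 for all three advisories; a 9.8.1 device is vulnerable to the MOBIKE and XSS issues but not to the bypass.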
Action Links for This Advisory

o Understanding Cross-Site Scripting (XSS)

Threat Vectors Related to This Advisory

o Cross-Site Scripting

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-xss

Revision History

o
+---------+-----------------------------+----------+--------+-------------+
| Version | Description                 | Section  | Status | Date        |
+---------+-----------------------------+----------+--------+-------------+
|         | Updated the FTD fixed       |          |        |             |
| 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
|         | that FTD Software Release   | Software |        |             |
|         | 6.3.0.3 is available.       |          |        |             |
+---------+-----------------------------+----------+--------+-------------+
| 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
+---------+-----------------------------+----------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----