Published: 03 May 2019

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1510.2
           Cisco Adaptive Security Appliance Software and Cisco
                     Firepower Threat Defense Software
                                3 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adaptive Security Appliance Software and Firepower Threat Defense Software
Publisher:         Cisco Systems
Impact/Access:     Access Privileged Data   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Cross-site Scripting     -- Existing Account      
                   Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1715 CVE-2019-1714 CVE-2019-1708
                   CVE-2019-1701 CVE-2019-1697 CVE-2019-1695
                   CVE-2019-1694 CVE-2019-1693 CVE-2019-1687
                   CVE-2018-15388  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-ike-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-frpwrtd-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftds-ldapdos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-entropy
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftdtcp-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asaftd-saml-vpn
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-sd-cpu-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-bypass
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-xss

Comment: This bulletin contains ten (10) Cisco Systems security advisories.

Revision History:  May 3 2019: Fixed release 6.3.0.3 is now available; added L2 filtering bypass and FTD XSS.
                   May 2 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense
Software MOBIKE Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190501-asa-ftd-ike-dos

First Published: 2019 May 1 16:00 GMT

Last Updated:    2019 May 2 17:37 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvm72145

CVE-2019-1708    

CWE-404

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Internet Key Exchange Version 2 Mobility and
    Multihoming Protocol (MOBIKE) feature for the Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to cause a memory leak or a
    reload of an affected device that leads to a denial of service (DoS)
    condition.

    The vulnerability is due to the incorrect processing of certain MOBIKE
    packets. An attacker could exploit this vulnerability by sending crafted
    MOBIKE packets to an affected device to be processed. A successful exploit
    could cause an affected device to continuously consume memory and
    eventually reload, resulting in a DoS condition. The MOBIKE feature is
    supported only for IPv4 addresses.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-ike-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products that are running a
    vulnerable release of Cisco ASA Software or FTD Software if configured for
    MOBIKE ^1:

       3000 Series Industrial Security Appliances (ISAs)
       ASA 5500 Series Adaptive Security Appliances
       ASA 5500-X Series Firewalls
       ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
       Firepower 4100 Series
       Firepower 9300 Security Appliance
       FTD Virtual (FTDv)

    ^1 The MOBIKE support for IPsec IKEv2 remote access VPNs was added as of
    9.8(1). The MOBIKE feature is always enabled and cannot be disabled by the
    user. See the Details section for more information.

    MOBIKE is enabled for each Security Association only when the client
    proposes it and the ASA accepts it. The device should be considered
    vulnerable if Internet Key Exchange Version 2 (IKEv2) remote access VPN is
    configured. The administrator can issue the show running-config command and
    check for the crypto ikev2 enable <interface> command and the tunnel-group
    <tunnel_group_name> type remote-access command (also called connection
    profile).

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Adaptive Security Virtual Appliance (ASAv)
       ASA 1000V Cloud Firewall
       Firepower 2100 Series Security Appliance

Details

  o MOBIKE extends ASA remote access VPNs to support mobile device roaming.
    This support means the endpoint IP address for a MOBIKE device IKE/IPsec
    Security Association can be updated rather than deleted when the device
    moves from its current connection point to another.

    For additional information about the MOBIKE feature, refer to About Mobike
    and Remote Access VPNs.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To ensure a complete upgrade
    solution, customers should consider that this advisory is part of a
    collection that includes the following advisories:

       cisco-sa-20190501-asa-csrf : Cisco Adaptive Security Appliance Software
        Cross-Site Request Forgery Vulnerability
       cisco-sa-20190501-asa-frpwrtd-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software TCP Timer Handling
        Denial of Service Vulnerability
       cisco-sa-20190501-asa-ftd-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability
       cisco-sa-20190501-asa-ftd-entropy : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software Low-Entropy Keys
        Vulnerability
       cisco-sa-20190501-asa-ftd-ike-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software MOBIKE Denial of
        Service Vulnerability
       cisco-sa-20190501-asaftd-saml-vpn : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software VPN SAML Authentication
        Bypass Vulnerability
       cisco-sa-20190501-asa-ipsec-dos : Cisco Adaptive Security Appliance
        Software IPsec Denial of Service Vulnerability
       cisco-sa-20190501-firepower-dos : Cisco Firepower Threat Defense
        Software TCP Ingress Handler Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-dos: Cisco Firepower Threat Defense Software
        Packet Processing Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-smb-snort : Cisco Firepower Threat Defense
        Software SMB Protocol Preprocessor Detection Engine Denial of Service
        Vulnerabilities
       cisco-sa-20190501-sd-cpu-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the release that includes the
    fix for this vulnerability. The right column indicates whether a release is
    affected by all the vulnerabilities described in this collection of
    advisories and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

     Cisco ASA         Recommended Release         Recommended Release for All
      Software               for This           Vulnerabilities Described in the
      Release             Vulnerability             Collection of Advisories
    Prior to 9.4 ^1    Not vulnerable       9.4.4.34
    9.4                Not vulnerable       9.4.4.34
    9.5 ^1             Not vulnerable       9.6.4.25
    9.6                Not vulnerable       9.6.4.25
    9.7 ^1             Not vulnerable       9.8.4
    9.8                9.8.4                9.8.4
    9.9                9.9.2.50             9.9.2.50
    9.10               9.10.1.17            9.10.1.17
    9.12               Not vulnerable       Not vulnerable

    ^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

     Cisco FTD   Recommended Release         Recommended Release for All
      Software         for This           Vulnerabilities Described in the
      Release       Vulnerability             Collection of Advisories
    6.0          Not vulnerable       6.2.3.12
    6.0.1        Not vulnerable       6.2.3.12
    6.1.0        Not vulnerable       6.2.3.12
    6.2.0        Not vulnerable       6.2.3.12
    6.2.1        Not vulnerable       6.2.3.12
    6.2.2        6.2.3.12             6.2.3.12
    6.2.3        6.2.3.12             6.2.3.12
    6.3.0        6.3.0.3              6.3.0.3
    6.4.0        Not vulnerable       Not vulnerable

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-asa-ftd-ike-dos

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense
Software TCP Timer Handling Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190501-asa-frpwrtd-dos

First Published: 2019 May 1 16:00 GMT

Last Updated:    2019 May 2 17:45 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvn78174

CVE-2019-1694    

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the TCP processing engine of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to cause an affected device
    to reload, resulting in a denial of service (DoS) condition.

    The vulnerability is due to the improper handling of TCP traffic. An
    attacker could exploit this vulnerability by sending a specific sequence of
    packets at a high rate through an affected device. A successful exploit
    could allow the attacker to temporarily disrupt traffic through the device
    while it reboots.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-asa-frpwrtd-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects both physical and virtual appliances if a
    vulnerable release of Cisco ASA Software or FTD Software is running on any
    of the following Cisco products:

       3000 Series Industrial Security Appliances (ISAs)
       ASA 5500-X Series Firewalls
       ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
       Adaptive Security Virtual Appliance (ASAv)
       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliance
       FTD Virtual (FTDv)

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco ASA
    Software or FTD Software running on the following platforms:

       ASA 1000V Cloud Firewall
       ASA 5505 Adaptive Security Appliance ^1

    ^1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505
    have reached the end-of-support milestone and are no longer evaluated for
    security vulnerabilities.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To ensure a complete upgrade
    solution, customers should consider that this advisory is part of a
    collection that includes the following advisories:

       cisco-sa-20190501-asa-csrf : Cisco Adaptive Security Appliance Software
        Cross-Site Request Forgery Vulnerability
       cisco-sa-20190501-asa-frpwrtd-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software TCP Timer Handling
        Denial of Service Vulnerability
       cisco-sa-20190501-asa-ftd-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability
       cisco-sa-20190501-asa-ftd-entropy : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software Low-Entropy Keys
        Vulnerability
       cisco-sa-20190501-asa-ftd-ike-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software MOBIKE Denial of
        Service Vulnerability
       cisco-sa-20190501-asaftd-saml-vpn : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software VPN SAML Authentication
        Bypass Vulnerability
       cisco-sa-20190501-asa-ipsec-dos : Cisco Adaptive Security Appliance
        Software IPsec Denial of Service Vulnerability
       cisco-sa-20190501-firepower-dos : Cisco Firepower Threat Defense
        Software TCP Ingress Handler Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-dos: Cisco Firepower Threat Defense Software
        Packet Processing Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-smb-snort : Cisco Firepower Threat Defense
        Software SMB Protocol Preprocessor Detection Engine Denial of Service
        Vulnerabilities
       cisco-sa-20190501-sd-cpu-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the release that includes the
    fix for this vulnerability. The right column indicates whether a release is
    affected by all the vulnerabilities described in this collection of
    advisories and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

     Cisco ASA         Recommended Release         Recommended Release for All
      Software               for This           Vulnerabilities Described in the
      Release             Vulnerability             Collection of Advisories
    Prior to 9.4 ^1    Not vulnerable       9.4.4.34
    9.4                9.4.4.34             9.4.4.34
    9.5 ^1             9.6.4.25             9.6.4.25
    9.6                9.6.4.25             9.6.4.25
    9.7 ^1             9.8.4                9.8.4
    9.8                9.8.4                9.8.4
    9.9                9.9.2.50             9.9.2.50
    9.10               9.10.1.17            9.10.1.17
    9.12               Not vulnerable       Not vulnerable

    ^1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

     Cisco FTD   Recommended Release         Recommended Release for All
      Software         for This           Vulnerabilities Described in the
      Release       Vulnerability             Collection of Advisories
    6.0          6.2.3.12             6.2.3.12
    6.0.1        6.2.3.12             6.2.3.12
    6.1.0        6.2.3.12             6.2.3.12
    6.2.0        6.2.3.12             6.2.3.12
    6.2.1        6.2.3.12             6.2.3.12
    6.2.2        6.2.3.12             6.2.3.12
    6.2.3        6.2.3.12             6.2.3.12
    6.3.0        6.3.0.3              6.3.0.3
    6.4.0        Not Vulnerable       Not Vulnerable

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-asa-frpwrtd-dos

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Lightweight Directory Access Protocol Denial of Service Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190501-asa-ftds-ldapdos

First Published: 2019 May 1 16:00 GMT

Last Updated:    2019 May 2 17:53 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvn20985

CVE-2019-1697    

CWE-20

CVSS Score:
6.8  AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the implementation of the Lightweight Directory Access
    Protocol (LDAP) feature in Cisco Adaptive Security Appliance (ASA) Software
    and Firepower Threat Defense (FTD) Software could allow an unauthenticated,
    remote attacker to cause an affected device to reload, resulting in a
    denial of service (DoS) condition.

    The vulnerability is due to the improper parsing of LDAP packets sent to
    an affected device. An attacker could exploit this vulnerability by
    sending a crafted LDAP packet, using Basic Encoding Rules (BER), to be
    processed by an affected device. A successful exploit could allow the
    attacker to cause the affected device to reload, resulting in a DoS
    condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-asa-ftds-ldapdos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products on both physical
    and virtual appliances if they are running Cisco ASA Software or FTD
    Software and if LDAP authentication is configured:

       3000 Series Industrial Security Appliances (ISA)
       ASA 5500-X Series Firewalls
       ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
       Adaptive Security Virtual Appliance (ASAv)
       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       FTD Virtual (FTDv)

    For information about affected software releases, consult the tables in the
    Fixed Software section of this advisory.

    Determining Whether the Cisco ASA or FTD Software Is Configured for LDAP
    Authentication

    The administrator can check for configured LDAP authentication by using the
    show aaa-server | include Server Protocol: ldap command to determine
    whether an LDAP authentication server is configured.

        asa# show aaa-server | include Server Protocol: ldap
        Server Protocol: ldap

    For detailed information about the Cisco ASA and FTD Software LDAP
    configuration, refer to CLI Book 1: Cisco ASA Series General Operations CLI
    Configuration Guide.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       ASA 1000V Cloud Firewall
       ASA 5500 Series Adaptive Security Appliances

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. In the following table(s), the left
    column lists Cisco software releases. The right column indicates whether a
    release is affected by the vulnerability described in this advisory and the
    release that includes the fix for this vulnerability.

    Cisco ASA Software

    Cisco ASA Software Release Recommended Release for This Vulnerability
    Prior to 9.4 ^1            Not vulnerable
    9.4                        Not vulnerable
    9.5 ^1                     Not vulnerable
    9.6                        9.6.4.25
    9.7 ^1                     9.8.4
    9.8                        9.8.4
    9.9                        9.9.2.50
    9.10                       9.10.1.17
    9.12                       Not vulnerable

    ^ 1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

    Cisco FTD Software Release Recommended Release for This Vulnerability
    6.0                        Not vulnerable
    6.0.1                      Not vulnerable
    6.1.0                      Not vulnerable
    6.2.0                      Not vulnerable
    6.2.1                      6.2.3.12
    6.2.2                      6.2.3.12
    6.2.3                      6.2.3.12
    6.3.0                      6.3.0.3
    6.4.0                      Not vulnerable

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.
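The advisory's assessment steps for an ASA device (is LDAP authentication configured, which release is running, and where that release sits in the fixed-release table) can be applied to saved CLI output. The following is an added example, not Cisco's code: it transcribes the ASA table above, treats any train the table does not mention as "not_listed" (an assumption), and uses constructed sample output modelled on the advisory's examples.

```python
"""Assess a Cisco ASA device against cisco-sa-20190501-asa-ftds-ldapdos
from captured CLI output.

Added example for this advisory, not Cisco's code. It transcribes the
advisory's ASA fixed-release table and applies the two checks the advisory
describes: is LDAP authentication configured, and is the running release in
an affected train below the recommended fixed release.
"""
import re
from typing import Optional

# ASA fixed-release table as published in the advisory:
# release train -> recommended (first fixed) release for this vulnerability.
ASA_FIXED = {
    "9.6": "9.6.4.25",
    "9.7": "9.8.4",      # 9.7 is end of maintenance; the fix lives in 9.8
    "9.8": "9.8.4",
    "9.9": "9.9.2.50",
    "9.10": "9.10.1.17",
}
# Trains the advisory lists as not vulnerable (anything before 9.4 as well).
ASA_NOT_VULNERABLE = {"9.4", "9.5", "9.12"}


def parse_version(release: str) -> tuple:
    """'9.9.2.18' -> (9, 9, 2, 18) so releases compare numerically."""
    return tuple(int(p) for p in release.split("."))


def train_of(release: str) -> str:
    """Map a full release to its train, e.g. '9.10.1.17' -> '9.10'."""
    return ".".join(release.split(".")[:2])


def asa_release(show_version: str) -> Optional[str]:
    """Extract the ASA release from 'show version | include Version' output."""
    m = re.search(r"Adaptive Security Appliance Software Version (\d+(?:\.\d+)+)",
                  show_version)
    return m.group(1) if m else None


def ldap_configured(show_aaa_server: str) -> bool:
    """The advisory's check: a 'Server Protocol: ldap' line in show aaa-server.
    The command echo line itself ('asa# show aaa-server | include ...') does
    not count, because it does not start with 'Server Protocol:'."""
    return re.search(r"^\s*Server Protocol:\s*ldap\b", show_aaa_server,
                     re.MULTILINE | re.IGNORECASE) is not None


def release_status(release: str) -> tuple:
    """Classify a release against the table.
    Returns (status, recommended) where status is one of
    'vulnerable', 'fixed', 'not_vulnerable' or 'not_listed' (assumption:
    trains absent from the advisory table are reported, not judged)."""
    train = train_of(release)
    if train in ASA_FIXED:
        fixed = ASA_FIXED[train]
        # A fix only counts when it is in the same train and we are at or past it
        # (9.7 has no in-train fix, so every 9.7 release is vulnerable).
        if train_of(fixed) == train and parse_version(release) >= parse_version(fixed):
            return "fixed", fixed
        return "vulnerable", fixed
    if train in ASA_NOT_VULNERABLE or parse_version(release) < (9, 4):
        return "not_vulnerable", None
    return "not_listed", None


def assess(show_version: str, show_aaa_server: str) -> dict:
    """Combine both checks: the device is exposed only if the release is
    vulnerable AND LDAP authentication is configured."""
    release = asa_release(show_version)
    ldap = ldap_configured(show_aaa_server)
    if release is None:
        return {"release": None, "status": "unknown", "ldap": ldap,
                "exposed": False, "recommended": None}
    status, recommended = release_status(release)
    return {"release": release, "status": status, "ldap": ldap,
            "exposed": status == "vulnerable" and ldap,
            "recommended": recommended}


# Constructed sample CLI output, modelled on the advisory's examples.
SAMPLE_SHOW_VERSION = """\
ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.9.2.18
Device Manager Version 7.4(1)
"""
SAMPLE_SHOW_AAA = """\
asa# show aaa-server | include Server Protocol: ldap
Server Protocol: ldap
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_SHOW_AAA))
```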

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-asa-ftds-ldapdos

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Low-Entropy Keys Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190501-asa-ftd-entropy

First Published: 2019 May 1 16:00 GMT

Last Updated:    2019 May 2 17:49 GMT

Version 1.1:     Final

Workarounds:     Yes

Cisco Bug IDs:   CSCvj52266

CVE-2019-1715    

CWE-332

CVSS Score:
5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Deterministic Random Bit Generator (DRBG), also
    known as Pseudorandom Number Generator (PRNG), used in Cisco Adaptive
    Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
    Software could allow an unauthenticated, remote attacker to cause a
    cryptographic collision, enabling the attacker to discover the private key
    of an affected device.

    The vulnerability is due to insufficient entropy in the DRBG when
    generating cryptographic keys. An attacker could exploit this vulnerability
    by generating a large number of cryptographic keys on an affected device
    and looking for collisions with target devices. A successful exploit could
    allow the attacker to impersonate an affected target device or to decrypt
    traffic secured by an affected key that is sent to or from an affected
    target device.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-asa-ftd-entropy
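The collision risk described above can be audited from the defender's side: collect the RSA public keys in use across a fleet and look for keys that repeat or share a prime factor, which is exactly what a low-entropy generator produces. The following is an added example, not Cisco's code; it uses the standard pairwise-gcd check on moduli, and the moduli are constructed toy values (products of small primes) so the arithmetic is visible, where real moduli would be taken from each device's certificate.

```python
"""Fleet audit for the key-collision risk in cisco-sa-20190501-asa-ftd-entropy:
find RSA public keys that repeat across devices or share a prime factor with
another device's key.

Added example, not Cisco's code. Two keys produced by a low-entropy DRBG may
be identical (a full collision) or may share one prime (a partial collision);
a pairwise gcd over the moduli exposes both cases. Moduli here are constructed
toy values built from small primes; real moduli are 2048-bit integers.
"""
from collections import defaultdict
from itertools import combinations
from math import gcd


def find_weak_keys(moduli: dict) -> dict:
    """moduli maps device name -> RSA modulus n.

    Returns {'duplicates': [[dev, dev, ...], ...],
             'shared_factor': [(dev_a, dev_b, shared_prime), ...]}."""
    # Group devices by modulus: any group larger than one is a full collision.
    by_modulus = defaultdict(list)
    for dev, n in moduli.items():
        by_modulus[n].append(dev)
    duplicates = sorted(sorted(devs) for devs in by_modulus.values() if len(devs) > 1)

    # Pairwise gcd over the distinct moduli: gcd > 1 means a shared prime,
    # which lets either key be factored. Only the first device of each
    # duplicate group is needed here, since duplicates are already reported.
    representative = {n: devs[0] for n, devs in by_modulus.items()}
    shared = []
    for (n1, d1), (n2, d2) in combinations(sorted(representative.items()), 2):
        g = gcd(n1, n2)
        if g > 1:
            shared.append((d1, d2, g))
    return {"duplicates": duplicates, "shared_factor": shared}


# Constructed fleet inventory: small primes stand in for 1024-bit primes.
P, Q, R, S, T = 10007, 10009, 10037, 10039, 10061
SAMPLE_FLEET = {
    "fw-a": P * Q,   # same key as fw-b: full collision
    "fw-b": P * Q,
    "fw-c": P * R,   # shares prime P with fw-a: partial collision
    "fw-d": S * T,   # independent key, should not be flagged
}

if __name__ == "__main__":
    report = find_weak_keys(SAMPLE_FLEET)
    for group in report["duplicates"]:
        print("identical keys:", ", ".join(group))
    for a, b, g in report["shared_factor"]:
        print(f"shared factor between {a} and {b}: {g}")
    if not report["duplicates"] and not report["shared_factor"]:
        print("no key collisions found")
```

Flagged devices are the ones whose key pairs the advisory says to replace, which is the same set the Fixed Software note (re-generate all RSA and ECDSA key pairs created on a vulnerable release) covers in bulk.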

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products that are running
    Cisco ASA Software Releases 9.8 or 9.9 or FTD Software Releases 6.2.1,
    6.2.2, or 6.2.3:

       3000 Series Industrial Security Appliances (ISAs)
       Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services
       Adaptive Security Virtual Appliance (ASAv)
       Firepower 4100 Series
       Firepower 9300 ASA Security Module
       Firepower Threat Defense Virtual

    Note: Devices running other releases of Cisco ASA Software or FTD Software
    may also be vulnerable if they are configured with at least one of the
    following:

       A Trustpoint that is based on an RSA or ECDSA key pair that has been
        generated while running an affected release
       An RSA key pair for use with SSH Access that has been generated while
        running an affected release

    If no Trustpoint is configured and no RSA key pair for use with SSH Access
    is present, a device is vulnerable only while running an affected release.

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    ASA Software

    In the following table, the left column lists the Cisco ASA features that
    are potentially vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command, if
    it can be determined.

    Cisco ASA Feature               Possible Vulnerable Configuration

    Adaptive Security Device        http server enable <port>
    Manager (ASDM) ^1               http <remote_ip_address> <remote_subnet_mask>
                                    <interface_name>

    AnyConnect SSL VPN              webvpn
                                    enable <interface_name>

    Cisco Security Manager ^1       http server enable <port>
                                    http <remote_ip_address> <remote_subnet_mask>
                                    <interface_name>

    Clientless SSL VPN (WebVPN)     webvpn
                                    enable <interface_name>

    IKEv1 VPN (Remote Access and    crypto ikev1 enable <interface_name>
    LAN-to-LAN) using               crypto ikev1 policy <priority>
    Certificate-based               authentication rsa-sig
    Authentication                  tunnel-group <tunnel_group_name> ipsec-attributes
                                    trust-point <trustpoint_name>

    IKEv2 VPN (Remote Access and    crypto ikev2 enable <interface_name>
    LAN-to-LAN) using               tunnel-group <tunnel_group_name> ipsec-attributes
    Certificate-based               ikev2 remote-authentication certificate
    Authentication                  ikev2 local-authentication certificate <trustpoint_name>

    Local Certificate Authority     crypto ca server
    (CA)                            no shutdown

    Mobile Device Manager (MDM)     mdm-proxy
    Proxy                           enable <interface_name>

    Mobile User Security (MUS)      webvpn
                                    mus password <password>
                                    mus server enable port <port #>
                                    mus <address> <mask> <interface_name>

    Proxy Bypass                    webvpn
                                    proxy-bypass

    REST API ^1                     rest-api image disk0:/<image name>
                                    rest-api agent

    SSH Access ^2                   ssh <remote_ip_address> <remote_subnet_mask>
                                    <interface_name>

    ^ 1 ASDM, CSM, and REST API services are accessible only from an IP address
    in the configured http command range.
    ^ 2 SSH service is accessible only from an IP address in the configured ssh
    command range.

    FTD Software

    In the following table, the left column lists the Cisco FTD features that
    are potentially vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command, if
    it can be determined.

    Cisco FTD Feature               Possible Vulnerable Configuration

    AnyConnect SSL VPN ^1,2         webvpn
                                    enable <interface_name>

    Clientless SSL VPN (WebVPN) ^2  webvpn
                                    enable <interface_name>

    HTTP Service enabled ^3,4       http server enable <port #>
                                    http <remote_ip_address> <remote_subnet_mask>
                                    <interface_name>

    IKEv1 VPN (Remote Access and    crypto ikev1 enable <interface_name>
    LAN-to-LAN) using               crypto ikev1 policy <priority>
    Certificate-based               authentication rsa-sig
    Authentication ^1,2             tunnel-group <tunnel_group_name> ipsec-attributes
                                    trust-point <trustpoint_name>

    IKEv2 VPN (Remote Access and    crypto ikev2 enable <interface_name>
    LAN-to-LAN) using               tunnel-group <tunnel_group_name> ipsec-attributes
    Certificate-based               ikev2 remote-authentication certificate
    Authentication ^1,2             ikev2 local-authentication certificate <trustpoint_name>

    SSH Service ^5                  ssh <remote_ip_address> <remote_subnet_mask>
                                    <interface_name>

    ^ 1 Remote Access VPN features are enabled via Devices > VPN > Remote
    Access in the Cisco FMC or via Device > Remote Access VPN in Cisco
    Firepower Device Manager (FDM).
    ^ 2 The Clientless SSL VPN feature is not officially supported but can be
    enabled via FlexConfig.
    ^ 3 The HTTP feature is enabled via Firepower Threat Defense Platform
    Settings > HTTP in the Cisco Firepower Management Console (FMC).
    ^ 4 HTTP service is accessible only from an IP address in the configured
    http command range.
    ^ 5 SSH is accessible only from an IP address in the configured ssh command
    range.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco ASA
    Software or FTD Software running on the following platforms:

       ASA 1000V Cloud Firewall
       ASA 5505 Adaptive Security Appliance ^ 1
       ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
       Firepower 2100 Series

    ^ 1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505
    have reached the end-of-support milestone and are no longer evaluated for
    security vulnerabilities.

Workarounds

  o To avoid the use of potentially weak cryptographic keys, administrators can
    generate a key pair and a corresponding certificate on a trusted device
    outside of the Cisco ASA or FTD device and then import the base64-encoded
    PKCS #12 file containing the keys and certificate(s) to the Cisco ASA or
    FTD device using the crypto ca import <trust-point-name> pkcs12
    <passphrase> command in global configuration mode.

    See the ASA 8.x: Renew and Install the SSL Certificate with ASDM tech note
    for further details, including steps for how to accomplish this task via
    the Cisco Adaptive Security Device Manager (ASDM).

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To ensure a complete upgrade
    solution, customers should consider that this advisory is part of a
    collection that includes the following advisories:

       cisco-sa-20190501-asa-csrf : Cisco Adaptive Security Appliance Software
        Cross-Site Request Forgery Vulnerability
       cisco-sa-20190501-asa-frpwrtd-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software TCP Timer Handling
        Denial of Service Vulnerability
       cisco-sa-20190501-asa-ftd-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability
       cisco-sa-20190501-asa-ftd-entropy : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software Low-Entropy Keys
        Vulnerability
       cisco-sa-20190501-asa-ftd-ike-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software MOBIKE Denial of
        Service Vulnerability
       cisco-sa-20190501-asaftd-saml-vpn : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software VPN SAML Authentication
        Bypass Vulnerability
       cisco-sa-20190501-asa-ipsec-dos : Cisco Adaptive Security Appliance
        Software IPsec Denial of Service Vulnerability
       cisco-sa-20190501-firepower-dos : Cisco Firepower Threat Defense
        Software TCP Ingress Handler Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-dos : Cisco Firepower Threat Defense Software
        Packet Processing Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-smb-snort : Cisco Firepower Threat Defense
        Software SMB Protocol Preprocessor Detection Engine Denial of Service
        Vulnerabilities
       cisco-sa-20190501-sd-cpu-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the release that includes the
    fix for this vulnerability. The right column indicates whether a release is
    affected by all the vulnerabilities described in this collection of
    advisories and which release includes fixes for those vulnerabilities.

    Note: After upgrading to a fixed release, administrators must re-generate
    all RSA and ECDSA key pairs that were generated on an affected device while
    running a vulnerable release.

    Cisco ASA Software

    Cisco ASA         Recommended Release      Recommended Release for All
    Software Release  for This Vulnerability   Vulnerabilities Described in the
                                               Collection of Advisories
    Prior to 9.4 ^1   Not vulnerable           9.4.4.34
    9.4               Not vulnerable           9.4.4.34
    9.5 ^1            Not vulnerable           9.6.4.25
    9.6               Not vulnerable           9.6.4.25
    9.7 ^1            Not vulnerable           9.8.4
    9.8               9.8.4                    9.8.4
    9.9               9.9.2.50                 9.9.2.50
    9.10              Not vulnerable           9.10.1.17
    9.12              Not vulnerable           Not vulnerable

    ^ 1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

     Cisco FTD   Recommended Release         Recommended Release for All
      Software         for This           Vulnerabilities Described in the
      Release       Vulnerability             Collection of Advisories
    6.0          Not vulnerable       6.2.3.12
    6.0.1        Not vulnerable       6.2.3.12
    6.1.0        Not vulnerable       6.2.3.12
    6.2.0        Not vulnerable       6.2.3.12
    6.2.1        6.2.3.12             6.2.3.12
    6.2.2        6.2.3.12             6.2.3.12
    6.2.3        6.2.3.12             6.2.3.12
    6.3.0        6.3.0.3              6.3.0.3
    6.4.0        Not vulnerable       Not vulnerable

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Greg Zaverucha of Microsoft for reporting this
    vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-asa-ftd-entropy

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software TCP Proxy Denial of Service Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190501-asa-ftdtcp-dos

First Published: 2019 May 1 16:00 GMT

Last Updated:    2019 May 2 17:48 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvk44166

CVE-2019-1687    

CWE-20

CVSS Score:
6.8  AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the TCP proxy functionality for Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to cause the device to
    restart unexpectedly, resulting in a denial of service (DoS) condition.

    The vulnerability is due to an error in TCP-based packet inspection, which
    could cause the TCP packet to have an invalid Layer 2 (L2)-formatted
    header. An attacker could exploit this vulnerability by sending a crafted
    TCP packet sequence to the targeted device. A successful exploit could
    allow the attacker to cause a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-asa-ftdtcp-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    an affected release of Cisco ASA Software or FTD Software:

       3000 Series Industrial Security Appliances (ISA)
       ASA 1000V Cloud Firewall
       ASA 5500 Series Adaptive Security Appliances
       ASA 5500-X Series Firewalls
       ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
       Adaptive Security Virtual Appliance (ASAv)
       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances

    For information about affected software releases, consult the tables in the
    Fixed Software section of this advisory.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. In the following table(s), the left
    column lists Cisco software releases. The right column indicates whether a
    release is affected by the vulnerability described in this advisory and the
    release that includes the fix for this vulnerability.

    Cisco ASA Software

    Cisco ASA Software Release Recommended Release for This Vulnerability
    Prior to 9.4 ^1            9.4.4.34
    9.4                        9.4.4.34
    9.5 ^1                     9.6.4.25
    9.6                        9.6.4.25
    9.7 ^1                     9.8.4
    9.8                        9.8.4
    9.9                        9.9.2.50
    9.10                       9.10.1.17
    9.12                       Not vulnerable

    ^ 1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

    Cisco FTD Software Release Recommended Release for This Vulnerability
    6.0                        6.2.3.12
    6.0.1                      6.2.3.12
    6.1.0                      6.2.3.12
    6.2.0                      6.2.3.12
    6.2.1                      6.2.3.12
    6.2.2                      6.2.3.12
    6.2.3                      6.2.3.12
    6.3.0                      6.3.0.3
    6.4.0                      Not vulnerable

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-asa-ftdtcp-dos

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software VPN SAML Authentication Bypass Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190501-asaftd-saml-vpn

First Published: 2019 May 1 16:00 GMT

Last Updated:    2019 May 2 17:39 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvn72570

CVE-2019-1714    

CWE-255

CVSS Score:
5.8  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the implementation of Security Assertion Markup Language
    (SAML) 2.0 Single Sign-On (SSO) for Clientless SSL VPN (WebVPN) and
    AnyConnect Remote Access VPN in Cisco Adaptive Security Appliance (ASA)
    Software and Cisco Firepower Threat Defense (FTD) Software could allow an
    unauthenticated, remote attacker to successfully establish a VPN session to
    an affected device.

    The vulnerability is due to improper credential management when using NT
    LAN Manager (NTLM) or basic authentication. An attacker could exploit this
    vulnerability by opening a VPN session to an affected device after another
    VPN user has successfully authenticated to the affected device via SAML
    SSO. A successful exploit could allow the attacker to connect to secured
    networks behind the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-asaftd-saml-vpn

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products that are running
    Cisco ASA Software Release 9.7.1 or later or Cisco FTD Software Release
    6.2.1 or later configured for SAML 2.0-based SSO for Clientless SSL VPN
    (WebVPN) or AnyConnect Remote Access VPN:

       3000 Series Industrial Security Appliances (ISAs)
       Adaptive Security Appliance (ASA) 5500-X Series Firewalls
       ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
       Adaptive Security Virtual Appliance (ASAv)
       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       Firepower Threat Defense Virtual

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    ASA and FTD Features

    Cisco ASA Software and FTD Software are vulnerable only if all of the
    following features are configured:

     1. SAML 2.0 Identity Provider (IdP)
     2. SAML 2.0 Service Provider (SP)
     3. AnyConnect Remote Access VPN or Clientless SSL VPN (WebVPN)

    Note: SAML 2.0 for AnyConnect features are first supported as of ASA
    Release 9.7.1, FTD Release 6.2.1, and AnyConnect Secure Mobility Client
    Release 4.4.00243.

    To determine whether ASA or FTD is configured with a SAML 2.0 IdP,
    administrators can use the show webvpn saml idp CLI command. The following
    output shows an ASA configured with a SAML 2.0 IdP:

        ciscoasa# show webvpn saml idp
         saml idp my_domain_idp
          url sign-in https://asa-dev.my.domain.com/idp/endpoint/HttpRedirect
          url sign-out https://asa-dev.my.domain.com/idp/endpoint/HttpRedirect
          trustpoint idp my_domain_trustpoint
          trustpoint sp asa_trustpoint

    To determine whether ASA or FTD is configured with SAML 2.0 SP,
    administrators can use the show running-config tunnel-group | include
    remote-access|webvpn-attributes|saml CLI command. The following output
    shows an ASA configured with SAML 2.0 SP:

        ciscoasa# show running-config tunnel-group | include remote-access|webvpn-attributes|saml
        tunnel-group cloud_idp_onelogin type remote-access
        tunnel-group cloud_idp_onelogin webvpn-attributes
         authentication saml
         saml identity-provider my_domain_idp

    To determine whether ASA or FTD is configured for AnyConnect Remote Access
    VPN or Clientless SSL VPN (WebVPN), administrators can use the show
    running-config CLI command and consult the following table for vulnerable
    configurations:

    +--------------------------------+--------------------------------------+
    |            Feature             |       Vulnerable Configuration       |
    +--------------------------------+--------------------------------------+
    | AnyConnect IKEv2 Remote Access | crypto ikev2 enable <interface_name> |
    | (with client services)         | client-services port <port #>        |
    |                                | webvpn                               |
    |                                | anyconnect enable                    |
    +--------------------------------+--------------------------------------+
    | AnyConnect IKEv2 Remote Access | crypto ikev2 enable <interface_name> |
    | (without client services)      | webvpn                               |
    |                                | anyconnect enable                    |
    +--------------------------------+--------------------------------------+
    | AnyConnect SSL VPN             | webvpn                               |
    |                                | enable <interface_name>              |
    +--------------------------------+--------------------------------------+
    | Clientless SSL VPN (WebVPN)    | webvpn                               |
    |                                | enable <interface_name>              |
    +--------------------------------+--------------------------------------+
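    The following script is an added example, not part of the Cisco advisory or
    the AusCERT bulletin: it applies the three-feature test above to a saved
    show running-config, recording SAML IdP definitions, tunnel-groups with
    "authentication saml", and the enabled VPN services from the table, and
    reports the device as exposed only when all three are present. The sample
    configurations are constructed from the show-command output quoted above,
    and all function and field names are this example's own.

```python
import re
from dataclasses import dataclass, field


@dataclass
class VpnSamlFeatures:
    saml_idps: set = field(default_factory=set)          # 'saml idp <name>' under webvpn
    sp_tunnel_groups: set = field(default_factory=set)   # tunnel-groups with 'authentication saml'
    idp_refs: dict = field(default_factory=dict)         # tunnel-group -> 'saml identity-provider <name>'
    webvpn_interfaces: set = field(default_factory=set)  # 'enable <iface>' under webvpn
    anyconnect_enabled: bool = False                     # 'anyconnect enable' under webvpn
    ikev2_interfaces: set = field(default_factory=set)   # 'crypto ikev2 enable <iface>'


def parse_asa_config(text: str) -> VpnSamlFeatures:
    """Line-oriented parse of show running-config: top-level commands start in
    column 0, sub-commands are indented by one or more spaces."""
    feats = VpnSamlFeatures()
    section = None  # "webvpn" or ("tunnel-group", name) while inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):          # a new top-level command closes any block
            section = None
            m = re.fullmatch(r"crypto ikev2 enable (\S+)(?: .*)?", line)
            if m:
                feats.ikev2_interfaces.add(m.group(1))
            elif line == "webvpn":
                section = "webvpn"
            else:
                m = re.fullmatch(r"tunnel-group (\S+) webvpn-attributes", line)
                if m:
                    section = ("tunnel-group", m.group(1))
        elif section == "webvpn":
            m = re.fullmatch(r"(enable|saml idp) (\S+)", line)
            if m and m.group(1) == "enable":
                feats.webvpn_interfaces.add(m.group(2))
            elif m:
                feats.saml_idps.add(m.group(2))
            elif line == "anyconnect enable":
                feats.anyconnect_enabled = True
        elif section is not None:            # inside tunnel-group ... webvpn-attributes
            m = re.fullmatch(r"saml identity-provider (\S+)", line)
            if m:
                feats.idp_refs[section[1]] = m.group(1)
            elif line == "authentication saml":
                feats.sp_tunnel_groups.add(section[1])
    return feats


def vpn_services(feats: VpnSamlFeatures) -> list:
    """Enabled services matching the advisory's 'Vulnerable Configuration' table."""
    services = []
    if feats.webvpn_interfaces:
        services.append("AnyConnect SSL VPN / Clientless SSL VPN (WebVPN)")
    if feats.ikev2_interfaces and feats.anyconnect_enabled:
        services.append("AnyConnect IKEv2 Remote Access")
    return services


def saml_sso_exposure(feats: VpnSamlFeatures) -> dict:
    """Exposed only when an IdP exists, an SP tunnel-group references it, and a
    VPN service from the table is enabled (all three features, per the advisory)."""
    sp_groups = sorted(tg for tg in feats.sp_tunnel_groups
                       if feats.idp_refs.get(tg) in feats.saml_idps)
    services = vpn_services(feats)
    return {"saml_idps": sorted(feats.saml_idps), "sp_tunnel_groups": sp_groups,
            "vpn_services": services,
            "exposed": bool(feats.saml_idps and sp_groups and services)}


# Constructed sample configuration, modelled on the show-command output in the advisory.
EXPOSED_CONFIG = """\
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
 saml idp my_domain_idp
  url sign-in https://asa-dev.my.domain.com/idp/endpoint/HttpRedirect
  url sign-out https://asa-dev.my.domain.com/idp/endpoint/HttpRedirect
  trustpoint idp my_domain_trustpoint
  trustpoint sp asa_trustpoint
tunnel-group cloud_idp_onelogin type remote-access
tunnel-group cloud_idp_onelogin webvpn-attributes
 authentication saml
 saml identity-provider my_domain_idp
"""
# Same device with the tunnel-group on local AAA: an IdP definition alone is not enough.
NOT_EXPOSED_CONFIG = EXPOSED_CONFIG.replace(
    " authentication saml\n saml identity-provider my_domain_idp\n", " authentication aaa\n")
```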

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco ASA
    Software or FTD Software running on the following platforms:

       ASA 1000V Cloud Firewall
       ASA 5505 Adaptive Security Appliance ^ 1

    ^ 1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505
    have reached the end-of-support milestone and are no longer evaluated for
    security vulnerabilities.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To ensure a complete upgrade
    solution, customers should consider that this advisory is part of a
    collection that includes the following advisories:

       cisco-sa-20190501-asa-csrf : Cisco Adaptive Security Appliance Software
        Cross-Site Request Forgery Vulnerability
       cisco-sa-20190501-asa-frpwrtd-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software TCP Timer Handling
        Denial of Service Vulnerability
       cisco-sa-20190501-asa-ftd-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability
       cisco-sa-20190501-asa-ftd-entropy : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software Low-Entropy Keys
        Vulnerability
       cisco-sa-20190501-asa-ftd-ike-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software MOBIKE Denial of
        Service Vulnerability
       cisco-sa-20190501-asaftd-saml-vpn : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software VPN SAML Authentication
        Bypass Vulnerability
       cisco-sa-20190501-asa-ipsec-dos : Cisco Adaptive Security Appliance
        Software IPsec Denial of Service Vulnerability
       cisco-sa-20190501-firepower-dos : Cisco Firepower Threat Defense
        Software TCP Ingress Handler Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-dos: Cisco Firepower Threat Defense Software
        Packet Processing Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-smb-snort : Cisco Firepower Threat Defense
        Software SMB Protocol Preprocessor Detection Engine Denial of Service
        Vulnerabilities
       cisco-sa-20190501-sd-cpu-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the release that includes the
    fix for this vulnerability. The right column indicates whether a release is
    affected by all the vulnerabilities described in this collection of
    advisories and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +-------------+-------------------+---------------------------------------+
    |  Cisco ASA  |    Recommended    |      Recommended Release for All      |
    |  Software   | Release for This  |   Vulnerabilities Described in the    |
    |   Release   |   Vulnerability   |       Collection of Advisories        |
    +-------------+-------------------+---------------------------------------+
    | Prior to    | Not vulnerable    | 9.4.4.34                              |
    | 9.4 ^1      |                   |                                       |
    +-------------+-------------------+---------------------------------------+
    | 9.4         | Not vulnerable    | 9.4.4.34                              |
    +-------------+-------------------+---------------------------------------+
    | 9.5 ^1      | Not vulnerable    | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.6         | Not vulnerable    | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.7 ^1      | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.8         | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.9         | 9.9.2.50          | 9.9.2.50                              |
    +-------------+-------------------+---------------------------------------+
    | 9.10        | 9.10.1.17         | 9.10.1.17                             |
    +-------------+-------------------+---------------------------------------+
    | 9.12        | Not vulnerable    | Not vulnerable                        |
    +-------------+-------------------+---------------------------------------+

    ^ 1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

    +-------------+-------------------+---------------------------------------+
    |  Cisco FTD  |    Recommended    |      Recommended Release for All      |
    |  Software   | Release for This  |   Vulnerabilities Described in the    |
    |   Release   |   Vulnerability   |       Collection of Advisories        |
    +-------------+-------------------+---------------------------------------+
    | 6.0         | Not vulnerable    | 6.2.3.12                              |
    +-------------+-------------------+---------------------------------------+
    | 6.0.1       | Not vulnerable    | 6.2.3.12                              |
    +-------------+-------------------+---------------------------------------+
    | 6.1.0       | Not vulnerable    | 6.2.3.12                              |
    +-------------+-------------------+---------------------------------------+
    | 6.2.0       | Not vulnerable    | 6.2.3.12                              |
    +-------------+-------------------+---------------------------------------+
    | 6.2.1       | 6.2.3.12          | 6.2.3.12                              |
    +-------------+-------------------+---------------------------------------+
    | 6.2.2       | 6.2.3.12          | 6.2.3.12                              |
    +-------------+-------------------+---------------------------------------+
    | 6.2.3       | 6.2.3.12          | 6.2.3.12                              |
    +-------------+-------------------+---------------------------------------+
    | 6.3.0       | 6.3.0.3           | 6.3.0.3                               |
    +-------------+-------------------+---------------------------------------+
    | 6.4.0       | Not vulnerable    | Not vulnerable                        |
    +-------------+-------------------+---------------------------------------+
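    The following script is an added example, not Cisco's or AusCERT's code: it
    turns the "Recommended Release for This Vulnerability" column of the two
    Fixed Releases tables above into a lookup, parses the release out of the
    show version output formats shown in this bulletin (including the 9.8(2)38
    interim notation and FTD's "(Build nnn)" suffix), and reports whether the
    running release is vulnerable, fixed, or not affected. The same lookup
    serves the other advisories' tables once the dictionaries are replaced; the
    function names are this example's own.

```python
import re

# Release train -> recommended release for this vulnerability; None = 'Not vulnerable'.
ASA_TABLE = {
    "prior to 9.4": None, "9.4": None, "9.5": None, "9.6": None,
    "9.7": "9.8.4", "9.8": "9.8.4", "9.9": "9.9.2.50", "9.10": "9.10.1.17",
    "9.12": None,
}
FTD_TABLE = {
    "6.0": None, "6.0.1": None, "6.1.0": None, "6.2.0": None,
    "6.2.1": "6.2.3.12", "6.2.2": "6.2.3.12", "6.2.3": "6.2.3.12",
    "6.3.0": "6.3.0.3", "6.4.0": None,
}


def parse_version(show_version_output: str) -> tuple:
    """Return the first 'Version x.y...' token as a tuple of ints. Accepts
    '9.9.2.18', the interim notation '9.8(2)38' and FTD's '6.2.0 (Build 362)';
    the build number is not part of the release and is dropped."""
    m = re.search(r"\bVersion\s+(\d+(?:[.()]\d+)+)", show_version_output)
    if not m:
        raise ValueError("no software version found in output")
    return tuple(int(part) for part in re.findall(r"\d+", m.group(1)))


def release_train(product: str, version: tuple) -> str:
    """Map a version tuple to the row label used in the advisory's table."""
    major_minor = f"{version[0]}.{version[1]}"
    if product == "asa":
        return "prior to 9.4" if version[:2] < (9, 4) else major_minor
    # FTD rows are mostly three components (6.2.1, 6.3.0); the '6.0' row covers 6.0.0
    three = ".".join(str(p) for p in (version + (0, 0))[:3])
    return three if three in FTD_TABLE else major_minor


def assess(product: str, version: tuple) -> dict:
    """Compare the running release with the table row for its train."""
    table = ASA_TABLE if product == "asa" else FTD_TABLE
    train = release_train(product, version)
    if train not in table:
        return {"train": train, "status": "not in table", "recommended": None}
    recommended = table[train]
    if recommended is None:
        return {"train": train, "status": "not vulnerable", "recommended": None}
    fixed = tuple(int(p) for p in recommended.split("."))
    status = "fixed" if version >= fixed else "vulnerable"
    return {"train": train, "status": status, "recommended": recommended}


def assess_show_version(product: str, show_version_output: str) -> dict:
    return assess(product, parse_version(show_version_output))


# Excerpts reproduced from the show version examples in this bulletin.
ASA_SHOW_VERSION = """\
ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.9.2.18
Device Manager Version 7.4(1)
"""
FTD_SHOW_VERSION = """\
---------------------[ ftd ]---------------------
Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
"""

if __name__ == "__main__":
    print(assess_show_version("asa", ASA_SHOW_VERSION))
    print(assess_show_version("ftd", FTD_SHOW_VERSION))
```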

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-asaftd-saml-vpn

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software WebVPN Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190501-sd-cpu-dos

First Published: 2019 May 1 16:00 GMT

Last Updated:    2019 May 2 17:57 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvj33780

CVE-2018-15388   

CWE-400

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the WebVPN login process of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to cause increased CPU
    utilization on an affected device.

    The vulnerability is due to excessive processing load for existing WebVPN
    login operations. An attacker could exploit this vulnerability by sending
    multiple WebVPN login requests to the device. A successful exploit could
    allow the attacker to increase CPU load on the device, resulting in a
    denial of service (DoS) condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190501-sd-cpu-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products that are running
    Cisco ASA Software or FTD Software when configured for WebVPN:

       3000 Series Industrial Security Appliances (ISAs)
       Adaptive Security Appliance (ASA) 1000V Cloud Firewall
       ASA 5505 Series Adaptive Security Appliance ^ 1
       ASA 5500-X Series Firewalls
       ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
       Adaptive Security Virtual Appliance (ASAv)
       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 ASA Security Module
       Firepower Threat Defense Virtual

    ^ 1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505
    have reached the end-of-support milestone and are no longer evaluated for
    security vulnerabilities.

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determining If WebVPN Is Enabled

    To determine if the WebVPN service is enabled on a device, administrators
    can use the show running-config webvpn privileged EXEC command and refer to
    the output of the command. The following example shows the output of the
    command for a device that has the WebVPN service enabled:

        ciscoasa# show running-config webvpn

        .
        .
        .
        webvpn
        enable interface_name
        .
        .
        .

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Indicators of Compromise

  o During active exploitation of this vulnerability, administrators may notice
    increased CPU usage by the Unicorn Proxy Thread process. This can be
    checked by issuing the show processes cpu-usage non-zero command at the CLI
    and reviewing the statistics for the Unicorn Proxy Thread process.

        ciscoasa# show processes cpu-usage non-zero
        Hardware:   ASA5516
        Cisco Adaptive Security Appliance Software Version 9.8(2)38
        ASLR enabled, text region 7f313ea71000-7f3142d61bb4
        PC         Thread       5Sec     1Min     5Min   Process
        0x00007f3140f35888   0x00002aaacfaa8b20     7.7%     5.0%     3.0%   Unicorn Proxy Thread
           -          -         9.5%     1.9%     0.8%   DATAPATH-0-2044
           -          -         3.6%     1.4%     0.8%   DATAPATH-1-2045

    It should be noted that the previous output is an example. Administrators
    would need to compare the output values from their device to baseline
    values from normal device operation.
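    The following script is an added example, not part of the Cisco advisory or
    the AusCERT bulletin: it parses show processes cpu-usage non-zero output and
    compares the Unicorn Proxy Thread's 1-minute CPU share against a baseline
    from normal operation, which is the comparison the paragraph above asks
    administrators to make. The "during exploitation" input is an excerpt of
    the advisory's own sample output; the baseline output and the thresholds
    (minimum percentage and multiple of baseline) are this example's
    assumptions, not Cisco values.

```python
import re

# One row of the process table: PC and thread id (or '-'), three percentages, then the name.
ROW_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(.+?)\s*$")
HEADER_RE = re.compile(r"^\s*PC\s+Thread\s+5Sec\s+1Min\s+5Min\s+Process")
WEBVPN_PROCESS = "Unicorn Proxy Thread"   # process named in the Indicators of Compromise


def parse_cpu_usage(output: str) -> dict:
    """Return {process name: (5sec%, 1min%, 5min%)} for every row after the header."""
    procs, in_table = {}, False
    for line in output.splitlines():
        if HEADER_RE.match(line):
            in_table = True
            continue
        m = ROW_RE.match(line) if in_table else None
        if m:
            procs[m.group(6)] = tuple(float(m.group(i)) for i in (3, 4, 5))
    return procs


def webvpn_cpu_check(current_output: str, baseline_output: str,
                     min_pct: float = 3.0, factor: float = 3.0) -> dict:
    """Flag the WebVPN proxy thread when its 1-minute average is both above
    min_pct and at least `factor` times the baseline 1-minute average.
    Both thresholds are assumptions for this example."""
    none = (0.0, 0.0, 0.0)
    current = parse_cpu_usage(current_output).get(WEBVPN_PROCESS, none)
    baseline = parse_cpu_usage(baseline_output).get(WEBVPN_PROCESS, none)
    cur_1min, base_1min = current[1], baseline[1]
    elevated = cur_1min >= min_pct and cur_1min >= factor * base_1min
    return {"process": WEBVPN_PROCESS, "current": current,
            "baseline": baseline, "elevated": elevated}


# Excerpt of the sample output given in the advisory's Indicators of Compromise section.
DURING_EXPLOITATION = """\
ciscoasa# show processes cpu-usage non-zero
Hardware:   ASA5516
Cisco Adaptive Security Appliance Software Version 9.8(2)38
PC         Thread       5Sec     1Min     5Min   Process
0x00007f3140f35888   0x00002aaacfaa8b20     7.7%     5.0%     3.0%   Unicorn Proxy Thread
   -          -         9.5%     1.9%     0.8%   DATAPATH-0-2044
   -          -         3.6%     1.4%     0.8%   DATAPATH-1-2045
"""
# Constructed baseline for the same device under normal load (not from the advisory).
BASELINE = """\
ciscoasa# show processes cpu-usage non-zero
PC         Thread       5Sec     1Min     5Min   Process
0x00007f3140f35888   0x00002aaacfaa8b20     0.4%     0.3%     0.2%   Unicorn Proxy Thread
   -          -         2.1%     1.8%     1.7%   DATAPATH-0-2044
"""

if __name__ == "__main__":
    print(webvpn_cpu_check(DURING_EXPLOITATION, BASELINE))
```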

Workarounds

  o There are no workarounds that address this vulnerability.

    It is possible that during active exploitation an administrator could
    mitigate the attack by implementing an ACL to block the incoming requests
    or perform rate-limiting.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To ensure a complete upgrade
    solution, customers should consider that this advisory is part of a
    collection that includes the following advisories:

       cisco-sa-20190501-asa-csrf : Cisco Adaptive Security Appliance Software
        Cross-Site Request Forgery Vulnerability
       cisco-sa-20190501-asa-frpwrtd-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software TCP Timer Handling
        Denial of Service Vulnerability
       cisco-sa-20190501-asa-ftd-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability
       cisco-sa-20190501-asa-ftd-entropy : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software Low-Entropy Keys
        Vulnerability
       cisco-sa-20190501-asa-ftd-ike-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software MOBIKE Denial of
        Service Vulnerability
       cisco-sa-20190501-asaftd-saml-vpn : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software VPN SAML Authentication
        Bypass Vulnerability
       cisco-sa-20190501-asa-ipsec-dos : Cisco Adaptive Security Appliance
        Software IPsec Denial of Service Vulnerability
       cisco-sa-20190501-firepower-dos : Cisco Firepower Threat Defense
        Software TCP Ingress Handler Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-dos: Cisco Firepower Threat Defense Software
        Packet Processing Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-smb-snort : Cisco Firepower Threat Defense
        Software SMB Protocol Preprocessor Detection Engine Denial of Service
        Vulnerabilities
       cisco-sa-20190501-sd-cpu-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the release that includes the
    fix for this vulnerability. The right column indicates whether a release is
    affected by all the vulnerabilities described in this collection of
    advisories and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +-------------+-------------------+---------------------------------------+
    |  Cisco ASA  |    Recommended    |    Recommended Release for All the    |
    |  Software   | Release for This  |   Vulnerabilities Described in the    |
    |   Release   |   Vulnerability   |       Collection of Advisories        |
    +-------------+-------------------+---------------------------------------+
    | Prior to    | 9.4.4.34          | 9.4.4.34                              |
    | 9.4 ^1      |                   |                                       |
    +-------------+-------------------+---------------------------------------+
    | 9.4         | 9.4.4.34          | 9.4.4.34                              |
    +-------------+-------------------+---------------------------------------+
    | 9.5 ^1      | 9.6.4.25          | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.6         | 9.6.4.25          | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.7         | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.8         | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.9         | 9.9.2.50          | 9.9.2.50                              |
    +-------------+-------------------+---------------------------------------+
    | 9.10        | Not vulnerable    | 9.10.1.17                             |
    +-------------+-------------------+---------------------------------------+
    | 9.12        | Not vulnerable    | Not vulnerable                        |
    +-------------+-------------------+---------------------------------------+
    ^ 1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

    +---------------+-------------------+-------------------------------------+
    |     Cisco     |    Recommended    |   Recommended Release for All the   |
    | Firepower and | Release for This  |  Vulnerabilities Described in the   |
    | FMC Software  |   Vulnerability   |      Collection of Advisories       |
    +---------------+-------------------+-------------------------------------+
    | 6.0           | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.0.1         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.1.0         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.0         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.1         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.2         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.3         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.3.0         | Not vulnerable    | 6.3.0.3                             |
    +---------------+-------------------+-------------------------------------+
    | 6.4.0         | Not vulnerable    | Not vulnerable                      |
    +---------------+-------------------+-------------------------------------+

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Jason Moulder of Pratum for reporting this
    vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Action Links for This Advisory

  o Snort Rule 49996

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-sd-cpu-dos

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software WebVPN Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190501-asa-ftd-dos

First Published: 2019 May 1 16:00 GMT

Last Updated:    2019 May 2 17:47 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvn77957

CVE-2019-1693    

CWE-399

CVSS Score:
7.7  AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the WebVPN service of Cisco Adaptive Security Appliance
    (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could
    allow an authenticated, remote attacker to cause a denial of service (DoS)
    condition on an affected device.

    The vulnerability is due to improper management of authenticated sessions
    in the WebVPN portal. An attacker could exploit this vulnerability by
    authenticating with valid credentials and accessing a specific URL in the
    WebVPN portal. A successful exploit could allow the attacker to cause the
    device to reload, resulting in a temporary DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products that are running a
    vulnerable release of Cisco ASA Software or FTD Software and have the
    WebVPN (either Clientless WebVPN or AnyConnect WebVPN) service enabled:

       3000 Series Industrial Security Appliances (ISAs)
       ASA 1000V Cloud Firewall
       ASA 5500-X Series Firewalls
       ASA 5505 Adaptive Security Appliance ^ 1
       ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
       Adaptive Security Virtual Appliance (ASAv)
       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       FTD Virtual (FTDv)

    ^ 1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505
    have reached the end-of-support milestone and are no longer evaluated for
    security vulnerabilities.

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Determining Whether the WebVPN Service Is Enabled

    To determine whether the WebVPN service is running on a device,
    administrators can log in to the device, use the show running-config webvpn
    command in the CLI, and refer to the output of the command. The following
    example shows the output of the command for a device that has the WebVPN
    service enabled:

        ciscoasa# show running-config webvpn
        .
        .
        .
        webvpn
         enable <interface_name>
        .
        .
        .

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To ensure a complete upgrade
    solution, customers should consider that this advisory is part of a
    collection that includes the following advisories:

       cisco-sa-20190501-asa-csrf : Cisco Adaptive Security Appliance Software
        Cross-Site Request Forgery Vulnerability
       cisco-sa-20190501-asa-frpwrtd-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software TCP Timer Handling
        Denial of Service Vulnerability
       cisco-sa-20190501-asa-ftd-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability
       cisco-sa-20190501-asa-ftd-entropy : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software Low-Entropy Keys
        Vulnerability
       cisco-sa-20190501-asa-ftd-ike-dos : Cisco Adaptive Security Appliance
        Software and Cisco Firepower Threat Defense Software MOBIKE Denial of
        Service Vulnerability
       cisco-sa-20190501-asaftd-saml-vpn : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software VPN SAML Authentication
        Bypass Vulnerability
       cisco-sa-20190501-asa-ipsec-dos : Cisco Adaptive Security Appliance
        Software IPsec Denial of Service Vulnerability
       cisco-sa-20190501-firepower-dos : Cisco Firepower Threat Defense
        Software TCP Ingress Handler Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-dos : Cisco Firepower Threat Defense Software
        Packet Processing Denial of Service Vulnerability
       cisco-sa-20190501-frpwr-smb-snort : Cisco Firepower Threat Defense
        Software SMB Protocol Preprocessor Detection Engine Denial of Service
        Vulnerabilities
       cisco-sa-20190501-sd-cpu-dos : Cisco Adaptive Security Appliance
        Software and Firepower Threat Defense Software WebVPN Denial of Service
        Vulnerability

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the release that includes the
    fix for this vulnerability. The right column indicates whether a release is
    affected by all the vulnerabilities described in this collection of
    advisories and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +-------------+-------------------+---------------------------------------+
    |  Cisco ASA  |    Recommended    |    Recommended Release for All the    |
    |  Software   | Release for This  |   Vulnerabilities Described in the    |
    |   Release   |   Vulnerability   |       Collection of Advisories        |
    +-------------+-------------------+---------------------------------------+
    | Prior to    | 9.4.4.34          | 9.4.4.34                              |
    | 9.4 ^1      |                   |                                       |
    +-------------+-------------------+---------------------------------------+
    | 9.4         | 9.4.4.34          | 9.4.4.34                              |
    +-------------+-------------------+---------------------------------------+
    | 9.5 ^1      | 9.6.4.25          | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.6         | 9.6.4.25          | 9.6.4.25                              |
    +-------------+-------------------+---------------------------------------+
    | 9.7 ^1      | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.8         | 9.8.4             | 9.8.4                                 |
    +-------------+-------------------+---------------------------------------+
    | 9.9         | 9.9.2.50          | 9.9.2.50                              |
    +-------------+-------------------+---------------------------------------+
    | 9.10        | 9.10.1.17         | 9.10.1.17                             |
    +-------------+-------------------+---------------------------------------+
    | 9.12        | Not vulnerable    | Not vulnerable                        |
    +-------------+-------------------+---------------------------------------+

    ^ 1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.

    Cisco FTD Software

    +---------------+-------------------+-------------------------------------+
    |   Cisco FTD   |    Recommended    |   Recommended Release for All the   |
    |   Software    | Release for This  |  Vulnerabilities Described in the   |
    |    Release    |   Vulnerability   |      Collection of Advisories       |
    +---------------+-------------------+-------------------------------------+
    | 6.0           | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.0.1         | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.1.0         | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.0         | Not vulnerable    | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.1         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.2         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.2.3         | 6.2.3.12          | 6.2.3.12                            |
    +---------------+-------------------+-------------------------------------+
    | 6.3.0         | 6.3.0.3           | 6.3.0.3                             |
    +---------------+-------------------+-------------------------------------+
    | 6.4.0         | Not vulnerable    | Not vulnerable                      |
    +---------------+-------------------+-------------------------------------+

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.
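
    As an added example, not part of this advisory or of Cisco's software, the
    following Python script ties the three checks from the Affected Products
    section (ASA release, FTD release, WebVPN enabled) to the fixed-release
    tables above: it parses the output of show version and show running-config
    webvpn, selects the table row for the running release, and reports whether
    the device is affected. The CLI samples are constructed and the status
    names are this example's own; a device whose release is not in the tables
    is reported as unknown rather than guessed at.

```python
"""Exposure check for cisco-sa-20190501-asa-ftd-dos (WebVPN DoS).
Added example, not Cisco's code: it encodes this advisory's fixed-release
tables and parses the CLI output the advisory tells administrators to
collect. The CLI samples below are constructed for illustration."""
import re

# Release family -> (fix for this advisory, fix for the whole collection),
# copied from the advisory's tables; None means "Not vulnerable".
FIXED = {
    "asa": {
        "9.4":  ("9.4.4.34",  "9.4.4.34"),
        "9.5":  ("9.6.4.25",  "9.6.4.25"),
        "9.6":  ("9.6.4.25",  "9.6.4.25"),
        "9.7":  ("9.8.4",     "9.8.4"),
        "9.8":  ("9.8.4",     "9.8.4"),
        "9.9":  ("9.9.2.50",  "9.9.2.50"),
        "9.10": ("9.10.1.17", "9.10.1.17"),
        "9.12": (None,        None),
    },
    "ftd": {
        "6.0":   (None,       "6.2.3.12"),
        "6.0.1": (None,       "6.2.3.12"),
        "6.1.0": (None,       "6.2.3.12"),
        "6.2.0": (None,       "6.2.3.12"),
        "6.2.1": ("6.2.3.12", "6.2.3.12"),
        "6.2.2": ("6.2.3.12", "6.2.3.12"),
        "6.2.3": ("6.2.3.12", "6.2.3.12"),
        "6.3.0": ("6.3.0.3",  "6.3.0.3"),
        "6.4.0": (None,       None),
    },
}
ASA_PRE_94 = ("9.4.4.34", "9.4.4.34")   # the table's "Prior to 9.4" row

def parse_release(text):
    """'9.9.2.18' -> (9, 9, 2, 18); also accepts ASA's '9.8(4)' spelling."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def older_than(a, b):
    """True if release tuple a precedes b; shorter tuples are padded with 0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def release_from_show_version(output):
    """(platform, release) from the 'show version' output of an ASA or FTD."""
    m = re.search(r"Adaptive Security Appliance Software Version\s+(\S+)", output)
    if m:
        return "asa", m.group(1)
    m = re.search(r"Threat Defense .*?Version\s+(\d+(?:\.\d+)+)", output)
    if m:
        return "ftd", m.group(1)
    raise ValueError("neither an ASA nor an FTD version line was found")

def webvpn_interfaces(output):
    """Interfaces with WebVPN enabled, from 'show running-config webvpn'."""
    return re.findall(r"^\s*enable\s+(\S+)\s*$", output, re.MULTILINE)

def fixed_row(platform, rel):
    """Advisory table row for a release: longest matching release prefix."""
    if platform == "asa" and older_than(rel, (9, 4)):
        return ASA_PRE_94
    for n in (3, 2):
        key = ".".join(str(x) for x in rel[:n])
        if key in FIXED[platform]:
            return FIXED[platform][key]
    return None   # release family not listed in the advisory

def assess(show_version_out, show_run_webvpn_out):
    """Classify one device against this advisory from its own CLI output."""
    platform, release = release_from_show_version(show_version_out)
    rel = parse_release(release)
    row = fixed_row(platform, rel)
    ifaces = webvpn_interfaces(show_run_webvpn_out)
    this_fix = all_fix = None
    if row is None:
        status = "unknown_release"
    else:
        this_fix, all_fix = row
        if this_fix is None or not older_than(rel, parse_release(this_fix)):
            status = "not_vulnerable"
        elif not ifaces:
            status = "vulnerable_webvpn_disabled"   # vulnerable code, service off
        else:
            status = "affected"
    return {"platform": platform, "release": release, "webvpn_interfaces": ifaces,
            "status": status, "fix_this_advisory": this_fix, "fix_collection": all_fix}

# Constructed sample output in the shape this advisory shows.
SAMPLE_ASA_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.9.2.18
Device Manager Version 7.4(1)
"""
SAMPLE_FTD_VERSION = """\
Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
"""
SAMPLE_WEBVPN = "webvpn\n enable outside\n"

if __name__ == "__main__":
    print(assess(SAMPLE_ASA_VERSION, SAMPLE_WEBVPN))   # status: affected
    print(assess(SAMPLE_FTD_VERSION, SAMPLE_WEBVPN))   # status: not_vulnerable
```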

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Qian Chen of Qihoo 360 Information Security
    Department for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Action Links for This Advisory

  o Snort Rule 50007

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-dos

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance and Firepower Threat Defense Software Layer 2
Filtering Bypass Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190501-asa-ftd-bypass

First Published: 2019 May 1 16:00 GMT

Last Updated:    2019 May 2 17:44 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvm75358

CVE-2019-1695    

CWE-284

CVSS Score:
4.3  AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the detection engine of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, adjacent attacker to send data directly to
    the kernel of an affected device.

    The vulnerability exists because the software improperly filters Ethernet
    frames sent to an affected device. An attacker could exploit this
    vulnerability by sending crafted packets to the management interface of an
    affected device. A successful exploit could allow the attacker to bypass
    the Layer 2 (L2) filters and send data directly to the kernel of the
    affected device. A malicious frame successfully delivered would make the
    target device generate a specific syslog entry.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-bypass

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco Firepower 2100 Series devices that are
    running a vulnerable release of Cisco ASA Software or FTD Software. For
    information about which Cisco ASA Software and FTD Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device and use the show version command in
    the CLI. The following example shows the output of the command for a device
    that is running Cisco FTD Software Release 6.2.2:

        > show version

        ------------------[ ftd ]-----------------------
        Model : Cisco Firepower 2130 Threat Defense (77) Version 6.2.2 (Build 81)
        UUID : 0cd3595a-7efa-11e7-aaa1-ee3989c8bf25
        Rules update version : 2017-12-20-001-vrt
        VDB version : 290
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. In the following table(s), the left
    column lists Cisco software releases. The right column indicates whether a
    release is affected by the vulnerability described in this advisory and the
    release that includes the fix for this vulnerability.

    Cisco ASA Software

    +----------------------------+--------------------------------------------+
    | Cisco ASA Software Release | Recommended Release for This Vulnerability |
    +----------------------------+--------------------------------------------+
    | Prior to 9.4 ^1            | Not vulnerable                             |
    +----------------------------+--------------------------------------------+
    | 9.4                        | Not vulnerable                             |
    +----------------------------+--------------------------------------------+
    | 9.5 ^1                     | Not vulnerable                             |
    +----------------------------+--------------------------------------------+
    | 9.6                        | Not vulnerable                             |
    +----------------------------+--------------------------------------------+
    | 9.7 ^1                     | Not vulnerable                             |
    +----------------------------+--------------------------------------------+
    | 9.8 ^2                     | 9.8.4                                      |
    +----------------------------+--------------------------------------------+
    | 9.9                        | 9.9.2.50                                   |
    +----------------------------+--------------------------------------------+
    | 9.10                       | 9.10.1.17                                  |
    +----------------------------+--------------------------------------------+
    | 9.12                       | Not vulnerable                             |
    +----------------------------+--------------------------------------------+

    ^ 1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for this
    vulnerability.
    ^ 2 Only software releases 9.8.2 and later are vulnerable.

    Cisco FTD Software

    +----------------------------+--------------------------------------------+
    | Cisco FTD Software Release | Recommended Release for This Vulnerability |
    +----------------------------+--------------------------------------------+
    | 6.0                        | Not vulnerable                             |
    +----------------------------+--------------------------------------------+
    | 6.0.1                      | Not vulnerable                             |
    +----------------------------+--------------------------------------------+
    | 6.1.0                      | Not vulnerable                             |
    +----------------------------+--------------------------------------------+
    | 6.2.0                      | Not vulnerable                             |
    +----------------------------+--------------------------------------------+
    | 6.2.1                      | 6.2.3.12                                   |
    +----------------------------+--------------------------------------------+
    | 6.2.2                      | 6.2.3.12                                   |
    +----------------------------+--------------------------------------------+
    | 6.2.3                      | 6.2.3.12                                   |
    +----------------------------+--------------------------------------------+
    | 6.3.0                      | 6.3.0.3                                    |
    +----------------------------+--------------------------------------------+
    | 6.4.0                      | Not vulnerable                             |
    +----------------------------+--------------------------------------------+

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-bypass

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance and Firepower Threat Defense Software WebVPN
Cross-Site Scripting Vulnerabilities

Priority:        Medium

Advisory ID:     cisco-sa-20190501-asa-ftd-xss

First Published: 2019 May 1 16:00 GMT

Last Updated:    2019 May 2 17:42 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvn78674 CSCvo11406 CSCvo11416 CSCvo17033

CVE-2019-1701    

CWE-79

CVSS Score:
4.8  AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in the WebVPN service of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an authenticated, remote attacker to conduct a cross-site
    scripting (XSS) attack against a user of the WebVPN portal of an affected
    device.

    The vulnerabilities exist because the software insufficiently validates
    user-supplied input on an affected device. An attacker could exploit these
    vulnerabilities by persuading a user of the interface to click a crafted
    link. A successful exploit could allow the attacker to execute arbitrary
    script code in the context of the affected interface or access sensitive
    browser-based information. An attacker would need administrator privileges
    on the device to exploit these vulnerabilities.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-xss

Affected Products

  o Vulnerable Products

    These vulnerabilities affect the following Cisco products that are running
    a vulnerable release of Cisco ASA Software or FTD Software and have the
    WebVPN service enabled:

       3000 Series Industrial Security Appliances (ISAs)
       ASA 1000V Cloud Firewall
       ASA 5500-X Series Firewalls
       ASA 5505 Adaptive Security Appliance ^ 1
       ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
       Adaptive Security Virtual Appliance (ASAv)
       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       FTD Virtual (FTDv)

    ^ 1 ASA 5500 Series Adaptive Security Appliances other than the ASA 5505
    have reached the end-of-support milestone and are no longer evaluated for
    security vulnerabilities.

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version | include
    Version command in the CLI, and refer to the output of the command. The
    following example shows the output of the command for a device that is
    running Cisco ASA Software Release 9.9.2.18:

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.9.2.18
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM login window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determining the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. In the following table(s), the left
    column lists Cisco software releases. The right column indicates whether a
    release is affected by the vulnerabilities described in this advisory and
    the release that includes the fix for these vulnerabilities.

    Cisco ASA Software

    Cisco ASA Software Release Recommended Release for These Vulnerabilities
    Prior to 9.4 ^1            9.4.4.34
    9.4                        9.4.4.34
    9.5 ^1                     9.6.4.25
    9.6                        9.6.4.25
    9.7 ^1                     9.8.4
    9.8                        9.8.4
    9.9                        9.9.2.50
    9.10                       9.10.1.17
    9.12                       Not vulnerable

    ^ 1 Cisco ASA Software releases prior to Release 9.4 and Cisco ASA Software
    Releases 9.5 and 9.7 have reached end of maintenance. Customers should
    migrate to a supported release that includes the fix for these
    vulnerabilities.

    Cisco FTD Software

    Cisco FTD Software Release Recommended Release for These Vulnerabilities
    6.0                        Not vulnerable
    6.0.1                      Not vulnerable
    6.1.0                      Not vulnerable
    6.2.0                      Not vulnerable
    6.2.1                      6.2.3.12
    6.2.2                      6.2.3.12
    6.2.3                      6.2.3.12
    6.3.0                      6.3.0.3
    6.4.0                      Not vulnerable
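    The two "Determining the ... Software Release" procedures and the fixed
    release tables above can be combined into one check that an administrator
    runs against saved "show version" output. The script below is an added
    example, not code from Cisco or AusCERT. It parses the dotted version
    format shown in the excerpts above (the sample outputs are constructed to
    match those excerpts), looks up the running train in the tables exactly as
    printed in this advisory, and reports whether the recommended release has
    been reached. The status names, the reading of the FTD "6.0" row as 6.0.0,
    and the assumption that later releases within the same train carry the fix
    are the example's own assumptions.

```python
import re
from typing import Optional, Tuple

# Fixed-release rows copied from the two tables in this advisory.
# None means the advisory lists that train as "Not vulnerable".
ASA_FIXED = {
    "9.4": "9.4.4.34",
    "9.5": "9.6.4.25",   # end of maintenance: migrate to the 9.6 fix
    "9.6": "9.6.4.25",
    "9.7": "9.8.4",      # end of maintenance: migrate to the 9.8 fix
    "9.8": "9.8.4",
    "9.9": "9.9.2.50",
    "9.10": "9.10.1.17",
    "9.12": None,
}
ASA_PRE_9_4_FIXED = "9.4.4.34"   # the "Prior to 9.4" row
# FTD rows keyed by the first three components; the advisory's "6.0" row is
# read as 6.0.0 (assumption made by this example).
FTD_FIXED = {
    "6.0.0": None, "6.0.1": None, "6.1.0": None, "6.2.0": None,
    "6.2.1": "6.2.3.12", "6.2.2": "6.2.3.12", "6.2.3": "6.2.3.12",
    "6.3.0": "6.3.0.3", "6.4.0": None,
}
# Constructed sample output, modelled on the two excerpts in the advisory.
SAMPLE_ASA = """ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.9.2.18
Device Manager Version 7.4(1)
"""
SAMPLE_FTD = """> show version

---------------------[ ftd ]---------------------
Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
----------------------------------------------------
"""
ASA_RE = re.compile(r"Adaptive Security Appliance Software Version (\d+(?:\.\d+)+)")
FTD_RE = re.compile(r"Threat Defense .*?Version (\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.9.2.18' -> (9, 9, 2, 18)."""
    return tuple(int(p) for p in text.split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Dotted-version compare; zero-pads so (9, 8, 4) is not older than (9, 8, 4, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def _judge(v: Tuple[int, ...], train: str, fixed: Optional[str]) -> Tuple[str, Optional[str]]:
    """'not_vulnerable'; 'fixed' when on the same train at or past the fixed
    release (assumes later releases in that train carry the fix); otherwise
    'upgrade', which also covers trains that must migrate to another train."""
    if fixed is None:
        return ("not_vulnerable", None)
    if fixed.startswith(train + ".") and not version_lt(v, parse_version(fixed)):
        return ("fixed", fixed)
    return ("upgrade", fixed)


def assess_asa(version_text: str) -> Tuple[str, Optional[str]]:
    v = parse_version(version_text)
    if len(v) < 2:
        return ("unknown", None)
    train = f"{v[0]}.{v[1]}"
    if v[:2] < (9, 4):                      # "Prior to 9.4" row
        return _judge(v, train, ASA_PRE_9_4_FIXED)
    if train not in ASA_FIXED:
        return ("unknown", None)
    return _judge(v, train, ASA_FIXED[train])


def assess_ftd(version_text: str) -> Tuple[str, Optional[str]]:
    v = parse_version(version_text)
    padded = v + (0,) * (3 - len(v))        # "6.2" -> (6, 2, 0) for the lookup
    train = ".".join(str(p) for p in padded[:3])
    if train not in FTD_FIXED:
        return ("unknown", None)
    return _judge(v, train, FTD_FIXED[train])


def extract_version(show_version: str) -> Tuple[str, str]:
    """Return ('ftd'|'asa', version) from 'show version' text; FTD is tried first
    because its banner names the platform explicitly."""
    m = FTD_RE.search(show_version)
    if m:
        return ("ftd", m.group(1))
    m = ASA_RE.search(show_version)
    if m:
        return ("asa", m.group(1))
    raise ValueError("no ASA or FTD version line found in output")


def assess_output(show_version: str) -> Tuple[str, str, str, Optional[str]]:
    platform, version = extract_version(show_version)
    status, fixed = (assess_ftd if platform == "ftd" else assess_asa)(version)
    return (platform, version, status, fixed)


if __name__ == "__main__":
    for sample in (SAMPLE_ASA, SAMPLE_FTD):
        platform, version, status, fixed = assess_output(sample)
        print(f"{platform.upper()} {version}: {status}" + (f" -> {fixed}" if fixed else ""))
```

    The script only answers the release question. The advisory limits exposure
    to devices that also have the WebVPN service enabled, so a device reported
    as "upgrade" still needs that second check before it is treated as
    affected, and the parser expects the dotted version format shown in the
    excerpts above.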

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.

Source

  o Cisco would like to thank Qian Chen of Qihoo 360 Information Security
    Department for reporting one of these vulnerabilities. The other
    vulnerabilities in this advisory were found during internal security
    testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Action Links for This Advisory

  o Understanding Cross-Site Scripting (XSS) Threat Vectors

Related to This Advisory

  o Cross-Site Scripting

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-xss

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated the FTD fixed       |          |        |             |
    | 1.1     | releases table to indicate  | Fixed    | Final  | 2019-May-02 |
    |         | that FTD Software Release   | Software |        |             |
    |         | 6.3.0.3 is available.       |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2019-May-01 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----