-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3163
    Multiple Vulnerabilities in Cisco Firepower Threat Defense Software
                              19 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Firepower Threat Defense Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1982 CVE-2019-1981 CVE-2019-1980
                   CVE-2019-1978  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-srb
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-nspd
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-null
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-http

Comment: This bulletin contains four (4) Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Firepower Threat Defense Software Stream Reassembly Bypass Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190816-ftd-srb

First Published: 2019 August 16 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds availableCisco Bug IDs:   CSCvq39955

CVE-2019-1978    

CWE-264

CVSS Score:
5.8  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the stream reassembly component of Cisco Firepower
    Threat Defense Software, Cisco FirePOWER Services Software for ASA, and
    Cisco Firepower Management Center Software could allow an unauthenticated,
    remote attacker to bypass filtering protections.

    The vulnerability is due to improper reassembly of traffic streams. An
    attacker could exploit this vulnerability by sending crafted streams
    through an affected device. An exploit could allow the attacker to bypass
    filtering and deliver malicious requests to protected systems that would
    otherwise be blocked.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190816-ftd-srb

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected all releases of
    Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software
    for ASA, and Cisco Firepower Management Center Software.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    For information about fixed software releases, see the Details section in
    the bug ID(s) at the top of this advisory.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank NSS Labs, Inc. for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190816-ftd-srb

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-16  |
    +---------+--------------------------+---------+--------+-----------------+

- -------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software Nonstandard Protocol Detection Bypass
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190816-ftd-nspd

First Published: 2019 August 16 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds availableCisco Bug IDs:   CSCvq39888

CVE-2019-1980    

CWE-264

CVSS Score:
5.8  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the protocol detection component of Cisco Firepower
    Threat Defense Software, Cisco FirePOWER Services Software for ASA, and
    Cisco Firepower Management Center Software could allow an unauthenticated,
    remote attacker to bypass filtering protections.

    The vulnerability is due to improper detection of the initial use of a
    protocol on a nonstandard port. An attacker could exploit this
    vulnerability by sending traffic on a nonstandard port for the protocol in
    use through an affected device. An exploit could allow the attacker to
    bypass filtering and deliver malicious requests to protected systems that
    would otherwise be blocked. Once the initial protocol flow on the
    nonstandard port is detected, future flows on the nonstandard port will be
    successfully detected and handled as configured by the applied policy.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190816-ftd-nspd

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected all releases of
    Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software
    for ASA, and Cisco Firepower Management Center Software.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    For information about fixed software releases, see the Details section in
    the bug ID(s) at the top of this advisory.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank NSS Labs, Inc. for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190816-ftd-nspd

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-16  |
    +---------+--------------------------+---------+--------+-----------------+

- -------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software NULL Character Obfuscation Detection
Bypass Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190816-ftd-null

First Published: 2019 August 16 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds availableCisco Bug IDs:   CSCvq39915

CVE-2019-1981    

CWE-264

CVSS Score:
5.8  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the normalization functionality of Cisco Firepower
    Threat Defense Software, Cisco FirePOWER Services Software for ASA, and
    Cisco Firepower Management Center Software could allow an unauthenticated,
    remote attacker to bypass filtering protections.

    The vulnerability is due to insufficient normalization of a text-based
    payload. An attacker could exploit this vulnerability by sending traffic
    that contains specifically obfuscated payloads through an affected device.
    An exploit could allow the attacker to bypass filtering and deliver
    malicious payloads to protected systems that would otherwise be blocked.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190816-ftd-null

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected all releases of
    Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software
    for ASA, and Cisco Firepower Management Center Software.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    For information about fixed software releases, see the Details section in
    the bug ID(s) at the top of this advisory.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank NSS Labs, Inc. for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190816-ftd-null

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-16  |
    +---------+--------------------------+---------+--------+-----------------+

- -------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software HTTP Filtering Bypass Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190816-ftd-http

First Published: 2019 August 16 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds availableCisco Bug IDs:   CSCvj19544CSCvq07297

CVE-2019-1982    

CWE-264

CVSS Score:
5.8  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the HTTP traffic filtering component of Cisco Firepower
    Threat Defense Software, Cisco FirePOWER Services Software for ASA, and
    Cisco Firepower Management Center Software could allow an unauthenticated,
    remote attacker to bypass filtering protections.

    The vulnerability is due to improper handling of HTTP requests, including
    those communicated over a secure HTTPS connection, that contain maliciously
    crafted headers. An attacker could exploit this vulnerability by sending
    malicious requests to an affected device. An exploit could allow the
    attacker to bypass filtering and deliver malicious requests to protected
    systems, allowing attackers to deliver malicious content that would
    otherwise be blocked.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190816-ftd-http

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco Firepower
    Threat Defense Software, Cisco FirePOWER Services Software for ASA, and
    Cisco Firepower Management Center Software.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    For information about fixed software releases, see the Details section in
    the bug ID(s) at the top of this advisory.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank NSS Labs, Inc. for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190816-ftd-http

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-16  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXVnxeGaOgq3Tt24GAQh91w//fpn4Mf9j6/r4BqsR0Li9CFRma1IDE1h7
CBzMYvRlBgPtYV63opxoKLgd6zPec3f2CZ6B0qV1s/lxGtzJ/isAM5iO/CPCoDLu
6b/H6nGeZbf3h/nLBxUBnIdnrWTuFbl0JsLve7AaPFJyAqS807vWIOkVOBmfU1Pi
pdyIDXkmAaE6dtOt7xsLu0nVgC0W6PF4MCe3PSeAzC26Foo9y+xETQNteOl0JmJg
/thk+JbSoCScL7F0+mV2iB4E7oV+cJyW5juEWpL95STL5kvB4cZfjT3dxENFHBwM
YQZwy2kJeCkyGZXsXm7vLWFVogypgX8/hSeA6kyDWpHKOUtVMYriTCGxjiet9N9C
WskwYPw68qqZ4PkYHHC2aThxmfwfYl2NrCrvtN9FjJC7rHuSbb9+HXbDDRKoTUmk
67j+wqU056IJBHZEJxwMtO5tSMiXs+T1vz8FdYhoTzl6hSkHIi0aeM+ufzstMnJk
nmbng86MudmCwXsJzmUhMu0sCc3HeYCgyF7fhFHVf8fiyn05B1kyh7RobP44Nl3Q
rt1ZC8a6h5YKGPmIzfrhS+cLF9uM9BUEDfmNG/s84CmEo29NltI3d7IMeNGNUkj2
Ce87htjCkNvoNRHVZNMuKh8C3uWpfUkv1nc89v8eyeEqf4w2HiUqcy96u1I3eSl/
T7UJZWIvE0I=
=CD6t
-----END PGP SIGNATURE-----