Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3163
Multiple Vulnerabilities in Cisco Firepower Threat Defense Software
19 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Firepower Threat Defense Software
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-1982 CVE-2019-1981 CVE-2019-1980
CVE-2019-1978
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-srb
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-nspd
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-null
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-http
Comment: This bulletin contains four (4) Cisco Systems security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Firepower Threat Defense Software Stream Reassembly Bypass Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190816-ftd-srb
First Published: 2019 August 16 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvq39955
CVE-2019-1978
CWE-264
CVSS Score:
5.8 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the stream reassembly component of Cisco Firepower
Threat Defense Software, Cisco FirePOWER Services Software for ASA, and
Cisco Firepower Management Center Software could allow an unauthenticated,
remote attacker to bypass filtering protections.
The vulnerability is due to improper reassembly of traffic streams. An
attacker could exploit this vulnerability by sending crafted streams
through an affected device. An exploit could allow the attacker to bypass
filtering and deliver malicious requests to protected systems that would
otherwise be blocked.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190816-ftd-srb
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected all releases of
Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software
for ASA, and Cisco Firepower Management Center Software.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
For information about fixed software releases, see the Details section in
the bug ID(s) at the top of this advisory.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank NSS Labs, Inc. for reporting this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190816-ftd-srb
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-16 |
+---------+--------------------------+---------+--------+-----------------+
- -------------------------------------------------------------------------------
Cisco Firepower Threat Defense Software Nonstandard Protocol Detection Bypass
Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190816-ftd-nspd
First Published: 2019 August 16 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvq39888
CVE-2019-1980
CWE-264
CVSS Score:
5.8 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the protocol detection component of Cisco Firepower
Threat Defense Software, Cisco FirePOWER Services Software for ASA, and
Cisco Firepower Management Center Software could allow an unauthenticated,
remote attacker to bypass filtering protections.
The vulnerability is due to improper detection of the initial use of a
protocol on a nonstandard port. An attacker could exploit this
vulnerability by sending traffic on a nonstandard port for the protocol in
use through an affected device. An exploit could allow the attacker to
bypass filtering and deliver malicious requests to protected systems that
would otherwise be blocked. Once the initial protocol flow on the
nonstandard port is detected, future flows on the nonstandard port will be
successfully detected and handled as configured by the applied policy.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190816-ftd-nspd
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected all releases of
Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software
for ASA, and Cisco Firepower Management Center Software.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
For information about fixed software releases, see the Details section in
the bug ID(s) at the top of this advisory.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank NSS Labs, Inc. for reporting this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190816-ftd-nspd
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-16 |
+---------+--------------------------+---------+--------+-----------------+
- -------------------------------------------------------------------------------
Cisco Firepower Threat Defense Software NULL Character Obfuscation Detection
Bypass Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190816-ftd-null
First Published: 2019 August 16 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvq39915
CVE-2019-1981
CWE-264
CVSS Score:
5.8 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the normalization functionality of Cisco Firepower
Threat Defense Software, Cisco FirePOWER Services Software for ASA, and
Cisco Firepower Management Center Software could allow an unauthenticated,
remote attacker to bypass filtering protections.
The vulnerability is due to insufficient normalization of a text-based
payload. An attacker could exploit this vulnerability by sending traffic
that contains specifically obfuscated payloads through an affected device.
An exploit could allow the attacker to bypass filtering and deliver
malicious payloads to protected systems that would otherwise be blocked.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190816-ftd-null
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected all releases of
Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software
for ASA, and Cisco Firepower Management Center Software.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
For information about fixed software releases, see the Details section in
the bug ID(s) at the top of this advisory.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank NSS Labs, Inc. for reporting this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190816-ftd-null
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-16 |
+---------+--------------------------+---------+--------+-----------------+
- -------------------------------------------------------------------------------
Cisco Firepower Threat Defense Software HTTP Filtering Bypass Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190816-ftd-http
First Published: 2019 August 16 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvj19544CSCvq07297
CVE-2019-1982
CWE-264
CVSS Score:
5.8 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the HTTP traffic filtering component of Cisco Firepower
Threat Defense Software, Cisco FirePOWER Services Software for ASA, and
Cisco Firepower Management Center Software could allow an unauthenticated,
remote attacker to bypass filtering protections.
The vulnerability is due to improper handling of HTTP requests, including
those communicated over a secure HTTPS connection, that contain maliciously
crafted headers. An attacker could exploit this vulnerability by sending
malicious requests to an affected device. An exploit could allow the
attacker to bypass filtering and deliver malicious requests to protected
systems, allowing attackers to deliver malicious content that would
otherwise be blocked.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190816-ftd-http
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco Firepower
Threat Defense Software, Cisco FirePOWER Services Software for ASA, and
Cisco Firepower Management Center Software.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
For information about fixed software releases, see the Details section in
the bug ID(s) at the top of this advisory.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank NSS Labs, Inc. for reporting this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190816-ftd-http
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-16 |
+---------+--------------------------+---------+--------+-----------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXVnxeGaOgq3Tt24GAQh91w//fpn4Mf9j6/r4BqsR0Li9CFRma1IDE1h7
CBzMYvRlBgPtYV63opxoKLgd6zPec3f2CZ6B0qV1s/lxGtzJ/isAM5iO/CPCoDLu
6b/H6nGeZbf3h/nLBxUBnIdnrWTuFbl0JsLve7AaPFJyAqS807vWIOkVOBmfU1Pi
pdyIDXkmAaE6dtOt7xsLu0nVgC0W6PF4MCe3PSeAzC26Foo9y+xETQNteOl0JmJg
/thk+JbSoCScL7F0+mV2iB4E7oV+cJyW5juEWpL95STL5kvB4cZfjT3dxENFHBwM
YQZwy2kJeCkyGZXsXm7vLWFVogypgX8/hSeA6kyDWpHKOUtVMYriTCGxjiet9N9C
WskwYPw68qqZ4PkYHHC2aThxmfwfYl2NrCrvtN9FjJC7rHuSbb9+HXbDDRKoTUmk
67j+wqU056IJBHZEJxwMtO5tSMiXs+T1vz8FdYhoTzl6hSkHIi0aeM+ufzstMnJk
nmbng86MudmCwXsJzmUhMu0sCc3HeYCgyF7fhFHVf8fiyn05B1kyh7RobP44Nl3Q
rt1ZC8a6h5YKGPmIzfrhS+cLF9uM9BUEDfmNG/s84CmEo29NltI3d7IMeNGNUkj2
Ce87htjCkNvoNRHVZNMuKh8C3uWpfUkv1nc89v8eyeEqf4w2HiUqcy96u1I3eSl/
T7UJZWIvE0I=
=CD6t
-----END PGP SIGNATURE-----