-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1615.3
         Multiple vulnerabilities found in Cisco Adaptive Security
                  Appliance and Firepower Threat Defence
                                18 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Firepower Threat Defence
                   Cisco Adaptive Security Appliance Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Delete Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3306 CVE-2020-3305 CVE-2020-3303
                   CVE-2020-3298 CVE-2020-3259 CVE-2020-3254
                   CVE-2020-3196 CVE-2020-3195 CVE-2020-3191
                   CVE-2020-3187 CVE-2020-3125 

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-BqYFRJt9
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-dos-qk8cTGLz
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-P43GCE5j
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-dos-qY7BHpjN
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-mgcp-SUqB8VKH
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-dos-RhMQY8qx
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipv6-67pA658k
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB

Comment: This bulletin contains twelve (12) security advisories.

Revision History:  May 18 2020: Vendor released minor update
                   May 12 2020: Vendor released update 1.2 to clarify fixed release table
                   May  7 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Web Services Path Traversal Vulnerability

Priority:        High

Advisory ID:     cisco-sa-asaftd-path-JE3azWw43

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 14:52 GMT

Version 1.2:     Final

Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr55825

CVE-2020-3187    

CWE-22

CVSS Score:
9.1  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web services interface of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to conduct directory
    traversal attacks and obtain read and delete access to sensitive files on a
    targeted system.

    The vulnerability is due to a lack of proper input validation of the HTTP
    URL. An attacker could exploit this vulnerability by sending a crafted HTTP
    request containing directory traversal character sequences. An exploit
    could allow the attacker to view or delete arbitrary files on the targeted
    system. When the device is reloaded after exploitation of this
    vulnerability, any files that were deleted are restored.

    The attacker can only view and delete files within the web services file
    system. This file system is enabled when the affected device is configured
    with either WebVPN or AnyConnect features. This vulnerability cannot be
    used to obtain access to ASA or FTD system files or underlying operating
    system (OS) files. Reloading the affected device will restore all files
    within the web services file system.
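    A defender's check for the traversal sequences this advisory describes, added here as an illustration and not part of Cisco's advisory or of any Cisco tool: it scans web access-log lines for a request target that, after repeated percent-decoding, contains a ".." path segment, which is the parent-directory step a traversal request needs. The common-log-style line layout is an assumption for the example, and the sample lines below (client addresses, timestamps, paths) are constructed, not captured from a device.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines in a common-log-style layout (assumed
# format; the client addresses, timestamps and paths are invented for this
# example and are not from any real device).
SAMPLE_LOG = """\
203.0.113.10 - - [07/May/2020:10:01:02 +0000] "GET /webvpn/portal.html HTTP/1.1" 200 4123
203.0.113.11 - - [07/May/2020:10:01:07 +0000] "GET /webvpn/../webvpn/files/x HTTP/1.1" 404 0
203.0.113.12 - - [07/May/2020:10:01:09 +0000] "GET /a/%2e%2e/%2e%2e/b HTTP/1.1" 200 0
203.0.113.13 - - [07/May/2020:10:01:11 +0000] "GET /a/%252e%252e/b?x=1 HTTP/1.1" 200 0
203.0.113.14 - - [07/May/2020:10:01:15 +0000] "GET /docs/..notes/index.html HTTP/1.1" 200 99
"""

# Request line inside the quoted field: method, target, protocol.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e (double-encoded '..') is seen as '..'."""
    current = text
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def has_traversal(target: str) -> bool:
    """True when the decoded path contains a '..' segment (a real parent-directory step).

    A segment such as '..notes' is not flagged, which keeps false positives down.
    """
    path = target.split("?", 1)[0]          # drop the query string first
    segments = re.split(r"[/\\]+", fully_decode(path))
    return ".." in segments


def scan_log(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose request target contains traversal."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = REQ_RE.search(line)
        if not match:
            continue
        if has_traversal(match.group("target")):
            hits.append({"client": line.split(" ", 1)[0],
                         "method": match.group("method"),
                         "target": match.group("target")})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['target']}")
```

    A hit is an indicator that a request tried to step out of its directory, not proof that the device was affected; on an unpatched device with WebVPN or AnyConnect enabled it is a reason to check the web services file system and to move to a fixed release.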

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a vulnerable
    release of Cisco ASA Software or FTD Software with a vulnerable AnyConnect
    or WebVPN configuration.

    ASA Software

    In the following table, the left column lists the Cisco ASA features that
    are vulnerable. The right column indicates the basic configuration for the
    feature from the show running-config CLI command. If the device is
    configured for one of these features, it is vulnerable.

    Cisco ASA Feature                 Vulnerable Configuration
    AnyConnect IKEv2 Remote Access    crypto ikev2 enable <interface_name>
    (with client services)            client-services port <port #>
    AnyConnect SSL VPN                webvpn
                                      enable <interface_name>
    Clientless SSL VPN                webvpn
                                      enable <interface_name>

    FTD Software

    In the following table, the left column lists the Cisco FTD features that
    are vulnerable. The right column indicates the basic configuration for the
    feature from the show running-config CLI command. If the device is
    configured for one of these features, it is vulnerable.

    Cisco FTD Feature                   Vulnerable Configuration
    AnyConnect IKEv2 Remote Access      crypto ikev2 enable <interface_name>
    (with client services) ^1,2         client-services port <port #>
    AnyConnect SSL VPN ^1,2             webvpn
                                        enable <interface_name>

    1. Remote Access VPN features are enabled via Devices > VPN > Remote Access
    in the Cisco FMC or via Device > Remote Access VPN in Cisco Firepower
    Device Manager (FDM).
    2. Remote Access VPN features are first supported as of Cisco FTD Software
    Release 6.2.2.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC) Software.

Details

  o The attacker can view and delete files within the web services file system
    only. The web services file system is enabled for the WebVPN and AnyConnect
    features outlined in the Vulnerable Products section of this advisory;
    therefore, this vulnerability does not apply to the ASA and FTD system
    files or underlying operating system (OS) files. The Web Services files
    that the attacker can view may have information such as WebVPN
    configuration, bookmarks, web cookies, partial web content, and HTTP URLs.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    Cisco ASA     First Fixed Release  First Fixed Release for All
    Software      for This             Vulnerabilities Described in the Bundle
    Release       Vulnerability        of Advisories
    Earlier than  Migrate to a fixed   Migrate to a fixed release.
    9.5 ^1        release.
    9.6           9.6.4.40             Migrate to a fixed release.
    9.7 ^1        Migrate to a fixed   Migrate to a fixed release.
                  release.
    9.8           9.8.4.15             9.8.4.20
    9.9           9.9.2.66             9.9.2.67
    9.10          9.10.1.37            9.10.1.40
    9.12          9.12.3.2             9.12.3.9
    9.13          9.13.1.7             9.13.1.10
    9.14          Not vulnerable.      Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
    have reached end of software maintenance. Customers are advised to migrate
    to a supported release that includes the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD     First Fixed Release for This Vulnerability          First Fixed Release for All Vulnerabilities
    Software                                                          Described in the Bundle of Advisories
    Release
    Earlier than  Migrate to a fixed release.                         Migrate to a fixed release.
    6.2.3 ^1
    6.2.3         6.2.3.16 (June 2020)                                6.2.3.16 (June 2020)
                  Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar           Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                  Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar  Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                  Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar       Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar
    6.3.0         6.3.0.6 (future release)                            6.3.0.6 (future release)
                  Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar            Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                  Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar   Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                  Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar        Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar
    6.4.0         6.4.0.8                                             6.4.0.9 (May 2020)
                                                                      Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                                                                      Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                                                                      Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                                                                      Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
    6.5.0         6.5.0.4                                             6.5.0.5 (future release)
                                                                      Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                                                                      Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                                                                      Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                                                                      Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
    6.6.0         Not vulnerable.                                     6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.
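    To turn the Cisco ASA Software table above into a repeatable check, here is an added example that is not from Cisco or AusCERT: it compares the version string that `show version` prints against both fixed-release columns for the ASA train the device runs. The table values are transcribed from this advisory; the two version-string shapes `9.8(4)15` (CLI) and `9.8.4.15` (advisory) are assumed to be the only ones encountered, and the FTD hotfix packages are not modelled.

```python
import re
from typing import Dict, Optional, Tuple

# Transcribed from the "Cisco ASA Software" fixed-release table in this advisory:
# train -> (first fixed for this vulnerability, first fixed for the whole bundle).
# None stands for the table's "Migrate to a fixed release."
ASA_FIXED: Dict[str, Tuple[Optional[str], Optional[str]]] = {
    "9.6":  ("9.6.4.40",  None),
    "9.7":  (None,        None),
    "9.8":  ("9.8.4.15",  "9.8.4.20"),
    "9.9":  ("9.9.2.66",  "9.9.2.67"),
    "9.10": ("9.10.1.37", "9.10.1.40"),
    "9.12": ("9.12.3.2",  "9.12.3.9"),
    "9.13": ("9.13.1.7",  "9.13.1.10"),
}
FIRST_NOT_VULNERABLE_TRAIN = "9.14"   # listed as "Not vulnerable." in both columns


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.8(4)15' (show version) or '9.8.4.15' (advisory table) into (9, 8, 4, 15)."""
    return tuple(int(part) for part in re.split(r"[.()]+", text.strip()) if part)


def _status(running: Tuple[int, ...], fixed: Optional[str]) -> str:
    if fixed is None:
        return "migrate"
    # Tuple comparison treats (9, 8, 4) as older than (9, 8, 4, 15), as intended.
    return "fixed" if running >= parse_version(fixed) else "vulnerable"


def assess_asa(version: str) -> Dict[str, str]:
    """Assess a running ASA version against both columns of the table."""
    running = parse_version(version)
    train = f"{running[0]}.{running[1]}"
    if running >= parse_version(FIRST_NOT_VULNERABLE_TRAIN):
        return {"train": train, "this_advisory": "not_vulnerable",
                "bundle": "not_vulnerable", "upgrade_to": ""}
    # Trains absent from the table (9.5 and earlier, 9.11) get the same
    # "migrate" answer the table gives for "Earlier than 9.5".
    this_fixed, bundle_fixed = ASA_FIXED.get(train, (None, None))
    return {
        "train": train,
        "this_advisory": _status(running, this_fixed),
        "bundle": _status(running, bundle_fixed),
        # Prefer the bundle release so one upgrade closes all twelve advisories.
        "upgrade_to": bundle_fixed or this_fixed or "a supported fixed release",
    }


if __name__ == "__main__":
    for sample in ("9.8(4)10", "9.8(4)15", "9.8(4)20", "9.7(1)4", "9.14(1)"):
        print(sample, assess_asa(sample))
```

    The "bundle" column is the one to act on: a release that fixes only this advisory (for example 9.8.4.15) still leaves the device exposed to the other advisories in the May 2020 publication.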

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       o For devices that are managed by using Cisco Firepower Management Center
         (FMC), use the FMC interface to install the upgrade. After installation
         is complete, reapply the access control policy.
       o For devices that are managed by using Cisco Firepower Device Manager
         (FDM), use the FDM interface to install the upgrade. After installation
         is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Mikhail Klyuchnikov of Positive Technologies for
    reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Release   |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Releases | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------


Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Web Services Information Disclosure Vulnerability

Priority:        High

Advisory ID:     cisco-sa-asaftd-info-disclose-9eJtycMB

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 14:21 GMT

Version 1.3:     Final

Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt15163

CVE-2020-3259    

CWE-200

CVSS Score:
7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web services interface of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to retrieve memory contents
    on an affected device, which could lead to the disclosure of confidential
    information.

    The vulnerability is due to a buffer tracking issue when the software
    parses invalid URLs that are requested from the web services interface. An
    attacker could exploit this vulnerability by sending a crafted GET request
    to the web services interface. A successful exploit could allow the
    attacker to retrieve memory contents, which could lead to the disclosure of
    confidential information.

    Note: This vulnerability affects only specific AnyConnect and WebVPN
    configurations. For more information, see the Vulnerable Products section.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a vulnerable
    release of Cisco ASA Software or FTD Software with a vulnerable AnyConnect
    or WebVPN configuration.

    Cisco ASA Software

    In the following table, the left column lists the Cisco ASA Software
    features that are vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command. If
    the device is running a vulnerable release and is configured for one of
    these features, it is vulnerable.

    Cisco ASA Software Feature        Vulnerable Configuration
    AnyConnect IKEv2 Remote Access    crypto ikev2 enable <interface_name>
    (with client services)            client-services port <port #>
    AnyConnect SSL VPN                webvpn
                                      enable <interface_name>
    Clientless SSL VPN                webvpn
                                      enable <interface_name>

    Cisco FTD Software

    In the following table, the left column lists the Cisco FTD Software
    features that are vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command. If
    the device is running a vulnerable release and is configured for one of
    these features, it is vulnerable.

    Cisco FTD Software Feature          Vulnerable Configuration
    AnyConnect IKEv2 Remote Access      crypto ikev2 enable <interface_name>
    (with client services) ^1,2         client-services port <port #>
    AnyConnect SSL VPN ^1,2             webvpn
                                        enable <interface_name>

    1. Remote Access VPN features are enabled by using Devices > VPN > Remote
    Access in Cisco Firepower Management Center (FMC) or by using Device >
    Remote Access VPN in Cisco Firepower Device Manager (FDM).
    2. Remote Access VPN features are first supported in Cisco FTD Software
    Release 6.2.2.
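    The ASA and FTD configuration tables above, and the identical tables in the path-traversal advisory earlier in this bulletin, can be checked mechanically against saved `show running-config` output. The following is an added example, not from Cisco or AusCERT: it flags the listed features when they are present. It assumes the ASA CLI forms `crypto ikev2 enable <interface_name> client-services [port <port #>]` on one line (the table wraps that command over two lines) and `enable <interface_name>` indented by one space inside a `webvpn` block; the two sample configurations are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of `show running-config` output; the hostname, interface
# names and port are invented for this example, not taken from a real device.
SAMPLE_VULNERABLE_CONFIG = """\
hostname asa-edge-01
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
"""

# Constructed sample with IKEv2 enabled but without client services, and a
# webvpn block that is not enabled on any interface: neither row of the table.
SAMPLE_SAFE_CONFIG = """\
hostname asa-s2s-01
crypto ikev2 enable outside
webvpn
 anyconnect image disk0:/anyconnect.pkg 1
"""

# `crypto ikev2 enable <interface_name> [client-services [port <port #>]]` is one
# command on the ASA CLI (assumption for this example; the table wraps it).
IKEV2_RE = re.compile(
    r"^crypto ikev2 enable (\S+)(\s+client-services(?:\s+port\s+(\d+))?)?\s*$")
# Inside the `webvpn` block, `enable <interface_name>` is indented by one space.
WEBVPN_ENABLE_RE = re.compile(r"^\s+enable\s+(\S+)\s*$")


def find_vulnerable_features(running_config: str) -> List[Dict[str, str]]:
    """Return the table's vulnerable features that this running-config enables."""
    findings: List[Dict[str, str]] = []
    in_webvpn = False
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # A top-level command ends any webvpn sub-block we were inside.
            in_webvpn = line == "webvpn"
            match = IKEV2_RE.match(line)
            if match and match.group(2):
                # Only the client-services form is in the table; plain
                # site-to-site IKEv2 is not listed.
                findings.append({
                    "feature": "AnyConnect IKEv2 Remote Access (with client services)",
                    "interface": match.group(1),
                    "port": match.group(3) or "default",
                })
            continue
        if in_webvpn:
            match = WEBVPN_ENABLE_RE.match(line)
            if match:
                findings.append({
                    "feature": "AnyConnect SSL VPN / Clientless SSL VPN (webvpn)",
                    "interface": match.group(1),
                    "port": "",
                })
    return findings


def is_exposed(running_config: str) -> bool:
    """True when at least one feature from the table is configured."""
    return bool(find_vulnerable_features(running_config))


if __name__ == "__main__":
    for name, cfg in (("vulnerable", SAMPLE_VULNERABLE_CONFIG),
                      ("safe", SAMPLE_SAFE_CONFIG)):
        print(name, "->", is_exposed(cfg), find_vulnerable_features(cfg))
```

    A positive result means the device is exposed only if it also runs a vulnerable release; the configuration check and the fixed-release check belong together, and the same parser applies unchanged to the FTD table because the commands are the same.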

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC) Software.

Details

  o The confidential information that could be disclosed is memory on the
    system heap. The contents of this memory can be different on each system
    and at different times but can include web cookies for the AnyConnect and
    WebVPN features, usernames, email addresses, certificates, and actual heap
    addresses.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    Cisco ASA     First Fixed Release  First Fixed Release for All
    Software      for This             Vulnerabilities Described in the Bundle
    Release       Vulnerability        of Advisories
    Earlier than  Migrate to a fixed   Migrate to a fixed release.
    9.5 ^1        release.
    9.5 ^1        Migrate to a fixed   Migrate to a fixed release.
                  release.
    9.6           9.6.4.41             Migrate to a fixed release.
    9.7 ^1        Migrate to a fixed   Migrate to a fixed release.
                  release.
    9.8           9.8.4.20             9.8.4.20
    9.9           9.9.2.67             9.9.2.67
    9.10          9.10.1.40            9.10.1.40
    9.12          9.12.3.9             9.12.3.9
    9.13          9.13.1.10            9.13.1.10
    9.14          Not vulnerable.      Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
    have reached end of software maintenance. Customers are advised to migrate
    to a supported release that includes the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD     First Fixed Release for This Vulnerability                   First Fixed Release for All Vulnerabilities
    Software                                                                   Described in the Bundle of Advisories
    Release
    Earlier than  Migrate to a fixed release.                                  Migrate to a fixed release.
    6.2.3 ^1
    6.2.3         6.2.3.16 (June 2020)                                         6.2.3.16 (June 2020)
                  Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar                    Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                  Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar           Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                  Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar                Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar
    6.3.0         6.3.0.6 (future release)                                     6.3.0.6 (future release)
                  Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar                     Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                  Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar            Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                  Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar                 Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar
    6.4.0         6.4.0.9 (May 2020)                                           6.4.0.9 (May 2020)
                  Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later           Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                  Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later  Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                  Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later  Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                  Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later       Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
    6.5.0         6.5.0.5 (future release)                                     6.5.0.5 (future release)
                  Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later            Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                  Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later   Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                  Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later   Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                  Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later        Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
    6.6.0         Not vulnerable.                                              6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       o For devices that are managed by using Cisco Firepower Management Center
         (FMC), use the FMC interface to install the upgrade. After installation
         is complete, reapply the access control policy.
       o For devices that are managed by using Cisco Firepower Device Manager
         (FDM), use the FDM interface to install the upgrade. After installation
         is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Mikhail Klyuchnikov and Nikita Abramov of
    Positive Technologies for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.3     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated ASA Fixed Releases  | Fixed    | Final  | 2020-MAY-11 |
    |         | table with 9.6 release.     | Software |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Releases  |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Software | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------


Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software SSL/TLS Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-asa-ssl-vpn-dos-qY7BHpjN

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 13:55 GMT

Version 1.2:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvp49481 CSCvp93468

CVE-2020-3196

CWE-400

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security
    (TLS) handler of Cisco Adaptive Security Appliance (ASA) Software and Cisco
    Firepower Threat Defense (FTD) Software could allow an unauthenticated,
    remote attacker to exhaust memory resources on the affected device, leading
    to a denial of service (DoS) condition.

    The vulnerability is due to improper resource management for inbound SSL/
    TLS connections. An attacker could exploit this vulnerability by
    establishing multiple SSL/TLS connections with specific conditions to the
    affected device. A successful exploit could allow the attacker to exhaust
    the memory on the affected device, causing the device to stop accepting new
    SSL/TLS connections and resulting in a DoS condition for services on the
    device that process SSL/TLS traffic. Manual intervention is required to
    recover an affected device.

    Cisco has released software updates that address the vulnerability
    described in this advisory. There are no workarounds that address this
    vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asa-ssl-vpn-dos-qY7BHpjN

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a vulnerable
    release of Cisco ASA Software or FTD Software and have a feature enabled
    that causes the device to process SSL/TLS messages. These features include,
    but are not limited to, the following:

       o AnyConnect SSL VPN
       o Clientless SSL VPN
       o HTTP server used for the management interface

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine Whether a Device Could Process SSL or TLS Messages

    To verify whether a device that is running Cisco ASA Software or Cisco FTD
    Software could process SSL or TLS packets, use the show asp table socket |
    include SSL|DTLS command and verify that it returns output. When this
    command returns any output, the device is vulnerable. When this command
    returns empty output, the device is not affected by the vulnerability
    described in this advisory. The following example shows the output of the
    show asp table socket | include SSL|DTLS command from a device that is
    vulnerable:

        ftd# show asp table socket | include SSL|DTLS
        SSL       0005aa68  LISTEN     x.x.x.x:443      0.0.0.0:*
        SSL       002d9e38  LISTEN     x.x.x.x:8443     0.0.0.0:*
        DTLS      0018f7a8  LISTEN     10.0.0.250:443   0.0.0.0:*

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC) Software.

Details

  o An affected device could stop accepting new SSL/TLS connections. Manual
    intervention would be required to recover the device. To do so, an
    administrator can log in to the CLI of the device and clear connections by
    using the following command:

        clear conn all

    If multiple connections are seen from specific IP addresses, the
    administrator can use the following command:

        clear conn all address ip-address 

    Caution: The clear conn all command will clear all connections to or
    traversing through the device, regardless of whether they are SSL/TLS
    connections or whether they are improperly using system memory.
    Administrators are advised to use this command with care.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    Cisco ASA     First Fixed Release  First Fixed Release for All
    Software      for This             Vulnerabilities Described in the Bundle
    Release       Vulnerability        of Advisories
    Earlier than  Migrate to a fixed   Migrate to a fixed release.
    9.6 ^1        release.
    9.6           9.6.4.40             Migrate to a fixed release.
    9.7 ^1        Migrate to a fixed   Migrate to a fixed release.
                  release.
    9.8           9.8.4.20             9.8.4.20
    9.9           9.9.2.66             9.9.2.67
    9.10          9.10.1.37            9.10.1.40
    9.12          9.12.3.2             9.12.3.9
    9.13          9.13.1.7             9.13.1.10
    9.14          Not vulnerable.      Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
    have reached end of software maintenance. Customers are advised to migrate
    to a supported release that includes the fix for this vulnerability.
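The two ASA checks described in this advisory, the SSL/DTLS listener test from the Vulnerable Products section and the fixed-release lookup in the table above, as an added Python example that is not Cisco's or AusCERT's code: it encodes the Cisco ASA Software table as printed and classifies a release taken from collected CLI output. The `show version` line format, the function names, the sample output and the 192.0.2.1 address are assumptions constructed for the example.

```python
"""Triage helper for CVE-2020-3196 (Cisco ASA SSL/TLS memory-exhaustion DoS).

Added example, not Cisco tooling. Two checks from the advisory, for ASA Software:
(1) the running release against the 'Cisco ASA Software' fixed-release table,
(2) whether 'show asp table socket | include SSL|DTLS' returns any listener.
"""
import re
from typing import List, Tuple

NOT_VULNERABLE = "not_vulnerable"
MIGRATE = None  # the table's "Migrate to a fixed release." (no fix in that train)

# First fixed release per ASA train, copied from the advisory's table:
# (fix for this vulnerability, fix for all vulnerabilities in the bundle).
ASA_FIXED = {
    "9.6": ("9.6.4.40", MIGRATE),
    "9.7": (MIGRATE, MIGRATE),
    "9.8": ("9.8.4.20", "9.8.4.20"),
    "9.9": ("9.9.2.66", "9.9.2.67"),
    "9.10": ("9.10.1.37", "9.10.1.40"),
    "9.12": ("9.12.3.2", "9.12.3.9"),
    "9.13": ("9.13.1.7", "9.13.1.10"),
    "9.14": (NOT_VULNERABLE, NOT_VULNERABLE),
}
EARLIEST_LISTED_TRAIN = (9, 6)  # every earlier train: "Migrate to a fixed release."

# Accepts the 'show version' form '9.12(3)2' as well as the dotted '9.12.3.2'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:[.(](\d+)\)?(?:\.?(\d+))?)?$")
# Socket lines look like: 'SSL  0005aa68  LISTEN  x.x.x.x:443  0.0.0.0:*'
_SOCKET_RE = re.compile(r"^\s*(SSL|DTLS)\s+[0-9a-fA-F]+\s+(\S+)\s+(\S+)")


def parse_asa_version(text: str) -> Tuple[int, ...]:
    """Normalise an ASA release string into a tuple of ints for comparison."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def version_from_show_version(output: str) -> str:
    """Pull the release string out of 'show version' output (assumed format)."""
    m = re.search(r"Software Version\s+(\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line in output")
    return m.group(1)


def release_status(version: str, bundle: bool = False) -> str:
    """Classify a release: fixed, vulnerable, not_vulnerable, migrate or unknown.

    bundle=False reads the 'First Fixed Release for This Vulnerability' column,
    bundle=True the 'for All Vulnerabilities Described in the Bundle' column.
    """
    v = parse_asa_version(version)
    if v[:2] < EARLIEST_LISTED_TRAIN:
        return "migrate"
    entry = ASA_FIXED.get(f"{v[0]}.{v[1]}")
    if entry is None:
        return "unknown"  # train not listed in the table; consult the advisory
    fix = entry[1 if bundle else 0]
    if fix is MIGRATE:
        return "migrate"
    if fix == NOT_VULNERABLE:
        return NOT_VULNERABLE
    # Tuple order is right here: 9.12(3) -> (9,12,3) sorts before (9,12,3,2).
    return "fixed" if v >= parse_asa_version(fix) else "vulnerable"


def ssl_listeners(asp_socket_output: str) -> List[Tuple[str, str, str]]:
    """Return (protocol, state, local address) for each SSL/DTLS socket line."""
    found = []
    for line in asp_socket_output.splitlines():
        m = _SOCKET_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def exposure(show_version_output: str, asp_socket_output: str) -> str:
    """Combine both checks into one verdict for this vulnerability."""
    status = release_status(version_from_show_version(show_version_output))
    if status in ("fixed", NOT_VULNERABLE):
        return status
    if not ssl_listeners(asp_socket_output):
        # Per the advisory, empty output means nothing processes SSL/TLS.
        return "not_affected_no_ssl_feature"
    return status  # vulnerable, migrate or unknown, and SSL/TLS is reachable


# Constructed sample output (RFC 5737 documentation address, not a real host).
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.10(1)30\n"
SAMPLE_ASP_SOCKETS = """\
asa# show asp table socket | include SSL|DTLS
SSL       0005aa68  LISTEN     192.0.2.1:443      0.0.0.0:*
DTLS      0018f7a8  LISTEN     192.0.2.1:443      0.0.0.0:*
"""
```

Note that 9.10(1)39 classifies as fixed for this vulnerability but vulnerable for the bundle, which is exactly the correction recorded in the revision history (9.10.1.40 rather than 9.10.1.39 for the bundle column).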

    Cisco FTD Software

    Cisco    First Fixed Release for This Vulnerability                  First Fixed Release for All Vulnerabilities
    FTD                                                                  Described in the Bundle of Advisories
    Software
    Release
    Earlier
    than     Migrate to a fixed release.                                 Migrate to a fixed release.
    6.1.0 ^1
    6.1.0    Migrate to a fixed release.                                 Migrate to a fixed release.
    6.2.0    Migrate to a fixed release.                                 Migrate to a fixed release.
    6.2.1    Migrate to a fixed release.                                 Migrate to a fixed release.
    6.2.2    Migrate to a fixed release.                                 Migrate to a fixed release.
    6.2.3    6.2.3.16 (June 2020)                                        6.2.3.16 (June 2020)
             Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar                   Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
             Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar          Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
             Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar               Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar
    6.3.0    6.3.0.6 (future release)                                    6.3.0.6 (future release)
             Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar                    Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
             Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar           Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
             Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar                Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar
    6.4.0    6.4.0.9 (May 2020)                                          6.4.0.9 (May 2020)
             Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later          Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
             Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
             Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
             Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later      Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
    6.5.0    6.5.0.5 (future release)                                    6.5.0.5 (future release)
             Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later           Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
             Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later  Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
             Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later  Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
             Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later       Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
    6.6.0    Not vulnerable.                                             6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       o For devices that are managed by using Cisco Firepower Management Center
         (FMC), use the FMC interface to install the upgrade. After installation
         is complete, reapply the access control policy.
       o For devices that are managed by using Cisco Firepower Device Manager
         (FDM), use the FDM interface to install the upgrade. After installation
         is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asa-ssl-vpn-dos-qY7BHpjN

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Release   |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Releases | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------


Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software OSPF Packets Processing Memory Leak Vulnerability

Priority:        High

Advisory ID:     cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 14:05 GMT

Version 1.2:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvr92168

CVE-2020-3195

CWE-400

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Open Shortest Path First (OSPF) implementation in
    Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat
    Defense (FTD) Software could allow an unauthenticated, remote attacker to
    cause a memory leak on an affected device.

    The vulnerability is due to incorrect processing of certain OSPF packets.
    An attacker could exploit this vulnerability by sending a series of crafted
    OSPF packets to be processed by an affected device. A successful exploit
    could allow the attacker to continuously consume memory on an affected
    device and eventually cause it to reload, resulting in a denial of service
    (DoS) condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products that are running a vulnerable
    release of Cisco ASA Software or Cisco FTD Software that is configured to
    support OSPF routing with the capability of processing Link-Local Signaling
    (LLS) blocks enabled. The LLS block processing is enabled by default.

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determine Whether OSPF Routing Is Configured on an ASA Device

    To determine whether OSPF routing is configured on an ASA device,
    administrators can use the show ospf privileged mode command. If no output
    is returned, OSPF routing is not configured. In the following example, the
    device is configured for OSPF routing:

        asa# show ospf

        Routing Process "ospf 2" with ID 10.1.89.2 and Domain ID 0.0.0.2
        Supports only single TOS(TOS0) routes
        Supports opaque LSA
        .
        .
        .

    Determine Whether OSPF Routing Is Configured on an FTD Device

    To determine whether OSPF routing is configured on an FTD device,
    administrators can do one of the following:

       o For devices that are managed by using Cisco Firepower Management Center
         (FMC), choose Devices > Device Management, select the device of
         interest, and then choose Routing > OSPF. If either Process 1 or
         Process 2 has a check mark, OSPF is enabled on the device.
       o For devices that are managed by using Cisco Firepower Device Manager
         (FDM), choose Device > Advanced Configuration > View Configuration >
         Smart CLI > Routing. If there is an object with the type OSPF, then
         OSPF is enabled on the device.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    Cisco ASA     First Fixed Release  First Fixed Release for All
    Software      for This             Vulnerabilities Described in the Bundle
    Release       Vulnerability        of Advisories
    Earlier than  Not Vulnerable.      Migrate to a fixed release.
    9.4 ^1
    9.4 ^1        Not Vulnerable.      Migrate to a fixed release.
    9.5 ^1        Not Vulnerable.      Migrate to a fixed release.
    9.6           Not Vulnerable.      Migrate to a fixed release.
    9.7 ^1        Not Vulnerable.      Migrate to a fixed release.
    9.8           Not Vulnerable.      9.8.4.20
    9.9           Not Vulnerable.      9.9.2.67
    9.10          Not Vulnerable.      9.10.1.40
    9.12          9.12.3.2             9.12.3.9
    9.13          9.13.1.7             9.13.1.10
    9.14          Not Vulnerable.      Not Vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
    have reached end of software maintenance. Customers are advised to migrate
    to a supported release that includes the fix for this vulnerability.

    Cisco FTD Software

    Cisco    First Fixed Release for This Vulnerability                  First Fixed Release for All Vulnerabilities
    FTD                                                                  Described in the Bundle of Advisories
    Software
    Release
    Earlier
    than     Not Vulnerable.                                             Migrate to a fixed release.
    6.1.0 ^1
    6.1.0    Not Vulnerable.                                             Migrate to a fixed release.
    6.2.0    Not Vulnerable.                                             Migrate to a fixed release.
    6.2.1    Not Vulnerable.                                             Migrate to a fixed release.
    6.2.2    Not Vulnerable.                                             Migrate to a fixed release.
    6.2.3    Not Vulnerable.                                             6.2.3.16 (June 2020)
                                                                         Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                                                                         Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                                                                         Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar
    6.3.0    Not Vulnerable.                                             6.3.0.6 (future release)
                                                                         Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                                                                         Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                                                                         Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar
    6.4.0    6.4.0.9 (May 2020)                                          6.4.0.9 (May 2020)
             Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later          Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
             Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
             Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
             Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later      Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
    6.5.0    6.5.0.5 (future release)                                    6.5.0.5 (future release)
             Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later           Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
             Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later  Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
             Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later  Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
             Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later       Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
    6.6.0    Not Vulnerable.                                             6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       o For devices that are managed by using Cisco Firepower Management Center
         (FMC), use the FMC interface to install the upgrade. After installation
         is complete, reapply the access control policy.
       o For devices that are managed by using Cisco Firepower Device Manager
         (FDM), use the FDM interface to install the upgrade. After installation
         is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Release   |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Releases | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------


Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Media Gateway Control Protocol Denial of Service Vulnerabilities

Priority:        High

Advisory ID:     cisco-sa-asaftd-mgcp-SUqB8VKH

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 14:31 GMT

Version 1.2:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvp16945 CSCvp16949

CVE-2020-3254

CWE-400

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in the Media Gateway Control Protocol (MGCP)
    inspection feature of Cisco Adaptive Security Appliance (ASA) Software and
    Firepower Threat Defense (FTD) Software could allow an unauthenticated,
    remote attacker to cause a denial of service (DoS) condition on an affected
    device.

    The vulnerabilities are due to inefficient memory management. An attacker
    could exploit these vulnerabilities by sending crafted MGCP packets through
    an affected device. An exploit could allow the attacker to cause memory
    exhaustion resulting in a restart of an affected device, causing a DoS
    condition for traffic traversing the device.

    Cisco has released software updates that address the vulnerabilities
    described in this advisory. There are no workarounds that address these
    vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asaftd-mgcp-SUqB8VKH

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    These vulnerabilities affect Cisco products if they are running a
    vulnerable release of Cisco ASA Software or Cisco FTD Software and they are
    configured to inspect MGCP traffic. MGCP inspection is not enabled in the
    default inspection policy.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determining if MGCP Inspection Is Enabled

    To determine whether MGCP inspection is enabled, administrators can use the
    show running-config policy-map command, followed by the show running-config
    service-policy command.

    Use the show running-config policy-map command, and check whether the
    inspect mgcp <map_name> command is present in at least one policy map. In
    the following output, the global_policy policy map includes the inspect
    mgcp <map_name> command:

        asa# show running-config policy-map 
        !
        policy-map global_policy
         class inspection_default
          inspect ip-options
          inspect netbios
          inspect rtsp
          inspect mgcp <map_name>
          inspect sunrpc
          inspect tftp
          inspect xdmcp
          inspect dns preset_dns_map
          inspect ftp
          inspect h323 h225

    Use the show running-config service-policy command, and check whether the
    policy map is applied, either globally or to a single interface. The
    following output shows the global_policy policy map applied globally:

        asa# show running-config service-policy
        service-policy global_policy global

    If the policy map that contains the inspect mgcp <map_name> command is
    applied globally or to an interface, MGCP inspection is enabled.
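The two-step test just described, as an added Python example that is not Cisco's or AusCERT's code: it parses captured show running-config policy-map and show running-config service-policy output and reports which applied policy maps inspect MGCP, so a policy map that carries inspect mgcp but is never applied does not count. The sample configuration, including the mgcp_map and lab_policy names and the 192.0.2.10 address, is constructed for the example.

```python
"""Determine whether MGCP inspection is enabled on a Cisco ASA or FTD device.

Added example, not Cisco tooling. It applies the advisory's two-step test to
captured CLI output: (1) find policy maps containing an 'inspect mgcp' line in
'show running-config policy-map'; (2) check whether such a policy map is applied
by a service-policy, globally or to an interface, in
'show running-config service-policy'.
"""
import re
from typing import Dict, List, Tuple


def parse_policy_maps(policy_map_output: str) -> Dict[str, List[str]]:
    """Map each traffic policy-map name to the 'inspect ...' lines it contains.

    Class-map nesting is flattened: an inspect under any class of the policy
    map counts. 'policy-map type inspect ...' blocks define inspection
    parameter maps rather than traffic policies, so they are skipped.
    """
    maps: Dict[str, List[str]] = {}
    current = None
    for raw in policy_map_output.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            parts = line.split()
            if parts[1] == "type":
                current = None  # parameter map, not a traffic policy
                continue
            current = parts[1]
            maps.setdefault(current, [])
        elif current is not None and line.startswith("inspect "):
            maps[current].append(line)
    return maps


def applied_policy_maps(service_policy_output: str) -> Dict[str, str]:
    """Map each applied policy-map name to its scope: 'global' or an interface name."""
    applied: Dict[str, str] = {}
    pattern = re.compile(r"^\s*service-policy\s+(\S+)\s+(?:(global)|interface\s+(\S+))\s*$")
    for raw in service_policy_output.splitlines():
        m = pattern.match(raw)
        if m:
            applied[m.group(1)] = m.group(2) or m.group(3)
    return applied


def mgcp_inspection(policy_map_output: str, service_policy_output: str) -> List[Tuple[str, str]]:
    """Return (policy_map, scope) for every applied policy map that inspects MGCP.

    An empty list means MGCP inspection is not enabled, so the device is not
    exposed to the MGCP inspection vulnerabilities in this advisory.
    """
    applied = applied_policy_maps(service_policy_output)
    hits = []
    for name, inspects in parse_policy_maps(policy_map_output).items():
        has_mgcp = any(re.match(r"inspect\s+mgcp(\s|$)", i) for i in inspects)
        if has_mgcp and name in applied:
            hits.append((name, applied[name]))
    return hits


# Constructed sample output modelled on the advisory's example. 'mgcp_map',
# 'lab_policy' and the RFC 5737 address 192.0.2.10 are placeholders.
SAMPLE_POLICY_MAP = """\
asa# show running-config policy-map
!
policy-map type inspect mgcp mgcp_map
 parameters
  call-agent 192.0.2.10 101
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect mgcp mgcp_map
  inspect dns preset_dns_map
policy-map lab_policy
 class inspection_default
  inspect mgcp mgcp_map
"""
SAMPLE_SERVICE_POLICY = "asa# show running-config service-policy\nservice-policy global_policy global\n"
```

With the sample input, only global_policy is reported; lab_policy carries inspect mgcp but is not applied anywhere, so it does not enable inspection.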

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect Cisco
    Firepower Management Center (FMC).

Workarounds

  o There are no workarounds that address these vulnerabilities.

    To reduce the attack surface for exploitation of these vulnerabilities,
    administrators could implement an access control policy that denies MGCP
    traffic on untrusted interfaces.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following tables, the left column lists Cisco software releases. The
    center column indicates whether a release is affected by the
    vulnerabilities described in this advisory and the first release that
    includes the fix for these vulnerabilities. The right column indicates
    whether a release is affected by any of the vulnerabilities described in
    this bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    Cisco ASA            First Fixed Release for These  First Fixed Release for All Vulnerabilities
    Major Release        Vulnerabilities                Described in the Bundle of Advisories
    Earlier than 9.5 ^1  Migrate to a fixed release.    Migrate to a fixed release.
    9.5                  Migrate to a fixed release.    Migrate to a fixed release.
    9.6                  9.6.4.34                       Migrate to a fixed release.
    9.7 ^1               Migrate to a fixed release.    Migrate to a fixed release.
    9.8                  9.8.4.7                        9.8.4.20
    9.9                  9.9.2.66                       9.9.2.67
    9.10                 9.10.1.27                      9.10.1.40
    9.12                 9.12.2.1                       9.12.3.9
    9.13                 Not vulnerable.                9.13.1.10
    9.14                 Not vulnerable.                Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
    have reached end of software maintenance. Customers are advised to migrate
    to a supported release that includes the fix for these vulnerabilities.

    Cisco FTD Software

    Cisco FTD      First Fixed Release for These                       First Fixed Release for All Vulnerabilities
    Major          Vulnerabilities                                     Described in the Bundle of Advisories
    Release

    Earlier than   Migrate to a fixed release.                         Migrate to a fixed release.
    6.1.0 ^1

    6.1.0          Migrate to a fixed release.                         Migrate to a fixed release.

    6.2.0          Migrate to a fixed release.                         Migrate to a fixed release.

    6.2.1          Migrate to a fixed release.                         Migrate to a fixed release.

    6.2.2          Migrate to a fixed release.                         Migrate to a fixed release.

    6.2.3          6.2.3.16 (June 2020)                                6.2.3.16 (June 2020)
                   Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar           Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                   Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar  Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                   Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar       Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar

    6.3.0          6.3.0.4                                             6.3.0.6 (future release)
                                                                       Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                                                                       Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                                                                       Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar

    6.4.0          6.4.0.4                                             6.4.0.9 (May 2020)
                                                                       Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                                                                       Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar
                                                                       and later
                                                                       Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar
                                                                       and later
                                                                       Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and
                                                                       later

    6.5.0          Not vulnerable.                                     6.5.0.5 (future release)
                                                                       Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                                                                       Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar
                                                                       and later
                                                                       Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar
                                                                       and later
                                                                       Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and
                                                                       later

    6.6.0          Not vulnerable.                                     6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for these vulnerabilities.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.

Source

  o These vulnerabilities were found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asaftd-mgcp-SUqB8VKH

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Release   |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Releases | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------


Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Malformed OSPF Packets Processing Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-asa-ftd-ospf-dos-RhMQY8qx

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 14:10 GMT

Version 1.2:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvs50459

CVE-2020-3298

CWE-125

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Open Shortest Path First (OSPF) implementation of
    Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat
    Defense (FTD) Software could allow an unauthenticated, remote attacker to
    cause the reload of an affected device, resulting in a denial of service
    (DoS) condition.

    The vulnerability is due to improper memory protection mechanisms while
    processing certain OSPF packets. An attacker could exploit this
    vulnerability by sending a series of malformed OSPF packets in a short
    period of time to an affected device. A successful exploit could allow the
    attacker to cause a reload of the affected device, resulting in a DoS
    condition for client traffic that is traversing the device.

    Cisco has released software updates that address the vulnerability
    described in this advisory. There are no workarounds that address this
    vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asa-ftd-ospf-dos-RhMQY8qx

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products that are running a vulnerable
    release of Cisco ASA Software or Cisco FTD Software that is configured to
    support OSPF routing with LLS block processing enabled. Note: LLS block
    processing is enabled by default.

    Determine Whether OSPF Routing Is Configured on an ASA Device

    To determine whether OSPF routing is configured on an ASA device,
    administrators can use the show ospf privileged mode command. If no output
    is returned, OSPF routing is not configured. In the following example, the
    device is configured for OSPF routing:

        asa# show ospf

        Routing Process "ospf 2" with ID 10.1.89.2 and Domain ID 0.0.0.2
        Supports only single TOS(TOS0) routes
        Supports opaque LSA
        .
        .
        .

    Determine Whether OSPF Routing Is Configured on an FTD Device

    To determine whether OSPF routing is configured on an FTD device,
    administrators can do one of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), choose Devices > Device Management, select the device of
        interest, and then choose Routing > OSPF. If either Process 1 or
        Process 2 has a check mark, OSPF is enabled on the device.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), choose Device > Advanced Configuration > View Configuration >
        Smart CLI > Routing. If there is an object with the type of OSPF,
        then OSPF is enabled on the device.

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following tables, the left column lists Cisco software releases. The
    center column indicates whether a release is affected by the vulnerability
    described in this advisory and the first release that includes the fix for
    this vulnerability. The right column indicates whether a release is
    affected by any of the vulnerabilities described in this bundle and which
    release includes fixes for those vulnerabilities.

    Cisco ASA Software

    Cisco ASA            First Fixed Release for This   First Fixed Release for All Vulnerabilities
    Software Release     Vulnerability                  Described in the Bundle of Advisories
    Earlier than 9.5 ^1  Not vulnerable.                Migrate to a fixed release.
    9.5 ^1               Not vulnerable.                Migrate to a fixed release.
    9.6                  9.6.4.40                       Migrate to a fixed release.
    9.7 ^1               Migrate to a fixed release.    Migrate to a fixed release.
    9.8                  9.8.4.17                       9.8.4.20
    9.9                  9.9.2.66                       9.9.2.67
    9.10                 9.10.1.37                      9.10.1.40
    9.12                 9.12.3.7                       9.12.3.9
    9.13                 9.13.1.7                       9.13.1.10
    9.14                 Not vulnerable.                Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
    have reached end of software maintenance. Customers are advised to migrate
    to a supported release that includes the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD      First Fixed Release for This                        First Fixed Release for All Vulnerabilities
    Software       Vulnerability                                       Described in the Bundle of Advisories
    Release

    Earlier than   Not vulnerable.                                     Migrate to a fixed release.
    6.1.0 ^1

    6.1.0          Not vulnerable.                                     Migrate to a fixed release.

    6.2.0          Not vulnerable.                                     Migrate to a fixed release.

    6.2.1          Not vulnerable.                                     Migrate to a fixed release.

    6.2.2          Not vulnerable.                                     Migrate to a fixed release.

    6.2.3          6.2.3.16 (June 2020)                                6.2.3.16 (June 2020)
                   Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar           Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                   Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar  Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                   Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar       Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar

    6.3.0          6.3.0.6 (future release)                            6.3.0.6 (future release)
                   Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar            Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                   Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar   Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                   Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar        Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar

    6.4.0          6.4.0.9 (May 2020)                                  6.4.0.9 (May 2020)
                   Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later  Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                   Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar   Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar
                   and later                                           and later
                   Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar   Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar
                   and later                                           and later
                   Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and    Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and
                   later                                               later

    6.5.0          6.5.0.5 (future release)                            6.5.0.5 (future release)
                   Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later   Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                   Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar    Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar
                   and later                                           and later
                   Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar    Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar
                   and later                                           and later
                   Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and     Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and
                   later                                               later

    6.6.0          Not vulnerable.                                     6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Santosh Krishnamurthy of Cisco during
    internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asa-ftd-ospf-dos-RhMQY8qx

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Release   |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Releases | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software IPv6 DNS Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-asaftd-ipv6-67pA658k

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 14:36 GMT

Version 1.2:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvr07419

CVE-2020-3191

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in DNS over IPv6 packet processing for Cisco Adaptive
    Security Appliance (ASA) Software and Firepower Threat Defense (FTD)
    Software could allow an unauthenticated, remote attacker to cause the
    device to unexpectedly reload, resulting in a denial of service (DoS)
    condition.

    The vulnerability is due to improper length validation of a field in an
    IPv6 DNS packet. An attacker could exploit this vulnerability by sending a
    crafted DNS query over IPv6, which traverses the affected device. An
    exploit could allow the attacker to cause the device to reload, resulting
    in a DoS condition. This vulnerability is specific to DNS over IPv6 traffic
    only.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asaftd-ipv6-67pA658k

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects vulnerable releases of Cisco ASA Software or FTD
    Software when configured with the IPv6 protocol.

    Determining Whether IPv6 Routes Are Present

    Administrators can use the show ipv6 route summary CLI command to determine
    if there are IPv6 routes present over which DNS can traverse. If the
    command returns the presence of at least two nonlocal routes in the output,
    the device is considered vulnerable.

        ciscoasa# show ipv6 route summary

        IPv6 Routing Table Summary - 6 entries
          3 local, 1 connected, 2 static, 0 BGP, 0 IS-IS, 0 OSPF
          Number of prefixes:
            /0: 1, /3: 1, /8: 1, /10: 1, /64: 1, /128: 1
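
    As an added example (not Cisco's code), the following Python applies the
    rule above to captured show ipv6 route summary output, reporting whether
    the device meets the "at least two nonlocal routes" condition; the sample
    output is constructed after the advisory's excerpt.

```python
"""Added example, not part of the Cisco advisory: apply the advisory's IPv6
exposure rule to captured 'show ipv6 route summary' output. The device is
considered exposed when the summary shows at least two nonlocal routes."""
import re

# Constructed sample, modelled on the advisory's excerpt.
ROUTE_SUMMARY_OUTPUT = """\
IPv6 Routing Table Summary - 6 entries
  3 local, 1 connected, 2 static, 0 BGP, 0 IS-IS, 0 OSPF
  Number of prefixes:
    /0: 1, /3: 1, /8: 1, /10: 1, /64: 1, /128: 1
"""

ENTRIES_RE = re.compile(r"IPv6 Routing Table Summary - (\d+) entries")
# "<count> <source>" pairs such as "3 local" or "0 IS-IS"
COUNT_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z-]*)")


def parse_route_summary(output):
    """Return (total_entries, {source: count}), or (None, {}) when the output
    carries no IPv6 routing table summary (e.g. IPv6 is not configured)."""
    total, counts = None, {}
    for line in output.splitlines():
        m = ENTRIES_RE.search(line)
        if m:
            total = int(m.group(1))
        elif total is not None and not counts and "local" in line:
            counts = {src.lower(): int(n) for n, src in COUNT_RE.findall(line)}
    return total, counts


def nonlocal_route_count(output):
    """Number of routes other than 'local' ones; None if the output is not a
    recognisable summary, so garbled input is never read as 'not exposed'."""
    total, counts = parse_route_summary(output)
    if total is None or "local" not in counts:
        return None
    nonlocal_routes = sum(c for src, c in counts.items() if src != "local")
    # Sanity check: the per-source counts should add up to the entry total.
    if nonlocal_routes + counts["local"] != total:
        return None
    return nonlocal_routes


def ipv6_dns_exposed(output):
    """True/False per the advisory's rule, None when it cannot be determined."""
    n = nonlocal_route_count(output)
    return None if n is None else n >= 2


if __name__ == "__main__":
    print("nonlocal IPv6 routes:", nonlocal_route_count(ROUTE_SUMMARY_OUTPUT))
    print("exposed per advisory rule:", ipv6_dns_exposed(ROUTE_SUMMARY_OUTPUT))
```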

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC).

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    Cisco ASA            First Fixed Release for This   First Fixed Release for All Vulnerabilities
    Software Release     Vulnerability                  Described in the Bundle of Advisories
    Earlier than 9.5 ^1  Migrate to a fixed release.    Migrate to a fixed release.
    9.6                  9.6.4.36                       Migrate to a fixed release.
    9.7 ^1               Migrate to a fixed release.    Migrate to a fixed release.
    9.8                  9.8.4.12                       9.8.4.20
    9.9                  9.9.2.66                       9.9.2.67
    9.10                 9.10.1.37                      9.10.1.40
    9.12                 9.12.2.9                       9.12.3.9
    9.13                 Not vulnerable.                9.13.1.10
    9.14                 Not vulnerable.                Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
    have reached end of software maintenance. Customers are advised to migrate
    to a supported release that includes the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD      First Fixed Release for This                        First Fixed Release for All Vulnerabilities
    Software       Vulnerability                                       Described in the Bundle of Advisories
    Release

    Earlier than   Migrate to a fixed release.                         Migrate to a fixed release.
    6.1.0 ^1

    6.1.0          Migrate to a fixed release.                         Migrate to a fixed release.

    6.2.0          Migrate to a fixed release.                         Migrate to a fixed release.

    6.2.1          Migrate to a fixed release.                         Migrate to a fixed release.

    6.2.2          Migrate to a fixed release.                         Migrate to a fixed release.

    6.2.3          6.2.3.16 (June 2020)                                6.2.3.16 (June 2020)
                   Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar           Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                   Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar  Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                   Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar       Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar

    6.3.0          6.3.0.6 (future release)                            6.3.0.6 (future release)
                   Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar            Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                   Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar   Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                   Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar        Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar

    6.4.0          6.4.0.6                                             6.4.0.9 (May 2020)
                                                                       Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                                                                       Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar
                                                                       and later
                                                                       Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar
                                                                       and later
                                                                       Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and
                                                                       later

    6.5.0          Not vulnerable.                                     6.5.0.5 (future release)
                                                                       Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                                                                       Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar
                                                                       and later
                                                                       Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar
                                                                       and later
                                                                       Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and
                                                                       later

    6.6.0          Not vulnerable.                                     6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Sanmith Prakash of Cisco during internal
    security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asaftd-ipv6-67pA658k

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Release   |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Releases | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software IKEv1 Denial of Service Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-asa-dos-BqYFRJt9

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq66080

CVE-2020-3303    

CWE-399

CVSS Score:
6.8  AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Internet Key Exchange version 1 (IKEv1) feature of
    Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower
    Threat Defense (FTD) Software could allow an unauthenticated, remote
    attacker to cause a denial of service (DoS) condition.

    The vulnerability is due to improper management of system memory. An
    attacker could exploit this vulnerability by sending malicious IKEv1
    traffic to an affected device. A successful exploit could allow the
    attacker to cause a DoS condition on the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asa-dos-BqYFRJt9

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected vulnerable
    releases of Cisco ASA Software and FTD Software.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory. See the Details section in
    the bug ID(s) at the top of this advisory for the most complete and
    current information.
   
    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco
    Firepower Management Center (FMC).

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco ASA Software

    Cisco ASA Software Release    First Fixed Release for This Vulnerability
    Earlier than 9.5^1            Migrate to a fixed release.
    9.6                           9.6.4.36
    9.7^1                         Migrate to a fixed release.
    9.8                           9.8.4.10
    9.9                           Migrate to a fixed release.
    9.10                          9.10.1.30
    9.12                          9.12.2.9
    9.13                          Not vulnerable.
    9.14                          Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7, have
    reached end of software maintenance. Customers are advised to migrate to a
    supported release that includes the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD Software Release    First Fixed Release for This Vulnerability
    Earlier than 6.1.0^1          Migrate to a fixed release.
    6.1.0                         Migrate to a fixed release.
    6.2.0                         Migrate to a fixed release.
    6.2.1                         Migrate to a fixed release.
    6.2.2                         Migrate to a fixed release.
    6.2.3                         Migrate to a fixed release.
    6.3.0                         6.3.0.5
    6.4.0                         6.4.0.6
    6.5.0                         Not vulnerable.
    6.6.0                         Not vulnerable.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end of
    software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asa-dos-BqYFRJt9

Revision History

  o +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | -        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software DHCP Denial of Service Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-asaftd-dos-qk8cTGLz

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq41939

CVE-2020-3306    

CWE-400

CVSS Score:
6.8  AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the DHCP module of Cisco Adaptive Security Appliance
    (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could
    allow an unauthenticated, remote attacker to cause a denial of service
    (DoS) condition on the affected device.

    The vulnerability is due to incorrect processing of certain DHCP packets.
    An attacker could exploit this vulnerability by sending a crafted DHCP
    packet to the affected device. A successful exploit could allow the
    attacker to cause a DoS condition on the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asaftd-dos-qk8cTGLz

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products that are running a vulnerable
    release of Cisco ASA Software or Cisco FTD Software.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory. See the Details section in
    the bug ID(s) at the top of this advisory for the most complete and
    current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco
    Firepower Management Center (FMC).

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco ASA Software

    Cisco ASA Software Release    First Fixed Release for This Vulnerability
    Earlier than 9.5^1            Migrate to a fixed release.
    9.6                           9.6.4.34
    9.7^1                         Migrate to a fixed release.
    9.8                           9.8.4.10
    9.9                           Migrate to a fixed release.
    9.10                          9.10.1.30
    9.12                          9.12.3
    9.13                          Not vulnerable.
    9.14                          Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7, have
    reached end of software maintenance. Customers are advised to migrate to a
    supported release that includes the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD Software Release    First Fixed Release for This Vulnerability
    Earlier than 6.1.0^1          Migrate to a fixed release.
    6.1.0                         Migrate to a fixed release.
    6.2.0                         Migrate to a fixed release.
    6.2.1                         Migrate to a fixed release.
    6.2.2                         Migrate to a fixed release.
    6.2.3                         Migrate to a fixed release.
    6.3.0                         6.3.0.5
    6.4.0                         6.4.0.4
    6.5.0                         Not vulnerable.
    6.6.0                         Not vulnerable.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end of
    software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asaftd-dos-qk8cTGLz

Revision History

  o +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | -        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software BGP Denial of Service Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-asa-dos-P43GCE5j

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq66092

CVE-2020-3305    

CWE-400

CVSS Score:
6.8  AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the implementation of the Border Gateway Protocol (BGP)
    module in Cisco Adaptive Security Appliance (ASA) Software and Cisco
    Firepower Threat Defense (FTD) Software could allow an unauthenticated,
    remote attacker to cause a denial of service (DoS) condition.

    The vulnerability is due to incorrect processing of certain BGP packets.
    An attacker could exploit this vulnerability by sending a crafted BGP
    packet. A successful exploit could allow the attacker to cause a DoS
    condition on the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asa-dos-P43GCE5j

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected vulnerable
    releases of Cisco ASA Software and Cisco FTD Software. 

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory. See the Details section in
    the bug ID(s) at the top of this advisory for the most complete and
    current information.
   
    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco
    Firepower Management Center (FMC).

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco ASA Software

    Cisco ASA Software Release    First Fixed Release for This Vulnerability
    Earlier than 9.5^1            Migrate to a fixed release.
    9.6                           9.6.4.36
    9.7^1                         Migrate to a fixed release.
    9.8                           9.8.4.10
    9.9                           Migrate to a fixed release.
    9.10                          9.10.1.30
    9.12                          9.12.2.9
    9.13                          Not vulnerable.
    9.14                          Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7, have
    reached end of software maintenance. Customers are advised to migrate to a
    supported release that includes the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD Software Release    First Fixed Release for This Vulnerability
    Earlier than 6.1.0^1          Migrate to a fixed release.
    6.1.0                         Migrate to a fixed release.
    6.2.0                         Migrate to a fixed release.
    6.2.1                         Migrate to a fixed release.
    6.2.2                         Migrate to a fixed release.
    6.2.3                         Migrate to a fixed release.
    6.3.0                         6.3.0.5
    6.4.0                         6.4.0.6
    6.5.0                         Not vulnerable.
    6.6.0                         Not vulnerable.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end of
    software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asa-dos-P43GCE5j

Revision History

  o +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | -        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software Kerberos Authentication Bypass
Vulnerability

Priority:        High

Advisory ID:     cisco-asa-kerberos-bypass-96Gghe2sS

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq73534

CVE-2020-3125    

CWE-287

CVSS Score:
8.1  AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Kerberos authentication feature of Cisco Adaptive
    Security Appliance (ASA) Software could allow an unauthenticated, remote
    attacker to impersonate the Kerberos key distribution center (KDC) and
    bypass authentication on an affected device that is configured to perform
    Kerberos authentication for VPN or local device access.

    The vulnerability is due to insufficient identity verification of the KDC
    when a successful authentication response is received. An attacker could
    exploit this vulnerability by spoofing the KDC server response to the ASA
    device. This malicious response would not have been authenticated by the
    KDC. A successful attack could allow an attacker to bypass Kerberos
    authentication.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    Note: Configuration changes after the software upgrade are necessary to
    address this vulnerability. See the Details section of this advisory for
    additional information.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-asa-kerberos-bypass-96Gghe2sS

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running Cisco ASA
    Software with Kerberos authentication configured for VPN or local device
    access.

    Determine Whether Kerberos Authentication Is Configured

    Administrators can use the show running-config aaa-server | include
    kerberos command to determine whether a Kerberos server is configured. The
    following example shows the output of the command for a device that has
    one Kerberos server configured that is named asaKerberosTestServer:

        device(config)# show running-config aaa-server | include kerberos
        aaa-server asaKerberosTestServer protocol kerberos
        kerberos-realm DEV.ASA.TEST

    If the Kerberos server name that is returned in the output is referenced
    elsewhere in the configuration^1, that Kerberos server is being used for
    authentication. Administrators can use the show running-config all |
    include <kerberos server name> command to verify whether Kerberos
    authentication is configured. In the following example, the Kerberos
    server name asaKerberosTestServer is configured for Secure Shell (SSH)
    console authentication (Kerberos authentication can also be configured for
    VPN access):

        device(config)# show running-config all | include asaKerberosTestServer
        aaa-server asaKerberosTestServer protocol kerberos
        aaa-server asaKerberosTestServer (inside) host DEV.ASA.TEST
        aaa authentication ssh console asaKerberosTestServer

    1. The kcd-server <kerberos server name> CLI command is an exception. If
    the only instance of the Kerberos server name is this command, the device
    is not vulnerable.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect
    Cisco Firepower Management Center (FMC) Software or Cisco Firepower Threat
    Defense (FTD) Software.

Details

  o Configuration changes after the software upgrade are necessary to address
    this vulnerability. Cisco ASA devices are vulnerable and can still be
    exploited unless the CLI commands validate-kdc and aaa kerberos
    import-keytab are configured. These new configuration commands ensure that
    the ASA validates the KDC during every user authentication transaction,
    which prevents the vulnerability that is described in this security
    advisory.

    Administrators can configure the new commands by entering the validate-kdc
    command and then the aaa kerberos import-keytab command in the device CLI.

    When the validate-kdc command is enabled, the ASA will validate the
    Kerberos server (KDC) during every user authentication transaction with
    that server by requesting a service ticket for the user and verifying the
    response against a previously stored key table (keytab). The aaa kerberos
    import-keytab command imports a Kerberos keytab file to the ASA.

    The following output shows the configuration of the validate-kdc and aaa
    kerberos import-keytab commands:

        device(config)# validate-kdc
        device(config)# aaa kerberos import-keytab disk0:mykeytab

        device# show aaa kerberos keytab
        Principal:   host/testing@DEV.ASA.TEST
        Key version: 10
        Key type:    arcfour (23)

    For more information about the new commands, see the Cisco ASA Series
    Command Reference, A - H Commands (aaa kerberos import-keytab command) and
    the Cisco ASA Series Command Reference, T - Z Commands (validate-kdc
    command).
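    The two checks described above, whether a Kerberos server group is
    referenced for authentication (with the kcd-server exception) and whether
    validate-kdc and an imported keytab are in place, can be scripted against
    saved command output together with the ASA fixed-release table below. The
    following is an added example, not Cisco's code: it assumes the
    configuration is the text of show running-config all with validate-kdc on
    a line of its own, that the keytab output has the form shown above, and it
    constructs the kcdOnlyServer group and its kcd-server line to exercise the
    stated exception.

```python
"""Exposure check for the ASA Kerberos KDC-spoofing issue (CVE-2020-3125).

Added example, not Cisco's code. It applies the advisory's checks to the text
of ``show running-config all`` and ``show aaa kerberos keytab``: find Kerberos
AAA groups, decide whether each is used for authentication (``kcd-server``
excepted), check for ``validate-kdc`` plus an imported keytab, and compare the
running release with the advisory's ASA fixed-release table.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# First fixed release per train, copied from the advisory's ASA table.
# None means the train gets no fix ("Migrate to a fixed release").
FIRST_FIXED = {
    "9.6": None, "9.7": None, "9.8": "9.8.4.15", "9.9": "9.9.2.66",
    "9.10": "9.10.1.37", "9.12": "9.12.3.2", "9.13": "9.13.1.7",
}
KERBEROS_GROUP = re.compile(r"^\s*aaa-server\s+(\S+)\s+protocol\s+kerberos\b")


def kerberos_groups(config: str) -> list[str]:
    """Names of all AAA server groups that use the Kerberos protocol."""
    return [m.group(1) for line in config.splitlines()
            if (m := KERBEROS_GROUP.match(line))]


def auth_references(config: str, group: str) -> list[str]:
    """Stripped config lines that reference *group* for authentication.
    The group's own definition lines and ``kcd-server <group>`` do not count."""
    token = re.compile(r"(?<!\S)" + re.escape(group) + r"(?!\S)")
    own = re.compile(r"^(aaa-server|kcd-server)\s+" + re.escape(group) + r"(?!\S)")
    return [ln for ln in map(str.strip, config.splitlines())
            if token.search(ln) and not own.match(ln)]


def keytab_principals(keytab_output: str) -> list[str]:
    """Principals listed by ``show aaa kerberos keytab``."""
    return re.findall(r"^\s*Principal:\s*(\S+)", keytab_output, re.MULTILINE)


def release_status(version: str) -> str:
    """'fixed', 'not fixed', 'migrate', 'not vulnerable' or 'unknown' (after 9.14)."""
    parts = [int(p) for p in version.split(".")]
    train = f"{parts[0]}.{parts[1]}"
    if train == "9.14":  # listed as not vulnerable in the advisory
        return "not vulnerable"
    if train not in FIRST_FIXED:  # 9.5 and earlier migrate; later trains are unlisted
        return "unknown" if tuple(parts[:2]) > (9, 14) else "migrate"
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return "migrate"
    return "fixed" if parts >= [int(p) for p in fixed.split(".")] else "not fixed"


@dataclass
class Assessment:
    release: str
    groups_in_use: list[str]
    validate_kdc: bool
    keytab_loaded: bool
    verdict: str


def assess(version: str, config: str, keytab_output: str) -> Assessment:
    """Combine the checks into one verdict for a device."""
    in_use = [g for g in kerberos_groups(config) if auth_references(config, g)]
    # validate-kdc is assumed to appear as a line of its own, at any indentation.
    validate = any(ln.strip() == "validate-kdc" for ln in config.splitlines())
    keytab, rel = bool(keytab_principals(keytab_output)), release_status(version)
    if not in_use:
        verdict = "not affected: no Kerberos server is used for authentication"
    elif rel == "not vulnerable":
        verdict = "not affected: release is not vulnerable"
    elif rel != "fixed":
        verdict = f"vulnerable: release status '{rel}'; upgrade, then configure validate-kdc and import a keytab"
    elif validate and keytab:
        verdict = "mitigated: fixed release with validate-kdc and an imported keytab"
    else:
        verdict = "vulnerable: fixed release, but validate-kdc and aaa kerberos import-keytab are not both configured"
    return Assessment(rel, in_use, validate, keytab, verdict)


# Constructed sample around the advisory's own example lines; the kcdOnlyServer
# group and its kcd-server line are invented to exercise the stated exception.
SAMPLE_CONFIG = """\
aaa-server asaKerberosTestServer protocol kerberos
 kerberos-realm DEV.ASA.TEST
aaa-server asaKerberosTestServer (inside) host DEV.ASA.TEST
aaa authentication ssh console asaKerberosTestServer
aaa-server kcdOnlyServer protocol kerberos
 kerberos-realm DEV.ASA.TEST
aaa-server kcdOnlyServer (inside) host 192.0.2.10
webvpn
 kcd-server kcdOnlyServer username kcdsvc password <redacted>
"""
SAMPLE_KEYTAB = """\
Principal:   host/testing@DEV.ASA.TEST
Key version: 10
Key type:    arcfour (23)
"""
```

    Run assess() once before and once after adding validate-kdc and the keytab
    to see the verdict move from "vulnerable" to "mitigated" on a fixed release.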

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates
    whether a release is affected by any of the vulnerabilities described in
    this bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    Cisco ASA     First Fixed Release    First Fixed Release for All
    Software      for This Vulnerability Vulnerabilities Described in the Bundle
    Release                              of Advisories
    Earlier than  Migrate to a fixed     Migrate to a fixed release.
    9.6^1         release.
    9.6           Migrate to a fixed     Migrate to a fixed release.
                  release.
    9.7^1         Migrate to a fixed     Migrate to a fixed release.
                  release.
    9.8           9.8.4.15               9.8.4.20
    9.9           9.9.2.66               9.9.2.67
    9.10          9.10.1.37              9.10.1.39
    9.12          9.12.3.2               9.12.3.9
    9.13          9.13.1.7               9.13.1.10
    9.14          Not vulnerable.        Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7, have
    reached end of software maintenance. Customers are advised to migrate to a
    supported release that includes the fix for this vulnerability.

    Note 1: This vulnerability is fixed in Cisco ASA Software releases 9.8 and
    later through a new set of configuration commands. Cisco ASA devices are
    vulnerable and can still be exploited unless the CLI commands validate-kdc
    and aaa kerberos import-keytab are configured. For more information, see
    the Details section of this advisory.

    Note 2: Cisco does not recommend that customers use Kerberos
    authentication if the Kerberos authentication server is outside of the
    known, trusted network for any Cisco ASA Software release unless the
    validate-kdc and aaa kerberos import-keytab commands have been configured.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Yoav Iellin, Yaron Kassner, Dor Segal, and Rotem
    Zach of Silverfort for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-asa-kerberos-bypass-96Gghe2sS

Revision History

  o +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

-----------------------------------------------------------------------------


Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Web Services Information Disclosure Vulnerability

Priority:        High

Advisory ID:     cisco-sa-asaftd-info-disclose-9eJtycMB

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 11 23:00 GMT

Version 1.2:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvt15163

CVE-2020-3259    

CWE-200

CVSS Score:
7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web services interface of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to retrieve memory contents
    on an affected device, which could lead to the disclosure of confidential
    information.

    The vulnerability is due to a buffer tracking issue when the software
    parses invalid URLs that are requested from the web services interface. An
    attacker could exploit this vulnerability by sending a crafted GET request
    to the web services interface. A successful exploit could allow the
    attacker to retrieve memory contents, which could lead to the disclosure of
    confidential information.

    Note: This vulnerability affects only specific AnyConnect and WebVPN
    configurations. For more information, see the Vulnerable Products section.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asaftd-info-disclose-9eJtycMB

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a vulnerable
    release of Cisco ASA Software or FTD Software with a vulnerable AnyConnect
    or WebVPN configuration.

    Cisco ASA Software

    In the following table, the left column lists the Cisco ASA Software
    features that are vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command. If
    the device is running a vulnerable release and is configured for one of
    these features, it is vulnerable.

       Cisco ASA Software Feature             Vulnerable Configuration
    AnyConnect IKEv2 Remote Access    crypto ikev2 enable <interface_name>
    (with client services)            client-services port <port #>
    AnyConnect SSL VPN                webvpn
                                      enable <interface_name>
    Clientless SSL VPN                webvpn
                                      enable <interface_name>

    Cisco FTD Software

    In the following table, the left column lists the Cisco FTD Software
    features that are vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command. If
    the device is running a vulnerable release and is configured for one of
    these features, it is vulnerable.

        Cisco FTD Software Feature             Vulnerable Configuration
    AnyConnect IKEv2 Remote Access      crypto ikev2 enable <interface_name>
    (with client services) ^1,2         client-services port <port #>
    AnyConnect SSL VPN ^1,2             webvpn
                                        enable <interface_name>

    1. Remote Access VPN features are enabled by using Devices > VPN > Remote
    Access in Cisco Firepower Management Center (FMC) or by using Device >
    Remote Access VPN in Cisco Firepower Device Manager (FDM).
    2. Remote Access VPN features are first supported in Cisco FTD Software
    Release 6.2.2.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC) Software.

Details

  o The confidential information that could be disclosed is memory on the
    system heap. The contents of this memory can be different on each system
    and at different times but can include web cookies for the AnyConnect and
    WebVPN features, usernames, email addresses, certificates, and actual heap
    addresses.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    Cisco ASA     First Fixed Release  First Fixed Release for All
    Software      for This             Vulnerabilities Described in the Bundle
    Release       Vulnerability        of Advisories
    Earlier than  Migrate to a fixed   Migrate to a fixed release.
    9.5 ^1        release.
    9.5 ^1        Migrate to a fixed   Migrate to a fixed release.
                  release.
    9.6           9.6.4.41             Migrate to a fixed release.
    9.7 ^1        Migrate to a fixed   Migrate to a fixed release.
                  release.
    9.8           9.8.4.20             9.8.4.20
    9.9           9.9.2.67             9.9.2.67
    9.10          9.10.1.40            9.10.1.40
    9.12          9.12.3.9             9.12.3.9
    9.13          9.13.1.10            9.13.1.10
    9.14          Not vulnerable.      Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
    have reached end of software maintenance. Customers are advised to migrate
    to a supported release that includes the fix for this vulnerability.
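    As an added example (not Cisco's code and not part of the advisory), the
    following Python combines the ASA vulnerable-configuration table with the
    ASA fixed-release table above to rate one device's exposure to
    CVE-2020-3259 from its "show version" string and "show running-config"
    text; the sample configuration is constructed, not captured from a device.

```python
import re

# First fixed ASA release per train for this vulnerability, from the
# advisory's table. Trains 9.5-and-earlier and 9.7 have no fix (migrate);
# 9.14 is not vulnerable; anything newer is outside the table.
FIRST_FIXED = {"9.6": "9.6.4.41", "9.8": "9.8.4.20", "9.9": "9.9.2.67",
               "9.10": "9.10.1.40", "9.12": "9.12.3.9", "9.13": "9.13.1.10"}


def parse_version(text):
    """'9.10(1)40' (show version) or '9.10.1.40' (table) -> (9, 10, 1, 40)."""
    parts = tuple(int(n) for n in re.findall(r"\d+", text))
    if len(parts) < 2:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return parts


def release_status(version_text):
    """Classify a running release against the advisory's ASA fixed-release table."""
    v = parse_version(version_text)
    train = f"{v[0]}.{v[1]}"
    if train == "9.14":
        return "not vulnerable"
    if v[:2] > (9, 14):
        return "unlisted"        # newer than the advisory's table
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return "migrate"         # end of maintenance: no fix in this train
    return "fixed" if v >= parse_version(fixed) else "vulnerable"


def vulnerable_features(running_config):
    """Vulnerable feature names from the advisory found in 'show running-config'.
    Only the top-level 'webvpn' stanza counts; the indented 'webvpn' under
    group-policy attributes is a different command and is ignored."""
    found, in_webvpn = [], False
    for line in running_config.splitlines():
        if re.match(r"crypto ikev2 enable \S+ client-services port \d+", line):
            found.append("AnyConnect IKEv2 Remote Access (with client services)")
        if line == "webvpn":
            in_webvpn = True
        elif in_webvpn and not line.startswith(" "):
            in_webvpn = False
        elif in_webvpn and re.match(r" +enable \S+", line):
            found.append("AnyConnect SSL VPN / Clientless SSL VPN (webvpn enable)")
    return found


def assess(version_text, running_config):
    """Exposed = affected release (vulnerable or migrate) AND a vulnerable
    configuration; a fixed or not-vulnerable release is safe either way."""
    status = release_status(version_text)
    feats = vulnerable_features(running_config)
    return {"release": status, "features": feats,
            "exposed": status in ("vulnerable", "migrate") and bool(feats)}


# Constructed sample running-config (not from any real device).
SAMPLE_CONFIG = """\
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
group-policy GP1 attributes
 webvpn
  anyconnect keep-installer installed
"""
```

    Feed assess() the "show version" string and the full running configuration
    of each ASA; devices reported as "migrate" are affected and have no fixed
    release in their train.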

    Cisco FTD Software

    Cisco FTD     First Fixed Release       First Fixed Release for All
    Software      for This Vulnerability    Vulnerabilities Described in the Bundle
    Release                                 of Advisories
    Earlier than  Migrate to a fixed        Migrate to a fixed release.
    6.2.3 ^1      release.
    6.2.3         6.2.3.16 (June 2020)      6.2.3.16 (June 2020)
    6.3.0         6.3.0.6 (future release)  6.3.0.6 (future release)
    6.4.0         6.4.0.9 (May 2020)        6.4.0.9 (May 2020)
    6.5.0         6.5.0.5 (future release)  6.5.0.5 (future release)
    6.6.0         Not vulnerable.           6.6.0

    Hotfix packages for each release (the same hotfix files are listed for both
    columns):

    6.2.3   Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
            Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
            Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar
    6.3.0   Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
            Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
            Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar
    6.4.0   Cisco_FTD_Hotfix_AY-6.4.0.9-2.sh.REL.tar
            Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-2.sh.REL.tar
            Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-2.sh.REL.tar
            Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-2.sh.REL.tar
    6.5.0   Cisco_FTD_Hotfix_H-6.5.0.5-1.sh.REL.tar
            Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-1.sh.REL.tar
            Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-1.sh.REL.tar
            Cisco_FTD_SSP_Hotfix_H-6.5.0.5-1.sh.REL.tar

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       o For devices that are managed by using Cisco Firepower Management Center
         (FMC), use the FMC interface to install the upgrade. After installation
         is complete, reapply the access control policy.
       o For devices that are managed by using Cisco Firepower Device Manager
         (FDM), use the FDM interface to install the upgrade. After installation
         is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Mikhail Klyuchnikov and Nikita Abramov of
    Positive Technologies for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-asaftd-info-disclose-9eJtycMB

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated ASA Fixed Releases  | Fixed    | Final  | 2020-MAY-11 |
    |         | table with 9.6 release.     | Software |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Releases  |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Software | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================