-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1615.3
      Multiple vulnerabilities found in Cisco Adaptive Security Appliance
                        and Firepower Threat Defence
                                 18 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Firepower Threat Defence
                   Cisco Adaptive Security Appliance Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Delete Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3306 CVE-2020-3305 CVE-2020-3303 CVE-2020-3298
                   CVE-2020-3259 CVE-2020-3254 CVE-2020-3196 CVE-2020-3195
                   CVE-2020-3191 CVE-2020-3187 CVE-2020-3125

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-BqYFRJt9
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-dos-qk8cTGLz
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-P43GCE5j
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-dos-qY7BHpjN
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-mgcp-SUqB8VKH
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-dos-RhMQY8qx
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipv6-67pA658k
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB

Comment: This bulletin contains twelve (12) security advisories.

Revision History:  May 18 2020: Vendor released minor update
                   May 12 2020: Vendor released update 1.2 to clarify fixed
                                release table
                   May  7 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Web Services Path Traversal Vulnerability

Priority:        High
Advisory ID:     cisco-sa-asaftd-path-JE3azWw43
First Published: 2020 May 6 16:00 GMT
Last Updated:    2020 May 15 14:52 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr55825
CVE-2020-3187    CWE-22
CVSS Score:      9.1  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web services interface of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
    Software could allow an unauthenticated, remote attacker to conduct
    directory traversal attacks and obtain read and delete access to
    sensitive files on a targeted system.

    The vulnerability is due to a lack of proper input validation of the
    HTTP URL. An attacker could exploit this vulnerability by sending a
    crafted HTTP request containing directory traversal character sequences.
    An exploit could allow the attacker to view or delete arbitrary files on
    the targeted system. When the device is reloaded after exploitation of
    this vulnerability, any files that were deleted are restored.

    The attacker can only view and delete files within the web services file
    system. This file system is enabled when the affected device is
    configured with either WebVPN or AnyConnect features. This vulnerability
    cannot be used to obtain access to ASA or FTD system files or underlying
    operating system (OS) files.
    Reloading the affected device will restore all files within the web
    services file system.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a
    vulnerable release of Cisco ASA Software or FTD Software with a
    vulnerable AnyConnect or WebVPN configuration.

    ASA Software

    In the following table, the left column lists the Cisco ASA features
    that are vulnerable. The right column indicates the basic configuration
    for the feature from the show running-config CLI command. If the device
    is configured for one of these features, it is vulnerable.

    +-------------------------------+--------------------------------------+
    | Cisco ASA Feature             | Vulnerable Configuration             |
    +-------------------------------+--------------------------------------+
    | AnyConnect IKEv2 Remote       | crypto ikev2 enable <interface_name> |
    | Access (with client services) |   client-services port <port #>      |
    +-------------------------------+--------------------------------------+
    | AnyConnect SSL VPN            | webvpn                               |
    |                               |   enable <interface_name>            |
    +-------------------------------+--------------------------------------+
    | Clientless SSL VPN            | webvpn                               |
    |                               |   enable <interface_name>            |
    +-------------------------------+--------------------------------------+

    FTD Software

    In the following table, the left column lists the Cisco FTD features
    that are vulnerable. The right column indicates the basic configuration
    for the feature from the show running-config CLI command. If the device
    is configured for one of these features, it is vulnerable.

    +-------------------------------+--------------------------------------+
    | Cisco FTD Feature             | Vulnerable Configuration             |
    +-------------------------------+--------------------------------------+
    | AnyConnect IKEv2 Remote       | crypto ikev2 enable <interface_name> |
    | Access (with client services) |   client-services port <port #>      |
    | ^1,2                          |                                      |
    +-------------------------------+--------------------------------------+
    | AnyConnect SSL VPN ^1,2       | webvpn                               |
    |                               |   enable <interface_name>            |
    +-------------------------------+--------------------------------------+

    1. Remote Access VPN features are enabled via Devices > VPN > Remote
       Access in the Cisco FMC or via Device > Remote Access VPN in Cisco
       Firepower Device Manager (FDM).
    2. Remote Access VPN features are first supported as of Cisco FTD
       Software Release 6.2.2.

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco
    Firepower Management Center (FMC) Software.

Details

  o The attacker can view and delete files within the web services file
    system only. The web services file system is enabled for the WebVPN and
    AnyConnect features outlined in the Vulnerable Products section of this
    advisory; therefore, this vulnerability does not apply to the ASA and
    FTD system files or underlying operating system (OS) files. The Web
    Services files that the attacker can view may have information such as
    WebVPN configuration, bookmarks, web cookies, partial web content, and
    HTTP URLs.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect
    support for software versions and feature sets for which they have
    purchased a license. By installing, downloading, accessing, or otherwise
    using such software upgrades, customers agree to follow the terms of the
    Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner. In most cases this will be a maintenance
    upgrade to software that was previously purchased. Free security
    software updates do not entitle customers to a new software license,
    additional software feature sets, or major revision upgrades.
    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software
    releases. The center column indicates whether a release is affected by
    the vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates
    whether a release is affected by any of the vulnerabilities described in
    this bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +-----------------------+-----------------------------+-----------------------------+
    | Cisco ASA Software    | First Fixed Release for     | First Fixed Release for All |
    | Release               | This Vulnerability          | Vulnerabilities Described   |
    |                       |                             | in the Bundle of Advisories |
    +-----------------------+-----------------------------+-----------------------------+
    | Earlier than 9.5 ^1   | Migrate to a fixed release. | Migrate to a fixed release. |
    | 9.6                   | 9.6.4.40                    | Migrate to a fixed release. |
    | 9.7 ^1                | Migrate to a fixed release. | Migrate to a fixed release. |
    | 9.8                   | 9.8.4.15                    | 9.8.4.20                    |
    | 9.9                   | 9.9.2.66                    | 9.9.2.67                    |
    | 9.10                  | 9.10.1.37                   | 9.10.1.40                   |
    | 9.12                  | 9.12.3.2                    | 9.12.3.9                    |
    | 9.13                  | 9.13.1.7                    | 9.13.1.10                   |
    | 9.14                  | Not vulnerable.             | Not vulnerable.             |
    +-----------------------+-----------------------------+-----------------------------+

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for this
       vulnerability.

    Cisco FTD Software (for each Cisco FTD Software release: the first fixed
    release for this vulnerability, then the first fixed release for all
    vulnerabilities described in the bundle of advisories)

    Earlier than 6.2.3 ^1
        This vulnerability:  Migrate to a fixed release.
        All in bundle:       Migrate to a fixed release.

    6.2.3
        This vulnerability:  6.2.3.16 (June 2020)
                             Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                             Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                             Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar
        All in bundle:       6.2.3.16 (June 2020)
                             Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                             Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                             Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar

    6.3.0
        This vulnerability:  6.3.0.6 (future release)
                             Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                             Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                             Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar
        All in bundle:       6.3.0.6 (future release)
                             Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                             Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                             Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar

    6.4.0
        This vulnerability:  6.4.0.8
        All in bundle:       6.4.0.9 (May 2020)
                             Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                             Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                             Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                             Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later

    6.5.0
        This vulnerability:  6.5.0.4
        All in bundle:       6.5.0.5 (future release)
                             Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                             Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                             Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                             Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later

    6.6.0
        This vulnerability:  Not vulnerable.
        All in bundle:       6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached
       end of software maintenance. Customers are advised to migrate to a
       supported release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do
    one of the following:

    - For devices that are managed by using Cisco Firepower Management
      Center (FMC), use the FMC interface to install the upgrade. After
      installation is complete, reapply the access control policy.
    - For devices that are managed by using Cisco Firepower Device Manager
      (FDM), use the FDM interface to install the upgrade. After
      installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware
    of any public announcements or malicious use of the vulnerability that
    is described in this advisory.

Source

  o Cisco would like to thank Mikhail Klyuchnikov of Positive Technologies
    for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Release   |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Releases | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Web Services Information Disclosure Vulnerability

Priority:        High
Advisory ID:     cisco-sa-asaftd-info-disclose-9eJtycMB
First Published: 2020 May 6 16:00 GMT
Last Updated:    2020 May 15 14:21 GMT
Version 1.3:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt15163
CVE-2020-3259    CWE-200
CVSS Score:      7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web services interface of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
    Software could allow an unauthenticated, remote attacker to retrieve
    memory contents on an affected device, which could lead to the
    disclosure of confidential information.

    The vulnerability is due to a buffer tracking issue when the software
    parses invalid URLs that are requested from the web services interface.
    An attacker could exploit this vulnerability by sending a crafted GET
    request to the web services interface. A successful exploit could allow
    the attacker to retrieve memory contents, which could lead to the
    disclosure of confidential information.

    Note: This vulnerability affects only specific AnyConnect and WebVPN
    configurations. For more information, see the Vulnerable Products
    section.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a
    vulnerable release of Cisco ASA Software or FTD Software with a
    vulnerable AnyConnect or WebVPN configuration.

    Cisco ASA Software

    In the following table, the left column lists the Cisco ASA Software
    features that are vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command.
    If the device is running a vulnerable release and is configured for one
    of these features, it is vulnerable.

    +-------------------------------+--------------------------------------+
    | Cisco ASA Software Feature    | Vulnerable Configuration             |
    +-------------------------------+--------------------------------------+
    | AnyConnect IKEv2 Remote       | crypto ikev2 enable <interface_name> |
    | Access (with client services) |   client-services port <port #>      |
    +-------------------------------+--------------------------------------+
    | AnyConnect SSL VPN            | webvpn                               |
    |                               |   enable <interface_name>            |
    +-------------------------------+--------------------------------------+
    | Clientless SSL VPN            | webvpn                               |
    |                               |   enable <interface_name>            |
    +-------------------------------+--------------------------------------+

    Cisco FTD Software

    In the following table, the left column lists the Cisco FTD Software
    features that are vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command.
    If the device is running a vulnerable release and is configured for one
    of these features, it is vulnerable.

    +-------------------------------+--------------------------------------+
    | Cisco FTD Software Feature    | Vulnerable Configuration             |
    +-------------------------------+--------------------------------------+
    | AnyConnect IKEv2 Remote       | crypto ikev2 enable <interface_name> |
    | Access (with client services) |   client-services port <port #>      |
    | ^1,2                          |                                      |
    +-------------------------------+--------------------------------------+
    | AnyConnect SSL VPN ^1,2       | webvpn                               |
    |                               |   enable <interface_name>            |
    +-------------------------------+--------------------------------------+

    1. Remote Access VPN features are enabled by using Devices > VPN >
       Remote Access in Cisco Firepower Management Center (FMC) or by using
       Device > Remote Access VPN in Cisco Firepower Device Manager (FDM).
    2. Remote Access VPN features are first supported in Cisco FTD Software
       Release 6.2.2.

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco
    Firepower Management Center (FMC) Software.

Details

  o The confidential information that could be disclosed is memory on the
    system heap. The contents of this memory can be different on each system
    and at different times but can include web cookies for the AnyConnect
    and WebVPN features, usernames, email addresses, certificates, and
    actual heap addresses.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect
    support for software versions and feature sets for which they have
    purchased a license. By installing, downloading, accessing, or otherwise
    using such software upgrades, customers agree to follow the terms of the
    Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner. In most cases this will be a maintenance
    upgrade to software that was previously purchased. Free security
    software updates do not entitle customers to a new software license,
    additional software feature sets, or major revision upgrades.
    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software
    releases. The center column indicates whether a release is affected by
    the vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates
    whether a release is affected by any of the vulnerabilities described in
    this bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +-----------------------+-----------------------------+-----------------------------+
    | Cisco ASA Software    | First Fixed Release for     | First Fixed Release for All |
    | Release               | This Vulnerability          | Vulnerabilities Described   |
    |                       |                             | in the Bundle of Advisories |
    +-----------------------+-----------------------------+-----------------------------+
    | Earlier than 9.5 ^1   | Migrate to a fixed release. | Migrate to a fixed release. |
    | 9.5 ^1                | Migrate to a fixed release. | Migrate to a fixed release. |
    | 9.6                   | 9.6.4.41                    | Migrate to a fixed release. |
    | 9.7 ^1                | Migrate to a fixed release. | Migrate to a fixed release. |
    | 9.8                   | 9.8.4.20                    | 9.8.4.20                    |
    | 9.9                   | 9.9.2.67                    | 9.9.2.67                    |
    | 9.10                  | 9.10.1.40                   | 9.10.1.40                   |
    | 9.12                  | 9.12.3.9                    | 9.12.3.9                    |
    | 9.13                  | 9.13.1.10                   | 9.13.1.10                   |
    | 9.14                  | Not vulnerable.             | Not vulnerable.             |
    +-----------------------+-----------------------------+-----------------------------+

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for this
       vulnerability.

    Cisco FTD Software (for each Cisco FTD Software release: the first fixed
    release for this vulnerability, then the first fixed release for all
    vulnerabilities described in the bundle of advisories)

    Earlier than 6.2.3 ^1
        This vulnerability:  Migrate to a fixed release.
        All in bundle:       Migrate to a fixed release.

    6.2.3
        This vulnerability:  6.2.3.16 (June 2020)
                             Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                             Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                             Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar
        All in bundle:       6.2.3.16 (June 2020)
                             Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                             Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                             Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar

    6.3.0
        This vulnerability:  6.3.0.6 (future release)
                             Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                             Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                             Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar
        All in bundle:       6.3.0.6 (future release)
                             Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                             Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                             Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar

    6.4.0
        This vulnerability:  6.4.0.9 (May 2020)
                             Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                             Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                             Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                             Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
        All in bundle:       6.4.0.9 (May 2020)
                             Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                             Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                             Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                             Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later

    6.5.0
        This vulnerability:  6.5.0.5 (future release)
                             Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                             Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                             Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                             Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
        All in bundle:       6.5.0.5 (future release)
                             Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                             Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                             Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                             Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later

    6.6.0
        This vulnerability:  Not vulnerable.
        All in bundle:       6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached
       end of software maintenance. Customers are advised to migrate to a
       supported release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do
    one of the following:

    - For devices that are managed by using Cisco Firepower Management
      Center (FMC), use the FMC interface to install the upgrade. After
      installation is complete, reapply the access control policy.
    - For devices that are managed by using Cisco Firepower Device Manager
      (FDM), use the FDM interface to install the upgrade. After
      installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware
    of any public announcements or malicious use of the vulnerability that
    is described in this advisory.

Source

  o Cisco would like to thank Mikhail Klyuchnikov and Nikita Abramov of
    Positive Technologies for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.
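The path traversal and information disclosure advisories above list the same running-config fragments as their vulnerable configurations (crypto ikev2 enable with client-services, and enable under the global webvpn block). The following Python script is an added example, not code from Cisco or AusCERT: it parses show running-config text and reports the interfaces on which each listed feature is enabled, so the configuration half of the exposure question can be answered from a saved config. The sample configuration text is constructed, and the function and constant names are the example's own.

```python
"""Report the AnyConnect/WebVPN feature configurations that the two
web-services advisories above list as vulnerable, from ASA/FTD
'show running-config' text. Added example; not Cisco code."""
import re
from typing import Dict, List

# Constructed sample of ASA running-config text (not taken from a real device).
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GP-RA attributes
 webvpn
  anyconnect ssl dtls enable
"""

# Feature labels as used in the advisory tables.
IKEV2_RA = "AnyConnect IKEv2 Remote Access (with client services)"
WEBVPN = "AnyConnect SSL VPN / Clientless SSL VPN (webvpn enable)"

# 'crypto ikev2 enable <interface_name> client-services port <port #>', one line.
IKEV2_CS_RE = re.compile(r"^crypto ikev2 enable (\S+) client-services port (\d+)$")
# 'enable <interface_name>' indented one space under the top-level 'webvpn' block.
WEBVPN_ENABLE_RE = re.compile(r"^ enable (\S+)$")


def find_vulnerable_features(config: str) -> Dict[str, List[str]]:
    """Return {feature label: [interface(s)]} for each listed configuration found.

    An empty dict means none of the listed configurations is present; the
    running release still has to be checked against the Fixed Releases table.
    """
    findings: Dict[str, List[str]] = {}
    in_webvpn = False
    for line in config.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # A top-level line ends any block we were in and may open 'webvpn'.
            in_webvpn = line == "webvpn"
            m = IKEV2_CS_RE.match(line)
            if m:
                iface, port = m.groups()
                findings.setdefault(IKEV2_RA, []).append(f"{iface} (port {port})")
            continue
        # An indented 'webvpn' under a group-policy is a different block and is
        # deliberately not matched: the tables name the global 'webvpn' block.
        if in_webvpn:
            m = WEBVPN_ENABLE_RE.match(line)
            if m:
                findings.setdefault(WEBVPN, []).append(m.group(1))
    return findings


def has_vulnerable_configuration(config: str) -> bool:
    """True when at least one of the listed configurations is present."""
    return bool(find_vulnerable_features(config))


if __name__ == "__main__":
    for feature, ifaces in find_vulnerable_features(SAMPLE_CONFIG).items():
        print(f"{feature}: {', '.join(ifaces)}")
```

Because the tables give the same webvpn / enable fragment for both AnyConnect SSL VPN and Clientless SSL VPN, the script reports them as one finding; a device with only the group-policy webvpn sub-block and no global enable line produces no finding, matching the tables.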
Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.3     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated ASA Fixed Releases  | Fixed    | Final  | 2020-MAY-11 |
    |         | table with 9.6 release.     | Software |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Releases  |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Software | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software SSL/TLS Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-asa-ssl-vpn-dos-qY7BHpjN
First Published: 2020 May 6 16:00 GMT
Last Updated:    2020 May 15 13:55 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvp49481 CSCvp93468
CVE-2020-3196    CWE-400
CVSS Score:      8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer
    Security (TLS) handler of Cisco Adaptive Security Appliance (ASA)
    Software and Cisco Firepower Threat Defense (FTD) Software could allow
    an unauthenticated, remote attacker to exhaust memory resources on the
    affected device, leading to a denial of service (DoS) condition.

    The vulnerability is due to improper resource management for inbound
    SSL/TLS connections. An attacker could exploit this vulnerability by
    establishing multiple SSL/TLS connections with specific conditions to
    the affected device. A successful exploit could allow the attacker to
    exhaust the memory on the affected device, causing the device to stop
    accepting new SSL/TLS connections and resulting in a DoS condition for
    services on the device that process SSL/TLS traffic. Manual
    intervention is required to recover an affected device.

    Cisco has released software updates that address the vulnerability
    described in this advisory. There are no workarounds that address this
    vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-dos-qY7BHpjN

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a
    vulnerable release of Cisco ASA Software or FTD Software and have a
    feature enabled that causes the device to process SSL/TLS messages.
    These features include, but are not limited to, the following:

    - AnyConnect SSL VPN
    - Clientless SSL VPN
    - HTTP server used for the management interface

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory.

    Determine Whether a Device Could Process SSL or TLS Messages

    To verify whether a device that is running Cisco ASA Software or Cisco
    FTD Software could process SSL or TLS packets, use the show asp table
    socket | include SSL|DTLS command and verify that it returns output.
    When this command returns any output, the device is vulnerable. When
    this command returns empty output, the device is not affected by the
    vulnerability described in this advisory.

    The following example shows the output of the show asp table socket |
    include SSL|DTLS command from a device that is vulnerable:

    ftd# show asp table socket | include SSL|DTLS
    SSL     0005aa68  LISTEN   x.x.x.x:443        0.0.0.0:*
    SSL     002d9e38  LISTEN   x.x.x.x:8443       0.0.0.0:*
    DTLS    0018f7a8  LISTEN   10.0.0.250:443     0.0.0.0:*

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco Firepower Management Center (FMC) Software. Details o An affected device could stop accepting new SSL/TLS connections. Manual intervention would be required to recover the device. To do so, an administrator can log in to the CLI of the device and clear connections by using the following command: clear conn all If multiple connections are seen from specific IP addresses, the administrator can use the following command: clear conn all address ip-address Caution: The clear conn all command will clear all connections to or traversing through the device, regardless of whether they are SSL/TLS connections or whether they are improperly using system memory. Administrators are advised to use this command with care. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/ end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page , to determine exposure and a complete upgrade solution. 
    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates
    whether a release is affected by any of the vulnerabilities described in
    this bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +------------------------+------------------------------+--------------------------------+
    | Cisco ASA Software     | First Fixed Release          | First Fixed Release for All    |
    | Release                | for This Vulnerability       | Vulnerabilities Described in   |
    |                        |                              | the Bundle of Advisories       |
    +------------------------+------------------------------+--------------------------------+
    | Earlier than 9.6 ^1    | Migrate to a fixed release.  | Migrate to a fixed release.    |
    | 9.6                    | 9.6.4.40                     | Migrate to a fixed release.    |
    | 9.7 ^1                 | Migrate to a fixed release.  | Migrate to a fixed release.    |
    | 9.8                    | 9.8.4.20                     | 9.8.4.20                       |
    | 9.9                    | 9.9.2.66                     | 9.9.2.67                       |
    | 9.10                   | 9.10.1.37                    | 9.10.1.40                      |
    | 9.12                   | 9.12.3.2                     | 9.12.3.9                       |
    | 9.13                   | 9.13.1.7                     | 9.13.1.10                      |
    | 9.14                   | Not vulnerable.              | Not vulnerable.                |
    +------------------------+------------------------------+--------------------------------+

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for this
       vulnerability.

    Cisco FTD Software

    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | Cisco FTD Software     | First Fixed Release for This Vulnerability         | First Fixed Release for All Vulnerabilities        |
    | Release                |                                                    | Described in the Bundle of Advisories              |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | Earlier than 6.1.0 ^1  | Migrate to a fixed release.                        | Migrate to a fixed release.                        |
    | 6.1.0                  | Migrate to a fixed release.                        | Migrate to a fixed release.                        |
    | 6.2.0                  | Migrate to a fixed release.                        | Migrate to a fixed release.                        |
    | 6.2.1                  | Migrate to a fixed release.                        | Migrate to a fixed release.                        |
    | 6.2.2                  | Migrate to a fixed release.                        | Migrate to a fixed release.                        |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.2.3                  | 6.2.3.16 (June 2020)                               | 6.2.3.16 (June 2020)                               |
    |                        | Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar          | Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar          |
    |                        | Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar | Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar |
    |                        | Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar      | Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar      |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.3.0                  | 6.3.0.6 (future release)                           | 6.3.0.6 (future release)                           |
    |                        | Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar           | Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar           |
    |                        | Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar  | Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar  |
    |                        | Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar       | Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar       |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.4.0                  | 6.4.0.9 (May 2020)                                 | 6.4.0.9 (May 2020)                                 |
    |                        | Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar           | Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar           |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar  | Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar  |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar  | Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar  |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar       | Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar       |
    |                        |   and later                                        |   and later                                        |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.5.0                  | 6.5.0.5 (future release)                           | 6.5.0.5 (future release)                           |
    |                        | Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar            | Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar            |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar   | Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar   |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar   | Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar   |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar        | Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar        |
    |                        |   and later                                        |   and later                                        |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.6.0                  | Not vulnerable.                                    | 6.6.0                                              |
    +------------------------+----------------------------------------------------+----------------------------------------------------+

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
       of software maintenance. Customers are advised to migrate to a
       supported release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

    o For devices that are managed by using Cisco Firepower Management Center
      (FMC), use the FMC interface to install the upgrade. After installation
      is complete, reapply the access control policy.

    o For devices that are managed by using Cisco Firepower Device Manager
      (FDM), use the FDM interface to install the upgrade. After installation
      is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-dos-qY7BHpjN

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Release   |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Releases | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
OSPF Packets Processing Memory Leak Vulnerability

Priority:        High
Advisory ID:     cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv
First Published: 2020 May 6 16:00 GMT
Last Updated:    2020 May 15 14:05 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr92168
CVE-2020-3195
CWE-400
CVSS Score:      8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Open Shortest Path First (OSPF) implementation in
    Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower
    Threat Defense (FTD) Software could allow an unauthenticated, remote
    attacker to cause a memory leak on an affected device. The vulnerability
    is due to incorrect processing of certain OSPF packets.
    An attacker could exploit this vulnerability by sending a series of
    crafted OSPF packets to be processed by an affected device. A successful
    exploit could allow the attacker to continuously consume memory on an
    affected device and eventually cause it to reload, resulting in a denial
    of service (DoS) condition.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products that are running a vulnerable
    release of Cisco ASA Software or Cisco FTD Software that is configured to
    support OSPF routing with the capability of processing Link-Local
    Signaling (LLS) blocks enabled. The LLS block processing is enabled by
    default.

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determine Whether OSPF Routing Is Configured on an ASA Device

    To determine whether OSPF routing is configured on an ASA device,
    administrators can use the show ospf privileged mode command. If no
    output is returned, OSPF routing is not configured. In the following
    example, the device is configured for OSPF routing:

        asa# show ospf
        Routing Process "ospf 2" with ID 10.1.89.2 and Domain ID 0.0.0.2
         Supports only single TOS(TOS0) routes
         Supports opaque LSA
         . . .
    Determine Whether OSPF Routing Is Configured on an FTD Device

    To determine whether OSPF routing is configured on an FTD device,
    administrators can do one of the following:

    o For devices that are managed by using Cisco Firepower Management Center
      (FMC), choose Devices > Device Management, select the device of
      interest, and then choose Routing > OSPF. If either Process 1 or
      Process 2 has a check mark, OSPF is enabled on the device.

    o For devices that are managed by using Cisco Firepower Device Manager
      (FDM), choose Device > Advanced Configuration > View Configuration >
      Smart CLI > Routing. If there is an object with the type of OSPF, then
      OSPF is enabled on the device.

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco
    Firepower Management Center (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.
    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates
    whether a release is affected by any of the vulnerabilities described in
    this bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +------------------------+------------------------------+--------------------------------+
    | Cisco ASA Software     | First Fixed Release          | First Fixed Release for All    |
    | Release                | for This Vulnerability       | Vulnerabilities Described in   |
    |                        |                              | the Bundle of Advisories       |
    +------------------------+------------------------------+--------------------------------+
    | Earlier than 9.4 ^1    | Not Vulnerable.              | Migrate to a fixed release.    |
    | 9.4 ^1                 | Not Vulnerable.              | Migrate to a fixed release.    |
    | 9.5 ^1                 | Not Vulnerable.              | Migrate to a fixed release.    |
    | 9.6                    | Not Vulnerable.              | Migrate to a fixed release.    |
    | 9.7 ^1                 | Not Vulnerable.              | Migrate to a fixed release.    |
    | 9.8                    | Not Vulnerable.              | 9.8.4.20                       |
    | 9.9                    | Not Vulnerable.              | 9.9.2.67                       |
    | 9.10                   | Not Vulnerable.              | 9.10.1.40                      |
    | 9.12                   | 9.12.3.2                     | 9.12.3.9                       |
    | 9.13                   | 9.13.1.7                     | 9.13.1.10                      |
    | 9.14                   | Not Vulnerable.              | Not Vulnerable.                |
    +------------------------+------------------------------+--------------------------------+

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for this
       vulnerability.

    Cisco FTD Software

    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | Cisco FTD Software     | First Fixed Release for This Vulnerability         | First Fixed Release for All Vulnerabilities        |
    | Release                |                                                    | Described in the Bundle of Advisories              |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | Earlier than 6.1.0 ^1  | Not Vulnerable.                                    | Migrate to a fixed release.                        |
    | 6.1.0                  | Not Vulnerable.                                    | Migrate to a fixed release.                        |
    | 6.2.0                  | Not Vulnerable.                                    | Migrate to a fixed release.                        |
    | 6.2.1                  | Not Vulnerable.                                    | Migrate to a fixed release.                        |
    | 6.2.2                  | Not Vulnerable.                                    | Migrate to a fixed release.                        |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.2.3                  | Not Vulnerable.                                    | 6.2.3.16 (June 2020)                               |
    |                        |                                                    | Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar          |
    |                        |                                                    | Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar |
    |                        |                                                    | Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar      |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.3.0                  | Not Vulnerable.                                    | 6.3.0.6 (future release)                           |
    |                        |                                                    | Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar           |
    |                        |                                                    | Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar  |
    |                        |                                                    | Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar       |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.4.0                  | 6.4.0.9 (May 2020)                                 | 6.4.0.9 (May 2020)                                 |
    |                        | Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar           | Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar           |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar  | Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar  |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar  | Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar  |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar       | Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar       |
    |                        |   and later                                        |   and later                                        |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.5.0                  | 6.5.0.5 (future release)                           | 6.5.0.5 (future release)                           |
    |                        | Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar            | Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar            |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar   | Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar   |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar   | Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar   |
    |                        |   and later                                        |   and later                                        |
    |                        | Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar        | Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar        |
    |                        |   and later                                        |   and later                                        |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.6.0                  | Not Vulnerable.                                    | 6.6.0                                              |
    +------------------------+----------------------------------------------------+----------------------------------------------------+

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
       of software maintenance. Customers are advised to migrate to a
       supported release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

    o For devices that are managed by using Cisco Firepower Management Center
      (FMC), use the FMC interface to install the upgrade. After installation
      is complete, reapply the access control policy.

    o For devices that are managed by using Cisco Firepower Device Manager
      (FDM), use the FDM interface to install the upgrade. After installation
      is complete, reapply the access control policy.
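    As an added example (not Cisco's or AusCERT's code), the following Python
    script combines the two ASA checks this advisory gives, the show ospf test
    from Vulnerable Products and the Cisco ASA Software fixed-release table
    above, into one exposure verdict per device. The table data is copied from
    this advisory only (the other advisories in this bulletin have different
    tables), the show ospf text is the advisory's own sample, and the release
    strings fed to it are constructed.

```python
"""Exposure check for the Cisco ASA OSPF memory-leak advisory
(cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv, CVE-2020-3195).

Added example, not Cisco's or AusCERT's code.  A device is exposed only if
OSPF is configured (`show ospf` returns output) AND its release is below the
first fixed release of its train.  FIRST_FIXED_ASA is copied from the
advisory's "Cisco ASA Software" table; SHOW_OSPF_CONFIGURED is the sample
output printed in the advisory.
"""
import re
from typing import Dict, Optional, Tuple

NOT_VULNERABLE = "not vulnerable"   # table cell "Not Vulnerable."
MIGRATE = "migrate"                 # table cell "Migrate to a fixed release."

# Train -> first fixed release for THIS vulnerability.  The table's first
# row makes every train earlier than 9.4 "Not Vulnerable." as well.
FIRST_FIXED_ASA: Dict[str, str] = {
    "9.4": NOT_VULNERABLE, "9.5": NOT_VULNERABLE, "9.6": NOT_VULNERABLE,
    "9.7": NOT_VULNERABLE, "9.8": NOT_VULNERABLE, "9.9": NOT_VULNERABLE,
    "9.10": NOT_VULNERABLE,
    "9.12": "9.12.3.2",
    "9.13": "9.13.1.7",
    "9.14": NOT_VULNERABLE,
}
EARLIEST_LISTED_TRAIN = (9, 4)

# `show ospf` output for a device with OSPF configured (from the advisory).
SHOW_OSPF_CONFIGURED = """\
Routing Process "ospf 2" with ID 10.1.89.2 and Domain ID 0.0.0.2
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.12.3.2' or the `show version` form '9.12(3)2' -> (9, 12, 3, 2)."""
    fields = re.findall(r"\d+", text)
    if len(fields) < 2:
        raise ValueError(f"not an ASA release string: {text!r}")
    return tuple(int(f) for f in fields)


def ospf_configured(show_ospf_output: str) -> bool:
    """Advisory rule: no output from `show ospf` means OSPF is not configured."""
    return bool(show_ospf_output.strip())


def assess(release: str, show_ospf_output: str,
           table: Dict[str, str] = FIRST_FIXED_ASA) -> Tuple[str, str]:
    """Return (status, explanation) for one ASA device.

    status: not_exposed | not_vulnerable | vulnerable | fixed | unknown
    """
    ver = parse_version(release)
    train = f"{ver[0]}.{ver[1]}"
    if not ospf_configured(show_ospf_output):
        return "not_exposed", "OSPF routing is not configured on this device"
    fixed: Optional[str] = table.get(train)
    if fixed is None:
        if ver[:2] < EARLIEST_LISTED_TRAIN:
            return "not_vulnerable", f"{release} is earlier than 9.4"
        return "unknown", f"train {train} is not listed in the advisory"
    if fixed == NOT_VULNERABLE:
        return "not_vulnerable", f"train {train} is not vulnerable"
    if fixed == MIGRATE:
        return "vulnerable", f"no fix in train {train}; migrate to a fixed release"
    # Tuple comparison orders interim releases correctly: (9,12,3) < (9,12,3,2).
    if ver >= parse_version(fixed):
        return "fixed", f"{release} is at or above first fixed release {fixed}"
    return "vulnerable", f"upgrade {release} to {fixed} or later"


if __name__ == "__main__":
    # Constructed release strings for demonstration.
    for rel in ("9.8.4.20", "9.12.3", "9.12.3.2", "9.13(1)6", "9.2.1"):
        print(rel, *assess(rel, SHOW_OSPF_CONFIGURED))
    print("9.12.3 without OSPF:", *assess("9.12.3", ""))
```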
Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Release   |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Releases | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
Media Gateway Control Protocol Denial of Service Vulnerabilities

Priority:        High
Advisory ID:     cisco-sa-asaftd-mgcp-SUqB8VKH
First Published: 2020 May 6 16:00 GMT
Last Updated:    2020 May 15 14:31 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvp16945 CSCvp16949
CVE-2020-3254
CWE-400
CVSS Score:      8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in the Media Gateway Control Protocol (MGCP)
    inspection feature of Cisco Adaptive Security Appliance (ASA) Software
    and Firepower Threat Defense (FTD) Software could allow an
    unauthenticated, remote attacker to cause a denial of service (DoS)
    condition on an affected device.

    The vulnerabilities are due to inefficient memory management. An attacker
    could exploit these vulnerabilities by sending crafted MGCP packets
    through an affected device. An exploit could allow the attacker to cause
    memory exhaustion resulting in a restart of an affected device, causing a
    DoS condition for traffic traversing the device.

    Cisco has released software updates that address the vulnerabilities
    described in this advisory. There are no workarounds that address these
    vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-mgcp-SUqB8VKH

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.
Affected Products

  o Vulnerable Products

    These vulnerabilities affect Cisco products if they are running a
    vulnerable release of Cisco ASA Software or Cisco FTD Software and they
    are configured to inspect MGCP traffic. MGCP inspection is not enabled in
    the default inspection policy.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory.

    Determining if MGCP Inspection Is Enabled

    To determine whether MGCP inspection is enabled, administrators can use
    the show running-config policy-map command, followed by the show
    running-config service-policy command.

    Use the show running-config policy-map command, and check whether the
    inspect mgcp <map_name> command is present in at least one policy map. In
    the following output, the global_policy policy map includes the inspect
    mgcp <map_name> command:

        asa# show running-config policy-map
        !
        policy-map global_policy
         class inspection_default
          inspect ip-options
          inspect netbios
          inspect rtsp
          inspect mgcp <map_name>
          inspect sunrpc
          inspect tftp
          inspect xdmcp
          inspect dns preset_dns_map
          inspect ftp
          inspect h323 h225

    Use the show running-config service-policy command, and check whether the
    policy map is applied, either globally or to a single interface. The
    following output shows the global_policy policy map applied globally:

        asa# show running-config service-policy
        service-policy global_policy global

    If the policy map that contains the inspect mgcp <map_name> command is
    applied globally or to an interface, MGCP inspection is enabled.

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect Cisco
    Firepower Management Center (FMC).

Workarounds

  o There are no workarounds that address these vulnerabilities.
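    As an added example (not Cisco's or AusCERT's code), the following Python
    script automates the two-step check in "Determining if MGCP Inspection Is
    Enabled" above on saved CLI output: it lists the Layer 3/4 policy maps
    that carry inspect mgcp, then reports only those that service-policy
    actually applies, globally or to an interface. The sample outputs are
    constructed from the advisory's excerpts; the map name mgcp_map, the
    policy map voice_policy, the class voice_class and the interface name
    outside are made up for the demonstration.

```python
"""Decide whether MGCP inspection is active on a Cisco ASA from CLI output.

Added example, not Cisco's or AusCERT's code.  Step 1: find Layer 3/4 policy
maps containing `inspect mgcp <map_name>` in `show running-config
policy-map`.  Step 2: keep only those applied by a `service-policy` line in
`show running-config service-policy`.  A policy map that is defined but not
applied does not enable inspection, which is exactly the advisory's rule.
"""
import re
from typing import Dict, List,  Optional, Set

# Constructed `show running-config policy-map` output.  The
# `policy-map type inspect mgcp mgcp_map` block only defines the inspection
# map; it does not enable inspection, so a naive grep for "mgcp" over-reports.
POLICY_MAP_OUTPUT = """\
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect mgcp mgcp_map
 parameters
  call-agent 10.10.11.5 101
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect mgcp mgcp_map
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
policy-map voice_policy
 class voice_class
  inspect mgcp mgcp_map
!
"""

# Constructed `show running-config service-policy` output: only global_policy
# is applied; voice_policy is defined above but never attached.
SERVICE_POLICY_OUTPUT = """\
service-policy global_policy global
"""

POLICY_MAP_RE = re.compile(
    r"^policy-map\s+(?P<type>type\s+inspect\s+\S+\s+)?(?P<name>\S+)")
INSPECT_MGCP_RE = re.compile(r"^\s+inspect\s+mgcp(\s|$)")
SERVICE_POLICY_RE = re.compile(
    r"^service-policy\s+(?P<name>\S+)\s+(?:(?P<global>global)|interface\s+(?P<iface>\S+))")


def policy_maps_with_mgcp(policy_map_output: str) -> Set[str]:
    """Names of Layer 3/4 policy maps that contain an `inspect mgcp` action."""
    found: Set[str] = set()
    current: Optional[str] = None
    for line in policy_map_output.splitlines():
        m = POLICY_MAP_RE.match(line)
        if m:
            # Inspection maps (`policy-map type inspect ...`) cannot carry
            # `inspect` actions, so their bodies are skipped.
            current = None if m.group("type") else m.group("name")
            continue
        if current and INSPECT_MGCP_RE.match(line):
            found.add(current)
    return found


def applied_policy_maps(service_policy_output: str) -> Dict[str, List[str]]:
    """policy-map name -> attachment points ('global' or an interface name)."""
    applied: Dict[str, List[str]] = {}
    for line in service_policy_output.splitlines():
        m = SERVICE_POLICY_RE.match(line.strip())
        if m:
            where = "global" if m.group("global") else m.group("iface")
            applied.setdefault(m.group("name"), []).append(where)
    return applied


def mgcp_inspection_points(policy_map_output: str,
                           service_policy_output: str) -> List[str]:
    """Active MGCP inspection points as 'policy-map@where'; empty = disabled."""
    with_mgcp = policy_maps_with_mgcp(policy_map_output)
    applied = applied_policy_maps(service_policy_output)
    return sorted(f"{name}@{where}" for name, places in applied.items()
                  if name in with_mgcp for where in places)


if __name__ == "__main__":
    points = mgcp_inspection_points(POLICY_MAP_OUTPUT, SERVICE_POLICY_OUTPUT)
    print("MGCP inspection enabled at:", points or "nowhere")
```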
    To reduce the attack surface for exploitation of these vulnerabilities,
    administrators could implement an access control policy that denies MGCP
    traffic on untrusted interfaces.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.
    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following tables, the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerabilities described in this advisory and the first release that
    includes the fix for these vulnerabilities. The right column indicates
    whether a release is affected by any of the vulnerabilities described in
    this bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +------------------------+------------------------------+--------------------------------+
    | Cisco ASA Major        | First Fixed Release          | First Fixed Release for All    |
    | Release                | for These Vulnerabilities    | Vulnerabilities Described in   |
    |                        |                              | the Bundle of Advisories       |
    +------------------------+------------------------------+--------------------------------+
    | Earlier than 9.5 ^1    | Migrate to a fixed release.  | Migrate to a fixed release.    |
    | 9.5                    | Migrate to a fixed release.  | Migrate to a fixed release.    |
    | 9.6                    | 9.6.4.34                     | Migrate to a fixed release.    |
    | 9.7 ^1                 | Migrate to a fixed release.  | Migrate to a fixed release.    |
    | 9.8                    | 9.8.4.7                      | 9.8.4.20                       |
    | 9.9                    | 9.9.2.66                     | 9.9.2.67                       |
    | 9.10                   | 9.10.1.27                    | 9.10.1.40                      |
    | 9.12                   | 9.12.2.1                     | 9.12.3.9                       |
    | 9.13                   | Not vulnerable.              | 9.13.1.10                      |
    | 9.14                   | Not vulnerable.              | Not vulnerable.                |
    +------------------------+------------------------------+--------------------------------+

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for these
       vulnerabilities.

    Cisco FTD Software

    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | Cisco FTD Major        | First Fixed Release for These Vulnerabilities      | First Fixed Release for All Vulnerabilities        |
    | Release                |                                                    | Described in the Bundle of Advisories              |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | Earlier than 6.1.0 ^1  | Migrate to a fixed release.                        | Migrate to a fixed release.                        |
    | 6.1.0                  | Migrate to a fixed release.                        | Migrate to a fixed release.                        |
    | 6.2.0                  | Migrate to a fixed release.                        | Migrate to a fixed release.                        |
    | 6.2.1                  | Migrate to a fixed release.                        | Migrate to a fixed release.                        |
    | 6.2.2                  | Migrate to a fixed release.                        | Migrate to a fixed release.                        |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.2.3                  | 6.2.3.16 (June 2020)                               | 6.2.3.16 (June 2020)                               |
    |                        | Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar          | Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar          |
    |                        | Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar | Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar |
    |                        | Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar      | Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar      |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.3.0                  | 6.3.0.4                                            | 6.3.0.6 (future release)                           |
    |                        |                                                    | Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar           |
    |                        |                                                    | Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar  |
    |                        |                                                    | Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar       |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.4.0                  | 6.4.0.4                                            | 6.4.0.9 (May 2020)                                 |
    |                        |                                                    | Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar           |
    |                        |                                                    |   and later                                        |
    |                        |                                                    | Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar  |
    |                        |                                                    |   and later                                        |
    |                        |                                                    | Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar  |
    |                        |                                                    |   and later                                        |
    |                        |                                                    | Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar       |
    |                        |                                                    |   and later                                        |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.5.0                  | Not vulnerable.                                    | 6.5.0.5 (future release)                           |
    |                        |                                                    | Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar            |
    |                        |                                                    |   and later                                        |
    |                        |                                                    | Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar   |
    |                        |                                                    |   and later                                        |
    |                        |                                                    | Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar   |
    |                        |                                                    |   and later                                        |
    |                        |                                                    | Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar        |
    |                        |                                                    |   and later                                        |
    +------------------------+----------------------------------------------------+----------------------------------------------------+
    | 6.6.0                  | Not vulnerable.                                    | 6.6.0                                              |
    +------------------------+----------------------------------------------------+----------------------------------------------------+

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
       of software maintenance. Customers are advised to migrate to a
       supported release that includes the fix for these vulnerabilities.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

    o For devices that are managed by using Cisco Firepower Management Center
      (FMC), use the FMC interface to install the upgrade. After installation
      is complete, reapply the access control policy.

    o For devices that are managed by using Cisco Firepower Device Manager
      (FDM), use the FDM interface to install the upgrade. After installation
      is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.

Source

  o These vulnerabilities were found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-mgcp-SUqB8VKH

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Release   |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Releases | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
Malformed OSPF Packets Processing Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-asa-ftd-ospf-dos-RhMQY8qx
First Published: 2020 May 6 16:00 GMT
Last Updated:    2020 May 15 14:10 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvs50459
CVE-2020-3298
CWE-125
CVSS Score:      8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Open Shortest Path First (OSPF) implementation of
    Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower
    Threat Defense (FTD) Software could allow an unauthenticated, remote
    attacker to cause the reload of an affected device, resulting in a denial
    of service (DoS) condition.

    The vulnerability is due to improper memory protection mechanisms while
    processing certain OSPF packets. An attacker could exploit this
    vulnerability by sending a series of malformed OSPF packets in a short
    period of time to an affected device. A successful exploit could allow
    the attacker to cause a reload of the affected device, resulting in a DoS
    condition for client traffic that is traversing the device.

    Cisco has released software updates that address the vulnerability
    described in this advisory. There are no workarounds that address this
    vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-dos-RhMQY8qx

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities.
    For a complete list of the advisories and links to them, see Cisco Event
    Response: May 2020 Cisco ASA, FMC, and FTD Software Security Advisory
    Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products that are running a vulnerable
    release of Cisco ASA Software or Cisco FTD Software that is configured to
    support OSPF routing with LLS block processing enabled.

    Note: LLS block processing is enabled by default.

    Determine Whether OSPF Routing Is Configured on an ASA Device

    To determine whether OSPF routing is configured on an ASA device,
    administrators can use the show ospf privileged mode command. If no
    output is returned, OSPF routing is not configured. In the following
    example, the device is configured for OSPF routing:

        asa# show ospf
        Routing Process "ospf 2" with ID 10.1.89.2 and Domain ID 0.0.0.2
         Supports only single TOS(TOS0) routes
         Supports opaque LSA
         . . .

    Determine Whether OSPF Routing Is Configured on an FTD Device

    To determine whether OSPF routing is configured on an FTD device,
    administrators can do one of the following:

    o For devices that are managed by using Cisco Firepower Management Center
      (FMC), choose Devices > Device Management, select the device of
      interest, and then choose Routing > OSPF. If either Process 1 or
      Process 2 has a check mark, OSPF is enabled on the device.

    o For devices that are managed by using Cisco Firepower Device Manager
      (FDM), choose Device > Advanced Configuration > View Configuration >
      Smart CLI > Routing. If there is an object with the type of OSPF, then
      OSPF is enabled on the device.

    For information about which Cisco ASA Software and FTD Software releases
    are vulnerable, see the Fixed Software section of this advisory.

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco
    Firepower Management Center (FMC) Software.
Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.
    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following tables, the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates
    whether a release is affected by any of the vulnerabilities described in
    this bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +--------------+------------------------------+------------------------------+
    | Cisco ASA    | First Fixed Release for This | First Fixed Release for All  |
    | Software     | Vulnerability                | Vulnerabilities Described in |
    | Release      |                              | the Bundle of Advisories     |
    +--------------+------------------------------+------------------------------+
    | Earlier than | Not vulnerable.              | Migrate to a fixed release.  |
    | 9.5 ^1       |                              |                              |
    +--------------+------------------------------+------------------------------+
    | 9.5 ^1       | Not vulnerable.              | Migrate to a fixed release.  |
    +--------------+------------------------------+------------------------------+
    | 9.6          | 9.6.4.40                     | Migrate to a fixed release.  |
    +--------------+------------------------------+------------------------------+
    | 9.7 ^1       | Migrate to a fixed release.  | Migrate to a fixed release.  |
    +--------------+------------------------------+------------------------------+
    | 9.8          | 9.8.4.17                     | 9.8.4.20                     |
    +--------------+------------------------------+------------------------------+
    | 9.9          | 9.9.2.66                     | 9.9.2.67                     |
    +--------------+------------------------------+------------------------------+
    | 9.10         | 9.10.1.37                    | 9.10.1.40                    |
    +--------------+------------------------------+------------------------------+
    | 9.12         | 9.12.3.7                     | 9.12.3.9                     |
    +--------------+------------------------------+------------------------------+
    | 9.13         | 9.13.1.7                     | 9.13.1.10                    |
    +--------------+------------------------------+------------------------------+
    | 9.14         | Not vulnerable.              | Not vulnerable.              |
    +--------------+------------------------------+------------------------------+

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for this
       vulnerability.

    Cisco FTD Software

    For each Cisco FTD Software release below, the first fixed release for
    this vulnerability is given, followed by the first fixed release for all
    vulnerabilities described in the bundle of advisories. Where both are the
    same, they are given once.

      Earlier than 6.1.0 ^1
        This vulnerability: Not vulnerable.
        All vulnerabilities in the bundle: Migrate to a fixed release.

      6.1.0
        This vulnerability: Not vulnerable.
        All vulnerabilities in the bundle: Migrate to a fixed release.

      6.2.0
        This vulnerability: Not vulnerable.
        All vulnerabilities in the bundle: Migrate to a fixed release.

      6.2.1
        This vulnerability: Not vulnerable.
        All vulnerabilities in the bundle: Migrate to a fixed release.

      6.2.2
        This vulnerability: Not vulnerable.
        All vulnerabilities in the bundle: Migrate to a fixed release.

      6.2.3
        This vulnerability and all vulnerabilities in the bundle:
          6.2.3.16 (June 2020)
          Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
          Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
          Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar

      6.3.0
        This vulnerability and all vulnerabilities in the bundle:
          6.3.0.6 (future release)
          Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
          Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
          Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar

      6.4.0
        This vulnerability and all vulnerabilities in the bundle:
          6.4.0.9 (May 2020)
          Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
          Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
          Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
          Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later

      6.5.0
        This vulnerability and all vulnerabilities in the bundle:
          6.5.0.5 (future release)
          Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
          Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
          Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
          Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later

      6.6.0
        This vulnerability: Not vulnerable.
        All vulnerabilities in the bundle: 6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
       of software maintenance.
       Customers are advised to migrate to a supported release that includes
       the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.

      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Santosh Krishnamurthy of Cisco during
    internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-dos-RhMQY8qx

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.1     | Updated ASA Fixed Release   | Fixed    | Final  | 2020-MAY-06 |
    |         | table to indicate 9.10.1.40 | Releases |        |             |
    |         | as the correct fixed        |          |        |             |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
IPv6 DNS Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-asaftd-ipv6-67pA658k
First Published: 2020 May 6 16:00 GMT
Last Updated:    2020 May 15 14:36 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr07419
CVE-2020-3191    CWE-20
CVSS Score: 8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in DNS over IPv6 packet processing for Cisco Adaptive
    Security Appliance (ASA) Software and Firepower Threat Defense (FTD)
    Software could allow an unauthenticated, remote attacker to cause the
    device to unexpectedly reload, resulting in a denial of service (DoS)
    condition.

    The vulnerability is due to improper length validation of a field in an
    IPv6 DNS packet. An attacker could exploit this vulnerability by sending a
    crafted DNS query over IPv6 that traverses the affected device. A
    successful exploit could allow the attacker to cause the device to reload,
    resulting in a DoS condition. This vulnerability is specific to DNS over
    IPv6 traffic only.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipv6-67pA658k

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects vulnerable releases of Cisco ASA Software or
    FTD Software when configured with the IPv6 protocol.

    Determining Whether IPv6 Routes Are Present

    Administrators can use the show ipv6 route summary CLI command to
    determine if there are IPv6 routes present over which DNS can traverse. If
    the command returns the presence of at least two nonlocal routes in the
    output, the device is considered vulnerable.

      ciscoasa# show ipv6 route summary
      IPv6 Routing Table Summary - 6 entries
        3 local, 1 connected, 2 static, 0 BGP, 0 IS-IS, 0 OSPF
        Number of prefixes:
          /0: 1, /3: 1, /8: 1, /10: 1, /64: 1, /128: 1

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC).

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license.
    By installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following tables, the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates
    whether a release is affected by any of the vulnerabilities described in
    this bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    +--------------+------------------------------+------------------------------+
    | Cisco ASA    | First Fixed Release for This | First Fixed Release for All  |
    | Software     | Vulnerability                | Vulnerabilities Described in |
    | Release      |                              | the Bundle of Advisories     |
    +--------------+------------------------------+------------------------------+
    | Earlier than | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 9.5 ^1       |                              |                              |
    +--------------+------------------------------+------------------------------+
    | 9.6          | 9.6.4.36                     | Migrate to a fixed release.  |
    +--------------+------------------------------+------------------------------+
    | 9.7 ^1       | Migrate to a fixed release.  | Migrate to a fixed release.  |
    +--------------+------------------------------+------------------------------+
    | 9.8          | 9.8.4.12                     | 9.8.4.20                     |
    +--------------+------------------------------+------------------------------+
    | 9.9          | 9.9.2.66                     | 9.9.2.67                     |
    +--------------+------------------------------+------------------------------+
    | 9.10         | 9.10.1.37                    | 9.10.1.40                    |
    +--------------+------------------------------+------------------------------+
    | 9.12         | 9.12.2.9                     | 9.12.3.9                     |
    +--------------+------------------------------+------------------------------+
    | 9.13         | Not vulnerable.              | 9.13.1.10                    |
    +--------------+------------------------------+------------------------------+
    | 9.14         | Not vulnerable.              | Not vulnerable.              |
    +--------------+------------------------------+------------------------------+

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for this
       vulnerability.

    Cisco FTD Software

    For each Cisco FTD Software release below, the first fixed release for
    this vulnerability is given, followed by the first fixed release for all
    vulnerabilities described in the bundle of advisories. Where both are the
    same, they are given once.

      Earlier than 6.1.0 ^1
        This vulnerability: Migrate to a fixed release.
        All vulnerabilities in the bundle: Migrate to a fixed release.

      6.1.0
        This vulnerability: Migrate to a fixed release.
        All vulnerabilities in the bundle: Migrate to a fixed release.

      6.2.0
        This vulnerability: Migrate to a fixed release.
        All vulnerabilities in the bundle: Migrate to a fixed release.

      6.2.1
        This vulnerability: Migrate to a fixed release.
        All vulnerabilities in the bundle: Migrate to a fixed release.

      6.2.2
        This vulnerability: Migrate to a fixed release.
        All vulnerabilities in the bundle: Migrate to a fixed release.

      6.2.3
        This vulnerability and all vulnerabilities in the bundle:
          6.2.3.16 (June 2020)
          Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
          Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
          Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar

      6.3.0
        This vulnerability and all vulnerabilities in the bundle:
          6.3.0.6 (future release)
          Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
          Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
          Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar

      6.4.0
        This vulnerability: 6.4.0.6
        All vulnerabilities in the bundle:
          6.4.0.9 (May 2020)
          Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
          Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
          Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
          Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later

      6.5.0
        This vulnerability: Not vulnerable.
        All vulnerabilities in the bundle:
          6.5.0.5 (future release)
          Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
          Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
          Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
          Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later

      6.6.0
        This vulnerability: Not vulnerable.
        All vulnerabilities in the bundle: 6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
       of software maintenance. Customers are advised to migrate to a
       supported release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.

      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.
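    The following Python script is an added example (it is not part of the
    Cisco advisory or of this bulletin) that applies the show ipv6 route
    summary rule from the Vulnerable Products section of this advisory to
    captured CLI output. It reads the "N entries" header and the per-source
    counts on the line after it, and counts nonlocal routes as total entries
    minus local entries; that subtraction is this example's reading of the
    advisory's "at least two nonlocal routes" rule, not wording from the
    advisory. The first sample is the advisory's own output; the local-only
    sample is constructed.

```python
"""Exposure check for the IPv6 DNS advisory (cisco-sa-asaftd-ipv6-67pA658k).

Added example, not Cisco's or AusCERT's code.  Applies the advisory's rule
to captured `show ipv6 route summary` output: with at least two nonlocal
IPv6 routes the device is considered vulnerable (on an affected release).
'Nonlocal' is counted here as total entries minus local entries, which is
this example's reading of the rule.
"""
import re

# Output copied from the advisory's example: 6 entries, 3 of them local.
SAMPLE_ROUTE_SUMMARY = """\
ciscoasa# show ipv6 route summary
IPv6 Routing Table Summary - 6 entries
  3 local, 1 connected, 2 static, 0 BGP, 0 IS-IS, 0 OSPF
  Number of prefixes:
    /0: 1, /3: 1, /8: 1, /10: 1, /64: 1, /128: 1
"""

# Constructed: IPv6 enabled, but no routes beyond the device's own local
# entries, so DNS over IPv6 has nowhere to traverse.
SAMPLE_LOCAL_ONLY = """\
ci# show ipv6 route summary
IPv6 Routing Table Summary - 3 entries
  3 local, 0 connected, 0 static, 0 BGP, 0 IS-IS, 0 OSPF
"""

_HEADER_RE = re.compile(r"IPv6 Routing Table Summary - (\d+) entries")
_COUNT_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z-]*)")


def parse_route_summary(text):
    """Return a dict like {'entries': 6, 'local': 3, 'connected': 1, ...}.

    Only the header line and the per-source line directly after it are read,
    so the 'Number of prefixes' lines cannot be mistaken for route sources.
    Raises ValueError when the header is absent (IPv6 not enabled, or the
    wrong command was captured)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = _HEADER_RE.search(line)
        if m:
            counts = {"entries": int(m.group(1))}
            if i + 1 < len(lines):
                for n, source in _COUNT_RE.findall(lines[i + 1]):
                    counts[source.lower()] = int(n)
            return counts
    raise ValueError("no IPv6 routing table summary in output")


def nonlocal_routes(counts):
    """Routes over which DNS traffic can traverse: everything except 'local'."""
    return counts["entries"] - counts.get("local", 0)


def ipv6_routes_present(text, threshold=2):
    """Advisory rule: at least `threshold` nonlocal routes -> considered vulnerable."""
    return nonlocal_routes(parse_route_summary(text)) >= threshold


if __name__ == "__main__":
    for name, sample in (("advisory example", SAMPLE_ROUTE_SUMMARY),
                         ("local only", SAMPLE_LOCAL_ONLY)):
        counts = parse_route_summary(sample)
        print(name, counts, "nonlocal:", nonlocal_routes(counts),
              "vulnerable:", ipv6_routes_present(sample))
```

    The route check only answers the configuration half of the question; the
    release still has to be compared against the tables above, since 9.13,
    9.14, 6.5.0 and 6.6.0 are not vulnerable regardless of routing.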
Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Sanmith Prakash of Cisco during internal
    security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipv6-67pA658k

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.1     | Updated ASA Fixed Release   | Fixed    | Final  | 2020-MAY-06 |
    |         | table to indicate 9.10.1.40 | Releases |        |             |
    |         | as the correct fixed        |          |        |             |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
IKEv1 Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-asa-dos-BqYFRJt9
First Published: 2020 May 6 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvq66080
CVE-2020-3303    CWE-399
CVSS Score: 6.8  AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Internet Key Exchange version 1 (IKEv1) feature of
    Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower
    Threat Defense (FTD) Software could allow an unauthenticated, remote
    attacker to cause a denial of service (DoS) condition.

    The vulnerability is due to improper management of system memory. An
    attacker could exploit this vulnerability by sending malicious IKEv1
    traffic to an affected device. A successful exploit could allow the
    attacker to cause a DoS condition on the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-BqYFRJt9

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected vulnerable
    releases of Cisco ASA Software and FTD Software.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory. See the Details section in
    the bug ID(s) at the top of this advisory for the most complete and
    current information.

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.
    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC).

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    tables was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco ASA Software

    +------------------------------+--------------------------------------------+
    | Cisco ASA Software Release   | First Fixed Release for This Vulnerability |
    +------------------------------+--------------------------------------------+
    | Earlier than 9.5^1           | Migrate to a fixed release.                |
    | 9.6                          | 9.6.4.36                                   |
    | 9.7^1                        | Migrate to a fixed release.                |
    | 9.8                          | 9.8.4.10                                   |
    | 9.9                          | Migrate to a fixed release.                |
    | 9.10                         | 9.10.1.30                                  |
    | 9.12                         | 9.12.2.9                                   |
    | 9.13                         | Not vulnerable.                            |
    | 9.14                         | Not vulnerable.                            |
    +------------------------------+--------------------------------------------+

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for this
       vulnerability.

    Cisco FTD Software

    +------------------------------+--------------------------------------------+
    | Cisco FTD Software Release   | First Fixed Release for This Vulnerability |
    +------------------------------+--------------------------------------------+
    | Earlier than 6.1.0^1         | Migrate to a fixed release.                |
    | 6.1.0                        | Migrate to a fixed release.                |
    | 6.2.0                        | Migrate to a fixed release.                |
    | 6.2.1                        | Migrate to a fixed release.                |
    | 6.2.2                        | Migrate to a fixed release.                |
    | 6.2.3                        | Migrate to a fixed release.                |
    | 6.3.0                        | 6.3.0.5                                    |
    | 6.4.0                        | 6.4.0.6                                    |
    | 6.5.0                        | Not vulnerable.                            |
    | 6.6.0                        | Not vulnerable.                            |
    +------------------------------+--------------------------------------------+

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
       of software maintenance. Customers are advised to migrate to a
       supported release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.

      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-BqYFRJt9

Revision History

  o +----------+----------------------------+----------+---------+---------------+
    | Version  | Description                | Section  | Status  | Date          |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --       | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
DHCP Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-asaftd-dos-qk8cTGLz
First Published: 2020 May 6 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvq41939
CVE-2020-3306    CWE-400
CVSS Score: 6.8  AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the DHCP module of Cisco Adaptive Security Appliance
    (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could
    allow an unauthenticated, remote attacker to cause a denial of service
    (DoS) condition on the affected device.

    The vulnerability is due to incorrect processing of certain DHCP packets.
    An attacker could exploit this vulnerability by sending a crafted DHCP
    packet to the affected device. A successful exploit could allow the
    attacker to cause a DoS condition on the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-dos-qk8cTGLz

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products that are running a vulnerable
    release of Cisco ASA Software or Cisco FTD Software.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory. See the Details section in
    the bug ID(s) at the top of this advisory for the most complete and
    current information.

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.
    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC).

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    tables was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco ASA Software

    +------------------------------+--------------------------------------------+
    | Cisco ASA Software Release   | First Fixed Release for This Vulnerability |
    +------------------------------+--------------------------------------------+
    | Earlier than 9.5^1           | Migrate to a fixed release.                |
    | 9.6                          | 9.6.4.34                                   |
    | 9.7^1                        | Migrate to a fixed release.                |
    | 9.8                          | 9.8.4.10                                   |
    | 9.9                          | Migrate to a fixed release.                |
    | 9.10                         | 9.10.1.30                                  |
    | 9.12                         | 9.12.3                                     |
    | 9.13                         | Not vulnerable.                            |
    | 9.14                         | Not vulnerable.                            |
    +------------------------------+--------------------------------------------+

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for this
       vulnerability.

    Cisco FTD Software

    +------------------------------+--------------------------------------------+
    | Cisco FTD Software Release   | First Fixed Release for This Vulnerability |
    +------------------------------+--------------------------------------------+
    | Earlier than 6.1.0^1         | Migrate to a fixed release.                |
    | 6.1.0                        | Migrate to a fixed release.                |
    | 6.2.0                        | Migrate to a fixed release.                |
    | 6.2.1                        | Migrate to a fixed release.                |
    | 6.2.2                        | Migrate to a fixed release.                |
    | 6.2.3                        | Migrate to a fixed release.                |
    | 6.3.0                        | 6.3.0.5                                    |
    | 6.4.0                        | 6.4.0.4                                    |
    | 6.5.0                        | Not vulnerable.                            |
    | 6.6.0                        | Not vulnerable.                            |
    +------------------------------+--------------------------------------------+

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
       of software maintenance. Customers are advised to migrate to a
       supported release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.

      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-dos-qk8cTGLz

Revision History

  o +----------+----------------------------+----------+---------+---------------+
    | Version  | Description                | Section  | Status  | Date          |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --       | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
BGP Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-asa-dos-P43GCE5j
First Published: 2020 May 6 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvq66092
CVE-2020-3305    CWE-400
CVSS Score: 6.8  AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the implementation of the Border Gateway Protocol (BGP)
    module in Cisco Adaptive Security Appliance (ASA) Software and Cisco
    Firepower Threat Defense (FTD) Software could allow an unauthenticated,
    remote attacker to cause a denial of service (DoS) condition.

    The vulnerability is due to incorrect processing of certain BGP packets.
    An attacker could exploit this vulnerability by sending a crafted BGP
    packet. A successful exploit could allow the attacker to cause a DoS
    condition on the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-P43GCE5j

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected vulnerable
    releases of Cisco ASA Software and Cisco FTD Software.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory. See the Details section in
    the bug ID(s) at the top of this advisory for the most complete and
    current information.

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.
    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC).

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    tables was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco ASA Software

    +------------------------------+--------------------------------------------+
    | Cisco ASA Software Release   | First Fixed Release for This Vulnerability |
    +------------------------------+--------------------------------------------+
    | Earlier than 9.5^1           | Migrate to a fixed release.                |
    | 9.6                          | 9.6.4.36                                   |
    | 9.7^1                        | Migrate to a fixed release.                |
    | 9.8                          | 9.8.4.10                                   |
    | 9.9                          | Migrate to a fixed release.                |
    | 9.10                         | 9.10.1.30                                  |
    | 9.12                         | 9.12.2.9                                   |
    | 9.13                         | Not vulnerable.                            |
    | 9.14                         | Not vulnerable.                            |
    +------------------------------+--------------------------------------------+

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for this
       vulnerability.

    Cisco FTD Software

    +------------------------------+--------------------------------------------+
    | Cisco FTD Software Release   | First Fixed Release for This Vulnerability |
    +------------------------------+--------------------------------------------+
    | Earlier than 6.1.0^1         | Migrate to a fixed release.                |
    | 6.1.0                        | Migrate to a fixed release.                |
    | 6.2.0                        | Migrate to a fixed release.                |
    | 6.2.1                        | Migrate to a fixed release.                |
    | 6.2.2                        | Migrate to a fixed release.                |
    | 6.2.3                        | Migrate to a fixed release.                |
    | 6.3.0                        | 6.3.0.5                                    |
    | 6.4.0                        | 6.4.0.6                                    |
    | 6.5.0                        | Not vulnerable.                            |
    | 6.6.0                        | Not vulnerable.                            |
    +------------------------------+--------------------------------------------+

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
       of software maintenance. Customers are advised to migrate to a
       supported release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.

      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-P43GCE5j

Revision History

  o +----------+----------------------------+----------+---------+---------------+
    | Version  | Description                | Section  | Status  | Date          |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --       | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software Kerberos Authentication Bypass
Vulnerability

Priority:        High
Advisory ID:     cisco-asa-kerberos-bypass-96Gghe2sS
First Published: 2020 May 6 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvq73534
CVE-2020-3125    CWE-287
CVSS Score: 8.1  AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Kerberos authentication feature of Cisco Adaptive
    Security Appliance (ASA) Software could allow an unauthenticated, remote
    attacker to impersonate the Kerberos key distribution center (KDC) and
    bypass authentication on an affected device that is configured to perform
    Kerberos authentication for VPN or local device access.

    The vulnerability is due to insufficient identity verification of the KDC
    when a successful authentication response is received. An attacker could
    exploit this vulnerability by spoofing the KDC server response to the ASA
    device. This malicious response would not have been authenticated by the
    KDC. A successful attack could allow an attacker to bypass Kerberos
    authentication.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    Note: Configuration changes after the software upgrade are necessary to
    address this vulnerability. See the Details section of this advisory for
    additional information.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities.
    For a complete list of the advisories and links to them, see Cisco Event
    Response: May 2020 Cisco ASA, FMC, and FTD Software Security Advisory
    Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running Cisco ASA
    Software with Kerberos authentication configured for VPN or local device
    access.

    Determine Whether Kerberos Authentication Is Configured

    Administrators can use the show running-config aaa-server | include
    kerberos command to determine whether a Kerberos server is configured. The
    following example shows the output of the command for a device that has
    one Kerberos server configured that is named asaKerberosTestServer:

    device(config)# show running-config aaa-server | include kerberos
    aaa-server asaKerberosTestServer protocol kerberos
     kerberos-realm DEV.ASA.TEST

    If the Kerberos server name that is returned in the output is referenced
    elsewhere in the configuration^1, that Kerberos server is being used for
    authentication. Administrators can use the show running-config all |
    include <kerberos server name> command to verify whether Kerberos
    authentication is configured. In the following example, the Kerberos
    server name asaKerberosTestServer is configured for Secure Shell (SSH)
    console authentication (Kerberos authentication can also be configured for
    VPN access):

    device(config)# show running-config all | include asaKerberosTestServer
    aaa-server asaKerberosTestServer protocol kerberos
    aaa-server asaKerberosTestServer (inside) host DEV.ASA.TEST
    aaa authentication ssh console asaKerberosTestServer

    1. The kcd-server <kerberos server name> CLI command is an exception. If
       the only instance of the Kerberos server name is this command, the
       device is not vulnerable.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.
    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC) Software or Cisco Firepower Threat Defense (FTD)
    Software.

Details

  o Configuration changes after the software upgrade are necessary to address
    this vulnerability. Cisco ASA devices are vulnerable and can still be
    exploited unless the CLI commands validate-kdc and aaa kerberos
    import-keytab are configured. These new configuration commands ensure that
    the ASA validates the KDC during every user authentication transaction,
    which prevents the vulnerability that is described in this security
    advisory.

    Administrators can configure the new commands by entering the validate-kdc
    command and then the aaa kerberos import-keytab command in the device CLI.

    When the validate-kdc command is enabled, the ASA will validate the
    Kerberos server (KDC) during every user authentication transaction with
    that server by requesting a service ticket for the user and verifying the
    response against a previously stored key table (keytab). The aaa kerberos
    import-keytab command imports a Kerberos keytab file to the ASA.

    The following output shows the configuration of the validate-kdc and aaa
    kerberos import-keytab commands:

    device(config)# validate-kdc
    device(config)# aaa kerberos import-keytab disk0:mykeytab
    device# show aaa kerberos keytab
    Principal: host/testing@DEV.ASA.TEST
    Key version: 10
    Key type: arcfour (23)

    For more information about the new commands, see the Cisco ASA Series
    Command Reference, A - H Commands (aaa kerberos import-keytab command) and
    the Cisco ASA Series Command Reference, T - Z Commands (validate-kdc
    command).

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license.
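The keytab that aaa kerberos import-keytab loads is what validate-kdc checks the KDC's service-ticket response against, so it is worth knowing what a keytab actually contains before importing it. The Python script below is an added example written for this bulletin, not Cisco code and not part of the advisory: it parses an MIT-format keytab (the 0x0502 layout that current Kerberos tooling writes) and prints each entry the way show aaa kerberos keytab does. The keytab bytes are constructed inside the script; the principal host/testing@DEV.ASA.TEST, key version 10 and key type 23 are taken from the advisory output, while the key material and the second AES entry are made up, and the enctype names follow RFC 3961/RFC 4757.

```python
"""Parse an MIT-format Kerberos keytab (version 0x0502) and summarise its
entries the way `show aaa kerberos keytab` does (principal, key version,
key type). Added example; the sample keytab is constructed in-line."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Encryption type numbers from RFC 3961 / RFC 4757 (subset).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Single DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated for Kerberos.
WEAK_ENCTYPES = {1, 3, 16, 23}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes

    def describe(self) -> str:
        name = ENCTYPE_NAMES.get(self.enctype, "unknown")
        return (f"Principal: {self.principal} Key version: {self.kvno} "
                f"Key type: {name} ({self.enctype})")


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """uint16 length-prefixed octet string; returns (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted-entry hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)   # v2: realm not counted
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key))
    return entries


def weak_entries(entries: List[KeytabEntry]) -> List[KeytabEntry]:
    """Entries whose enctype a defender should ask the domain to replace."""
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]


def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one keytab entry (used here only to construct the sample)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                   # vno32
    return struct.pack(">i", len(body)) + body


# Constructed sample: the advisory's principal and kvno with made-up key bytes,
# plus a second AES entry whose kvno exceeds 255 to exercise the vno32 field.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("host/testing@DEV.ASA.TEST", 10, 23, bytes(range(16)))
                 + build_entry("host/testing@DEV.ASA.TEST", 300, 18, bytes(range(32))))

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry.describe())
```

Key type 23 in the advisory output is RC4-HMAC, which RFC 8429 deprecates; weak_entries flags DES, 3DES and RC4 keys so that an administrator can request an AES keytab (enctype 17 or 18) for the host principal from the domain before importing it. Nothing in this script validates a ticket: once validate-kdc is set, the ASA performs that check on the device against the imported keys.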
    By installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates
    whether a release is affected by any of the vulnerabilities described in
    this bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    Cisco ASA           First Fixed Release          First Fixed Release for All
    Software Release    for This Vulnerability       Vulnerabilities Described in
                                                     the Bundle of Advisories
    Earlier than 9.6^1  Migrate to a fixed release.  Migrate to a fixed release.
    9.6                 Migrate to a fixed release.  Migrate to a fixed release.
    9.7^1               Migrate to a fixed release.  Migrate to a fixed release.
    9.8                 9.8.4.15                     9.8.4.20
    9.9                 9.9.2.66                     9.9.2.67
    9.10                9.10.1.37                    9.10.1.39
    9.12                9.12.3.2                     9.12.3.9
    9.13                9.13.1.7                     9.13.1.10
    9.14                Not vulnerable.              Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for this
       vulnerability.

    Note 1: This vulnerability is fixed in Cisco ASA Software releases 9.8 and
    later through a new set of configuration commands. Cisco ASA devices are
    vulnerable and can still be exploited unless the CLI commands validate-kdc
    and aaa kerberos import-keytab are configured. For more information, see
    the Details section of this advisory.

    Note 2: Cisco does not recommend that customers use Kerberos
    authentication if the Kerberos authentication server is outside of the
    known, trusted network for any Cisco ASA Software release unless the
    validate-kdc and aaa kerberos import-keytab commands have been configured.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.
Source

  o Cisco would like to thank Yoav Iellin, Yaron Kassner, Dor Segal, and Rotem
    Zach of Silverfort for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS

Revision History

  o +----------+----------------------------+----------+---------+---------------+
    | Version  | Description                | Section  | Status  | Date          |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --       | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- -----------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Web Services Information Disclosure Vulnerability

Priority:        High
Advisory ID:     cisco-sa-asaftd-info-disclose-9eJtycMB
First Published: 2020 May 6 16:00 GMT
Last Updated:    2020 May 11 23:00 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt15163
CVE-2020-3259    CWE-200
CVSS Score:      7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web services interface of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to retrieve memory
    contents on an affected device, which could lead to the disclosure of
    confidential information.
    The vulnerability is due to a buffer tracking issue when the software
    parses invalid URLs that are requested from the web services interface. An
    attacker could exploit this vulnerability by sending a crafted GET request
    to the web services interface. A successful exploit could allow the
    attacker to retrieve memory contents, which could lead to the disclosure
    of confidential information.

    Note: This vulnerability affects only specific AnyConnect and WebVPN
    configurations. For more information, see the Vulnerable Products section.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a vulnerable
    release of Cisco ASA Software or FTD Software with a vulnerable AnyConnect
    or WebVPN configuration.

    Cisco ASA Software

    In the following table, the left column lists the Cisco ASA Software
    features that are vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command.
    If the device is running a vulnerable release and is configured for one of
    these features, it is vulnerable.

    Cisco ASA Software Feature        Vulnerable Configuration
    AnyConnect IKEv2 Remote Access    crypto ikev2 enable <interface_name>
    (with client services)              client-services port <port #>
    AnyConnect SSL VPN                webvpn
                                        enable <interface_name>
    Clientless SSL VPN                webvpn
                                        enable <interface_name>

    Cisco FTD Software

    In the following table, the left column lists the Cisco FTD Software
    features that are vulnerable. The right column indicates the basic
    configuration for the feature from the show running-config CLI command.
    If the device is running a vulnerable release and is configured for one of
    these features, it is vulnerable.

    Cisco FTD Software Feature        Vulnerable Configuration
    AnyConnect IKEv2 Remote Access    crypto ikev2 enable <interface_name>
    (with client services)^1,2          client-services port <port #>
    AnyConnect SSL VPN^1,2            webvpn
                                        enable <interface_name>

    1. Remote Access VPN features are enabled by using Devices > VPN > Remote
       Access in Cisco Firepower Management Center (FMC) or by using Device >
       Remote Access VPN in Cisco Firepower Device Manager (FDM).
    2. Remote Access VPN features are first supported in Cisco FTD Software
       Release 6.2.2.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC) Software.

Details

  o The confidential information that could be disclosed is memory on the
    system heap. The contents of this memory can be different on each system
    and at different times but can include web cookies for the AnyConnect and
    WebVPN features, usernames, email addresses, certificates, and actual heap
    addresses.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory.
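Both the Kerberos advisory's exposure test (is a Kerberos aaa-server referenced anywhere other than in kcd-server?) and this advisory's vulnerable-configuration tables (is webvpn enabled on an interface, or IKEv2 with client-services?) reduce to checks on show running-config output. The script below is an added example written for this bulletin, not Cisco tooling, that runs both checks over a constructed configuration excerpt. The hostname, interface and server names and the kcd-server line in the sample are made up; the has_kdc_validation helper only looks for a validate-kdc line wherever it appears and does not interpret the surrounding mode.

```python
"""Audit an ASA running-config export for two conditions from this bundle:
a Kerberos aaa-server that is actually used for authentication (Kerberos
bypass advisory) and AnyConnect/WebVPN services that expose the web services
interface (information disclosure advisory). Added example; the config text
below is constructed, not taken from a real device."""
import re
from typing import Dict, List

# Constructed `show running-config all` excerpt. Hostname, interface and
# server names and the kcd-server line are made up for this example.
SAMPLE_CONFIG = """\
hostname device
aaa-server asaKerberosTestServer protocol kerberos
 kerberos-realm DEV.ASA.TEST
aaa-server asaKerberosTestServer (inside) host DEV.ASA.TEST
aaa-server kcdOnlyServer protocol kerberos
 kerberos-realm DEV.ASA.TEST
aaa-server kcdOnlyServer (inside) host 192.0.2.10
aaa authentication ssh console asaKerberosTestServer
webvpn
 enable outside
 kcd-server kcdOnlyServer username svc_kcd password PLACEHOLDER
tunnel-group RA-VPN general-attributes
 authentication-server-group asaKerberosTestServer
crypto ikev2 enable outside client-services port 443
"""


def kerberos_servers(config: str) -> List[str]:
    """Names of aaa-server groups defined with protocol kerberos."""
    return re.findall(r"^aaa-server (\S+) protocol kerberos[ \t]*$", config, re.M)


def kerberos_auth_references(config: str, server: str) -> List[str]:
    """Lines that reference `server` apart from its own aaa-server definition
    and the kcd-server exception the advisory calls out."""
    refs = []
    for raw in config.splitlines():
        line = raw.strip()
        if not re.search(rf"(^|\s){re.escape(server)}(\s|$)", line):
            continue
        if line.startswith(f"aaa-server {server} "):
            continue  # definition / host lines are not a use
        if line.startswith(f"kcd-server {server}"):
            continue  # constrained delegation only: not vulnerable per advisory
        refs.append(line)
    return refs


def kerberos_in_use(config: str) -> Dict[str, List[str]]:
    """Map each Kerberos server to the lines that use it for authentication."""
    return {s: kerberos_auth_references(config, s) for s in kerberos_servers(config)}


def has_kdc_validation(config: str) -> bool:
    """True if a validate-kdc line is present anywhere in the config."""
    return any(line.strip() == "validate-kdc" for line in config.splitlines())


def exposed_web_services(config: str) -> List[str]:
    """Features from the advisory's vulnerable-configuration tables."""
    found, in_webvpn = [], False
    for raw in config.splitlines():
        if not raw.startswith(" "):            # top-level command: track webvpn block
            in_webvpn = raw.strip() == "webvpn"
        line = raw.strip()
        if in_webvpn and re.fullmatch(r"enable \S+", line):
            found.append(f"webvpn: {line}")
        m = re.fullmatch(r"crypto ikev2 enable (\S+) client-services port (\d+)", line)
        if m:
            found.append(f"ikev2 client-services on {m.group(1)} port {m.group(2)}")
    return found


def audit(config: str) -> Dict[str, object]:
    """One-shot summary: servers really in use, whether validate-kdc is set,
    and which web-facing VPN features are enabled."""
    in_use = {s: refs for s, refs in kerberos_in_use(config).items() if refs}
    return {
        "kerberos_servers_in_use": in_use,
        "kdc_validation_configured": has_kdc_validation(config),
        "exposed_web_services": exposed_web_services(config),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample, kcdOnlyServer is defined but only referenced by kcd-server, so it drops out of the Kerberos result as the advisory's footnote says it should, while asaKerberosTestServer is reported with both the SSH console line and the tunnel-group line that use it; the web-services check lists the webvpn interface and the IKEv2 client-services port from the vulnerable-configuration tables.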
    Customers may only install and expect support for software versions and
    feature sets for which they have purchased a license. By installing,
    downloading, accessing, or otherwise using such software upgrades,
    customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates
    whether a release is affected by any of the vulnerabilities described in
    this bundle and which release includes fixes for those vulnerabilities.

    Cisco ASA Software

    Cisco ASA           First Fixed Release          First Fixed Release for All
    Software Release    for This Vulnerability       Vulnerabilities Described in
                                                     the Bundle of Advisories
    Earlier than 9.5^1  Migrate to a fixed release.  Migrate to a fixed release.
    9.5^1               Migrate to a fixed release.  Migrate to a fixed release.
    9.6                 9.6.4.41                     Migrate to a fixed release.
    9.7^1               Migrate to a fixed release.  Migrate to a fixed release.
    9.8                 9.8.4.20                     9.8.4.20
    9.9                 9.9.2.67                     9.9.2.67
    9.10                9.10.1.40                    9.10.1.40
    9.12                9.12.3.9                     9.12.3.9
    9.13                9.13.1.10                    9.13.1.10
    9.14                Not vulnerable.              Not vulnerable.

    1. Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7,
       have reached end of software maintenance. Customers are advised to
       migrate to a supported release that includes the fix for this
       vulnerability.

    Cisco FTD Software

    Cisco FTD           First Fixed Release          First Fixed Release for All
    Software Release    for This Vulnerability       Vulnerabilities Described in
                                                     the Bundle of Advisories
    Earlier than        Migrate to a fixed release.  Migrate to a fixed release.
    6.2.3^1
    6.2.3               6.2.3.16 (June 2020)         6.2.3.16 (June 2020)
                        Hotfix files (same for both columns):
                          Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                          Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                          Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar
    6.3.0               6.3.0.6 (future release)     6.3.0.6 (future release)
                        Hotfix files (same for both columns):
                          Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                          Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                          Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar
    6.4.0               6.4.0.9 (May 2020)           6.4.0.9 (May 2020)
                        Hotfix files (same for both columns):
                          Cisco_FTD_Hotfix_AY-6.4.0.9-2.sh.REL.tar
                          Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-2.sh.REL.tar
                          Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-2.sh.REL.tar
                          Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-2.sh.REL.tar
    6.5.0               6.5.0.5 (future release)     6.5.0.5 (future release)
                        Hotfix files (same for both columns):
                          Cisco_FTD_Hotfix_H-6.5.0.5-1.sh.REL.tar
                          Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-1.sh.REL.tar
                          Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-1.sh.REL.tar
                          Cisco_FTD_SSP_Hotfix_H-6.5.0.5-1.sh.REL.tar
    6.6.0               Not vulnerable.              6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
       of software maintenance. Customers are advised to migrate to a
       supported release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

    For devices that are managed by using Cisco Firepower Management Center
    (FMC), use the FMC interface to install the upgrade.
    After installation is complete, reapply the access control policy.

    For devices that are managed by using Cisco Firepower Device Manager
    (FDM), use the FDM interface to install the upgrade. After installation
    is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Mikhail Klyuchnikov and Nikita Abramov of
    Positive Technologies for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version | Description                 | Section  | Status | Date        |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.2     | Updated ASA Fixed Releases  | Fixed    | Final  | 2020-MAY-11 |
    |         | table with 9.6 release.     | Software |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    |         | Updated ASA Fixed Releases  |          |        |             |
    |         | table to indicate 9.10.1.40 | Fixed    |        |             |
    | 1.1     | as the correct fixed        | Software | Final  | 2020-MAY-06 |
    |         | release instead of          |          |        |             |
    |         | 9.10.1.39.                  |          |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXsHyoONLKJtyKPYoAQjPWhAAo0hC417ao5LwgupzIRDlnwf/OxY5s70p
bl8QSlrMj2MgnTbxCHcpCS9lo6bDPLfSlnBm6VhBtvwXEYBrXH79TKBpQ/gEYXhh
RUT2QDLhQd8JembmoL1JjsR4z9U16mlr5DUrLYapHXhRtvDNzf31hBb50Bp1ele9
W5BHNhUyvJ1cmgGr8iDLDaSEOxcxZ2vDzVD6eacdEgnY/mjFYirZInNohU7m8tGW
qECSsYYRacaXOnj+Rh20wSyjEXdXEpH3A1snbvlJxEsDqynC8xAxf7mMWnSb0dDA
T8+mJeZ/g1eADnU4yfsxqG89nwUBJvgGGCeM2pblPHFdnivIDEjTWkixjmEqCFey
Ve/LETg9sslcNRw3lZ+zEq908OHgmVSlP5VyFFAUaRlTWP2QtsLtEvlWRnDg59EN
h4r6LiZZ6RUfCek9LP97Q6jRh7afh9dNmukkhpbFMxVYAllWQZNyHTHRADxUS6sT
EYH9rx2EdHzvq5lTvSyAi2NsncA3u15xT/60INc949hkMlJJCkWg0ghwFiXjCl/D
I8zhx0zu9N/y3Vd+lWGsWJ2cdEkVqMBbf1BJ4/N+cXjPq0qbOaciNerriGZAQg6s
xQET/xtaH/ITxDIoSLst/77ehYoNF7qess4dgzsGWOKNUQwe09eDcicBELrlXNoQ
70FYoyfbW4s=
=Gcn9
-----END PGP SIGNATURE-----