===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2915
 Multiple unresolved vulnerabilities in the Cisco Firepower 9000 switch series
                             24 November 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Firepower 9000
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise                 -- Existing Account
                   Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
                   Denial of Service               -- Console/Physical
Resolution:        None
CVE Names:         CVE-2015-6380 CVE-2015-6374 CVE-2015-6373
                   CVE-2015-6372 CVE-2015-6371 CVE-2015-6370
                   CVE-2015-6369 CVE-2015-6368

Original Bulletin:
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-firepower
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower1
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fire1
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fire
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower2
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower3
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower4
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151123-fire

Comment: Cisco has not released patches or workarounds at this stage.
However, where the vulnerability affects the web interface, AusCERT
recommends that administrators restrict external access to the web
interface until Cisco has released patches and/or workarounds.

This bulletin contains eight (8) Cisco security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Firepower 9000 Unauthenticated File Access Vulnerability

Medium

Advisory ID:    cisco-sa-20151116-firepower
Published:      2015 November 16 00:00 GMT
Version 1.0:    Final
CVSS Score:     Base - 5.0
Workarounds:    No workarounds available
Cisco Bug IDs:  CSCux10608

CVE-2015-6368
CWE-264

Summary

A vulnerability in the web interface of the Cisco Firepower 9000 Series
Switches could allow an unauthenticated, remote attacker to view certain
files on the device that should be restricted.

The vulnerability is due to lack of proper authentication checks when a
request to download and view a file is received. An attacker could exploit
this vulnerability by sending a crafted HTTP request to the affected device.

Cisco has not released software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-firepower

Affected Products

Vulnerable Products

Cisco Firepower 9000 Series Switches version 1.1(1.160).

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

Workarounds

Workarounds are not available.

Fixed Software

When considering software upgrades, customers are advised to consult the
Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-firepower

Revision History

Version  Description             Section  Status  Date
1.0      Initial public release           Final   2015-November-16

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR
MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE
RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.

------------------------------------------------------------------------------

Cisco Firepower 9000 Arbitrary File Read Access Script Vulnerability

Medium

Advisory ID:    cisco-sa-20151117-firepower1
Published:      2015 November 17 00:00 GMT
Version 1.0:    Final
CVSS Score:     Base - 4.0
Workarounds:    No workarounds available
Cisco Bug IDs:  CSCux10621

CVE-2015-6371
CWE-200

Summary

A vulnerability in a user script supplied with Cisco Firepower 9000 devices
could allow an authenticated, remote attacker to view any file on the
device, even ones that should be restricted to authenticated users.

The vulnerability is due to lack of input validation of the parameters
passed to certain user scripts. An attacker could exploit this vulnerability
by authenticating to the device and crafting user input to certain script
files to view files that should be restricted.

Cisco has not released software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower1

Affected Products

Vulnerable Products

Cisco Firepower 9000 Series Switches version 1.1(1.160).

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

Workarounds

There are no workarounds that mitigate this vulnerability.

Fixed Software

When considering software upgrades, customers are advised to consult the
Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution. In all cases, customers should
ensure that the devices to be upgraded contain sufficient memory and confirm
that current hardware and software configurations will continue to be
supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower1

Revision History

Version  Description             Section  Status  Date
1.0      Initial public release           Final   2015-November-17

------------------------------------------------------------------------------

Cisco Firepower 9000 Command Injection at Management I/O Command-Line
Interface Vulnerability

Medium

Advisory ID:    cisco-sa-20151116-fire1
Published:      2015 November 17 00:00 GMT
Version 1.0:    Final
CVSS Score:     Base - 4.3
Workarounds:    No workarounds available
Cisco Bug IDs:  CSCux10576 CSCux10578

CVE-2015-6370
CWE-78

Summary

A vulnerability in the Management I/O (MIO) command-line interface (CLI)
command execution of Cisco Firepower 9000 devices could allow an
authenticated, local attacker to access the underlying operating system and
execute commands at the root privilege level.

The vulnerability is due to insufficient sanitization of user-supplied input
at the CLI.
An attacker could exploit this vulnerability by using crafted user input to
execute commands on the underlying operating system. The user has to be
logged in to the device with valid admin credentials.

Cisco has not released software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fire1

Affected Products

Vulnerable Products

Cisco Firepower 9000 Series release 1.1(1.160) is vulnerable.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

Workarounds

There are no workarounds that mitigate this vulnerability.

Fixed Software

When considering software upgrades, customers are advised to consult the
Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution. In all cases, customers should
ensure that the devices to be upgraded contain sufficient memory and confirm
that current hardware and software configurations will continue to be
supported properly by the new release. If the information is not clear,
customers are advised to contact the Cisco Technical Assistance Center (TAC)
or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fire1

Revision History

Version  Description             Section  Status  Date
1.0      Initial public release           Final   2015-November-17

------------------------------------------------------------------------------

Cisco Firepower 9000 USB Kernel Denial of Service Vulnerability

Medium

Advisory ID:    cisco-sa-20151116-fire
Published:      2015 November 17 00:00 GMT
Version 1.0:    Final
CVSS Score:     Base - 4.7
Workarounds:    No workarounds available
Cisco Bug IDs:  CSCux10531

CVE-2015-6369
CWE-20

Summary

A vulnerability in the USB driver of Cisco Firepower 9000 could allow an
unauthenticated, local attacker with physical access to the device to send
invalid USB commands to the kernel and cause a denial of service (DoS)
condition.

The vulnerability is due to insufficient sanitization of USB input
parameters. An attacker could exploit this vulnerability by using crafted
USB user inputs to send invalid USB commands to the kernel.
Cisco has not released software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fire

Affected Products

Vulnerable Products

Cisco Firepower 9000 Series release 1.1(1.160) is vulnerable.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

Workarounds

There are no workarounds that mitigate this vulnerability.

Fixed Software

When considering software upgrades, customers are advised to consult the
Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution. In all cases, customers should
ensure that the devices to upgrade contain sufficient memory and confirm
that current hardware and software configurations will continue to be
supported properly by the new release. If the information is not clear,
customers are advised to contact the Cisco Technical Assistance Center (TAC)
or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fire

Revision History

Version  Description             Section  Status  Date
1.0      Initial public release           Final   2015-November-17

------------------------------------------------------------------------------

Cisco Firepower 9000 Persistent Cross-Site Scripting Vulnerability

Medium

Advisory ID:    cisco-sa-20151117-firepower2
Published:      2015 November 17 00:00 GMT
Version 1.0:    Final
CVSS Score:     Base - 4.3
Workarounds:    No workarounds available
Cisco Bug IDs:  CSCux10614

CVE-2015-6372
CWE-79

Summary

A vulnerability in the HTTP web-based management interface of Cisco
Firepower 9000 devices could allow an unauthenticated, remote attacker to
conduct a cross-site scripting (XSS) attack against a user of the affected
system.

The vulnerability is due to insufficient input validation of a user-supplied
value. An attacker could exploit this vulnerability by convincing a user to
click on a specific link.

Cisco has not released software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower2

Affected Products

Vulnerable Products

Cisco Firepower 9000 Series Switch release 1.1(1.160) is vulnerable.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

Workarounds

There are no workarounds that mitigate this vulnerability.

Fixed Software

When considering software upgrades, customers are advised to consult the
Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower2

Revision History

Version  Description             Section  Status  Date
1.0      Initial public release           Final   2015-November-17

------------------------------------------------------------------------------

Cisco Firepower 9000 Cross-Site Request Forgery Vulnerability

Medium

Advisory ID:    cisco-sa-20151117-firepower3
Published:      2015 November 17 21:43 GMT
Version 1.0:    Final
CVSS Score:     Base - 5.0
Workarounds:    No workarounds available
Cisco Bug IDs:  CSCux10611

CVE-2015-6373
CWE-352

Summary

A vulnerability in the Cisco Firepower 9000 Series Switch could allow an
unauthenticated, remote attacker to execute unwanted actions.
The vulnerability is due to a lack of cross-site request forgery (CSRF)
protection. An attacker could exploit this vulnerability by tricking the
user of a web application into executing an adverse action.

Cisco has not released software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower3

Affected Products

Vulnerable Products

Cisco Firepower 9000 Series Switch release 1.1(1.160) is vulnerable.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

Workarounds

Workarounds are not available.

Fixed Software

When considering software upgrades, customers are advised to consult the
Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution. In all cases, customers should
ensure that the devices to be upgraded contain sufficient memory and confirm
that current hardware and software configurations will continue to be
supported properly by the new release. If the information is not clear,
customers are advised to contact the Cisco Technical Assistance Center (TAC)
or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower3

Revision History

Version  Description             Section  Status  Date
1.0      Initial public release           Final   2015-November-17

------------------------------------------------------------------------------

Cisco Firepower 9000 Series Switch Clickjacking Vulnerability

Medium

Advisory ID:    cisco-sa-20151117-firepower4
Published:      2015 November 17 21:46 GMT
Version 1.0:    Final
CVSS Score:     Base - 5.0
Workarounds:    No workarounds available
Cisco Bug IDs:  CSCux10604

CVE-2015-6374
CWE-20

Summary

A vulnerability in the web interface of the Cisco Firepower 9000 Series
Switch could allow an unauthenticated, remote attacker to affect the
integrity of the device through a clickjacking or phishing attack.

The vulnerability is due to the lack of proper input sanitization of iFrame
data in the HTTP requests sent to the device. An attacker could exploit this
vulnerability by sending crafted HTTP packets with malicious iFrame data. An
exploit could allow the attacker to perform a clickjacking or phishing
attack where the user is tricked into clicking a malicious link. Protection
mechanisms should be used to help prevent this type of attack.

Cisco has not released software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower4

Affected Products

Vulnerable Products

Cisco Firepower 9000 Series Switch release 1.1(1.160) is vulnerable.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

Workarounds

Workarounds are not available.

Fixed Software

When considering software upgrades, customers are advised to consult the
Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution. In all cases, customers should
ensure that the devices to be upgraded contain sufficient memory and confirm
that current hardware and software configurations will continue to be
supported properly by the new release. If the information is not clear,
customers are advised to contact the Cisco Technical Assistance Center (TAC)
or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower4

Revision History

Version  Description             Section  Status  Date
1.0      Initial public release           Final   2015-November-17

------------------------------------------------------------------------------

Cisco Firepower 9000 Operating System Command Injection Vulnerability

Medium

Advisory ID:    cisco-sa-20151123-fire
Published:      2015 November 23 00:00 GMT
Version 1.0:    Final
CVSS Score:     Base - 6.0
Workarounds:    No workarounds available
Cisco Bug IDs:  CSCux10622

CVE-2015-6380
CWE-78

Summary

A vulnerability in a user script supplied with Cisco Firepower 9000 could
allow an authenticated, remote attacker to execute arbitrary commands on the
underlying operating system with the privileges of the authenticated user.
The script can be accessed via the web interface.

The vulnerability is due to lack of input validation of the parameters
passed to the user script. An attacker could exploit this vulnerability by
authenticating to the device and crafting user input to specific script
files to inject arbitrary commands. These commands are at the privilege
level of the authenticated user.

Cisco has not released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151123-fire

Affected Products

Vulnerable Products

Cisco Firepower 9000 Series Switch release 1.1(1.160) is vulnerable.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

When considering software upgrades, customers are advised to consult the
Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151123-fire

Revision History

Version  Description             Section  Status  Date
1.0      Initial public release           Final   2015-November-23

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================