-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0242
  Cisco Firepower Management Center Lightweight Directory Access Protocol
                  Authentication Bypass Vulnerability
                              24 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Firepower Management Center (FMC)
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16028

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Firepower Management Center Lightweight Directory Access Protocol
Authentication Bypass Vulnerability

Priority:        Critical
Advisory ID:     cisco-sa-20200122-fmc-auth
First Published: 2020 January 22 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr95287
CVE-2019-16028   CWE-287
CVSS Score:      9.8  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco Firepower
    Management Center (FMC) could allow an unauthenticated, remote attacker to
    bypass authentication and execute arbitrary actions with administrative
    privileges on an affected device.

    The vulnerability is due to improper handling of Lightweight Directory
    Access Protocol (LDAP) authentication responses from an external
    authentication server. An attacker could exploit this vulnerability by
    sending crafted HTTP requests to an affected device. A successful exploit
    could allow the attacker to gain administrative access to the web-based
    management interface of the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco FMC Software if it is configured to
    authenticate users of the web-based management interface through an
    external LDAP server. For information about which Cisco FMC Software
    releases are vulnerable, see the Fixed Software section of this advisory.

    Determine Whether External Authentication Through LDAP Is Enabled

    To determine whether external authentication using an LDAP server is
    configured on the device, administrators can navigate to System > Users >
    External Authentication and look for an External Authentication Object
    that uses LDAP as the authentication method. The External Authentication
    Object must be enabled for the FMC to be affected.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD)
    Software.

Workarounds

  o There are no workarounds that address this vulnerability. However,
    customers who cannot immediately apply a software fix may evaluate the
    possibility of disabling LDAP authentication for FMC access and using
    other authentication methods until a software fix can be applied.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table, the left column lists releases of Cisco FMC
    Software. The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates
    whether a hotfix patch is available for an affected release.

    Cisco FMC Software        | First Fixed Release       | Hotfix Patch
    Release                   |                           |
    --------------------------+---------------------------+-------------------------------------------------------------------
    Earlier than 6.1.0 ^1     | Migrate to a fixed        | Not available.
                              | release.                  |
    6.1.0                     | Migrate to a fixed        | Sourcefire_3D_Defense_Center_S3_Hotfix_ES-6.1.0.8-2.sh
                              | release.                  |
    6.2.0 ^2                  | Migrate to a fixed        | Not available.
                              | release.                  |
    6.2.1 ^2                  | Migrate to a fixed        | Not available.
                              | release.                  |
    6.2.2 ^2                  | Migrate to a fixed        | Not available.
                              | release.                  |
    6.2.3                     | 6.2.3.16 (February 2020)  | Sourcefire_3D_Defense_Center_S3_Hotfix_DO-6.2.3.16-3.sh.REL.tar
    6.3.0                     | 6.3.0.6 (May 2020)        | Cisco_Firepower_Mgmt_Center_Hotfix_AI-6.3.0.6-2.sh.REL.tar
    6.4.0                     | 6.4.0.7                   | Cisco_Firepower_Mgmt_Center_Hotfix_U-6.4.0.7-2.sh.REL.tar
                              |                           | (for releases 6.4.0.5 and later)
                              |                           | Cisco_Firepower_Mgmt_Center_Hotfix_T-6.4.0.5-1.sh.REL.tar
                              |                           | (for releases 6.4.0.4 and earlier)
    6.5.0                     | 6.5.0.2 ^3                | Not available.

    1. Cisco FMC Software releases 6.0.1 and earlier have reached end of
       software maintenance. Customers are advised to migrate to a supported
       release that includes the fix for this vulnerability.
    2. Customers who are running a 6.2.0, 6.2.1, or 6.2.2 release should
       migrate either to a release that integrates the fix or to a release for
       which a hotfix patch is available. For example, customers could migrate
       to Release 6.2.3 and then install the hotfix patch, which is
       Sourcefire_3D_Defense_Center_S3_Hotfix_DO-6.2.3.16-3.sh.REL.tar.
    3. Cisco FMC Software Release 6.5.0.1 integrates a fix for this
       vulnerability; however, it is no longer available for download.

    Customers who are running the following Cisco FMC Software releases can
    remediate by doing the following:

      Releases earlier than 6.1.0: Migrate to a 6.2.3 release and apply
                                   available hotfixes.
      6.1.0:                       Apply the hotfix listed in the preceding
                                   table or migrate to a 6.2.3 release and
                                   apply available hotfix.
      6.2.0 through 6.2.2:         Migrate to a 6.2.3 release and apply
                                   available hotfix.
      6.2.3 or 6.3.0:              Apply available hotfixes; maintenance
                                   releases will be available later this year.
      6.4.0:                       Apply available hotfixes or upgrade to
                                   Release 6.4.0.7.
      6.5.0:                       Upgrade to 6.5.0.2.

    Customers may install a fix either by upgrading to a fixed release or by
    installing a hotfix patch. The availability of each option for all the
    supported software releases is documented in the preceding table.

    To upgrade to a release that includes a fix for this vulnerability or to
    install a hotfix patch, customers are advised to follow the Cisco
    Firepower Management Center Upgrade Guide and then review the appropriate
    release notes or, if applicable, review the Firepower Hotfix Release Notes.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Michael J. Venema of Family Care Network and
    Johan Anderstrom of QLS for independently reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version | Description              | Section | Status | Date            |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2020-January-22 |
    +---------+--------------------------+---------+--------+-----------------+
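The per-release remediation above can be turned into a fleet triage check. The following is an added example, not a Cisco tool: it parses an FMC version string, applies the ordering rules of the fixed-release table and its footnotes, and combines them with the LDAP External Authentication Object check from the Affected Products section (the `ldap_enabled` flag is assumed to come from that manual check).

```python
"""Triage a Cisco FMC release against the fixed-release table of
cisco-sa-20200122-fmc-auth (CVE-2019-16028). Added example, not a Cisco tool."""
from typing import Tuple

# Hotfix names exactly as listed in the advisory table.
HOTFIX_6_1 = "Sourcefire_3D_Defense_Center_S3_Hotfix_ES-6.1.0.8-2.sh"
HOTFIX_6_2_3 = "Sourcefire_3D_Defense_Center_S3_Hotfix_DO-6.2.3.16-3.sh.REL.tar"
HOTFIX_6_3 = "Cisco_Firepower_Mgmt_Center_Hotfix_AI-6.3.0.6-2.sh.REL.tar"
HOTFIX_6_4_NEW = "Cisco_Firepower_Mgmt_Center_Hotfix_U-6.4.0.7-2.sh.REL.tar"  # 6.4.0.5+
HOTFIX_6_4_OLD = "Cisco_Firepower_Mgmt_Center_Hotfix_T-6.4.0.5-1.sh.REL.tar"  # <= 6.4.0.4


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'6.4.0.5' -> (6, 4, 0, 5); shorter strings such as '6.5.0' pad with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected FMC version string: {text!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def triage(version: str, ldap_enabled: bool) -> str:
    """Return the advisory's remediation for one FMC. ldap_enabled reflects the
    System > Users > External Authentication check (an enabled External
    Authentication Object using LDAP); without it the device is not affected."""
    if not ldap_enabled:
        return "not affected: no enabled LDAP External Authentication Object"
    v = parse_version(version)
    train = v[:3]
    migrate = "vulnerable: migrate to 6.2.3 and apply " + HOTFIX_6_2_3
    if v < (6, 1, 0, 0):  # end of software maintenance (footnote 1)
        return migrate
    if train == (6, 1, 0):
        return "vulnerable: apply " + HOTFIX_6_1 + " or migrate to 6.2.3 and apply " + HOTFIX_6_2_3
    if train in ((6, 2, 0), (6, 2, 1), (6, 2, 2)):  # footnote 2
        return migrate
    if train == (6, 2, 3):
        return "fixed" if v >= (6, 2, 3, 16) else "vulnerable: apply " + HOTFIX_6_2_3
    if train == (6, 3, 0):
        return "fixed" if v >= (6, 3, 0, 6) else "vulnerable: apply " + HOTFIX_6_3
    if train == (6, 4, 0):
        if v >= (6, 4, 0, 7):
            return "fixed"
        hotfix = HOTFIX_6_4_NEW if v >= (6, 4, 0, 5) else HOTFIX_6_4_OLD
        return "vulnerable: apply " + hotfix + " or upgrade to 6.4.0.7"
    if train == (6, 5, 0):
        # 6.5.0.1 also integrates the fix but is no longer downloadable (footnote 3).
        return "fixed" if v >= (6, 5, 0, 1) else "vulnerable: upgrade to 6.5.0.2"
    return "not in advisory table: consult the advisory for release " + version
```

The version string alone cannot show whether a hotfix has already been applied, so a "vulnerable" result on a hotfix-eligible train should be reconciled against the FMC's installed-patch list.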
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================