-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1614.3
                 Cisco Firepower Multiple Vulnerabilities
                                18 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Firepower Management Center
                   Cisco Firepower Threat Defense Software
                   Cisco Firepower Device Manager On-Box Software
                   Cisco Firepower 1000 Series
                   Cisco Firepower 2100 Series
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service         -- Remote/Unauthenticated
                   Root Compromise           -- Existing Account      
                   Read-only Data Access     -- Remote/Unauthenticated
                   Access Confidential Data  -- Remote/Unauthenticated
                   Cross-site Scripting      -- Remote/Unauthenticated
                   Overwrite Arbitrary Files -- Existing Account      
                   Unauthorised Access       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3334 CVE-2020-3318 CVE-2020-3313
                   CVE-2020-3312 CVE-2020-3311 CVE-2020-3310
                   CVE-2020-3309 CVE-2020-3308 CVE-2020-3307
                   CVE-2020-3302 CVE-2020-3301 CVE-2020-3285
                   CVE-2020-3283 CVE-2020-3255 CVE-2020-3253
                   CVE-2020-3189 CVE-2020-3188 CVE-2020-3186
                   CVE-2020-3179  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-dos-4v5nmWtZ
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fp2100-arp-dos-kLdCK8ks
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fdmfo-HvPWKxDe
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xpftd-gYDXyN8H
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-alfo-tHwFDmTE
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmcxss-UT3bMx9k
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmcai-z5dQObVN
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-webredirect-TcFgd42y
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmcua-statcred-weeCcZct
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-2-sS2h7aWe
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-infodis-kZxGtUJD
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-accesslist-bypass-5dZs5qZp
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-mgmt-interface-dos-FkG4MuTU
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-N2vQZASR
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssl-bypass-O5tGum2n
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-shell-9rhJF68K
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sigbypass-FcvPPCeP

Revision History:  May 18 2020: Vendor released minor updates
                   May 12 2020: Vendor released update 1.1 to clarify affected models
                   May  7 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Firepower 1000 Series SSL/TLS Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-ftd-tls-dos-4v5nmWtZ

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 14:00 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq89361

CVE-2020-3283    

CWE-119

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security
    (TLS) handler of Cisco Firepower Threat Defense (FTD) Software when running
    on the Cisco Firepower 1000 Series platform could allow an unauthenticated,
    remote attacker to trigger a denial of service (DoS) condition on an
    affected device.

    The vulnerability is due to a communication error between internal
    functions. An attacker could exploit this vulnerability by sending a
    crafted SSL/TLS message to an affected device. A successful exploit could
    allow the attacker to cause a buffer underrun, which leads to a crash. The
    crash causes the affected device to reload.

    Cisco has released software updates that address the vulnerability
    described in this advisory. There are no workarounds that address this
    vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-dos-4v5nmWtZ

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco Firepower 1000 Series appliances if they
    are running a vulnerable release of Cisco FTD Software and have a feature
    enabled that causes the device to process SSL/TLS messages. These features
    include, but are not limited to, the following:

       AnyConnect SSL VPN
       Clientless SSL VPN

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine Whether a Device Could Process SSL or TLS Messages

    To verify whether a device that is running Cisco FTD Software could process
    SSL or TLS packets, use the show asp table socket | include SSL|DTLS 
    command and verify that it returns output. When this command returns any
    output, the device is vulnerable. When this command returns empty output,
    the device is not affected by the vulnerability described in this advisory.
    The following example shows the output of the show asp table socket |
    include SSL|DTLS command from a device that is vulnerable:

        ftd# show asp table socket | include SSL|DTLS
        SSL       0005aa68  LISTEN     x.x.x.x:443      0.0.0.0:*
        SSL       002d9e38  LISTEN     x.x.x.x:8443     0.0.0.0:*
        DTLS      0018f7a8  LISTEN     10.0.0.250:443   0.0.0.0:*

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Adaptive Security Appliance (ASA) Software
       Firepower Management Center (FMC) Software
       FTD Software running on any platform other than the Cisco Firepower
        1000 Series

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    For each Cisco FTD Software release below, the first line gives the first
    release that includes the fix for this vulnerability, and the second line
    gives the first release that includes fixes for all of the vulnerabilities
    described in this bundle of advisories.

    Earlier than 6.1.0 ^1, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.3.0
      This vulnerability:          Not applicable ^2
      All bundle vulnerabilities:  Not applicable ^2

    6.4.0
      This vulnerability:          6.4.0.9 (May 2020), or one of the following
                                   hotfixes and later:
                                     Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar
                                     Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar
                                     Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar
                                     Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar
      All bundle vulnerabilities:  Same as above

    6.5.0
      This vulnerability:          Not vulnerable
      All bundle vulnerabilities:  6.5.0.5 (future release), or one of the
                                   following hotfixes and later:
                                     Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar
                                     Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar
                                     Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar
                                     Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar

    6.6.0
      This vulnerability:          Not vulnerable
      All bundle vulnerabilities:  Not vulnerable

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.
    2. Only Cisco FTD Software releases 6.4.0 and later support the Cisco
    Firepower 1000 Series.
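    The following Python script is an added example and is not part of the
    Cisco advisory or of any Cisco tool. It combines the two checks this
    advisory describes: it parses the output of show asp table socket |
    include SSL|DTLS (the three listener lines shown above are embedded as a
    constructed sample) and applies the Fixed Releases conditions (Firepower
    1000 Series only; FTD 6.4.0 releases earlier than 6.4.0.9 without Hotfix
    AY-6.4.0.9-3 or later; 6.5.0 and 6.6.0 not vulnerable). The platform label
    and the hotfix flag are inputs the operator supplies; they are assumptions
    of the example, not values read from the device.

```python
import re

# Constructed sample: the listener lines the advisory shows for a vulnerable
# device, as returned by "show asp table socket | include SSL|DTLS".
SAMPLE_ASP_OUTPUT = """\
SSL       0005aa68  LISTEN     x.x.x.x:443      0.0.0.0:*
SSL       002d9e38  LISTEN     x.x.x.x:8443     0.0.0.0:*
DTLS      0018f7a8  LISTEN     10.0.0.250:443   0.0.0.0:*
"""

# One socket line: protocol, handle, state, local address, foreign address.
SOCKET_LINE = re.compile(
    r"^\s*(SSL|DTLS)\s+([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def ssl_listeners(asp_output):
    """Return (protocol, state, local_address) for every SSL/DTLS socket line.

    Per the advisory, any output from the filtered command means the device
    processes SSL/TLS messages; an empty result means it is not affected.
    """
    found = []
    for line in asp_output.splitlines():
        m = SOCKET_LINE.match(line)
        if m:
            found.append((m.group(1), m.group(3), m.group(4)))
    return found


def parse_version(text):
    """'6.4.0.9' -> (6, 4, 0, 9); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def tls_dos_exposed(platform, ftd_version, asp_output, hotfix_ay_installed=False):
    """Apply the advisory's conditions for CVE-2020-3283; return (exposed, reason).

    `platform` is a free-form label used only for the Firepower 1000 check
    (an assumption of this example, not a Cisco API). Whether an installed
    hotfix is "Hotfix_AY-6.4.0.9-3 and later" is confirmed by the operator
    and passed as `hotfix_ay_installed`.
    """
    if platform != "Firepower 1000":
        return False, "FTD on any platform other than Firepower 1000 Series is not affected"
    v = parse_version(ftd_version)
    if v < (6, 4, 0, 0):
        return False, "not applicable: Firepower 1000 Series runs FTD 6.4.0 or later only"
    if v >= (6, 5, 0, 0):
        return False, "FTD 6.5.0 and 6.6.0 are not vulnerable to this advisory"
    if v >= (6, 4, 0, 9) or hotfix_ay_installed:
        return False, "fixed: 6.4.0.9, or Hotfix AY-6.4.0.9-3 and later, is installed"
    listeners = ssl_listeners(asp_output)
    if not listeners:
        return False, "no SSL/DTLS sockets: the device does not process SSL/TLS messages"
    local = ", ".join("%s %s" % (proto, addr) for proto, _state, addr in listeners)
    return True, "vulnerable 6.4.0 release with SSL/TLS listeners: " + local


if __name__ == "__main__":
    print(tls_dos_exposed("Firepower 1000", "6.4.0.8", SAMPLE_ASP_OUTPUT))
```

    Paste the raw command output in place of the sample, or import
    tls_dos_exposed into an inventory script. An empty filtered output on a
    6.4.0 Firepower 1000 device reports "not exposed", matching the advisory,
    but the SSL/DTLS listeners reappear as soon as a feature such as AnyConnect
    SSL VPN is enabled, so the check has to be repeated after configuration
    changes.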

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Ilkin Gasimov of Cisco during internal
    security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-dos-4v5nmWtZ

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.1     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Firepower 2100 Series Security Appliances ARP Denial of Service
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-fp2100-arp-dos-kLdCK8ks

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq20910
                 CSCvr43476
                 CSCvr49833

CVE-2020-3334    

CWE-399

CVSS Score:
7.4  AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the ARP packet processing of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    for Cisco Firepower 2100 Series Security Appliances could allow an
    unauthenticated, adjacent attacker to cause an affected device to reload,
    resulting in a denial of service (DoS) condition on an affected device.

    The vulnerability is due to incorrect processing of ARP packets received
    by the management interface of an affected device. An attacker could
    exploit this vulnerability by sending a series of unicast ARP packets in a
    short timeframe that would reach the management interface of an affected
    device. A successful exploit could allow the attacker to consume resources
    on an affected device, which would prevent the device from sending
    internal system keepalives and eventually cause the device to reload,
    resulting in a denial of service (DoS) condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fp2100-arp-dos-kLdCK8ks

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco Adaptive
    Security Appliance (ASA) Software releases earlier than releases
    9.10.1.37, 9.12.3, and 9.13.1.2.

    At the time of publication, this vulnerability affected Cisco Firepower
    Threat Defense (FTD) Software releases earlier than Release 6.6.0, if the
    software is running on a Cisco Firepower 2100 Series Security Appliance.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco FTD
    Software running on Cisco Adaptive Security Appliances and Cisco
    Integrated Services Routers.

    Cisco has confirmed that this vulnerability does not affect Cisco
    Firepower Management Center (FMC) Software.

Details

  o This vulnerability can be only be exploited on the Cisco Firepower 2100
    Series Security Appliances management interface and the attacker would
    need to have L2 adjacency, which greatly decreases the attack surface.
    This is why the Security Impact Rating is Medium.
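    The following Python detector is an added example; it is not Cisco code
    and is not derived from the bug IDs above. It reads ARP frames as
    (timestamp, source MAC, destination MAC, opcode) tuples, ignores broadcast
    ARP, and flags any source that sends at least a threshold number of
    unicast ARP frames to the management interface MAC inside a sliding
    one-second window. The frames, the management MAC, the window and the
    threshold are all constructed for the example; the advisory gives no rate,
    so the threshold must be tuned to the baseline of the management segment.

```python
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_MAC = "00:11:22:33:44:55"   # constructed MAC of the appliance management interface


def build_sample_frames():
    """Constructed ARP frames as (timestamp_s, src_mac, dst_mac, opcode).

    A real feed would come from a capture on the management segment (for
    example tcpdump -e -n arp); these values are made up for the example.
    """
    frames = []
    # Benign host resolving addresses: broadcast requests every 2 s.
    for i in range(5):
        frames.append((i * 2.0, "aa:aa:aa:00:00:01", BROADCAST, 1))
    # Benign unicast ARP: a neighbour revalidating its cache entry for the
    # management interface, which is normal at low rate.
    frames.append((1.0, "aa:aa:aa:00:00:02", MGMT_MAC, 1))
    frames.append((3.0, "aa:aa:aa:00:00:02", MGMT_MAC, 2))
    # Burst: 60 unicast requests to the management MAC within 0.6 s.
    for i in range(60):
        frames.append((4.0 + i * 0.01, "de:ad:be:ef:00:01", MGMT_MAC, 1))
    return sorted(frames, key=lambda f: f[0])


def unicast_arp_bursts(frames, target_mac=MGMT_MAC, window_s=1.0, threshold=50):
    """Flag sources sending >= threshold unicast ARP frames to target_mac
    inside any span of window_s seconds. Returns {src_mac: peak_count}.

    window_s and threshold are assumptions of this example; the advisory
    states no rate, only "a series of unicast ARP packets in a short timeframe".
    """
    recent = {}   # src_mac -> deque of timestamps inside the current window
    peaks = {}
    for ts, src, dst, _opcode in sorted(frames, key=lambda f: f[0]):
        if dst != target_mac:      # broadcast ARP is not what the advisory describes
            continue
        q = recent.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


if __name__ == "__main__":
    for src, n in unicast_arp_bursts(build_sample_frames()).items():
        print("unicast ARP burst from %s: %d frames within 1 s" % (src, n))
```

    Because exploitation requires Layer 2 adjacency to the management
    interface, the capture point worth feeding this is the management switch
    segment itself (for example a SPAN of the port the appliance management
    interface is on). Low-rate unicast ARP from a neighbour revalidating its
    cache is normal and is not flagged; only the sustained burst is.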

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco ASA Software releases 9.10.1.37, 9.12.3,
    9.13.1.2, and later contained the fix for this vulnerability.

    At the time of publication, Cisco FTD Software 6.4.0.9 (May 2020), 6.5.0.5
    (future release), 6.6.0 and later contained the fix for this
    vulnerability.^1

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

       For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.
       For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fp2100-arp-dos-kLdCK8ks

Revision History

  o 
    +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --       | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Firepower Device Manager On-Box Software Arbitrary File Overwrite
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-fdmfo-HvPWKxDe

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvg48913

CVE-2020-3309    

CWE-20

CVSS Score:
6.5  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in Cisco Firepower Device Manager (FDM) On-Box software
    could allow an authenticated, remote attacker to overwrite arbitrary files
    on the underlying operating system of an affected device.

    The vulnerability is due to improper input validation. An attacker could
    exploit this vulnerability by uploading a malicious file to an affected
    device. A successful exploit could allow the attacker to overwrite
    arbitrary files on, and thereby modify, the underlying operating system of
    an affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fdmfo-HvPWKxDe

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FDM On-Box
    software releases earlier than Release 6.2.3.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco FDM On-Box software releases 6.2.3 and
    later contained the fix for this vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fdmfo-HvPWKxDe

Revision History

  o 
    +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --       | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Firepower Device Manager On-Box Software XML Parsing Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-xpftd-gYDXyN8H

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvg48900

CVE-2020-3310    

CWE-119

CVSS Score:
5.5  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L/E:X/RL:X/RC:X

Summary

  o A vulnerability in the XML parser code of Cisco Firepower Device Manager
    On-Box software could allow an authenticated, remote attacker to cause an
    affected system to become unstable or reload.

    The vulnerability is due to insufficient hardening of the XML parser
    configuration. An attacker could exploit this vulnerability in multiple
    ways using a malicious file:

       An attacker with administrative privileges could upload a malicious
        XML file on the system and cause the XML code to parse the malicious
        file.
       An attacker with Clientless Secure Sockets Layer (SSL) VPN access
        could exploit this vulnerability by sending a crafted XML file.

    A successful exploit would allow the attacker to crash the XML parser
    process, which could cause system instability, memory exhaustion, and in
    some cases lead to a reload of the affected system.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xpftd-gYDXyN8H
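    The advisory attributes the flaw to insufficient hardening of the XML
    parser configuration without saying which parser or setting was involved.
    The following Python function is an added example of what a hardened
    configuration for untrusted XML looks like in general; it is not a
    description of the Cisco fix. It caps the document size and instructs
    expat to refuse any DOCTYPE or entity declaration before a single entity
    is expanded, then builds an ElementTree from the remaining parser events.
    The size limit and the two sample documents are constructed for the
    example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

MAX_XML_BYTES = 1 << 20   # assumption: 1 MiB cap on an uploaded document


class RejectedXML(ValueError):
    """Raised before any element of an unacceptable document is processed."""


def parse_untrusted_xml(data, max_bytes=MAX_XML_BYTES):
    """Parse bytes from an untrusted source into an ElementTree Element.

    Hardening applied: an overall size cap, and refusal of any DOCTYPE or
    entity declaration (the constructs behind entity-expansion and external
    entity attacks) at the moment expat reports them, so no expansion occurs.
    """
    if len(data) > max_bytes:
        raise RejectedXML("document of %d bytes exceeds %d-byte limit" % (len(data), max_bytes))

    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedXML("DOCTYPE %r is not accepted" % name)

    def forbid_entity(*decl):
        raise RejectedXML("entity declaration %r is not accepted" % (decl[0],))

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity

    # Minimal tree builder on top of the hardened expat instance.
    stack = [ET.Element("document")]   # sentinel; the real root is its first child

    def start(tag, attrs):
        stack.append(ET.SubElement(stack[-1], tag, attrs))

    def end(tag):
        stack.pop()

    def text(chunk):
        parent = stack[-1]
        if len(parent):
            last = parent[-1]
            last.tail = (last.tail or "") + chunk
        else:
            parent.text = (parent.text or "") + chunk

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(data, True)
    return stack[0][0]


def check_upload(data):
    """Convenience wrapper: (accepted, detail) without raising."""
    try:
        root = parse_untrusted_xml(data)
    except (RejectedXML, xml.parsers.expat.ExpatError) as exc:
        return False, str(exc)
    return True, root.tag


# Constructed inputs: a benign configuration fragment and a small
# entity-expansion document of the kind a hardened parser must refuse.
BENIGN = b"<config><user name='admin' role='ro'/></config>"
ENTITY_BOMB = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE bomb [<!ENTITY a 'aaaaaaaaaa'>"
    b"<!ENTITY b '&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;'>]>"
    b"<bomb>&b;&b;&b;</bomb>"
)

if __name__ == "__main__":
    print(check_upload(BENIGN))
    print(check_upload(ENTITY_BOMB))
```

    Refusing the DOCTYPE outright is the simplest safe position for uploaded
    and VPN-supplied XML: every entity-expansion and external-entity technique
    needs one, and ordinary configuration or data documents do not. Because
    the refusal happens inside the parser on the decoded event stream, it is
    not bypassed by an encoding that a byte-level match on "<!DOCTYPE" would
    miss.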

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FDM On-Box
    software releases earlier than Release 6.2.3.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco FDM On-Box software releases 6.2.3 and
    later contained the fix for this vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xpftd-gYDXyN8H

Revision History

  o 
    +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --       | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Firepower Management Center Arbitrary Log File Write Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-alfo-tHwFDmTE

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvh20053

CVE-2020-3307    

CWE-20

CVSS Score:
5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web UI of Cisco Firepower Management Center (FMC)
    Software could allow an unauthenticated, remote attacker to write
    arbitrary entries to the log file on an affected device.

    The vulnerability is due to insufficient input validation. An attacker
    could exploit this vulnerability by sending a crafted HTTP request to an
    affected device. A successful exploit could allow the attacker to send
    incorrect information to the system log on the affected system.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-alfo-tHwFDmTE

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FMC Software
    releases earlier than Release 6.3.0.2.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD)
    Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco FMC Software releases 6.3.0.2 and later
    contained the fix for this vulnerability.^1

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-alfo-tHwFDmTE

Revision History

  o 
    +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Firepower Management Center Cross-Site Scripting Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-fmcxss-UT3bMx9k

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvh20060

CVE-2020-3313    

CWE-79

CVSS Score:
6.5  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web UI of Cisco Firepower Management Center (FMC)
    Software could allow an unauthenticated, remote attacker to conduct a
    cross-site scripting (XSS) attack against a user of the web-based
    management interface of the FMC Software.

    The vulnerability is due to insufficient validation of user-supplied input
    by the web-based management interface. An attacker could exploit this
    vulnerability by persuading a user of the interface to click a crafted
    link. A successful exploit could allow the attacker to execute arbitrary
    script code in the context of the interface or to access sensitive,
    browser-based information.

    Cisco has released software updates that address the vulnerability
    described in this advisory. There are no workarounds that address this
    vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fmcxss-UT3bMx9k

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco Firepower
    Management Center (FMC) releases earlier than Release 6.2.2.3.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory. See the Details section in
    the bug ID(s) at the top of this advisory for the most complete and
    current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD)
    Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following table
    (s) was accurate. See the Details section in the bug ID(s) at the top of
    this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco FMC Software

    Cisco FMC Software Release    First Fixed Release for This Vulnerability
    Earlier than 6.1.0^1          Migrate to a fixed release.
    6.1.0                         Migrate to a fixed release.
    6.2.0                         Migrate to a fixed release.
    6.2.1                         Migrate to a fixed release.
    6.2.2                         6.2.2.3
    6.2.3                         6.2.3
    6.3.0                         Not vulnerable.
    6.4.0                         Not vulnerable.
    6.5.0                         Not vulnerable.
    6.6.0                         Not vulnerable.

1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end of
    software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fmcxss-UT3bMx9k

Revision History

  o 
    +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Firepower Management Center File Overwrite Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-fmcai-z5dQObVN

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvh03970

CVE-2020-3302    

CWE-20

CVSS Score:
6.8  AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web UI of Cisco Firepower Management Center (FMC)
    Software could allow an authenticated, remote attacker to overwrite files
    on the file system of an affected device.

    The vulnerability is due to insufficient input validation. An attacker
    could exploit this vulnerability by uploading a crafted file to the web UI
    on an affected device. A successful exploit could allow the attacker to
    overwrite files on the file system of the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fmcai-z5dQObVN

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FMC Software
    releases earlier than Release 6.2.2.2.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD)
    Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco FMC Software releases 6.2.2.2 and later
    contained the fix for this vulnerability.^1

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fmcai-z5dQObVN

Revision History

  o 
    +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Firepower Management Center Open Redirect Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-fmc-webredirect-TcFgd42y

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvh03964

CVE-2020-3311    

CWE-601

CVSS Score:
4.3  AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web interface of Cisco Firepower Management Center
    (FMC) Software could allow an unauthenticated, remote attacker to redirect
    a user to a malicious web page.

    The vulnerability is due to improper input validation of HTTP request
    parameters. An attacker could exploit this vulnerability by intercepting
    and modifying an HTTP request from a user. A successful exploit could
    allow the attacker to redirect the user to a specific malicious web page.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fmc-webredirect-TcFgd42y
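The advisory only says that an HTTP request parameter is not validated before the user is redirected. As an added example, not Cisco's FMC code, the guard below shows the usual hardened form for this bug class (CWE-601): whatever arrives in the destination parameter is reduced to a path on the management interface's own origin, and the forms browsers treat as scheme-relative are rejected. The parameter name, the host allowlist and the fallback path are this example's assumptions.

```python
"""Same-origin redirect guard: an added example, not Cisco FMC code.

Models the bug class in cisco-sa-fmc-webredirect-TcFgd42y (CWE-601): a
request parameter naming the post-login destination is copied into the
Location header unchecked. SELF_HOSTS and the "/" fallback are assumed.
"""
from urllib.parse import urlsplit

# Hosts the management web UI answers as (assumed values).
SELF_HOSTS = {"fmc.example.internal"}


def naive_redirect_target(next_param: str) -> str:
    """The vulnerable pattern: whatever arrived in ?next= is the target."""
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return a redirect target that is always a path on this origin.

    Rules: reject control characters and whitespace (header injection);
    reject anything with a scheme or authority unless the scheme is https
    and the host is ours; reject relative forms that browsers read as
    scheme-relative ("//host", "/\\host"). Accepted same-host absolute
    URLs are reduced to path + query, so the Location header never
    names a host at all.
    """
    if not next_param:
        return default
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in next_param):
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL. hostname drops userinfo and
        # port, so "https://ours@evil/" is judged by "evil".
        if parts.scheme != "https" or parts.hostname not in SELF_HOSTS:
            return default
        target = parts.path or "/"
        if not target.startswith("/") or target.startswith(("//", "/\\")):
            return default
        return target + ("?" + parts.query if parts.query else "")
    if not next_param.startswith("/") or next_param.startswith(("//", "/\\")):
        return default
    return next_param
```

Returning a relative path even for an accepted absolute URL is deliberate: the response then never contains a host chosen by the request, so a later change to `SELF_HOSTS` or a proxy rewriting `Host` cannot turn the guard back into an open redirect.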

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FMC Software
    releases earlier than Release 6.3.0.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD)
    Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco FMC Software releases 6.3.0 and later
    contained the fix for this vulnerability.^1

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fmc-webredirect-TcFgd42y

Revision History

  o 
    +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Firepower Management Center Static Credential Vulnerabilities

Priority:        Medium

Advisory ID:     cisco-sa-fmcua-statcred-weeCcZct

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvo08211
                 CSCvq50674

CVE-2020-3301    
CVE-2020-3318    

CWE-798

CVSS Score:
8.1  AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in Cisco Firepower Management Center (FMC)
    Software and Cisco Firepower User Agent Software could allow an attacker
    to access a sensitive part of an affected system with a high-privileged
    account.

    For more information about these vulnerabilities, see the Details section
    of this advisory.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fmcua-statcred-weeCcZct

Affected Products

  o Vulnerable Products

    At the time of publication, these vulnerabilities affected Cisco FMC
    Software releases earlier than Release 6.5.0 if they had a Firepower User
    Agent Software release earlier than Release 2.5.0 enabled.

    Note: This vulnerability also affected Cisco Adaptive Security Appliances
    (ASAs) that were being managed by the Adaptive Security Device Manager
    (ASDM). Customers are advised to upgrade to Cisco Firepower Services
    Release 6.5.0 or upgrade to Cisco FMC Software to manage ASAs.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Determine Whether Firepower User Agent Is Enabled

    To determine whether Cisco Firepower User Agent is enabled, do the
    following from the web UI:

     1. Choose System > Integration > Identity Sources.
     2. Check whether User Agent is selected.
     3. Confirm which IP addresses are configured to allow access to FMC.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD)
    Software. (The Note above concerns the Firepower Services module running
    on ASA hardware and managed through ASDM, not ASA Software itself.)

Details

  o Two vulnerabilities in Cisco FMC Software and Cisco Firepower User Agent
    Software could allow an attacker to access a sensitive part of the system
    with a high-privileged account.
   
    Details about the vulnerabilities are as follows:

    Cisco Firepower Management Center Static Credential Vulnerability

    A vulnerability in Cisco FMC Software could allow an unauthenticated,
    remote attacker to access a sensitive part of an affected system with a
    high-privileged account.

    This vulnerability is due to a system account that has a default and
    static password and that is not controlled by the system administrator. An
    attacker could exploit this vulnerability by using this default account to
    connect to the affected system. A successful exploit could allow the
    attacker to obtain read and write access to user agent data. The attacker
    would gain access to a sensitive portion of the system, but the attacker
    would not have full administrative rights to control the device.

    Bug ID(s): CSCvq50674
    CVE ID: CVE-2020-3318
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 8.1
    CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

    Cisco Firepower User Agent Static Credential Vulnerability

    A vulnerability in the Cisco Firepower User Agent software could allow an
    authenticated, local attacker to access a sensitive part of an affected
    system with a high-privileged account.

    This vulnerability is due to a system account that has a default and
    static password and is not controlled by the system administrator. An
    attacker could exploit this vulnerability by using this default account to
    connect to the affected system. A successful exploit could allow the
    attacker to obtain read and write access to user agent data. The attacker
    would gain access to a sensitive portion of the system, but the attacker
    would not have full administrative rights to control the device.

    Bug ID(s): CSCvo08211
    CVE ID: CVE-2020-3301
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 7.1
    CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco FMC Software releases 6.5.0 and later
    and Firepower User Agent Software releases 2.5.0 and later contained the
    fixes for these vulnerabilities.^1 To address these vulnerabilities,
    customers must upgrade both Cisco FMC Software and Cisco Firepower User
    Agent Software.

    Note: Customers who have ASAs that are managed by ASDMs are advised to
    upgrade to Cisco Firepower Services Release 6.5.0 or upgrade to Cisco FMC
    Software.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fmcua-statcred-weeCcZct

Revision History

  o 
    +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | --        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------


Cisco Firepower Threat Defense Software Generic Routing Encapsulation Tunnel
IPv6 Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-ftd-dos-2-sS2h7aWe

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 13:47 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq78828

CVE-2020-3179    

CWE-415

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the generic routing encapsulation (GRE) tunnel
    decapsulation feature of Cisco Firepower Threat Defense (FTD) Software
    could allow an unauthenticated, remote attacker to cause a denial of
    service (DoS) condition on an affected device.

    The vulnerability is due to a memory handling error when GRE over IPv6
    traffic is processed. An attacker could exploit this vulnerability by
    sending crafted GRE over IPv6 packets with either IPv4 or IPv6 payload
    through an affected device. A successful exploit could allow the attacker
    to cause the device to crash, resulting in a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-dos-2-sS2h7aWe

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.
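The trigger is GRE carried over IPv6 with an IPv4 or IPv6 inner packet, and the decision below between waiting for the fix and fastpathing GRE turns on whether such flows cross the device at all. The classifier that follows is an added example, not Cisco code and not a reproduction of the crash: it walks the IPv6 extension-header chain to the GRE header (next header 47), accounts for the optional GRE checksum, key and sequence fields, and reports the inner protocol, so it can be run over a capture to count GRE-over-IPv6 flows by payload type. The packets at the bottom are hand-built for the example, not captures; only the RFC 8200, RFC 2784 and RFC 2890 field layouts are relied on.

```python
"""GRE-over-IPv6 flow classifier: an added example, not Cisco code.

Relates to cisco-sa-ftd-dos-2-sS2h7aWe, which concerns decapsulation of
GRE over IPv6 with an IPv4 or IPv6 payload. The sample packets at the
bottom are constructed by hand for this example.
"""
import struct
from collections import Counter

IPPROTO_GRE = 47
IPV6_FRAGMENT = 44
IPV6_EXT_HEADERS = {0, 43, 60}      # hop-by-hop, routing, destination options
GRE_PROTO_NAMES = {0x0800: "IPv4", 0x86DD: "IPv6"}
GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000


def classify_ipv6(pkt: bytes) -> tuple:
    """Return ("gre", inner_name, inner_offset) for GRE over IPv6, else
    ("other", next_header, payload_offset). Raises ValueError if truncated."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    # Walk the extension-header chain; each carries its own next-header byte.
    while nh in IPV6_EXT_HEADERS or nh == IPV6_FRAGMENT:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        hdr_len = 8 if nh == IPV6_FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        nh, off = pkt[off], off + hdr_len
    if nh != IPPROTO_GRE:
        return ("other", nh, off)
    if off + 4 > len(pkt):
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", pkt, off)
    gre_len = 4
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ):
        if flags & flag:            # each optional field is 4 octets
            gre_len += 4
    if off + gre_len > len(pkt):
        raise ValueError("truncated GRE header")
    return ("gre", GRE_PROTO_NAMES.get(proto, "0x%04x" % proto), off + gre_len)


def gre_inner_histogram(packets) -> dict:
    """Count GRE-over-IPv6 packets by inner protocol; others are skipped."""
    counts = Counter()
    for pkt in packets:
        kind, inner, _ = classify_ipv6(pkt)
        if kind == "gre":
            counts[inner] += 1
    return dict(counts)


# --- constructed sample packets (not captures) ---------------------------
def _ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return (struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
            + src + dst + payload)


def _gre(proto: int, inner: bytes, key=None) -> bytes:
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


INNER_IPV4 = bytes.fromhex("4500001400010000400100000a0000010a000002")  # bare IPv4 header
INNER_IPV6 = _ipv6(59, b"")                                              # 59 = no next header
HOP_BY_HOP = bytes([IPPROTO_GRE, 0, 1, 4, 0, 0, 0, 0])                   # 8 octets, PadN option

SAMPLE_GRE_IPV4 = _ipv6(IPPROTO_GRE, _gre(0x0800, INNER_IPV4))
SAMPLE_GRE_IPV6_KEYED = _ipv6(IPPROTO_GRE, _gre(0x86DD, INNER_IPV6, key=42))
SAMPLE_GRE_AFTER_HBH = _ipv6(0, HOP_BY_HOP + _gre(0x0800, INNER_IPV4))
SAMPLE_TCP = _ipv6(6, bytes(20))
```

Feed `gre_inner_histogram()` the raw IPv6 packets from a capture taken on the inside of the device: a non-empty result means the affected decapsulation path is exercised in production, and the inner-protocol split tells you which traffic the Fastpath mitigation would exempt from inspection.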

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco FTD Software releases 6.3.0 and 6.4.0.

    Note: GRE tunnel decapsulation in the LINA engine was introduced in Cisco
    FTD Software Release 6.3.0. This feature is enabled by default and cannot
    be disabled.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

    However, as a mitigation, customers can choose to bypass decapsulation for
    GRE-tunneled flows. To bypass decapsulation, do the following from the FMC
    GUI:

     1. Click Policies and choose Prefilter under Access Control.
     2. Click Edit under the Prefilter Policy that is associated with the
        access policy assigned to the device.
     3. Change the GRE tunnel rule type action to Fastpath.
     4. Click Save.
     5. Click Deploy.

    Note: Fastpath exempts matching traffic from all further inspection and
    control, so GRE-tunneled traffic will bypass the detection engine and
    access control until the fixed release is installed.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco FTD Software

    Cisco FTD    First Fixed        First Fixed Release for All Vulnerabilities
    Software     Release for        Described in the Bundle of Advisories
    Release      This Vulnerability

    Earlier      Not applicable.    Migrate to a fixed release.
    than 6.1.0^1
    6.1.0        Not applicable.    Migrate to a fixed release.
    6.2.0        Not applicable.    Migrate to a fixed release.
    6.2.1        Not applicable.    Migrate to a fixed release.
    6.2.2        Not applicable.    Migrate to a fixed release.

    6.2.3        Not applicable.    6.2.3.16 (June 2020)
                                    Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                                    Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                                    Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar

    6.3.0        6.3.0.5            6.3.0.6 (future release)
                                    Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                                    Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                                    Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar

    6.4.0        6.4.0.6            6.4.0.9 (May 2020)
                                    Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                                    Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                                    Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                                    Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later

    6.5.0        Not vulnerable.    6.5.0.5 (future release)
                                    Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                                    Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                                    Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                                    Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later

    6.6.0        Not vulnerable.    6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Sanmith Prakash of Cisco during internal
    security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-dos-2-sS2h7aWe

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.1     | Updated Hot Fixes for       | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software Information Disclosure Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-ftd-infodis-kZxGtUJD

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq87923

CVE-2020-3312    

CWE-284

CVSS Score:
5.8  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the application policy configuration of Cisco Firepower
    Threat Defense (FTD) Software could allow an unauthenticated, remote
    attacker to gain unauthorized read access to sensitive data on an affected
    device.

    The vulnerability is due to insufficient application identification. An
    attacker could exploit this vulnerability by sending crafted traffic to an
    affected device. A successful exploit could allow the attacker to gain
    unauthorized read access to sensitive data.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-infodis-kZxGtUJD

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FTD Software
    releases earlier than releases 6.2.3.15, 6.3.0.5, and 6.4.0.6.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory. See the Details section in
    the bug ID(s) at the top of this advisory for the most complete and
    current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD Software Releases    First Fixed Release for This Vulnerability
    Earlier than 6.1.0^1           Migrate to a fixed release.
    6.1.0                          Migrate to a fixed release.
    6.2.0                          Migrate to a fixed release.
    6.2.1                          Migrate to a fixed release.
    6.2.2                          Migrate to a fixed release.
    6.2.3                          6.2.3.15
    6.3.0                          6.3.0.5
    6.4.0                          6.4.0.6
    6.5.0                          Not vulnerable.
    6.6.0                          Not vulnerable.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-infodis-kZxGtUJD

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software Management Access List Bypass
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-ftd-accesslist-bypass-5dZs5qZp

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvr13823

CVE-2020-3186    

CWE-284

CVSS Score:
5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the management access list configuration of
    Cisco Firepower Threat Defense (FTD) Software could allow an
    unauthenticated, remote attacker to bypass a configured management
    interface access list on an affected system.

    The vulnerability is due to the configuration of different management
    access lists, with ports allowed in one access list and denied in another.
    An attacker could exploit this vulnerability by sending crafted remote
    management traffic to the local IP address of an affected system. A
    successful exploit could allow the attacker to bypass the configured
    management access list policies, and traffic to the management interface
    would not be properly denied.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-accesslist-bypass-5dZs5qZp

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FTD Software
    code trains 6.3.0, 6.4.0, and 6.5.0.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory. See the Details section in
    the bug ID(s) at the top of this advisory for the most complete and
    current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Release

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD Software Release    First Fixed Release for This Vulnerability
    Earlier than 6.1.0^1          Not vulnerable.
    6.1.0                         Not vulnerable.
    6.2.0                         Not vulnerable.
    6.2.1                         Not vulnerable.
    6.2.2                         Not vulnerable.
    6.2.3                         Not vulnerable.
    6.3.0                         6.3.0.6 (future release)
    6.4.0                         6.4.0.7
    6.5.0                         6.5.0.2
    6.6.0                         Not vulnerable.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management
        Center (FMC), use the FMC interface to install the upgrade. After
        installation is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After
        installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-accesslist-bypass-5dZs5qZp

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software Management Interface Denial of Service
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-ftd-mgmt-interface-dos-FkG4MuTU

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 14:56 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvo31790

CVE-2020-3188    

CWE-399

CVSS Score:
5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X

Summary

  o A vulnerability in how Cisco Firepower Threat Defense (FTD) Software
    handles session timeouts for management connections could allow an
    unauthenticated, remote attacker to cause a buildup of remote management
    connections to an affected device, which could result in a denial of
    service (DoS) condition.

    The vulnerability exists because the default session timeout period for
    specific to-the-box remote management connections is too long. An attacker
    could exploit this vulnerability by sending a large and sustained number of
    crafted remote management connections to an affected device, resulting in a
    buildup of those connections over time. A successful exploit could allow
    the attacker to cause the remote management interface or Cisco Firepower
    Device Manager (FDM) to stop responding and cause other management
    functions to go offline, resulting in a DoS condition. The user traffic
    that is flowing through the device would not be affected, and the DoS
    condition would be isolated to remote management only.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-mgmt-interface-dos-FkG4MuTU

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FTD Software
    releases earlier than Release 6.4.0.9 and Release 6.5.0.5.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory. See the Details section in the bug
    ID(s) at the top of this advisory for the most complete and current
    information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Indicators of Compromise

  o If this vulnerability is being exploited, administrators may see the
    following system error logging message on the console or in the logging
    file:

        HTTP: [mpm_worker:error] server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

    Administrators are advised to contact the Cisco Technical Assistance Center
    (TAC) to review the device logs to determine if this vulnerability is being
    exploited.
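    The message above can be matched mechanically before a TAC case is opened.
    The following Python is an added example, not Cisco's own tooling: it runs
    that match over a few constructed log lines and flags a cluster of hits in
    a short interval, which fits the "buildup over time" the advisory
    describes better than a single message does. The "<ISO timestamp> <host>"
    prefix on the sample lines is an assumption about how the logging file is
    collected; only the text after "HTTP:" comes from the advisory, so adapt
    the timestamp extraction to the real collector format.

```python
import re
from datetime import datetime, timedelta

# Message quoted in the advisory's Indicators of Compromise section.
MAXWORKERS_RE = re.compile(
    r"\[mpm_worker:error\] server reached MaxRequestWorkers setting"
)

# Constructed sample lines, not captured from a device. The
# "<ISO timestamp> <host> " prefix is an assumption about the collector's
# format; only the text after "HTTP:" is taken from the advisory.
SAMPLE_LOG = """\
2020-05-18T09:00:01 ftd01 HTTP: [mpm_worker:notice] worker pool ready
2020-05-18T09:12:40 ftd01 HTTP: [mpm_worker:error] server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
2020-05-18T09:13:10 ftd01 HTTP: [mpm_worker:error] server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
2020-05-18T09:14:05 ftd01 HTTP: [mpm_worker:error] server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
2020-05-18T09:20:00 ftd01 sshd[2201]: Accepted publickey for admin from 10.0.0.5
"""


def find_indicators(lines):
    """Return [(timestamp, host, line)] for every line carrying the IoC."""
    hits = []
    for line in lines:
        if not MAXWORKERS_RE.search(line):
            continue
        ts, host, _rest = line.split(" ", 2)   # assumed "<ts> <host> <msg>"
        hits.append((datetime.fromisoformat(ts), host, line))
    return hits


def is_sustained(hits, window_seconds=300, min_hits=3):
    """True if at least min_hits indicator messages fall inside any interval
    of window_seconds. One message can be an honest capacity limit; a
    cluster matches the connection buildup the advisory describes."""
    window = timedelta(seconds=window_seconds)
    times = sorted(t for t, _, _ in hits)
    lo = 0
    for hi, t in enumerate(times):          # sliding window over sorted times
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= min_hits:
            return True
    return False


def triage(text, **window_kw):
    """Summarise one log capture: hit count, burst verdict, hosts involved."""
    hits = find_indicators(text.splitlines())
    return {
        "hits": len(hits),
        "sustained": is_sustained(hits, **window_kw),
        "hosts": sorted({h for _, h, _ in hits}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

    A positive result is a reason to pull the full device logs for TAC review,
    as the advisory recommends, not proof of exploitation: the same message is
    emitted whenever the management HTTP server runs out of workers for any
    reason.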

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco FTD Software

    Cisco FTD Software      First Fixed Release for This Vulnerability
    Release
    Earlier than 6.1.0 ^1   Migrate to a fixed release.
    6.1.0                   Migrate to a fixed release.
    6.2.0                   Migrate to a fixed release.
    6.2.1                   Migrate to a fixed release.
    6.2.2                   Migrate to a fixed release.
    6.2.3                   Migrate to a fixed release.
    6.3.0                   Migrate to a fixed release.
    6.4.0                   6.4.0.9 (May 2020)
                            Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                            Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                            Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                            Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
    6.5.0                   6.5.0.5 (future release)
                            Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                            Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                            Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                            Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
    6.6.0                   Not vulnerable.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.
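    The tables in this advisory and in the two preceding ones (CVE-2020-3312,
    CVE-2020-3186 and CVE-2020-3188) answer the same question, "is this
    release below the first fixed release of its train?", and a fleet check
    is easier if that question is asked by code. The following Python is an
    added example, not a Cisco tool; its tables are transcribed from the three
    Fixed Releases sections above. It assumes dotted numeric release strings
    such as 6.4.0.6 and does not model the hotfix packages, so a "vulnerable"
    verdict on a 6.4.0 or 6.5.0 device means "confirm whether the listed
    hotfix is installed", not "exploitable".

```python
"""Map a Cisco FTD release string onto the first-fixed-release tables of
CVE-2020-3312, CVE-2020-3186 and CVE-2020-3188 (added example, not Cisco's).
Hotfix packages are not modelled: a base release below the first fixed
release is reported as vulnerable even if a hotfix has been applied."""

MIGRATE = "Migrate to a fixed release."    # whole train vulnerable, no fix in it
NOT_VULNERABLE = "Not vulnerable."
EARLIER = "earlier than 6.1.0"              # row label for end-of-maintenance releases

# Transcribed from the advisories' "Fixed Releases" tables. Key: release
# train (first three components). Value: first fixed release in that train,
# or one of the two sentinels above.
FIRST_FIXED = {
    # cisco-sa-ftd-infodis-kZxGtUJD
    "CVE-2020-3312": {
        EARLIER: MIGRATE, "6.1.0": MIGRATE, "6.2.0": MIGRATE,
        "6.2.1": MIGRATE, "6.2.2": MIGRATE,
        "6.2.3": "6.2.3.15", "6.3.0": "6.3.0.5", "6.4.0": "6.4.0.6",
        "6.5.0": NOT_VULNERABLE, "6.6.0": NOT_VULNERABLE,
    },
    # cisco-sa-ftd-accesslist-bypass-5dZs5qZp
    "CVE-2020-3186": {
        EARLIER: NOT_VULNERABLE, "6.1.0": NOT_VULNERABLE, "6.2.0": NOT_VULNERABLE,
        "6.2.1": NOT_VULNERABLE, "6.2.2": NOT_VULNERABLE, "6.2.3": NOT_VULNERABLE,
        "6.3.0": "6.3.0.6", "6.4.0": "6.4.0.7", "6.5.0": "6.5.0.2",
        "6.6.0": NOT_VULNERABLE,
    },
    # cisco-sa-ftd-mgmt-interface-dos-FkG4MuTU
    "CVE-2020-3188": {
        EARLIER: MIGRATE, "6.1.0": MIGRATE, "6.2.0": MIGRATE, "6.2.1": MIGRATE,
        "6.2.2": MIGRATE, "6.2.3": MIGRATE, "6.3.0": MIGRATE,
        "6.4.0": "6.4.0.9", "6.5.0": "6.5.0.5", "6.6.0": NOT_VULNERABLE,
    },
}


def parse_version(text):
    """'6.4.0.6' -> (6, 4, 0, 6); a bare train '6.4.0' -> (6, 4, 0, 0).
    Only dotted numeric release strings are accepted (assumed input format)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected FTD release string: {text!r}")
    return parts + (0,) * (4 - len(parts))


def assess(version, cve):
    """Return (verdict, reason); verdict is 'not vulnerable', 'vulnerable',
    'fixed' or 'unknown' (train not listed in the advisory)."""
    ver = parse_version(version)
    table = FIRST_FIXED[cve]
    if ver[:3] < (6, 1, 0):
        row = table[EARLIER]
    else:
        row = table.get(".".join(map(str, ver[:3])))
        if row is None:
            return "unknown", "release train not listed in the advisory"
    if row == NOT_VULNERABLE:
        return "not vulnerable", row
    if row == MIGRATE:
        return "vulnerable", row
    if ver >= parse_version(row):
        return "fixed", f"{version} is at or above first fixed release {row}"
    return "vulnerable", f"{version} is below first fixed release {row}"


def report(version):
    """Verdict per CVE for one device release."""
    return {cve: assess(version, cve)[0] for cve in FIRST_FIXED}


if __name__ == "__main__":
    import sys
    for v in sys.argv[1:] or ["6.4.0.6"]:
        print(v, report(v))
```

    Running it on 6.4.0.6 shows why the bundle tables carry a separate "All
    Vulnerabilities" column: that release is fixed for CVE-2020-3312 but still
    below the first fixed release for CVE-2020-3186 (6.4.0.7) and
    CVE-2020-3188 (6.4.0.9).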

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Santosh Krishnamurthy of Cisco during
    internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-mgmt-interface-dos-FkG4MuTU

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.1     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software Packet Flood Denial of Service
Vulnerability

Priority:        High

Advisory ID:     cisco-sa-ftd-dos-N2vQZASR

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 14:47 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvo80853

CVE-2020-3255    

CWE-400

CVSS Score:
7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the packet processing functionality of Cisco Firepower
    Threat Defense (FTD) Software could allow an unauthenticated, remote
    attacker to cause a denial of service (DoS) condition on an affected
    device.

    The vulnerability is due to inefficient memory management. An attacker
    could exploit this vulnerability by sending a high rate of IPv4 or IPv6
    traffic through an affected device. This traffic would need to match a
    configured block action in an access control policy. An exploit could allow
    the attacker to cause a memory exhaustion condition on the affected device,
    which would result in a DoS for traffic transiting the device, as well as
    sluggish performance of the management interface. Once the flood is
    stopped, performance should return to previous states.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-dos-N2vQZASR

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a vulnerable
    release of Cisco FTD Software and are configured with an access control
    policy to block certain types of traffic.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco FTD Software

    Cisco FTD Software     First Fixed Release for This Vulnerability                  First Fixed Release for All Vulnerabilities
    Release                                                                            Described in the Bundle of Advisories
    Earlier than 6.1.0 ^1  Migrate to a fixed release.                                 Migrate to a fixed release.
    6.1.0                  Migrate to a fixed release.                                 Migrate to a fixed release.
    6.2.0                  Migrate to a fixed release.                                 Migrate to a fixed release.
    6.2.1                  Migrate to a fixed release.                                 Migrate to a fixed release.
    6.2.2                  Migrate to a fixed release.                                 Migrate to a fixed release.
    6.2.3                  6.2.3.16 (June 2020)                                        6.2.3.16 (June 2020)
                           Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar                   Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                           Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar          Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar
                           Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar               Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar
    6.3.0                  6.3.0.6 (future release)                                    6.3.0.6 (future release)
                           Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar                    Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                           Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar           Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar
                           Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar                Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar
    6.4.0                  6.4.0.9 (May 2020)                                          6.4.0.9 (May 2020)
                           Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later          Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                           Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                           Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
                           Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later      Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later
    6.5.0                  Not vulnerable.                                             6.5.0.5 (future release)
                                                                                       Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                                                                                       Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                                                                                       Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
                                                                                       Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar and later
    6.6.0                  Not vulnerable.                                             6.6.0

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

      o For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade. After installation
        is complete, reapply the access control policy.
      o For devices that are managed by using Cisco Firepower Device Manager
        (FDM), use the FDM interface to install the upgrade. After installation
        is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-dos-N2vQZASR

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.1     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software SSL/TLS URL Category Bypass
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-ssl-bypass-O5tGum2n

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq93669

CVE-2020-3285    

CWE-693

CVSS Score:
5.8  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Transport Layer Security version 1.3 (TLS 1.3)
    policy with URL category functionality for Cisco Firepower Threat Defense
    (FTD) Software could allow an unauthenticated, remote attacker to bypass a
    configured TLS 1.3 policy that blocks traffic to a specific URL.

    The vulnerability is due to a logic error in how Snort handles a
    connection to which a TLS 1.3 policy with URL category configuration
    applies. An attacker could exploit this vulnerability by sending crafted
    TLS 1.3 connections to an affected device. A successful exploit could
    allow the attacker to bypass the TLS 1.3 policy and reach URLs beyond the
    affected device that the policy would normally drop.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ssl-bypass-O5tGum2n

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FTD Software
    releases 6.4.0 through 6.4.0.8 with an SSL/TLS policy with URL category
    configured.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Release

    At the time of publication, Cisco expected to fix this vulnerability in
    Cisco FTD Software Release 6.4.0.9, scheduled for May 2020.^1 Cisco FTD
    Software releases earlier than Release 6.4.0 are not vulnerable.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

     - For devices that are managed by using Cisco Firepower Management
       Center (FMC), use the FMC interface to install the upgrade. After
       installation is complete, reapply the access control policy.
     - For devices that are managed by using Cisco Firepower Device Manager
       (FDM), use the FDM interface to install the upgrade. After
       installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ssl-bypass-O5tGum2n

Revision History

  o +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | -        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software Shell Access Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-ftd-shell-9rhJF68K

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvp16933

CVE-2020-3253    

CWE-284

CVSS Score:
6.7  AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the support tunnel feature of Cisco Firepower Threat
    Defense (FTD) Software could allow an authenticated, local attacker to
    access the shell of an affected device even though expert mode is
    disabled.

    The vulnerability is due to improper configuration of the support tunnel
    feature. An attacker could exploit this vulnerability by enabling the
    support tunnel, setting a key, and deriving the tunnel password. A
    successful exploit could allow the attacker to run any system command with
    root access on an affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-shell-9rhJF68K

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FTD Software
    releases earlier than Release 6.5.0.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco FTD Software releases 6.5.0 and later
    contained the fix for this vulnerability.^1

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

     - For devices that are managed by using Cisco Firepower Management
       Center (FMC), use the FMC interface to install the upgrade. After
       installation is complete, reapply the access control policy.
     - For devices that are managed by using Cisco Firepower Device Manager
       (FDM), use the FDM interface to install the upgrade. After
       installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-shell-9rhJF68K

Revision History

  o +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | -        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software Signature Verification Bypass
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-sigbypass-FcvPPCeP

First Published: 2020 May 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvg16015

CVE-2020-3308    

CWE-347

CVSS Score:
4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Image Signature Verification feature of Cisco
    Firepower Threat Defense (FTD) Software could allow an authenticated,
    remote attacker with administrator-level credentials to install a
    malicious software patch on an affected device.

    The vulnerability is due to improper verification of digital signatures
    for patch images. An attacker could exploit this vulnerability by crafting
    an unsigned software patch to bypass signature checks and loading it on an
    affected device. A successful exploit could allow the attacker to boot a
    malicious software patch image.

    Cisco has released software updates that address the vulnerability
    described in this advisory. There are no workarounds that address this
    vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-sigbypass-FcvPPCeP
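The weakness named above is CWE-347 (improper verification of a cryptographic signature), and the outcome the advisory describes, an unsigned patch passing the check, is what happens when a verifier treats a missing signature as "nothing to verify" instead of as a failure. The Go program below is an added illustration of that class of bug beside its fail-closed form. It is not Cisco's code: the advisory does not describe FTD's patch format or verifier, and the Patch layout, the use of Ed25519 and the fixed key seed are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Patch is a minimal stand-in for a software patch image: the bytes the
// device would install plus a detached signature over them. This layout is an
// assumption for the example; the advisory does not describe Cisco's format.
type Patch struct {
	Payload   []byte
	Signature []byte // empty for an unsigned patch
}

// digest is what gets signed: SHA-256 of the payload, so the signed message
// is fixed-size regardless of image size.
func digest(payload []byte) []byte {
	h := sha256.Sum256(payload)
	return h[:]
}

// SignPatch produces a signed Patch with the vendor's private key.
func SignPatch(priv ed25519.PrivateKey, payload []byte) Patch {
	return Patch{Payload: payload, Signature: ed25519.Sign(priv, digest(payload))}
}

// VerifyLenient is the CWE-347 pattern: the signature is checked only when
// one is present, so a patch that simply omits it is accepted. This matches
// the outcome the advisory describes; whether Cisco's verifier looked like
// this is not known.
func VerifyLenient(pub ed25519.PublicKey, p Patch) bool {
	if len(p.Signature) == 0 {
		return true // BUG: "no signature" is treated as "nothing to check"
	}
	return ed25519.Verify(pub, digest(p.Payload), p.Signature)
}

// VerifyStrict is the fail-closed form: a patch is installable only if it
// carries a well-formed signature that verifies under the trusted key.
func VerifyStrict(pub ed25519.PublicKey, p Patch) bool {
	if len(p.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, digest(p.Payload), p.Signature)
}

// testSeed is a fixed, constructed seed so the example is deterministic. A
// real signing key stays with the vendor; only the public half ships on devices.
var testSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// Scenario runs both verifiers over a signed, an unsigned, a tampered and a
// malformed patch. Each result is [lenient, strict].
func Scenario() map[string][2]bool {
	priv := ed25519.NewKeyFromSeed(testSeed)
	pub := priv.Public().(ed25519.PublicKey)

	signed := SignPatch(priv, []byte("constructed patch payload"))
	unsigned := Patch{Payload: []byte("constructed malicious payload")} // no Signature at all
	tampered := Patch{Payload: append([]byte(nil), signed.Payload...), Signature: signed.Signature}
	tampered.Payload[0] ^= 0xff // payload altered after signing
	shortSig := Patch{Payload: signed.Payload, Signature: []byte{1, 2, 3}}

	cases := map[string]Patch{"signed": signed, "unsigned": unsigned, "tampered": tampered, "shortsig": shortSig}
	out := make(map[string][2]bool, len(cases))
	for name, p := range cases {
		out[name] = [2]bool{VerifyLenient(pub, p), VerifyStrict(pub, p)}
	}
	return out
}

func main() {
	res := Scenario()
	for _, name := range []string{"signed", "unsigned", "tampered", "shortsig"} {
		r := res[name]
		fmt.Printf("%-8s lenient=%-5v strict=%v\n", name, r[0], r[1])
	}
}
```

Only the unsigned case separates the two verifiers: the lenient one accepts it, the strict one rejects it, and both reject a patch whose payload was altered after signing or whose signature is malformed. The fix is not a stronger algorithm but a rule that every image must carry a signature that verifies, with absence counted as failure.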

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco FTD Software
    releases earlier than Release 6.2.2.1.

    For information about which Cisco software releases were vulnerable at the
    time of publication, see the Fixed Software section of this advisory. See
    the Details section in the bug ID(s) at the top of this advisory for the
    most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has determined that this vulnerability does not affect Cisco
    Adaptive Security Appliance (ASA) Software or Cisco Firepower Management
    Center (FMC) Software. 

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    Cisco FTD Software

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    +-----------------------+------------------------------------------+
    |Cisco FTD Major Release|First Fixed Release for This Vulnerability|
    +-----------------------+------------------------------------------+
    |Earlier than 6.1.0^1   |Migrate to a fixed release.               |
    +-----------------------+------------------------------------------+
    |6.1.0                  |Migrate to a fixed release.               |
    +-----------------------+------------------------------------------+
    |6.2.0                  |Migrate to a fixed release.               |
    +-----------------------+------------------------------------------+
    |6.2.1                  |Migrate to a fixed release.               |
    +-----------------------+------------------------------------------+
    |6.2.2                  |6.2.2.1                                   |
    +-----------------------+------------------------------------------+
    |6.2.3                  |Not Vulnerable.                           |
    +-----------------------+------------------------------------------+
    |6.3.0                  |Not vulnerable.                           |
    +-----------------------+------------------------------------------+
    |6.4.0                  |Not vulnerable.                           |
    +-----------------------+------------------------------------------+
    |6.5.0                  |Not vulnerable.                           |
    +-----------------------+------------------------------------------+
    |6.6.0                  |Not vulnerable.                           |
    +-----------------------+------------------------------------------+

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

     - For devices that are managed by using Cisco Firepower Management
       Center (FMC), use the FMC interface to install the upgrade. After
       installation is complete, reapply the access control policy.
     - For devices that are managed by using Cisco Firepower Device Manager
       (FDM), use the FDM interface to install the upgrade. After
       installation is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-sigbypass-FcvPPCeP

Revision History

  o +----------+----------------------------+----------+---------+---------------+
    | Version  |        Description         | Section  | Status  |     Date      |
    +----------+----------------------------+----------+---------+---------------+
    | 1.0      | Initial public release.    | -        | Final   | 2020-MAY-06   |
    +----------+----------------------------+----------+---------+---------------+

- --------------------------------------------------------------------------------

Cisco Firepower Threat Defense Software VPN System Logging Denial of Service
Vulnerability

Priority:        High

Advisory ID:     cisco-sa-ftd-dos-Rdpe34sd8

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 15 14:14 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvo62077

CVE-2020-3189    

CWE-400

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the VPN System Logging functionality for Cisco Firepower
    Threat Defense (FTD) Software could allow an unauthenticated, remote
    attacker to cause a memory leak that can deplete system memory over time,
    which can cause unexpected system behaviors or device crashes.

    The vulnerability is due to the system memory not being properly freed for
    a VPN System Logging event generated when a VPN session is created or
    deleted. An attacker could exploit this vulnerability by repeatedly
    creating or deleting a VPN tunnel connection, which could leak a small
    amount of system memory for each logging event. A successful exploit could
    allow the attacker to cause system memory depletion, which can lead to a
    systemwide denial of service (DoS) condition. The attacker does not have
    any control of whether VPN System Logging is configured or not on the
    device, but it is enabled by default.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-dos-Rdpe34sd8

    This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software
    Security Advisory Bundled Publication, which includes 12 Cisco Security
    Advisories that describe 12 vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA,
    FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco FTD Software releases 6.2.3.12, 6.2.3.13,
    6.2.3.14, and 6.2.3.15 if VPN System Logging is configured.

    Determining if VPN System Logging Is Configured

    The administrator can check if VPN System Logging is configured on the
    Firepower Management Center (FMC) by clicking the System Status icon and
    navigating to VPN Logging Settings under Platform Settings > Syslog >
    Logging Setup.

    Please refer to VPN System Logs for additional information.

    Note: VPN System Logging is automatically enabled to be sent to the FMC by
    default whenever a device is configured with site-to-site or remote access
    VPNs.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
    Security Appliance (ASA) Software or Cisco Firepower Management Center
    (FMC).

Workarounds

  o Disabling the VPN System Logging feature eliminates the attack vector for
    this vulnerability and may be a suitable mitigation until affected devices
    can be upgraded. Administrators can disable VPN System Logging on the
    Firepower Management Center (FMC) by clicking the System Status icon and
    navigating to VPN Logging Settings under Platform Settings > Syslog >
    Logging Setup.
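Until the fix or the workaround above is in place, the exploitation pattern the advisory describes, a peer repeatedly bringing a VPN tunnel up and down, is visible in the device's own syslog as a burst of SA created/deleted events from one address. The Go program below is an added example, not Cisco tooling, of a sliding-window detector over such lines. The sample log is constructed for the example; it borrows the shape of the ASA/FTD IPsec SA created/deleted messages (IDs 602303/602304), but the exact text and message IDs are assumptions to be adjusted to what the deployment actually emits, and the window and threshold are starting points rather than Cisco-provided values.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// sampleLog is constructed for this example, not a capture. It borrows the
// shape of the ASA/FTD IPsec "SA ... has been created/deleted" syslogs
// (602303/602304); the exact text is an assumption. 198.51.100.7 churns its
// tunnel six times in 31 seconds, 192.0.2.20 holds one session for 45 minutes.
const sampleLog = `2020-05-06T16:00:00 %FTD-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been created.
2020-05-06T16:00:03 %FTD-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:10.0.0.5/443 (10.0.0.5/443)
2020-05-06T16:00:05 %FTD-6-602303: IPSEC: An outbound remote access SA (SPI= 0x00112233) between 203.0.113.1 and 192.0.2.20 (user= alice) has been created.
2020-05-06T16:00:08 %FTD-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.
2020-05-06T16:00:12 %FTD-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4E) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been created.
2020-05-06T16:00:19 %FTD-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4E) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.
2020-05-06T16:00:24 %FTD-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4F) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been created.
2020-05-06T16:00:31 %FTD-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4F) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.
2020-05-06T16:45:00 %FTD-6-602304: IPSEC: An outbound remote access SA (SPI= 0x00112233) between 203.0.113.1 and 192.0.2.20 (user= alice) has been deleted.`

// saEvent captures the timestamp, the peer address and the verb from one
// SA created/deleted line; everything else (connection logs, etc.) is skipped.
var saEvent = regexp.MustCompile(`^(\S+) %FTD-6-60230[34]: IPSEC: .* between \S+ and (\S+) .* has been (created|deleted)\.`)

// Alert records the first moment a peer's SA churn crossed the threshold.
type Alert struct {
	Peer  string
	Count int
	At    time.Time
}

// DetectChurn walks a time-ordered log and flags each peer whose SA
// created/deleted events within a sliding window of the given length reach
// threshold. One alert per peer, raised when the threshold is first met.
func DetectChurn(log string, window time.Duration, threshold int) ([]Alert, error) {
	recent := map[string][]time.Time{} // per-peer event times still inside the window
	alerted := map[string]bool{}
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := saEvent.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ts, err := time.Parse("2006-01-02T15:04:05", m[1])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", m[1], err)
		}
		peer := m[2]
		q := append(recent[peer], ts)
		// evict events that have fallen out of the window relative to this event
		i := 0
		for i < len(q) && ts.Sub(q[i]) >= window {
			i++
		}
		q = q[i:]
		recent[peer] = q
		if len(q) >= threshold && !alerted[peer] {
			alerted[peer] = true
			alerts = append(alerts, Alert{Peer: peer, Count: len(q), At: ts})
		}
	}
	return alerts, sc.Err()
}

func main() {
	alerts, err := DetectChurn(sampleLog, 60*time.Second, 6)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s: %d SA create/delete events within 60s, threshold reached at %s\n",
			a.Peer, a.Count, a.At.Format(time.RFC3339))
	}
}
```

With a 60-second window and a threshold of six the constructed log produces one alert, for 198.51.100.7 at 16:00:31; the long-lived session from 192.0.2.20 never accumulates more than one event inside the window. Tune the window to the tunnel setup time of the deployment, since a legitimately flapping site-to-site peer will also trip this and is worth a look for the same reason: each cycle leaks memory on an affected release.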

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the vulnerabilities described in this
    bundle and which release includes fixes for those vulnerabilities.

    Cisco FTD Software

    +---------+----------------------------------------------------+----------------------------------------------------+
    |Cisco FTD|First Fixed Release for This Vulnerability          |First Fixed Release for All Vulnerabilities         |
    |Software |                                                    |Described in the Bundle of Advisories               |
    |Release  |                                                    |                                                    |
    +---------+----------------------------------------------------+----------------------------------------------------+
    |Earlier  |Not vulnerable.                                     |Migrate to a fixed release.                         |
    |than     |                                                    |                                                    |
    |6.1.0 ^1 |                                                    |                                                    |
    +---------+----------------------------------------------------+----------------------------------------------------+
    |6.1.0    |Not vulnerable.                                     |Migrate to a fixed release.                         |
    +---------+----------------------------------------------------+----------------------------------------------------+
    |6.2.0    |Not vulnerable.                                     |Migrate to a fixed release.                         |
    +---------+----------------------------------------------------+----------------------------------------------------+
    |6.2.1    |Not vulnerable.                                     |Migrate to a fixed release.                         |
    +---------+----------------------------------------------------+----------------------------------------------------+
    |6.2.2    |Not vulnerable.                                     |Migrate to a fixed release.                         |
    +---------+----------------------------------------------------+----------------------------------------------------+
    |6.2.3    |6.2.3.16 (June 2020)                                |6.2.3.16 (June 2020)                                |
    |         |Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar           |Cisco_FTD_Hotfix_DT-6.2.3.16-3.sh.REL.tar           |
    |         |Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar  |Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3.sh.REL.tar  |
    |         |Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar       |Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3.sh.REL.tar       |
    +---------+----------------------------------------------------+----------------------------------------------------+
    |6.3.0    |Not vulnerable.                                     |6.3.0.6 (future release)                            |
    |         |                                                    |Cisco_FTD_Hotfix_AO-6.3.0.6-2.sh.REL.tar            |
    |         |                                                    |Cisco_FTD_SSP_FP2K_Hotfix_AO-6.3.0.6-2.sh.REL.tar   |
    |         |                                                    |Cisco_FTD_SSP_Hotfix_AO-6.3.0.6-2.sh.REL.tar        |
    +---------+----------------------------------------------------+----------------------------------------------------+
    |6.4.0    |Not vulnerable.                                     |6.4.0.9 (May 2020)                                  |
    |         |                                                    |Cisco_FTD_Hotfix_AY-6.4.0.9-3.sh.REL.tar and later  |
    |         |                                                    |Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3.sh.REL.tar   |
    |         |                                                    |and later                                           |
    |         |                                                    |Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3.sh.REL.tar   |
    |         |                                                    |and later                                           |
    |         |                                                    |Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3.sh.REL.tar        |
    |         |                                                    |and later                                           |
    +---------+----------------------------------------------------+----------------------------------------------------+
    |6.5.0    |Not vulnerable.                                     |6.5.0.5 (future release)                            |
    |         |                                                    |Cisco_FTD_Hotfix_H-6.5.0.5-2.sh.REL.tar and later   |
    |         |                                                    |Cisco_FTD_SSP_FP1K_Hotfix_H-6.5.0.5-2.sh.REL.tar    |
    |         |                                                    |and later                                           |
    |         |                                                    |Cisco_FTD_SSP_FP2K_Hotfix_H-6.5.0.5-2.sh.REL.tar    |
    |         |                                                    |and later                                           |
    |         |                                                    |Cisco_FTD_SSP_Hotfix_H-6.5.0.5-2.sh.REL.tar         |
    |         |                                                    |and later                                           |
    +---------+----------------------------------------------------+----------------------------------------------------+
    |6.6.0    |Not vulnerable.                                     |6.6.0                                               |
    +---------+----------------------------------------------------+----------------------------------------------------+

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

     - For devices that are managed by using Cisco Firepower Management Center
       (FMC), use the FMC interface to install the upgrade. After installation
       is complete, reapply the access control policy.
     - For devices that are managed by using Cisco Firepower Device Manager
       (FDM), use the FDM interface to install the upgrade. After installation
       is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ftd-dos-Rdpe34sd8

Revision History

  o +---------+-----------------------------+----------+--------+-------------+
    | Version |         Description         | Section  | Status |    Date     |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.1     | Updated Hot Fixes for FTD   | Fixed    | Final  | 2020-MAY-15 |
    |         | releases 6.4.0 and 6.5.0.   | Releases |        |             |
    +---------+-----------------------------+----------+--------+-------------+
    | 1.0     | Initial public release.     | -        | Final  | 2020-MAY-06 |
    +---------+-----------------------------+----------+--------+-------------+

- -----------------------------------------------------------------------------


Cisco Firepower 2100 Series Security Appliances ARP Denial of Service
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-fp2100-arp-dos-kLdCK8ks

First Published: 2020 May 6 16:00 GMT

Last Updated:    2020 May 11 15:48 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq20910, CSCvr43476, CSCvr49833

CVE-2020-3334    

CWE-399

CVSS Score:
7.4  AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the ARP packet processing of Cisco Adaptive Security
    Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
    for Cisco Firepower 2100 Series Security Appliances could allow an
    unauthenticated, adjacent attacker to cause an affected device to reload,
    resulting in a denial of service (DoS) condition on an affected device.

    The vulnerability is due to incorrect processing of ARP packets received by
    the management interface of an affected device. An attacker could exploit
    this vulnerability by sending a series of unicast ARP packets in a short
    timeframe that would reach the management interface of an affected device.
    A successful exploit could allow the attacker to consume resources on an
    affected device, which would prevent the device from sending internal
    system keepalives and eventually cause the device to reload, resulting in a
    denial of service (DoS) condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fp2100-arp-dos-kLdCK8ks

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco Adaptive
    Security Appliance (ASA) Software releases earlier than Releases 9.10.1.37,
    9.12.3, and 9.13.1.2, if the software is running on a Cisco Firepower 2100
    Series Security Appliance.

    At the time of publication, this vulnerability affected Cisco Firepower
    Threat Defense (FTD) Software releases earlier than Release 6.6.0, if the
    software is running on a Cisco Firepower 2100 Series Security Appliance.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco FTD
    Software running on Cisco Adaptive Security Appliances and Cisco Integrated
    Services Routers.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC) Software.

Details

  o This vulnerability can only be exploited on the management interface of
    Cisco Firepower 2100 Series Security Appliances, and the attacker would
    need to have Layer 2 adjacency, which greatly decreases the attack
    surface. This is why the Security Impact Rating is Medium.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco ASA Software releases 9.10.1.37, 9.12.3,
    9.13.1.2, and later contained the fix for this vulnerability.

    At the time of publication, Cisco FTD Software 6.4.0.9 (May 2020), 6.5.0.5
    (future release), 6.6.0 and later contained the fix for this vulnerability.
    [1]

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    1. Cisco FMC and FTD Software releases 6.0.1 and earlier have reached end
    of software maintenance. Customers are advised to migrate to a supported
    release that includes the fix for this vulnerability.

    To upgrade to a fixed release of Cisco FTD Software, customers can do one
    of the following:

     o For devices that are managed by using Cisco Firepower Management Center
       (FMC), use the FMC interface to install the upgrade. After installation
       is complete, reapply the access control policy.
     o For devices that are managed by using Cisco Firepower Device Manager
       (FDM), use the FDM interface to install the upgrade. After installation
       is complete, reapply the access control policy.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fp2100-arp-dos-kLdCK8ks

Revision History

  o +---------+---------------------------+------------+--------+-------------+
    | Version |        Description        |  Section   | Status |    Date     |
    +---------+---------------------------+------------+--------+-------------+
    |         | Clarified that only       |            |        |             |
    | 1.1     | Firepower 2100 Series     | Vulnerable | Final  | 2020-MAY-11 |
    |         | Security Appliances are   | Products   |        |             |
    |         | affected.                 |            |        |             |
    +---------+---------------------------+------------+--------+-------------+
    | 1.0     | Initial public release.   | -          | Final  | 2020-MAY-06 |
    +---------+---------------------------+------------+--------+-------------+

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================