Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability

A vulnerability in the implementation of the Lua interpreter integrated in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying Linux operating system of an affected device.

The vulnerability is due to insufficient restrictions on the allowed Lua function calls within the context of user-supplied Lua scripts. A successful exploit could allow the attacker to trigger a heap overflow condition and execute arbitrary code with root privileges on the underlying Linux operating system of an affected device.

Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191112-asa-ftd-lua-rce

Security Impact Rating: High

CVE: CVE-2019-15992


Cisco Small Business RV320 and RV325 Dual Gigabit WAN Routers Issues

Cisco firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers is affected by the following issues:

  • Static certificates and keys
  • Hardcoded password hashes
  • Multiple vulnerabilities in third-party software (TPS) components

Static Certificates and Keys

Two static X.509 certificates with the corresponding public/private key pairs and one static Secure Shell (SSH) host key were found in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. One X.509 certificate was created by the OpenSSL Group for testing purposes and the second certificate is a test certificate created by Cisco.

The X.509 certificates and keys in question are part of the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers and were used for their intended testing purpose during the development of that firmware. They were never used for live functionality in any shipping version of the product. All shipping versions of this firmware use dynamically created certificates instead.

Cisco bug ID: CSCvq34465

The static SSH host key is part of the tail-f (now part of Cisco) Netconf ConfD package that is included in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. It was never used for live functionality in any shipping version of the product. Key-based SSH authentication is not supported in any shipping version of this firmware.

Cisco bug ID: CSCvq34469

The inclusion of these certificates and keys in shipping software was an oversight by the development team for these routers.

Hardcoded Password Hashes

The /etc/shadow file included in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers has a hardcoded password hash for the root user.

The /etc/shadow file is not consulted during user authentication by the firmware. Instead, a dedicated alternate user database is used to authenticate users who log in to either the CLI or the web-based management interface of the affected routers.

An attacker with access to the base operating system on an affected device could exploit this issue to obtain root-level privileges. However, Cisco is not currently aware of a way to access the base operating system on these routers.

Cisco bug ID: CSCvq34472

Multiple Vulnerabilities in Third-Party Software Components

Third-party software (TPS) components in the firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers contain vulnerabilities. Cisco will handle these vulnerabilities by using the regular Cisco process for TPS vulnerabilities in accordance with the Cisco Security Vulnerability Policy. For information about known TPS vulnerabilities that affect the firmware for these routers, consult the Cisco Bug Search Tool.

Security Impact Rating: Informational


Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Issues

Cisco firmware for certain Cisco Small Business RV Series Routers is affected by the following issues:

  • Certificate and key issued to QNO Technology
  • Hardcoded password hashes
  • Multiple vulnerabilities in third-party software (TPS) components

Certificate and Key Issued to QNO Technology

An X.509 certificate with a corresponding public/private key pair was initially found in Cisco RV042 Dual WAN VPN Router firmware. This certificate is issued to third-party entity QNO Technology.

The certificate and keys in question are part of the firmware for the following Cisco products:

  • RV016 Multi-WAN VPN Router
  • RV042 Dual WAN VPN Router
  • RV042G Dual Gigabit WAN VPN Router
  • RV082 Dual WAN VPN Router

The certificate and keys were used for testing during the development of the firmware; they were never used for live functionality in any shipping version of the product. All shipping versions of the firmware for the affected products use dynamically created certificates instead.

The inclusion of this certificate and keys in shipping software was an oversight by the development team for these routers.

Cisco bug ID: CSCvq34370

Hardcoded Password Hashes

The /etc/shadow file included in Cisco firmware for the following Cisco products contains hardcoded password hashes for the users root, cisco, and lldpd.

  • RV016 Multi-WAN VPN Router
  • RV042 Dual WAN VPN Router
  • RV042G Dual Gigabit WAN VPN Router
  • RV082 Dual WAN VPN Router

The /etc/shadow file is not consulted during user authentication by the firmware. Instead, a dedicated alternate user database is used to authenticate users who log in to the web-based management interface of the affected routers.

An attacker with access to the base operating system on an affected device could exploit this issue to obtain elevated privileges at the level of the root, cisco, or lldpd user. However, Cisco is not currently aware of a way to access the base operating system on these routers.

Cisco bug ID: CSCvq34376
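
Both RV-series notices above describe leftovers (static private keys, password hashes in /etc/shadow) that can be caught by auditing the unpacked firmware before release. The following Python script is an added example, not Cisco code or tooling: it walks an already-extracted root filesystem and reports PEM private keys and shadow accounts that carry a hash. The sample tree, file names and hash strings are constructed.

```python
import re
import tempfile
from pathlib import Path

# PEM armour for any private key type (RSA, EC, OPENSSH, PKCS#8, ENCRYPTED ...).
PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")

def shadow_hashes(shadow_text):
    """Return account names whose shadow entry carries a password hash."""
    accounts = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        # Empty, "*", "x" or "!..." password fields hold no hash.
        if len(fields) >= 2 and fields[1] not in ("", "*", "x") and not fields[1].startswith("!"):
            accounts.append(fields[0])
    return accounts

def audit_rootfs(root):
    """Walk an unpacked firmware root; report embedded keys and shadow hashes."""
    root = Path(root)
    findings = {"private_keys": [], "shadow_accounts": []}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip links so the walk never leaves the extracted tree
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if PEM_KEY.search(data):
            findings["private_keys"].append(rel)
        if rel == "etc/shadow":
            findings["shadow_accounts"] = shadow_hashes(data.decode("utf-8", "replace"))
    return findings

def build_sample_rootfs(root):
    """Constructed sample tree; names, keys and hashes are made up."""
    ssl = Path(root) / "etc" / "ssl"
    ssl.mkdir(parents=True)
    (ssl.parent / "shadow").write_text(
        "root:$1$CONSTRUCTED$notarealhash:0:0:99999:7:::\n"
        "cisco:$1$CONSTRUCTED$notarealhash:0:0:99999:7:::\n"
        "nobody:*:0:0:99999:7:::\n"
        "daemon:!:0:0:99999:7:::\n")
    (ssl / "test.pem").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
    (ssl / "test.crt").write_text(
        "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        print(audit_rootfs(tmp))
```

Keys stored in non-PEM encodings (DER, Dropbear host key files) are not matched by this pattern and need their own checks.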

Multiple Vulnerabilities in Third-Party Software Components

Third-party software (TPS) components in the firmware for the following products contain vulnerabilities:

  • RV016 Multi-WAN VPN Router
  • RV042 Dual WAN VPN Router
  • RV042G Dual Gigabit WAN VPN Router
  • RV082 Dual WAN VPN Router

Cisco will handle these vulnerabilities by using the regular Cisco process for TPS vulnerabilities in accordance with the Cisco Security Vulnerability Policy. For information about known TPS vulnerabilities that affect the firmware for these routers, consult the Cisco Bug Search Tool.

Security Impact Rating: Informational


WSS recognizing traffic as from “No User”

I need a solution

Hi guys,

Based on the policy trace made from the ProxySG, we can see that traffic to URL is coming from user’s AD but when it comes to the logs on the WSS it is showing as sourced from “No User” instead of user’s AD. Anyone have an idea why WSS will tag a traffic as sourced from “No User” even though ProxySG recognizes user’s AD as source?

Setup is we have a ProxySG forwarding the traffic to WSS.
There is no configuration to bypass authentication on ProxySG and WSS.

Thanks in advance for your inputs. 🙂


Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software OSPF LSA Processing Denial of Service Vulnerability

A vulnerability in the Open Shortest Path First (OSPF) implementation of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, adjacent attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software improperly parses certain options in OSPF link-state advertisement (LSA) type 11 packets. An attacker could exploit this vulnerability by sending a crafted LSA type 11 OSPF packet to an affected device. A successful exploit could allow the attacker to cause a reload of the affected device, resulting in a DoS condition for client traffic that is traversing the device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-asa-ospf-lsa-dos

This advisory is part of the October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 10 Cisco Security Advisories that describe 18 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2019-12676


Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SIP Inspection Denial of Service Vulnerability

A vulnerability in the Session Initiation Protocol (SIP) inspection module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to improper parsing of SIP messages. An attacker could exploit this vulnerability by sending a malicious SIP packet through an affected device. A successful exploit could allow the attacker to trigger an integer underflow, causing the software to try to read unmapped memory and resulting in a crash.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-asa-ftd-sip-dos

This advisory is part of the October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 10 Cisco Security Advisories that describe 18 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2019-12678


Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IKEv1 Denial of Service Vulnerability

A vulnerability in the Internet Key Exchange version 1 (IKEv1) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper management of system memory. An attacker could exploit this vulnerability by sending malicious IKEv1 traffic to an affected device. The attacker does not need valid credentials to authenticate the VPN session, nor does the attacker’s source address need to match a peer statement in the crypto map applied to the ingress interface of the affected device. An exploit could allow the attacker to exhaust system memory resources, leading to a reload of an affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-asa-ftd-ikev1-dos

This advisory is part of the October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 10 Cisco Security Advisories that describe 18 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2019-15256


Cisco Firepower Management Center Remote Code Execution Vulnerability

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system of an affected device.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending malicious commands to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-fmc-rce-12689

This advisory is part of the October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 10 Cisco Security Advisories that describe 18 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2019-12689


Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software FTP Inspection Denial of Service Vulnerability

A vulnerability in the FTP inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient validation of FTP data. An attacker could exploit this vulnerability by sending malicious FTP traffic through an affected device. A successful exploit could allow the attacker to cause a DoS condition on the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-asa-dos

This advisory is part of the October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 10 Cisco Security Advisories that describe 18 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2019-12673


Cisco Adaptive Security Appliance and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerability

A vulnerability in the Clientless SSL VPN (WebVPN) portal of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-asa-xss

Security Impact Rating: Medium

CVE: CVE-2019-12695
