Six advisories are included in the semi-annual Cisco Adaptive Security Appliance Software (ASA), Firepower Management Center (FMC) Software, and Firepower Threat Defense (FTD) Software Securi

Threat ID:CC-4502

Threat Severity:Medium

Published:28 May 2024 3:16 PM

Summary

Six advisories are included in the semi-annual Cisco Adaptive Security Appliance Software (ASA), Firepower Management Center (FMC) Software, and Firepower Threat Defense (FTD) Software Security Advisory bundled publication

Affected platforms

The following platforms are known to be affected:

Cisco FirePower Threat Defense (FTD)

Cisco Adaptive Security Appliance (ASA) Software

Cisco Firepower Management Center (FMC) Software

Threat details

Cisco Software Checker

To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities.

Introduction

Cisco has released six security advisories that cover six vulnerabilities in its semi-annual bundle of Cisco Adaptive Security Appliance Software (ASA), Firepower Management Center (FMC) Software, and Firepower Threat Defense (FTD) Software Advisories.

The one high impact advisory concerns a SQL injection vulnerability, which when exploited, could allow an authenticated, remote attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least 'Read Only' user credentials.

The five medium impact advisories included in the bundle address five bypass vulnerabilities. A remote, unauthenticated attacker could exploit some of these vulnerabilities to access otherwise controlled areas of an affected system.

Exploitation of vulnerabilities connected with sophisticated "ArcaneDoor" campaign

Cisco has confirmed that all of the fixed software releases that are part of this bundle also include the fix for the vulnerabilities that were involved in the ArcaneDoor exploitation campaign, described in CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359.

NHS England released high severity Cyber Alert CC-4483 in April 2024 to address these vulnerabilities.

Remediation advice

Affected organisations are encouraged to review May 2024 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication and the following Cisco Security Advisories and apply the necessary updates or workarounds.

Remediation steps


Patch	Cisco Firepower Management Center Software SQL Injection Vulnerability \| cisco-sa-fmc-sqli-WFFDnNOs https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-sqli-WFFDnNOs
Patch	Cisco Adaptive Security Appliance and Firepower Threat Defense Software Inactive-to-Active ACL Bypass Vulnerability \| cisco-sa-asaftd-ogsnsg-aclbyp-3XB8q6jX https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ogsnsg-aclbyp-3XB8q6jX
Patch	Cisco Firepower Management Center Software Object Group Access Control List Bypass Vulnerability \| cisco-sa-fmc-object-bypass-fTH8tDjq https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-object-bypass-fTH8tDjq
Patch	Cisco Firepower Threat Defense Software Encrypted Archive File Policy Bypass Vulnerability \| cisco-sa-ftd-archive-bypass-z4wQjwcN https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-archive-bypass-z4wQjwcN
Patch	Multiple Cisco Products Snort 3 HTTP Intrusion Prevention System Rule Bypass Vulnerability \| cisco-sa-snort3-ips-bypass-uE69KBMd https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-ips-bypass-uE69KBMd
Patch	Cisco Adaptive Security Appliance and Firepower Threat Defense Software Authorization Bypass Vulnerability \| cisco-sa-asaftd-saml-bypass-KkNvXyKW https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-saml-bypass-KkNvXyKW

Definitive source of threat updates

https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75298

https://tools.cisco.com/security/center/publicationListing.x

CVE Vulnerabilities

StatusPublished

CVE-2024-20360A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials.

StatusPublished

CVE-2024-20293A vulnerability in the activation of an access control list (ACL) on Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the protection that is offered by a configured ACL on an affected device. This vulnerability is due to a logic error that occurs when an ACL changes from inactive to active in the running configuration of an affected device. An attacker could exploit this vulnerability by sending traffic through the affected device that should be denied by the configured ACL. The reverse condition is also true;traffic that should be permitted could be denied by the configured ACL. A successful exploit could allow the attacker to bypass configured ACL protections on the affected device, allowing the attacker to access trusted networks that the device might be protecting. Note: This vulnerability applies to both IPv4 and IPv6 traffic as well as dual-stack ACL configurations in which both IPv4 and IPv6 ACLs are configured on an interface.

StatusPublished

CVE-2024-20361A vulnerability in the Object Groups for Access Control Lists (ACLs) feature of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass configured access controls on managed devices that are running Cisco Firepower Threat Defense (FTD) Software. This vulnerability is due to the incorrect deployment of the Object Groups for ACLs feature from Cisco FMC Software to managed FTD devices in high-availability setups. After an affected device is rebooted following Object Groups for ACLs deployment, an attacker can exploit this vulnerability by sending traffic through the affected device. A successful exploit could allow the attacker to bypass configured access controls and successfully send traffic to devices that are expected to be protected by the affected device.

StatusPublished

CVE-2024-20261A vulnerability in the file policy feature that is used to inspect encrypted archive files of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured file policy to block an encrypted archive file. This vulnerability exists because of a logic error when a specific class of encrypted archive files is inspected. An attacker could exploit this vulnerability by sending a crafted, encrypted archive file through the affected device. A successful exploit could allow the attacker to send an encrypted archive file, which could contain malware and should have been blocked and dropped at the Cisco FTD device.

StatusPublished

CVE-2024-20363Multiple Cisco products are affected by a vulnerability in the Snort Intrusion Prevention System (IPS) rule engine that could allow an unauthenticated, remote attacker to bypass the configured rules on an affected system. This vulnerability is due to incorrect HTTP packet handling. An attacker could exploit this vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass configured IPS rules and allow uninspected traffic onto the network.

StatusPublished

CVE-2024-20355A vulnerability in the implementation of SAML 2.0 single sign-on (SSO) for remote access VPN services in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to successfully establish a VPN session on an affected device. This vulnerability is due to improper separation of authorization domains when using SAML authentication. An attacker could exploit this vulnerability by using valid credentials to successfully authenticate using their designated connection profile (tunnel group), intercepting the SAML SSO token that is sent back from the Cisco ASA device, and then submitting the same SAML SSO token to a different tunnel group for authentication. A successful exploit could allow the attacker to establish a remote access VPN session using a connection profile that they are not authorized to use and connect to secured networks behind the affected device that they are not authorized to access. For successful exploitation, the attacker must have valid remote access VPN user credentials.

Last edited: 28 May 2024 3:16 pm