Cisco: These 12 high-severity bugs in ASA and Firepower security software need patching

Cisco has fixes for a dozen high-severity flaws in Adaptive Security Appliance and Firepower Threat Defense software.


Cisco has disclosed a dozen high-severity flaws affecting its Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software. 

The updates address eight denial-of-service issues affecting its security software, an information disclosure vulnerability, a memory-leak flaw, a path-traversal vulnerability, and an authentication bypass. 

The bug with the highest CVSS score of 9.1 in this ASA and FTD disclosure bundle is a path-traversal vulnerability in ASA and FTD software, which is tracked as CVE-2020-3187 and was reported by Mikhail Klyuchnikov of security company Positive Technologies. 


An attacker can exploit the issue by sending a crafted HTTP request containing directory traversal character sequences, allowing the attacker to view or delete files on the system. 

However, Cisco notes that when the device is reloaded after exploitation, any files that were deleted are restored. Also, the attacker can only view and delete files within the web services file system, which is enabled when the device is configured with WebVPN or AnyConnect features.

The authentication bypass, tracked as CVE-2020-3125, arises because Cisco's ASA doesn't properly verify the identity of the Kerberos key distribution center (KDC) when it successfully receives an authentication response.

"An attacker could exploit this vulnerability by spoofing the KDC server response to the ASA device. This malicious response would not have been authenticated by the KDC. A successful attack could allow an attacker to bypass Kerberos authentication," Cisco warns. 

The issue affects ASA with Kerberos authentication configured for VPN or local device access. 

Cisco notes that after installing the fixed upgrade, admins still need to make configuration changes to address the vulnerability. ASA devices can still be exploited unless the command-line interface commands 'validate-kdc' and 'aaa kerberos import-keytab' are configured.
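As an added example (not from the article or from Cisco), the following Python check scans an ASA-style running-config for Kerberos aaa-server groups that do not have validate-kdc enabled, so an administrator can confirm the post-upgrade step described above was actually completed. The sample config is constructed, and the placement of validate-kdc as an indented line inside the 'aaa-server <tag> protocol kerberos' block is assumed from ASA configuration modes.

```python
"""Find ASA Kerberos aaa-server groups that still lack 'validate-kdc'."""
import re
from typing import Dict, List

# Constructed sample config (not a real device): two Kerberos groups,
# only KERB-VPN has validate-kdc set; the RADIUS group must be ignored.
SAMPLE_CONFIG = """\
hostname asa-edge
aaa-server KERB-VPN protocol kerberos
 reactivation-mode depletion deadtime 10
 validate-kdc
aaa-server KERB-VPN (inside) host 10.0.0.5
 kerberos-realm EXAMPLE.COM
aaa-server KERB-ADMIN protocol kerberos
aaa-server KERB-ADMIN (inside) host 10.0.0.6
 kerberos-realm EXAMPLE.COM
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.7
 key *****
"""

# Matches the group-definition line only, not the per-host lines.
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)\s*$")


def kerberos_groups(config: str) -> Dict[str, bool]:
    """Map each Kerberos group tag to whether 'validate-kdc' is set.

    Assumption: group-mode settings follow the group-definition line as
    indented lines, and any non-indented line ends that block.
    """
    groups: Dict[str, bool] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            m = GROUP_RE.match(line)
            current = m.group(1) if m and m.group(2).lower() == "kerberos" else None
            if current is not None:
                groups.setdefault(current, False)
            continue
        if current is not None and line.strip() == "validate-kdc":
            groups[current] = True
    return groups


def unvalidated_groups(config: str) -> List[str]:
    """Kerberos group tags still accepting unauthenticated KDC responses."""
    return sorted(tag for tag, ok in kerberos_groups(config).items() if not ok)


if __name__ == "__main__":
    for tag in unvalidated_groups(SAMPLE_CONFIG):
        print(f"{tag}: validate-kdc missing; import a keytab and enable it")
```

The keytab import is an exec-mode action rather than a line in the running-config, so this check covers only the validate-kdc half of the remediation.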

Yoav Iellin, Yaron Kassner, Dor Segal, and Rotem Zach of Israeli security firm Silverfort reported the bug to Cisco.

The memory-leak issue, tracked as CVE-2020-3195, arises because ASA and FTD incorrectly process some Open Shortest Path First (OSPF) packets, which an attacker can exploit by sending specially crafted OSPF packets to an affected device. The attacker could then continuously use up a device's memory until it reloads, triggering a denial of service.


The vulnerability affects ASA or FTD configured to support OSPF routing with the capability to process Link-Local Signaling (LLS) blocks. LLS block processing is enabled by default, Cisco notes. 

ASA and FTD software configured with the DNS over IPv6 protocol are also vulnerable to a denial-of-service vulnerability that's tracked as CVE-2020-3191. 

A remote attacker without credentials can exploit this bug by sending a crafted DNS query over IPv6, which traverses the affected device, according to Cisco. This could allow the attacker to trigger a device reload, causing a DoS. 

Besides the dozen ASA and FTD high-severity bugs, Cisco disclosed 22 medium-severity flaws affecting ASA, FTD and other Cisco products.  
