AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
ESB-2022.5775 - [Linux] Cortex XSOAR: CVSS (Max): 6.7
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5775
CVE-2022-0031 Cortex XSOAR: Local Privilege Escalation (PE)
Vulnerability in Cortex XSOAR Engine
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cortex XSOAR
Publisher: Palo Alto Networks
Operating System: Linux variants
Resolution: Patch/Upgrade
CVE Names: CVE-2022-0031
Original Bulletin:
https://securityadvisories.paloaltonetworks.com/CVE-2022-0031
Comment: CVSS (Max): 6.7 CVE-2022-0031 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Palo Alto Networks Security Advisories / CVE-2022-0031
CVE-2022-0031 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in
Cortex XSOAR Engine
Severity: 6.7 (MEDIUM)
Attack Vector: LOCAL
Scope: UNCHANGED
Attack Complexity: LOW
Confidentiality Impact: HIGH
Privileges Required: HIGH
Integrity Impact: HIGH
User Interaction: NONE
Availability Impact: HIGH
Published 2022-11-09
Updated 2022-11-09
Reference CRTX-57476
Discovered externally
Description
A local privilege escalation (PE) vulnerability in the Palo Alto Networks
Cortex XSOAR engine software running on a Linux operating system allows a local
attacker with shell access to the engine to execute programs with elevated
privileges.
Product Status
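+------------------+--------------------------+---------------------------+
| Versions         | Affected                 | Unaffected                |
+------------------+--------------------------+---------------------------+
| Cortex XSOAR 6.9 | < 6.9.0.130766 on Linux  | >= 6.9.0.130766 on Linux  |
| Cortex XSOAR 6.8 | all                      |                           |
| Cortex XSOAR 6.6 | all                      |                           |
| Cortex XSOAR 6.5 | all                      |                           |
+------------------+--------------------------+---------------------------+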
Required Configuration for Exposure
This issue is applicable only to Cortex XSOAR engine software running on a
Linux operating system that was installed through the shell method.
Please see the following link for more Cortex XSOAR engine installation
information:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-9/cortex-xsoar-admin/engines/install-deploy-and-configure-demisto-engines
Severity: MEDIUM
CVSSv3.1 Base Score: 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-345 Insufficient Verification of Data Authenticity
Solution
This issue is fixed in Cortex XSOAR engine software available in Cortex XSOAR
6.9.0 build 130766 and all later versions of Cortex XSOAR.
Workarounds and Mitigations
There are no known workarounds for this issue.
Acknowledgments
Palo Alto Networks thanks Olivier Caillault for discovering and reporting this
issue.
Timeline
2022-11-09 Initial publication
(C) 2022 Palo Alto Networks, Inc. All rights reserved.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5774 - [Cisco] Cisco Products : CVSS (Max): 5.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5774
Multiple Cisco Products Snort SMB2 Detection Engine Policy
Bypass and Denial of Service Vulnerabilities
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Server Message Block Version 2
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20943 CVE-2022-20922
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-smb-3nfhJtr
Comment: CVSS (Max): 5.8 CVE-2022-20943 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple Cisco Products Snort SMB2 Detection Engine Policy Bypass and Denial of
Service Vulnerabilities
Priority: Medium
Advisory ID: cisco-sa-snort-smb-3nfhJtr
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: Yes
Cisco Bug IDs: CSCvy97080 CSCwa55404 CSCwb66736 CSCwb78519 CSCwb87762
CSCwb91454 CSCwc37339 CSCwc37518
CVE Names: CVE-2022-20922 CVE-2022-20943
CWEs: CWE-244
Summary
o Multiple vulnerabilities in the Server Message Block Version 2 (SMB2)
processor of the Snort detection engine on multiple Cisco products could
allow an unauthenticated, remote attacker to bypass the configured policies
or cause a denial of service (DoS) condition on an affected device.
These vulnerabilities are due to improper management of system resources
when the Snort detection engine is processing SMB2 traffic. An attacker
could exploit these vulnerabilities by sending a high rate of certain types
of SMB2 packets through an affected device. A successful exploit could
allow the attacker to trigger a reload of the Snort process, resulting in a
DoS condition.
Note: When the snort preserve-connection option is enabled for the Snort
detection engine, a successful exploit could also allow the attacker to
bypass the configured policies and deliver a malicious payload to the
protected network. The snort preserve-connection setting is enabled by
default. See the Details section of this advisory for more information.
Note: Only products that have Snort 3 configured are affected. Products
that are configured with Snort 2 are not affected.
Cisco has released software updates that address these vulnerabilities.
There are workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-smb-3nfhJtr
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, these vulnerabilities affected Open Source
Snort 3.
For information about which Snort releases were vulnerable at the time of
publication, see the Fixed Software section of this advisory. For more
information on Snort, see the Snort website.
Impact to Cisco Products
At the time of publication, these vulnerabilities affected the following
Cisco products if they were running a vulnerable release of Cisco software:
Cyber Vision
FirePOWER Services - All platforms
Firepower Threat Defense (FTD) Software - All platforms
Meraki MX Security Appliances [1]
Umbrella Secure Internet Gateway (SIG)
[1] See the Products Confirmed Not Vulnerable section of this advisory for a
list of Meraki devices that are not affected by these vulnerabilities.
For information about which Cisco software releases were vulnerable at the
time of publication, see the Fixed Software section of this advisory. See
the Details section in the bug ID(s) at the top of this advisory for the
most complete and current information.
Determine Cisco FTD Software Configuration
On new installations of Cisco FTD Software releases 7.0.0 and later, Snort
3 is running by default. On devices that were running Cisco FTD Software
Release 6.7.0 or earlier and were upgraded to Release 7.0.0 or later, Snort
2 is running by default.
Determine Cisco FTD Software Configuration Using the FTD Software CLI
To determine whether Snort 3 is configured on a device that is running
Cisco FTD Software, log in to the Cisco FTD Software CLI and use the show
snort3 status command. If the command produces the following output, the
device is running Snort 3 and is affected by these vulnerabilities:
show snort3 status
Currently running Snort 3
Determine Cisco FTD Software Configuration for Cisco Firepower Management
Center Software-Managed Devices
To determine whether Snort 3 is configured on a device that is managed by
Cisco Firepower Management Center (FMC) Software, complete the following
steps:
1. Log in to the Cisco FMC Software web interface.
2. From the Devices menu, choose Device Management.
3. Choose the appropriate Cisco FTD device.
4. Click the Edit pencil icon.
5. Choose the Device tab and look in the Inspection Engine area.
If Snort 2 is listed, the device is not affected by these
vulnerabilities.
If Snort 3 is listed, the device is affected by these
vulnerabilities.
Determine Cisco FTD Software Configuration for Cisco Firepower Device
Manager Software-Managed Devices
To determine whether Snort 3 is configured on a device that is managed by
Cisco Firepower Device Manager (FDM) Software, complete the following
steps:
1. Log in to the Cisco FTD Software web interface.
2. From the main menu, choose Policies.
3. Choose the Intrusion tab.
4. Look for the Inspection Engine version. The version will start with
either a 2 for Snort 2 or a 3 for Snort 3.
If the device is running a Snort 2 version, it is not affected by
these vulnerabilities.
If the device is running a Snort 3 version, it is affected by these
vulnerabilities.
Determine Cisco FTD Software Configuration for Cisco Defense
Orchestrator-Managed Devices
To determine whether Snort 3 is configured on a device that is managed by
Cisco Defense Orchestrator, complete the following steps:
1. Log in to the Cisco Defense Orchestrator web interface.
2. From the Inventory menu, choose the appropriate Cisco FTD device.
3. In the Device Details area, look for Snort Version. The version will
start with either a 2 for Snort 2 or a 3 for Snort 3.
If the device is running a Snort 2 version, it is not affected by
these vulnerabilities.
If the device is running a Snort 3 version, it is affected by these
vulnerabilities.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following
products:
Cisco 1000 Series Integrated Services Routers (ISRs)
Cisco 4000 Series Integrated Services Routers (ISRs)
Cisco Adaptive Security Appliance (ASA) Software
Cisco Catalyst 8000V Edge Software
Cisco Catalyst 8200 Series Edge Platforms
Cisco Catalyst 8300 Series Edge Platforms
Cisco Catalyst 8500 Series Edge Platforms
Cisco Catalyst 8500L Series Edge Platforms
Cisco Cloud Services Routers 1000V
Cisco Firepower Management Center (FMC) Software
Cisco Meraki MX64 and MX64w Appliances
Cisco Meraki MX65 and MX65w Appliances
Cisco Integrated Services Virtual Routers (ISRv)
Open Source Snort 2
Details
o snort preserve-connection Settings
The impact of these vulnerabilities can be twofold, depending on whether
the snort preserve-connection setting is enabled or disabled and whether a
traffic flow began before the Snort process went down or began while the
Snort process was down.
The behavior for traffic flows that were established before the Snort
process went down is configuration dependent. The behavior for traffic
flows that begin while the Snort process is down is not configuration
dependent and always results in a DoS condition. For details on the snort
preserve-connection setting, see the Cisco Secure Firewall Threat Defense
Command Reference and the Snort Restart Traffic Behavior section of the
Firepower Management Center Configuration Guide.
snort preserve-connection Is Enabled
When the snort preserve-connection option is enabled for the Snort
detection engine, existing traffic flows are not dropped when the Snort
process goes down. Instead, existing traffic flows bypass the Snort
detection engine. A successful exploit could allow an attacker to bypass
the configured policies and deliver a malicious payload to the protected
network. Traffic flows that begin while the Snort process is down are
dropped, resulting in a DoS condition.
The CVSS score for existing traffic flows is as follows:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
The CVSS score for new traffic flows is as follows:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
snort preserve-connection Is Disabled
When the snort preserve-connection option is disabled for the Snort
detection engine, existing traffic flows are dropped. A successful exploit
could result in a DoS condition. Traffic flows that begin while the Snort
process is down are also dropped, resulting in a DoS condition.
The CVSS score is the same for both new and existing traffic flows:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Determine the Cisco FTD Software Configuration
The snort preserve-connection setting is enabled by default. To view the
current setting, log in to the Cisco FTD Software CLI and use the show
running-config | include snort command. There are no GUI options for
viewing the setting.
If the command produces the following output, snort preserve-connection is
enabled on the device:
> show running-config | include snort
snort preserve-connection
>
If the command produces the following output, snort preserve-connection is
disabled on the device:
> show running-config | include snort
no snort preserve-connection
>
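The two checks above (show snort3 status and show running-config | include snort) can be combined into one exposure assessment over captured CLI output. The following is an added example, not part of the Cisco advisory; the function names are hypothetical and the sample outputs are constructed from the output shown in this advisory.

```python
import re

# CVSS vectors quoted in the Details section of this advisory.
VECTOR_BYPASS = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"
VECTOR_DOS = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"

# Constructed samples, copied from the output shown in the advisory.
STATUS_SNORT3 = "show snort3 status\nCurrently running Snort 3\n"
CONFIG_ENABLED = "> show running-config | include snort\nsnort preserve-connection\n>\n"
CONFIG_DISABLED = "> show running-config | include snort\nno snort preserve-connection\n>\n"


def running_snort3(status_output):
    """True only if the output contains the exact Snort 3 status line."""
    return any(line.strip() == "Currently running Snort 3"
               for line in status_output.splitlines())


def preserve_connection(config_output):
    """Return True/False for the setting, or None if no matching line exists.

    A substring test is wrong here: 'no snort preserve-connection' contains
    'snort preserve-connection', so every line is matched in full.
    """
    state = None
    for raw in config_output.splitlines():
        line = raw.strip()
        if re.fullmatch(r"no\s+snort\s+preserve-connection", line):
            state = False
        elif re.fullmatch(r"snort\s+preserve-connection", line):
            state = True
    return state


def assess(status_output, config_output):
    """Map the two command outputs to the impact described in Details."""
    if not running_snort3(status_output):
        # Snort 3 not confirmed by the output; the advisory covers Snort 3 only.
        return {"snort3": False, "preserve_connection": None,
                "existing_flows": None, "new_flows": None}
    preserve = preserve_connection(config_output)
    if preserve is None:
        existing = ("undetermined", None)
    elif preserve:
        # Existing flows bypass the detection engine while Snort is down.
        existing = ("bypass inspection", VECTOR_BYPASS)
    else:
        existing = ("dropped", VECTOR_DOS)
    # Flows that begin while Snort is down are dropped in either configuration.
    return {"snort3": True, "preserve_connection": preserve,
            "existing_flows": existing, "new_flows": ("dropped", VECTOR_DOS)}


if __name__ == "__main__":
    for name, cfg in (("enabled", CONFIG_ENABLED), ("disabled", CONFIG_DISABLED)):
        print(name, assess(STATUS_SNORT3, cfg))
```
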
Workarounds
o There is a workaround that addresses these vulnerabilities. To remove the
attack vector for these vulnerabilities for Cisco FMC Software-managed
devices and Cisco Defense Orchestrator-managed devices, configure a
fastpath prefilter rule to bypass the Snort detection engine. To remove the
attack vector for these vulnerabilities for Cisco Firepower Device Manager
(FDM)-managed devices, configure an access control rule to bypass the Snort
detection engine.
Workaround for Cisco FMC Software-Managed Devices
To configure a fastpath prefilter rule for SMB traffic for Cisco FMC
Software-managed devices, do the following:
1. Log in to the FMC web interface.
2. From the Policies menu, under the Access Control section, choose
Prefilter.
3. Choose New Policy.
4. Enter the Name and Description and click Save.
5. In the resulting window, ensure that Default Action: Tunnel Traffic is
set to Analyze all tunnel traffic.
6. Click Add Prefilter Rule.
7. In the resulting window, enter a rule Name and ensure the Enabled box
is checked.
8. From the Action drop-down menu, choose Fastpath.
9. Configure the policy under the Interfaces, Networks, and Vlan Tags
tabs for SMB traffic on the affected network.
10. Click the Port tab.
11. Enter the following destination ports for SMB traffic: TCP (6):138,
TCP (6):139, TCP (6):445 and UDP (17):137.
12. Click Add to add the policy.
13. Click Save to save the policy.
To associate the SMB prefilter policy with the access control policy
deployed on Cisco FMC Software-managed devices, do the following:
1. From the Policies menu, under the Access Control section, choose Access
Control.
2. Find the policy of interest.
3. Click the Edit icon.
4. Click the name next to Prefilter Policy.
5. Choose the name of the newly created SMB prefilter policy from the
drop-down menu.
6. Click OK.
For more information, see the Prefiltering and Prefilter Policies chapter
of the Firepower Management Center Device Configuration Guide.
Workaround for Cisco FDM-Managed Devices
Fastpath is not supported on Cisco FDM-managed devices. Instead, set an
access control policy with an action of trust for the appropriate ports.
To configure an access control policy to bypass SMB traffic for Cisco
FDM-managed devices, do the following:
1. Log in to the Cisco FDM web interface.
2. From the Policies menu, choose Access Control.
3. Create a new policy by clicking the plus (+) sign.
4. Enter a name and under the Action drop-down menu, choose Trust.
5. In the Port section, click the plus (+) sign.
6. Select Create new Port.
7. Enter a name, protocol type, and port number for each of the following
ports: TCP (6):138, TCP (6):139, TCP (6):445, and UDP (17):137.
8. Once the ports have been created, select the four ports to be added to
the rule by selecting their names.
9. Click OK when done.
10. Click OK to add the policy.
11. Deploy changes to Cisco FTD Software.
For more information, see the Access Control Chapter of the Cisco Firepower
Threat Defense Configuration Guide for Firepower Device Manager.
Workaround for Cisco Defense Orchestrator-Managed Devices
To configure a fastpath prefilter rule for SMB traffic for Cisco Defense
Orchestrator-managed devices, do the following:
1. Log in to the Cisco Defense Orchestrator web interface.
2. From the Policies menu, choose FTD Policies.
3. From the Policies menu, under the Access Control section, choose
Prefilter.
4. Click New Policy.
5. Enter the Name and Description and click Save.
6. In the resulting window, ensure that Default Action: Tunnel Traffic is
set to Analyze all tunnel traffic.
7. Click Add Prefilter Rule.
8. In the resulting window, enter a rule Name and ensure the Enabled box
is checked.
9. From the Action drop-down menu, select Fastpath.
10. Configure the policy under the Interfaces, Networks, and Vlan Tags
tabs for SMB traffic on the affected network.
11. Click the Port tab.
12. Enter the following destination ports for SMB traffic: TCP (6):138,
TCP (6):139, TCP (6):445, and UDP (17):137.
13. Click Add to add the policy.
14. Click Save to save the policy.
To associate the SMB prefilter policy with the access control policy
deployed on Cisco Defense Orchestrator-managed devices, do the following:
1. From the Policies menu, under the Access Control section, choose Access
Control.
2. Find the policy of interest.
3. Click the Edit icon.
4. Click the name next to Prefilter Policy.
5. Choose the name of the newly created SMB prefilter policy from the
drop-down menu.
6. Click OK.
For more information, see the Cisco Defense Orchestrator website.
While this workaround has been deployed and was proven successful in a test
environment, customers should determine the applicability and effectiveness
in their own environment and under their own use conditions. Customers
should be aware that any workaround or mitigation that is implemented may
negatively impact the functionality or performance of their network based
on intrinsic customer deployment scenarios and limitations. Customers
should not deploy any workarounds or mitigations before first evaluating
the applicability to their own environment and any impact to such
environment.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco ASA, FMC, and FTD Software: CSCwb87762, CSCwb66736, CSCwa55404,
CSCvy97080
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
described in all the advisories that the Software Checker identifies
("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only High
and Critical advisories, or only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform (for Cisco ASA and FTD Software only).
4. Enter a release number, for example, 16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
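Cyber Vision: CSCwc37339, CSCwc37518, CSCwb78519
At the time of publication, the release information in the following
table(s) was accurate. See the Details section in the bug ID(s) at the top of
this advisory for the most complete and current information.
+----------------------------+-------------------------------------------+
| Cisco Cyber Vision Release | First Fixed Release for CVE-2022-20922    |
|                            | and CVE-2022-20943                        |
+----------------------------+-------------------------------------------+
| 3.x                        | Migrate to a fixed release.               |
| 4.0                        | Migrate to a fixed release.               |
| 4.1                        | 4.1.2                                     |
+----------------------------+-------------------------------------------+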
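Meraki MX Security Appliances
+--------------------------+-------------------------+-------------------------+
| Cisco Meraki MX Security | First Fixed Release for | First Fixed Release for |
| Appliances Release       | CVE-2022-20922          | CVE-2022-20943          |
+--------------------------+-------------------------+-------------------------+
| MX15 and earlier         | None planned.           | Migrate to a fixed      |
|                          |                         | release.                |
| MX16                     | None planned.           | Hotfix available for    |
|                          |                         | 16.6.7 (Nov 22, 2022)   |
| MX17                     | None planned.           | Hotfix available for    |
|                          |                         | 17.11.1 (Nov 22, 2022)  |
| MX18                     | None planned.           | Hotfix available for    |
|                          |                         | 18.1.3 (Nov 22, 2022)   |
+--------------------------+-------------------------+-------------------------+
Snort: CSCwb87762, CSCwb66736, CSCwa55404, CSCvy97080
+---------------+-------------------------+-------------------------+
| Snort Release | First Fixed Release for | First Fixed Release for |
|               | CVE-2022-20922          | CVE-2022-20943          |
+---------------+-------------------------+-------------------------+
| 2.x           | Not vulnerable          | Not vulnerable          |
| 3.x           | 3.1.31.0                | Not vulnerable          |
+---------------+-------------------------+-------------------------+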
Umbrella SIG: CSCwb91454
Cisco plans to address these vulnerabilities in Cisco Umbrella SIG, which
is cloud based. No user action is required.
Customers who need additional information are advised to contact Cisco
Umbrella Support at umbrella-support@cisco.com or their contracted
maintenance providers.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
The Cisco Product Security Incident Response Team (PSIRT) validates only
the affected and fixed release information that is documented in this
advisory.
Exploitation and Public Announcements
o The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerabilities that are described in this advisory.
Source
o These vulnerabilities were found during the resolution of a Cisco TAC
support case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-smb-3nfhJtr
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-NOV-09 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5773 - [Cisco] Cisco Secure Firewall 3100 Series: CVSS (Max): None
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5773
Cisco Secure Firewall 3100 Series Secure Boot Bypass Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Secure Firewall 3100 Series
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20826
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fw3100-secure-boot-5M8mUh26
Comment: CVSS (Max): None available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Secure Firewall 3100 Series Secure Boot Bypass Vulnerability
Priority: High
Advisory ID: cisco-sa-fw3100-secure-boot-5M8mUh26
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwb08411
CVE Names: CVE-2022-20826
CWEs: CWE-501
Summary
o A vulnerability in the secure boot implementation of Cisco Secure Firewalls
3100 Series that are running Cisco Adaptive Security Appliance (ASA)
Software or Cisco Firepower Threat Defense (FTD) Software could allow an
unauthenticated attacker with physical access to the device to bypass the
secure boot functionality.
This vulnerability is due to a logic error in the boot process. An attacker
could exploit this vulnerability by injecting malicious code into a
specific memory location during the boot process of an affected device. A
successful exploit could allow the attacker to execute persistent code at
boot time and break the chain of trust.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fw3100-secure-boot-5M8mUh26
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects Cisco Secure Firewalls 3100 Series if they were
running a release of Cisco ASA Software or Cisco FTD Software that includes
a vulnerable firmware bundle version:
In Cisco ASA Software Release 9.17 and Cisco FTD Software Release 7.1,
firmware bundle versions earlier than 1.0.22 are vulnerable.
In Cisco ASA Software Release 9.18 and Cisco FTD Software Release 7.2,
firmware bundle versions earlier than 1.2.17 are vulnerable.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the Firmware Bundle Version
To determine which firmware bundle is running on a device, use the show
version detail CLI command at the Cisco FXOS CLI and look for the line
starting with Firmware-Vers. For information on how to log in to the Cisco
FXOS CLI, see the Cisco FXOS Troubleshooting Guide for the Firepower
1000/2100 and Secure Firewall 3100 with Firepower Threat Defense.
The following example shows the output of the show version detail command
on a device that is running firmware bundle release 1.2.15:
firepower# show version detail
Version: 7.2.0-82
Startup-Vers: 7.2.0-82
MANAGER:
Boot Loader:
Firmware-Vers: 1.2.15
Rommon-Vers: 1.1.08
Fpga-Vers: 0.19.00
Fpga-Golden-Vers: 0.17.00
NpuFpga-Vers: 1024.37.00
TamFpga-Vers: 2.6.c
Power-Sequencer-Vers: 1.6
Firmware-Status: OK
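A version check built from the rule and the sample output above, as an added example that is not part of the Cisco advisory. The names `parse_fields`, `version_tuple`, `assess` and the status strings are chosen here; it assumes the `Version:` line reports the running ASA or FTD release, as in the FTD sample, and the caller can pass the release explicitly when that does not hold.

```python
import re

# First fixed firmware bundle per release train, copied from this advisory.
FIRST_FIXED_BUNDLE = {
    ("ASA", "9.17"): "1.0.22",
    ("ASA", "9.18"): "1.2.17",
    ("FTD", "7.1"): "1.0.22",
    ("FTD", "7.2"): "1.2.17",
}

# Output of "show version detail" as printed in the advisory (bundle 1.2.15).
PAGE_SAMPLE = """\
firepower# show version detail
Version: 7.2.0-82
Startup-Vers: 7.2.0-82
MANAGER:
Boot Loader:
Firmware-Vers: 1.2.15
Rommon-Vers: 1.1.08
Firmware-Status: OK
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z-]+):[ \t]*(\S.*?)?\s*$")


def parse_fields(output):
    """Return {name: value} for 'Name: value' lines; the first occurrence wins.

    Section headers such as 'MANAGER:' carry no value and are skipped.
    """
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields.setdefault(m.group(1), m.group(2))
    return fields


def version_tuple(text):
    """Convert '1.0.22' to (1, 0, 22) so comparison is numeric, not lexical."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(output, product, release=None):
    """Classify a device as 'vulnerable', 'fixed', 'not-listed' or 'unknown'.

    The decision keys on the firmware bundle, not the software release,
    because the bundle is not downgraded when ASA/FTD software is.
    """
    fields = parse_fields(output)
    bundle = fields.get("Firmware-Vers")
    if bundle is None:
        return ("unknown", "no Firmware-Vers line in the output")
    if release is None:
        # Assumption: Version: holds the running ASA/FTD release.
        release = fields.get("Version", "")
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        return ("unknown", f"cannot read a release train from {release!r}")
    train = f"{m.group(1)}.{m.group(2)}"
    fixed = FIRST_FIXED_BUNDLE.get((product.upper(), train))
    if fixed is None:
        return ("not-listed", f"{product} {train} is not in the advisory's table")
    try:
        running = version_tuple(bundle)
    except ValueError as exc:
        return ("unknown", str(exc))
    if running < version_tuple(fixed):
        return ("vulnerable", f"bundle {bundle} is earlier than {fixed}")
    return ("fixed", f"bundle {bundle} is at or after {fixed}")


if __name__ == "__main__":
    print(assess(PAGE_SAMPLE, "FTD"))
    # Constructed input: a plain string compare would rank 1.0.9 above 1.0.22.
    print(assess("Firmware-Vers: 1.0.9\n", "ASA", release="9.17.1"))
```
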
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco Firepower
Management Center (FMC) Software.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
In the following table(s), the left column lists Cisco software releases.
The center column lists the firmware bundle version that includes the fix
for the vulnerability that is described in this advisory. The right column
lists the first software release that includes the fixed firmware bundle.
Customers are advised to upgrade to an appropriate fixed software release
as indicated in this section.
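+------------------+----------------------+-----------------------------------+
| Cisco ASA        | First Fixed Firmware | First Fixed Release That Includes |
| Software Release | Bundle Version       | the Fixed Firmware Bundle         |
+------------------+----------------------+-----------------------------------+
| 9.17             | 1.0.22               | 9.17.1.15                         |
| 9.18             | 1.2.17               | 9.18.2                            |
+------------------+----------------------+-----------------------------------+

+------------------+----------------------+-----------------------------------+
| Cisco FTD        | First Fixed Firmware | First Fixed Release That Includes |
| Software Release | Bundle Version       | the Fixed Firmware Bundle         |
+------------------+----------------------+-----------------------------------+
| 7.1              | 1.0.22               | 7.1.0.2                           |
| 7.2              | 1.2.17               | 7.2.1                             |
+------------------+----------------------+-----------------------------------+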
Note: When Cisco ASA Software or FTD Software is upgraded on a device, the
firmware bundle version is also upgraded automatically. If the Cisco ASA
Software or FTD Software is later downgraded, the firmware bundle version
is not downgraded. Once the firmware bundle is upgraded to a fixed version,
it will remain fixed, even if the Cisco ASA Software or FTD Software is
downgraded.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
The Cisco Product Security Incident Response Team (PSIRT) validates only
the affected and fixed release information that is documented in this
advisory.
Exploitation and Public Announcements
o The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability that is described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fw3100-secure-boot-5M8mUh26
Revision History
o +----------+---------------------------+----------+--------+--------------+
  | Version  | Description               | Section  | Status | Date         |
  +----------+---------------------------+----------+--------+--------------+
  | 1.0      | Initial public release.   | -        | Final  | 2022-NOV-09  |
  +----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5772 - [Cisco] Cisco Products: CVSS (Max): 6.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5772
Cisco Firepower Threat Defense Software and Cisco FXOS
Software Command Injection Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Firepower Threat Defense Software
Cisco FXOS Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20934
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-fxos-cmd-inj-Q9bLNsrK
Comment: CVSS (Max): 6.0 CVE-2022-20934 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Firepower Threat Defense Software and Cisco FXOS Software Command
Injection Vulnerability
Priority: Medium
Advisory ID: cisco-sa-ftd-fxos-cmd-inj-Q9bLNsrK
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwb41854 CSCwc02133
CVE Names: CVE-2022-20934
CWEs: CWE-77
Summary
o A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Software
and Cisco FXOS Software could allow an authenticated, local attacker to
execute arbitrary commands on the underlying operating system as root.
This vulnerability is due to improper input validation for specific CLI
commands. An attacker could exploit this vulnerability by injecting
operating system commands into a legitimate command. A successful exploit
could allow the attacker to escape the restricted command prompt and
execute arbitrary commands on the underlying operating system. To
successfully exploit this vulnerability, an attacker would need valid
Administrator credentials.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-fxos-cmd-inj-Q9bLNsrK
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco products if
they were running a vulnerable release of Cisco FTD Software.
At the time of publication, this vulnerability also affected the following
products if they were running a vulnerable release of Cisco FXOS Software:
Firepower 4100 Series
Firepower 9300 Series
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Adaptive Security Appliance (ASA) Software
Firepower 1000 Series
Firepower 2100 Series
Firepower Management Center (FMC) Software
Details
o For Cisco products that are listed as vulnerable in this security advisory,
Administrator accounts have access by default to the underlying operating
system through expert mode. In the most common scenario, an attacker would
not gain any benefit by exploiting this vulnerability because all the
command execution capabilities would be available to them through
legitimate means. However, for deployments in which administrators are
prevented from accessing the expert mode (for example, multi-Instance
deployments or systems configured with the system lockdown-sensor command),
this vulnerability can be exploited to regain access to the expert mode
command prompt, which should no longer be available.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco ASA, FMC, FTD, and FXOS Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, FTD, and FXOS Software, Cisco provides the Cisco Software Checker.
This tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example, 2.9.1.158 for Cisco Firepower 4100
Series Security Appliances or 9.16.2.11 for Cisco ASA Software.
5. Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found by Brandon Sakai of Cisco during internal
security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-fxos-cmd-inj-Q9bLNsrK
Revision History
o +----------+---------------------------+----------+--------+--------------+
  | Version  | Description               | Section  | Status | Date         |
  +----------+---------------------------+----------+--------+--------------+
  | 1.0      | Initial public release.   | -        | Final  | 2022-NOV-09  |
  +----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5771 - [Cisco] Cisco Firepower Threat Defense Software: CVSS (Max): 5.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5771
Cisco Firepower Threat Defense Software SSL Decryption
Policy Bleichenbacher Attack Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Firepower Threat Defense Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20940
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-bb-rCgtmY2
Comment: CVSS (Max): 5.3 CVE-2022-20940 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Firepower Threat Defense Software SSL Decryption Policy Bleichenbacher
Attack Vulnerability
Priority: Medium
Advisory ID: cisco-sa-ftd-tls-bb-rCgtmY2
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwa41936
CVE Names: CVE-2022-20940
CWEs: CWE-203
Summary
o A vulnerability in the TLS handler of Cisco Firepower Threat Defense (FTD)
Software could allow an unauthenticated, remote attacker to gain access to
sensitive information.
This vulnerability is due to improper implementation of countermeasures
against a Bleichenbacher attack on a device that uses SSL decryption
policies. An attacker could exploit this vulnerability by sending crafted
TLS messages to an affected device, which would act as an oracle and allow
the attacker to carry out a chosen-ciphertext attack. A successful exploit
could allow the attacker to perform cryptanalytic operations that may allow
decryption of previously captured TLS sessions to the affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-bb-rCgtmY2
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco devices if
they were running a vulnerable release of Cisco FTD Software and had at
least one active SSL decryption policy with the behavior in response to
decryption errors set to Block with reset.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the SSL Decryption Policy Configuration
In the Cisco Firepower Management Center (FMC) GUI, choose Policies > SSL.
For each configured SSL policy, do the following:
1. Click Edit.
2. Choose the Undecryptable Actions tab.
3. Review the setting for Decryption Errors.
If Decryption Errors is set to Block with reset for an SSL policy, devices
that have that policy applied are affected by this vulnerability.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Adaptive Security Appliance (ASA) Software
FMC Software
Next-Generation Intrusion Prevention System (NGIPS) Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example, 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-bb-rCgtmY2
Revision History
o +----------+---------------------------+----------+--------+--------------+
  | Version  | Description               | Section  | Status | Date         |
  +----------+---------------------------+----------+--------+--------------+
  | 1.0      | Initial public release.   | -        | Final  | 2022-NOV-09  |
  +----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5770 - [Cisco] Cisco Firepower Threat Defense Software: CVSS (Max): 5.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5770
Cisco Firepower Threat Defense Software SIP and Snort 3
Detection Engine Denial of Service Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Firepower Threat Defense Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20950
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftdsnort3sip-dos-A4cHeArC
Comment: CVSS (Max): 5.8 CVE-2022-20950 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Firepower Threat Defense Software SIP and Snort 3 Detection Engine Denial
of Service Vulnerability
Priority: Medium
Advisory ID: cisco-sa-ftdsnort3sip-dos-A4cHeArC
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwb99509
CVE Names: CVE-2022-20950
CWEs: CWE-770
Summary
o A vulnerability in the interaction of SIP and Snort 3 for Cisco Firepower
Threat Defense (FTD) Software could allow an unauthenticated, remote
attacker to cause the Snort 3 detection engine to restart.
This vulnerability is due to a lack of error-checking when SIP
bidirectional flows are being inspected by Snort 3. An attacker could
exploit this vulnerability by sending a stream of crafted SIP traffic
through an interface on the targeted device. A successful exploit could
allow the attacker to trigger a restart of the Snort 3 process, resulting
in a denial of service (DoS) condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftdsnort3sip-dos-A4cHeArC
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco FTD Software
if it was running Release 7.2.0 or 7.2.0.1 and had the Snort 3 detection
engine configured with an SIP inspection policy.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine Cisco FTD Software Configuration
On new installations of Cisco FTD Software releases 7.0.0 and later, Snort
3 is running by default. On devices that were running Cisco FTD Software
Release 6.7.0 or earlier and were upgraded to Release 7.0.0 or later, Snort
2 is running by default.
Determine Cisco FTD Software Configuration Using the FTD Software CLI
To determine whether Snort 3 is configured on a device that is running
Cisco FTD Software, log in to the Cisco FTD Software CLI and use the show
snort3 status command. If the command produces the following output, the
device is running Snort 3 and is affected by this vulnerability:
show snort3 status
Currently running Snort 3
Determine Cisco FTD Software Configuration for Cisco Firepower Management
Center Software-Managed Devices
To determine whether Snort 3 is configured on a device that is managed by
Cisco Firepower Management Center (FMC) Software, complete the following
steps:
1. Log in to the Cisco FMC Software web interface.
2. From the Devices menu, choose Device Management.
3. Choose the appropriate Cisco FTD device.
4. Click the Edit pencil icon.
5. Choose the Device tab and look in the Inspection Engine area.
If Snort 2 is listed, the device is not affected by this
vulnerability.
If Snort 3 is listed, the device is affected by this vulnerability.
Determine Cisco FTD Software Configuration for Cisco Firepower Device
Manager Software-Managed Devices
To determine whether Snort 3 is configured on a device that is managed by
Cisco Firepower Device Manager (FDM) Software, complete the following
steps:
1. Log in to the Cisco FTD Software web interface.
2. From the main menu, choose Policies.
3. Choose the Intrusion tab.
4. Look for the Inspection Engine version. The version will start with
either a 2 for Snort 2 or a 3 for Snort 3.
If the device is running a Snort 2 version, it is not affected by
this vulnerability.
If the device is running a Snort 3 version, it is affected by this
vulnerability.
Determine Cisco FTD Software Configuration for Cisco Defense
Orchestrator-Managed Devices
To determine whether Snort 3 is configured on a device that is managed by
Cisco Defense Orchestrator, complete the following steps:
1. Log in to the Cisco Defense Orchestrator web interface.
2. From the Inventory menu, choose the appropriate Cisco FTD device.
3. In the Device Details area, look for Snort Version. The version will
start with either a 2 for Snort 2 or a 3 for Snort 3.
If the device is running a Snort 2 version, it is not affected by
this vulnerability.
If the device is running a Snort 3 version, it is affected by this
vulnerability.
Determine Cisco FTD Software SIP Configuration
To determine whether SIP inspection is configured on Cisco FTD Software,
run the show service-policy | include sip command in the CLI. The device is
considered vulnerable if Snort 3 is configured as described above and if
the output includes Inspect: sip , as shown in the following example:
device# show service-policy | include sip
Inspect: sip , packet 2, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
Note: SIP inspection is enabled by default on Cisco FTD Software. For
detailed information about the default settings for application inspection
policies, see the Cisco ASA Series Firewall CLI Configuration Guide.
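The three conditions above (release 7.2.0 or 7.2.0.1, Snort 3 running, SIP inspection present) can be checked together against collected CLI output. The following is an added example, not part of the Cisco advisory; the function names and the sample outputs other than the two lines quoted from the advisory are assumptions, and the release string is supplied by the caller.

```python
import re

# Releases the advisory lists as affected at the time of publication.
AFFECTED_RELEASES = {"7.2.0", "7.2.0.1"}

# Output lines as shown in the advisory.
SNORT3_STATUS = "Currently running Snort 3"
SERVICE_POLICY_SIP = (
    "device# show service-policy | include sip\n"
    "Inspect: sip , packet 2, lock fail 0, drop 0, reset-drop 0, "
    "5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0\n"
)
# Constructed sample (assumed wording) for a device that kept Snort 2.
SNORT2_STATUS = "Currently running Snort 2"


def snort3_running(snort3_status_output: str) -> bool:
    """True if `show snort3 status` reported the Snort 3 engine."""
    return any(line.strip() == "Currently running Snort 3"
               for line in snort3_status_output.splitlines())


def sip_inspection(service_policy_output: str):
    """Return counters from the 'Inspect: sip' line, or None if it is absent."""
    for line in service_policy_output.splitlines():
        m = re.match(r"\s*Inspect:\s*sip(?=[\s,]|$)(.*)", line)
        if not m:
            continue  # prompt lines and other inspections are ignored
        rest = m.group(1)
        # The lookbehind keeps "reset-drop 0" from being read as "drop 0".
        packet = re.search(r"(?<![\w-])packet (\d+)", rest)
        drop = re.search(r"(?<![\w-])drop (\d+)", rest)
        return {
            "packet": int(packet.group(1)) if packet else None,
            "drop": int(drop.group(1)) if drop else None,
        }
    return None


def assess_cve_2022_20950(release, snort3_status_output, service_policy_output):
    """Apply the advisory's three conditions and list every one that fails."""
    reasons = []
    if release not in AFFECTED_RELEASES:
        reasons.append(f"release {release} is not 7.2.0 or 7.2.0.1")
    if not snort3_running(snort3_status_output):
        reasons.append("Snort 3 is not the running inspection engine")
    sip = sip_inspection(service_policy_output)
    if sip is None:
        reasons.append("no 'Inspect: sip' line in the service policy")
    return {
        "affected": not reasons,
        "sip_counters": sip,
        "not_affected_because": reasons,
    }


if __name__ == "__main__":
    # Constructed inventory: (name, release, snort status, service policy).
    inventory = [
        ("fw-a", "7.2.0.1", SNORT3_STATUS, SERVICE_POLICY_SIP),
        ("fw-b", "7.2.0", SNORT2_STATUS, SERVICE_POLICY_SIP),
        ("fw-c", "7.2.0", SNORT3_STATUS, ""),
    ]
    for name, release, snort, policy in inventory:
        print(name, assess_cve_2022_20950(release, snort, policy))
```

A device reported as not affected here still needs the Fixed Software section checked, because the release list reflects the advisory at the time of publication.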
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
products:
Cisco Adaptive Security Appliance (ASA) Software
Cisco Firepower Management Center (FMC) Software
Open Source Snort 2
Open Source Snort 3
Details
o The following Cisco FTD Software Snort 3 configuration parameters govern
how traffic is handled if the Snort 3 process restarts, which could change
how SIP traffic is handled during an exploit of this vulnerability.
Snort Fail Open
snort preserve-connection
For additional information, see the Firepower Management Center
Configuration Guide.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example, 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftdsnort3sip-dos-A4cHeArC
Revision History
o +---------+-------------------------+---------+--------+-------------+
  | Version | Description             | Section | Status | Date        |
  +---------+-------------------------+---------+--------+-------------+
  | 1.0     | Initial public release. | -       | Final  | 2022-NOV-09 |
  +---------+-------------------------+---------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5769 - [Cisco] Cisco Firepower Threat Defense Software: CVSS (Max): 6.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5769
Cisco Firepower Threat Defense Software Privilege Escalation Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Firepower Threat Defense Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20949
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-mgmt-privesc-7GqR2th
Comment: CVSS (Max): 6.5 CVE-2022-20949 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Firepower Threat Defense Software Privilege Escalation Vulnerability
Priority: Medium
Advisory ID: cisco-sa-ftd-mgmt-privesc-7GqR2th
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwb52401
CVE Names: CVE-2022-20949
CWEs: CWE-399
Summary
o A vulnerability in the management web server of Cisco Firepower Threat
Defense (FTD) Software could allow an authenticated, remote attacker with
high privileges to execute configuration commands on an affected system.
This vulnerability exists because access to HTTPS endpoints is not properly
restricted on an affected device. An attacker could exploit this
vulnerability by sending specific messages to the affected HTTPS handler. A
successful exploit could allow the attacker to perform configuration
changes on the affected system, which should be configured and managed only
through Cisco Firepower Management Center (FMC) Software.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-mgmt-privesc-7GqR2th
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco products if
they were running a vulnerable release of Cisco FTD Software managed by
Cisco FMC Software and had HTTPS access enabled.
For information about which Cisco software releases are vulnerable at the
time of publication, see the Fixed Software section of this advisory.
Determine the HTTPS Management Access Configuration
To identify the status and port of the HTTPS management access, use the
show running-config http CLI command. The following example shows the
output of the show running-config http command on a device that has HTTPS
management access enabled on the inside and outside interfaces using TCP
port 8443:
firepower# show running-config http
http server enable 8443
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
If the line starting with http server enable does not include a port, the
default port 443 is used. The exact port value does not affect the
vulnerability status of the device.
If the line starting with http server enable is missing, or the output does
not include an HTTP access control list (ACL) associated with an interface,
HTTPS management access is disabled.
The exact value of the HTTP ACL does not affect the vulnerability status of
the device. However, for successful exploitation, the attacker must be able
to connect to the HTTPS management server of the device from an IP address
that is permitted by the HTTP ACL.
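The rules above for reading `show running-config http` (default port 443, access disabled when the server line or every interface ACL is missing, reachability limited by the HTTP ACL) can be applied to saved output as follows. This is an added example, not code from Cisco or AusCERT; the function names and every sample configuration except the one quoted from the advisory are assumptions, and only the IPv4 address-and-mask ACL form shown in the advisory is parsed. It checks the HTTPS configuration only, not the release or whether the device is managed by FMC.

```python
import ipaddress
import re

# Output quoted in the advisory.
PAGE_EXAMPLE = """firepower# show running-config http
http server enable 8443
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
"""
# Constructed samples covering the other cases the advisory describes.
DEFAULT_PORT_RESTRICTED = "http server enable\nhttp 10.1.1.0 255.255.255.0 inside\n"
NO_SERVER_LINE = "http 0.0.0.0 0.0.0.0 inside\n"
NO_ACL = "http server enable 8443\n"


def parse_http_mgmt(running_config_http: str) -> dict:
    """Summarise HTTPS management access from `show running-config http`."""
    server_enabled = False
    port = None
    acl = []  # (ip_network, interface) pairs

    for raw in running_config_http.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"http server enable(?:\s+(\d+))?", line)
        if m:
            server_enabled = True
            # No port on the line means the default port 443 is used.
            port = int(m.group(1)) if m.group(1) else 443
            continue
        m = re.fullmatch(r"http\s+(\S+)\s+(\S+)\s+(\S+)", line)
        if m:
            addr, mask, iface = m.groups()
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                continue  # some other "http ..." setting, not an ACL entry
            acl.append((net, iface))

    # Enabled only when both the server line and at least one ACL entry exist.
    enabled = server_enabled and bool(acl)
    return {
        "https_mgmt_enabled": enabled,
        "port": port if enabled else None,
        "interfaces": sorted({iface for _, iface in acl}),
        "acl_networks": acl,
        "open_to_any": sorted({i for n, i in acl if n.prefixlen == 0}),
    }


def permitted_interfaces(summary: dict, source_ip: str) -> list:
    """Interfaces whose HTTP ACL permits connections from source_ip."""
    if not summary["https_mgmt_enabled"]:
        return []
    ip = ipaddress.ip_address(source_ip)
    return sorted({iface for net, iface in summary["acl_networks"]
                   if ip.version == net.version and ip in net})


if __name__ == "__main__":
    for name, text in [("advisory example", PAGE_EXAMPLE),
                       ("default port, restricted ACL", DEFAULT_PORT_RESTRICTED),
                       ("no server line", NO_SERVER_LINE),
                       ("no ACL", NO_ACL)]:
        s = parse_http_mgmt(text)
        print(name, s["https_mgmt_enabled"], s["port"], s["open_to_any"])
```

Interfaces listed under `open_to_any` accept management connections from any source address, which makes them the first candidates for ACL tightening until the fixed release is installed.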
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Adaptive Security Appliance (ASA) Software
FMC Software
Next-Generation Intrusion Prevention System (NGIPS) Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example, 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-mgmt-privesc-7GqR2th
Revision History
o +---------+-------------------------+---------+--------+-------------+
  | Version | Description             | Section | Status | Date        |
  +---------+-------------------------+---------+--------+-------------+
  | 1.0     | Initial public release. | -       | Final  | 2022-NOV-09 |
  +---------+-------------------------+---------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5768 - [Cisco] Cisco Firepower Threat Defense Software: CVSS (Max): 8.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5768
Cisco Firepower Threat Defense Software Generic Routing
Encapsulation Denial of Service Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Firepower Threat Defense Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20946
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-gre-dos-hmedHQPM
Comment: CVSS (Max): 8.6 CVE-2022-20946 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Firepower Threat Defense Software Generic Routing Encapsulation Denial of
Service Vulnerability
Priority: High
Advisory ID: cisco-sa-ftd-gre-dos-hmedHQPM
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwb66761
CVE Names: CVE-2022-20946
CWEs: CWE-122
Summary
o A vulnerability in the generic routing encapsulation (GRE) tunnel
decapsulation feature of Cisco Firepower Threat Defense (FTD) Software
could allow an unauthenticated, remote attacker to cause a denial of
service (DoS) condition on an affected device.
This vulnerability is due to a memory handling error that occurs when GRE
traffic is processed. An attacker could exploit this vulnerability by
sending a crafted GRE payload through an affected device. A successful
exploit could allow the attacker to cause the device to restart, resulting
in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-gre-dos-hmedHQPM
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects Cisco FTD Software releases 6.3.0 and later.
Note: GRE tunnel decapsulation in the LINA engine was introduced in Cisco
FTD Software Release 6.3.0. This feature is enabled by default and cannot
be disabled.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Adaptive Security Appliance (ASA) Software
Firepower Management Center (FMC) Software
Next-Generation Intrusion Prevention System (NGIPS) Software
Workarounds
o There are no workarounds that address this vulnerability.
However, administrators may choose to bypass decapsulation for GRE-tunneled
flows by following these steps from the Cisco FMC GUI:
1. Click Policies and choose Prefilter under Access Control.
2. Click Edit under the Prefilter Policy that is associated with the
access policy assigned to the device.
3. Change the GRE tunnel rule type action to Fastpath.
4. Click Save.
5. Click Deploy.
Note: This configuration will bypass the detection engine for GRE-tunneled
traffic.
While this mitigation has been deployed and was proven successful in a test
environment, customers should determine the applicability and effectiveness
in their own environment and under their own use conditions. Customers
should be aware that any workaround or mitigation that is implemented may
negatively impact the functionality or performance of their network based
on intrinsic customer deployment scenarios and limitations. Customers
should not deploy any workarounds or mitigations before first evaluating
the applicability to their own environment and any impact to such
environment.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example, 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found by Satheeshkumar Eswaramoorthy of Cisco during
internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-gre-dos-hmedHQPM
Revision History
o +---------+-------------------------+---------+--------+-------------+
  | Version | Description             | Section | Status | Date        |
  +---------+-------------------------+---------+--------+-------------+
  | 1.0     | Initial public release. | -       | Final  | 2022-NOV-09 |
  +---------+-------------------------+---------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5767 - Cisco Products: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5767
Cisco Firepower Management Center and Firepower Threat
Defense Software SSH Denial of Service Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Firepower Management Center
Firepower Threat Defense Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20854
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-dos-OwEunWJN
Comment: CVSS (Max): 7.5 CVE-2022-20854 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Firepower Management Center and Firepower Threat Defense Software SSH
Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-fmc-dos-OwEunWJN
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvy95520
CVE Names: CVE-2022-20854
CWEs: CWE-400
Summary
o A vulnerability in the processing of SSH connections of Cisco Firepower
Management Center (FMC) and Cisco Firepower Threat Defense (FTD) Software
could allow an unauthenticated, remote attacker to cause a denial of
service (DoS) condition on an affected device.
This vulnerability is due to improper error handling when an SSH session
fails to be established. An attacker could exploit this vulnerability by
sending a high rate of crafted SSH connections to the instance. A
successful exploit could allow the attacker to cause resource exhaustion,
resulting in a reboot on the affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-dos-OwEunWJN
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects Cisco products if they are running a vulnerable
release of Cisco FMC Software or Cisco FTD Software that is in the default
configuration. SSH is enabled by default on the FMC management interface.
SSH is not enabled by default on the data interfaces.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
Security Appliance (ASA) Software.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-dos-OwEunWJN
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-NOV-09 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5766 - [Cisco] Cisco Firepower Management Center Software: CVSS (Max): 4.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5766
Cisco Firepower Management Center Software XML External
Entity Injection Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Firepower Management Center Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20938
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xxe-MzPC4bYd
Comment: CVSS (Max): 4.3 CVE-2022-20938 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Firepower Management Center Software XML External Entity Injection
Vulnerability
Priority: Medium
Advisory ID: cisco-sa-fmc-xxe-MzPC4bYd
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwb53694
CVE Names: CVE-2022-20938
CWEs: CWE-611
Summary
o A vulnerability in the module import function of the administrative
interface of Cisco Firepower Management Center (FMC) Software could allow
an authenticated, remote attacker to view sensitive information.
This vulnerability is due to insufficient validation of the XML syntax when
importing a module. An attacker could exploit this vulnerability by
supplying a specially crafted XML file to the function. A successful
exploit could allow the attacker to read sensitive data that would normally
not be revealed.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xxe-MzPC4bYd
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco FMC Software.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco Adaptive
Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
Software.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found by Sanmith Prakash of Cisco during internal
security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xxe-MzPC4bYd
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-NOV-09 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5765 - [Cisco] Cisco Firepower Management Center Software: CVSS (Max): 5.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5765
Cisco Firepower Management Center Software Information
Disclosure Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Firepower Management Center Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20941
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-info-disc-UghNRRhP
Comment: CVSS (Max): 5.3 CVE-2022-20941 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Firepower Management Center Software Information Disclosure Vulnerability
Priority: Medium
Advisory ID: cisco-sa-fmc-info-disc-UghNRRhP
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwa85709
CVE Names: CVE-2022-20941
CWEs: CWE-334
Summary
o A vulnerability in the web-based management interface of Cisco Firepower
Management Center (FMC) Software could allow an unauthenticated, remote
attacker to access sensitive information.
This vulnerability is due to missing authorization for certain resources in
the web-based management interface together with insufficient entropy in
these resource names. An attacker could exploit this vulnerability by
sending a series of HTTPS requests to an affected device to enumerate
resources on the device. A successful exploit could allow the attacker to
retrieve sensitive information from the device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-info-disc-UghNRRhP
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco FMC Software.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Adaptive Security Appliance (ASA) Software
Firepower Threat Defense (FTD) Software
Next-Generation Intrusion Prevention System (NGIPS) Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank security researcher Albert Sanchez for reporting
this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-info-disc-UghNRRhP
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-NOV-09 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5764 - [Cisco] Cisco Firepower Management Center Software: CVSS (Max): 4.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5764
Cisco Firepower Management Center Software Cross-Site
Scripting Vulnerabilities
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Firepower Management Center Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20936 CVE-2022-20935 CVE-2022-20932
CVE-2022-20905 CVE-2022-20872 CVE-2022-20843
CVE-2022-20840 CVE-2022-20839 CVE-2022-20838
CVE-2022-20836 CVE-2022-20835 CVE-2022-20834
CVE-2022-20833 CVE-2022-20832 CVE-2022-20831
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-LATZYzxs
Comment: CVSS (Max): 4.8 CVE-2022-20936 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerabilities
Priority: Medium
Advisory ID: cisco-sa-fmc-xss-LATZYzxs
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwa64739 CSCwa93499 CSCwb01976 CSCwb01983 CSCwb01990
CSCwb01995 CSCwb02006 CSCwb02018 CSCwb02020 CSCwb02026
CSCwb61901 CSCwb61908 CSCwb61919 CSCwb88587 CSCwc10037
CVE Names: CVE-2022-20831 CVE-2022-20832 CVE-2022-20833 CVE-2022-20834
CVE-2022-20835 CVE-2022-20836 CVE-2022-20838 CVE-2022-20839
CVE-2022-20840 CVE-2022-20843 CVE-2022-20872 CVE-2022-20905
CVE-2022-20932 CVE-2022-20935 CVE-2022-20936
CWEs: CWE-79
Summary
o Multiple vulnerabilities in the web-based management interface of Cisco
Firepower Management Center (FMC) Software could allow an authenticated,
remote attacker to conduct a stored cross-site scripting (XSS) attack
against a user of the interface of an affected device.
These vulnerabilities are due to insufficient validation of user-supplied
input by the web-based management interface. An attacker could exploit
these vulnerabilities by inserting crafted input into various data fields
in an affected interface. A successful exploit could allow the attacker to
execute arbitrary script code in the context of the interface, or access
sensitive, browser-based information. In some cases, it is also possible to
cause a temporary availability impact to portions of the FMC Dashboard.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-LATZYzxs
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, these vulnerabilities affected Cisco FMC
Software.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect Cisco Adaptive
Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD)
Software.
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example, 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerabilities that are
described in this advisory.
Source
o CVE-2022-20932: Cisco would like to thank Thuy Nguyen and Kien Luong of
Cybersecurity Research as well as Albert Sanchez for reporting this
vulnerability.
The remainder of the vulnerabilities were found during internal security
testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
Cross-Site Scripting
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-LATZYzxs
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-NOV-09 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5763 - [Cisco] Cisco Firepower Management Center Software: CVSS (Max): 6.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5763
Cisco Firepower Management Center Software Command Injection
Vulnerabilities
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Firepower Management Center Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20926 CVE-2022-20925
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-Z3B5MY35
Comment: CVSS (Max): 6.3 CVE-2022-20926 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Firepower Management Center Software Command Injection Vulnerabilities
Priority: Medium
Advisory ID: cisco-sa-fmc-cmd-inj-Z3B5MY35
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwb23029 CSCwb23048
CVE Names: CVE-2022-20925 CVE-2022-20926
CWEs: CWE-77
Summary
o Multiple vulnerabilities in the web management interface of Cisco Firepower
Management Center (FMC) Software could allow an authenticated, remote
attacker to execute arbitrary commands on the underlying operating system.
These vulnerabilities are due to insufficient validation of user-supplied
parameters for certain API endpoints. An attacker could exploit these
vulnerabilities by sending crafted input to an affected API endpoint. A
successful exploit could allow an attacker to execute arbitrary commands on
the device with low system privileges. To successfully exploit these
vulnerabilities, an attacker would need valid credentials for a user who
has Devices permissions. By default, only Administrator, Security Approver
and Network Admin roles have these permissions.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-Z3B5MY35
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, these vulnerabilities affected Cisco FMC
Software.
For information about which Cisco software releases are vulnerable at the
time of publication, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following
Cisco products:
Firepower Threat Defense (FTD) Software
Adaptive Security Appliance (ASA) Software
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform (for Cisco ASA and FTD Software only).
4. Enter a release number, for example, 16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerabilities that are
described in this advisory.
Source
o These vulnerabilities were found by Brandon Sakai of Cisco during internal
security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-Z3B5MY35
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-NOV-09 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5760 - [Cisco] Cisco Products: CVSS (Max): 7.7
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5760
TITLE: Cisco Adaptive Security Appliance Software and Firepower Threat
Defense Software SSL/TLS Client Denial of Service Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adaptive Security Appliance Software
Firepower Threat Defense Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20927
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssl-client-dos-cCrQPkA
Comment: CVSS (Max): 7.7 CVE-2022-20927 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software SSL/TLS Client Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-ssl-client-dos-cCrQPkA
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvz98540
CVE Names: CVE-2022-20927
CWEs: CWE-120
Summary
o A vulnerability in the SSL/TLS client of Cisco Adaptive Security Appliance
(ASA) Software and Cisco Firepower Threat Defense (FTD) Software could
allow an authenticated, remote attacker to cause a denial of service (DoS)
condition on an affected device.
This vulnerability is due to improper memory management when a device
initiates SSL/TLS connections. An attacker could exploit this vulnerability
by ensuring that the device will connect to an SSL/TLS server that is using
specific encryption parameters. A successful exploit could allow the
attacker to cause the affected device to unexpectedly reload, resulting in
a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssl-client-dos-cCrQPkA
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco ASA Software or Cisco FTD Software:
ASA 5500-X Series
Firepower 4100 Series
Firepower 9300 Series
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
3000 Series Industrial Security Appliances (ISAs)
ASA Virtual Appliance
Firepower 1000 Series
Firepower 2100 Series
Firepower Management Center (FMC) Software
Firepower Threat Defense Virtual (FTDv)
Next-Generation Intrusion Prevention System (NGIPS) Software
Secure Firewall 3100 Series
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example, 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssl-client-dos-cCrQPkA
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-NOV-09 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5762 - [Cisco] Cisco Products: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5762
Cisco FirePOWER Software for ASA FirePOWER Module, Firepower Management
Center Software, and NGIPS Software SNMP Default Credential Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: FirePOWER Software for ASA FirePOWER Module
NGIPS Software
Firepower Management Center Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20918
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmcsfr-snmp-access-6gqgtJ4S
Comment: CVSS (Max): 7.5 CVE-2022-20918 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco FirePOWER Software for ASA FirePOWER Module, Firepower Management Center
Software, and NGIPS Software SNMP Default Credential Vulnerability
Priority: High
Advisory ID: cisco-sa-fmcsfr-snmp-access-6gqgtJ4S
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: Yes
Cisco Bug IDs: CSCwa97541
CVE Names: CVE-2022-20918
CWEs: CWE-284
Summary
o A vulnerability in the Simple Network Management Protocol (SNMP) access
controls for Cisco FirePOWER Software for Adaptive Security Appliance (ASA)
FirePOWER module, Cisco Firepower Management Center (FMC) Software, and
Cisco Next-Generation Intrusion Prevention System (NGIPS) Software could
allow an unauthenticated, remote attacker to perform an SNMP GET request
using a default credential.
This vulnerability is due to the presence of a default credential for SNMP
version 1 (SNMPv1) and SNMP version 2 (SNMPv2). An attacker could exploit
this vulnerability by sending an SNMPv1 or SNMPv2 GET request to an
affected device. A successful exploit could allow the attacker to retrieve
sensitive information from the device using the default credential.
This attack will only be successful if SNMP is configured, and the attacker
can only perform SNMP GET requests; write access using SNMP is not allowed.
Cisco has released software updates that address this vulnerability. There
are workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmcsfr-snmp-access-6gqgtJ4S
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects devices that are running Cisco FirePOWER
Software for ASA FirePOWER module, Cisco FMC Software, or Cisco NGIPS
Software releases 7.0.0 through 7.0.4 if they have any version of SNMP
enabled. This vulnerability is fixed in software Release 7.0.5 and later.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the Device Configuration
To determine whether SNMP is enabled on Cisco FirePOWER Software for ASA
FirePOWER module or Cisco NGIPS Software using devices that are managed by
Cisco FMC Software, choose Devices > Platform Settings > Enable SNMP
Servers. If the interface of an SNMP server in the SNMP Host tab is
configured for the Cisco FirePOWER Software for ASA FirePOWER module
management interface, then the device is considered vulnerable.
To determine whether SNMP is enabled on Cisco FMC Software, choose Devices
> Device Management. If Admin State is checked, SNMP is enabled.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco ASA
Software or Cisco Firepower Threat Defense (FTD) Software.
Workarounds
o A user with Administrator privileges can execute the following commands in
expert mode to apply a workaround for this vulnerability:
# expert
# sudo su -
# sed -i 's/^com2sec/#com2sec/' /etc/snmp/snmpd.conf
# pmtool restartbyid snmpd
If SNMP is not needed on the device, the administrator can remove the SNMP
configuration so the device will not be affected by this vulnerability. The
administrator can also reduce the attack surface by allowing SNMP
connections only from trusted SNMP monitoring hosts.
While this workaround and mitigation have been deployed and were proven
successful in a test environment, customers should determine the
applicability and effectiveness in their own environment and under their
own use conditions. Customers should be aware that any workaround or
mitigation that is implemented may negatively impact the functionality or
performance of their network based on intrinsic customer deployment
scenarios and limitations. Customers should not deploy any workarounds or
mitigations before first evaluating the applicability to their own
environment and any impact to such environment.
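The following script is an added example, not part of the Cisco advisory or Cisco's own tooling. It checks a release string against the 7.0.0 through 7.0.4 range given above, lists the com2sec lines still active in an snmpd.conf, and rehearses the advisory's sed expression on a copy of the file. The function names, the sample configuration and the EXAMPLE_COMMUNITY placeholder are constructed for illustration, and treating indented com2sec lines as active is a conservative assumption.

```shell
#!/bin/sh
# Added example, not Cisco's code. All sample data below is constructed.

# release_is_affected RELEASE
# Exit 0 when RELEASE falls in 7.0.0 through 7.0.4, the range the advisory lists.
release_is_affected() {
    rel=${1%%[!0-9.]*}            # drop a build suffix such as "-55" (assumed format)
    old_ifs=$IFS; IFS=.
    set -- $rel                   # split on dots: major minor patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 7 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 4 ]
}

# active_com2sec FILE
# Print every uncommented com2sec line. Leading whitespace is allowed here on
# purpose: the advisory's sed pattern is anchored at column 0 and leaves an
# indented directive untouched, so the audit must still report it.
active_com2sec() {
    grep -E '^[[:space:]]*com2sec[[:space:]]' "$1" || true
}

# apply_workaround_copy SRC DST
# Run the advisory's sed expression on a copy instead of editing in place.
apply_workaround_copy() {
    sed 's/^com2sec/#com2sec/' "$1" > "$2"
}

# audit RELEASE FILE
# Print one verdict word for the release and configuration file.
audit() {
    case $1 in
        [0-9]*) ;;
        *) echo "release-unparsed"; return 0 ;;
    esac
    if ! release_is_affected "$1"; then
        echo "release-not-affected"
    elif [ -n "$(active_com2sec "$2")" ]; then
        echo "com2sec-active"
    else
        echo "com2sec-disabled"
    fi
}

# write_sample_conf PATH
# Constructed snmpd.conf: one column-0 mapping and one indented mapping.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample snmpd.conf, not taken from a Cisco device
com2sec local_ro 192.0.2.10 EXAMPLE_COMMUNITY
  com2sec indented_ro default EXAMPLE_COMMUNITY
group ro_group v2c local_ro
rouser monitor_user priv
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample_conf "$dir/snmpd.conf"
    echo "before: $(audit 7.0.2 "$dir/snmpd.conf")"
    apply_workaround_copy "$dir/snmpd.conf" "$dir/patched.conf"
    echo "after:  $(audit 7.0.2 "$dir/patched.conf")"
    echo "lines the column-0 sed did not comment out:"
    active_com2sec "$dir/patched.conf"
    rm -rf "$dir"
}
demo
```

A verdict of com2sec-active after the rehearsal means the file needs a manual edit before snmpd is restarted with pmtool.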
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example, 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
Cisco FirePOWER Software for ASA FirePOWER Module and Cisco NGIPS Software
At the time of publication, the release information in the following
table(s) was accurate. See the Details section in the bug ID(s) at the top of
this advisory for the most complete and current information.
The left column lists Cisco software releases, and the right column
indicates whether a release was affected by the vulnerability that is
described in this advisory and which release included the fix for this
vulnerability.
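+----------------------------------+---------------------+
| Cisco FirePOWER Software Release | First Fixed Release |
+----------------------------------+---------------------+
| Earlier than 7.0                 | Not vulnerable      |
| 7.0 ^1                           | 7.0.5               |
+----------------------------------+---------------------+
1. Cisco FirePOWER Software Release 7.0 is the final release for the Cisco
ASA FirePOWER module and Cisco NGIPS Software.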
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
The Cisco Product Security Incident Response Team (PSIRT) validates only
the affected and fixed release information that is documented in this
advisory.
Exploitation and Public Announcements
o The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability that is described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmcsfr-snmp-access-6gqgtJ4S
Revision History
o +---------+-------------------------+---------+--------+-------------+
  | Version | Description             | Section | Status | Date        |
  +---------+-------------------------+---------+--------+-------------+
  | 1.0     | Initial public release. | -       | Final  | 2022-NOV-09 |
  +---------+-------------------------+---------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
ESB-2022.5761 - [Cisco] Cisco Products: CVSS (Max): 5.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5761
Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software VPN Authorization Bypass Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adaptive Security Appliance Software
Firepower Threat Defense Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20928
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vp-authz-N2GckjN6
Comment: CVSS (Max): 5.8 CVE-2022-20928 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software VPN Authorization Bypass Vulnerability
Priority: Medium
Advisory ID: cisco-sa-asa-ftd-vp-authz-N2GckjN6
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwa81795
CVE Names: CVE-2022-20928
CWEs: CWE-863
Summary
o A vulnerability in the authentication and authorization flows for VPN
connections in Cisco Adaptive Security Appliance (ASA) Software and
Firepower Threat Defense (FTD) Software could allow an unauthenticated,
remote attacker to establish a connection as a different user.
This vulnerability is due to a flaw in the authorization verifications
during the VPN authentication flow. An attacker could exploit this
vulnerability by sending a crafted packet during a VPN authentication. The
attacker must have valid credentials to establish a VPN connection. A
successful exploit could allow the attacker to establish a VPN connection
with access privileges from a different user.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vp-authz-N2GckjN6
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco products if
they were running a vulnerable release of Cisco ASA Software or Cisco FTD
Software and had VPN with multi-factor authentication (MFA) enabled.
For information about which Cisco software releases were vulnerable at the
time of publication, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco Firepower
Management Center (FMC) Software.
Details
o Exploitation of this vulnerability could allow an attacker to establish a
VPN connection as a different user. If authorization is enabled, it could
allow the attacker to bypass network access protections by obtaining access
privileges from a different user. The overall impact of exploitation is
organization specific because it depends on the importance of the assets
that the different authorization levels were supposed to protect. Customers
should evaluate how exploitation of this vulnerability would impact their
network and proceed according to their own processes for handling and
remediating vulnerabilities.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform (for Cisco ASA and FTD Software only).
4. Enter a release number, for example, 16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vp-authz-N2GckjN6
Revision History
o +---------+-------------------------+---------+--------+-------------+
  | Version | Description             | Section | Status | Date        |
  +---------+-------------------------+---------+--------+-------------+
  | 1.0     | Initial public release. | -       | Final  | 2022-NOV-09 |
  +---------+-------------------------+---------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.5759 - [Cisco] Cisco Products: CVSS (Max): 7.7
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5759
Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software SNMP Denial of Service Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adaptive Security Appliance Software
Firepower Threat Defense Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20924
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-snmp-dos-qsqBNM6x
Comment: CVSS (Max): 7.7 CVE-2022-20924 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software SNMP Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-asaftd-snmp-dos-qsqBNM6x
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwb05148
CVE Names: CVE-2022-20924
CWEs: CWE-703
Summary
o A vulnerability in the Simple Network Management Protocol (SNMP) feature of
Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat
Defense (FTD) Software could allow an authenticated, remote attacker to
cause a denial of service (DoS) condition on an affected device.
This vulnerability is due to insufficient input validation. An attacker
could exploit this vulnerability by sending a crafted SNMP request to an
affected device. A successful exploit could allow the attacker to cause the
affected device to reload, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-snmp-dos-qsqBNM6x
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects Cisco ASA Software and Cisco FTD Software if
they have remote SNMP management enabled.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine Whether SNMP is Enabled
To determine if SNMP is enabled on a device, do one of the following
options.
Option 1: Use the CLI
Use the show running-config snmp-server command. This option works for both
Cisco ASA Software and Cisco FTD Software.
If the output includes an snmp-server entry, the system is affected by this
vulnerability, regardless of which version of SNMP is configured. The
following example shows the output for a device that has SNMP access
configured for SNMP Version 2c:
ASA# show running-config snmp-server
snmp-server host mgmt 10.10.10.10 community snmpro version 2c
ASA#
Option 2: Use the Cisco Firepower Management Center GUI
For Cisco FTD devices that are managed by Cisco Firepower Management Center
(FMC) Software, do the following:
1. Log in to Cisco FMC.
2. Choose Devices > Platform Settings.
3. Choose a policy object to review.
4. In the left-hand column, choose SNMP.
If the Enable SNMP Servers check box is checked and there are entries on
the Hosts tab, devices that have the selected policy deployed are
vulnerable.
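The Option 1 check can be run over saved CLI captures from several devices. The script below is an added example, not Cisco tooling: it flags any capture of show running-config snmp-server that contains an snmp-server entry and lists each host line with the community string left out of the report. The file names, the second and third captures and the function names are constructed; the first capture reuses the sample output shown above.

```shell
#!/bin/sh
# Added example, not Cisco's code. Captures are saved outputs of
# "show running-config snmp-server", one file per device (assumed layout).

# snmp_is_configured FILE
# Exit 0 if the capture contains any snmp-server entry, which the advisory
# treats as affected regardless of the SNMP version configured.
snmp_is_configured() {
    grep -Eq '^[[:space:]]*snmp-server([[:space:]]|$)' "$1"
}

# snmp_server_hosts FILE
# Print "interface host version=V" for each snmp-server host line.
# The community string or username is deliberately not echoed.
snmp_server_hosts() {
    awk '$1 == "snmp-server" && $2 == "host" {
        ver = "unspecified"
        for (i = 5; i <= NF; i++)
            if ($i == "version" && i < NF) ver = $(i + 1)
        print $3, $4, "version=" ver
    }' "$1"
}

# triage DIR
# One verdict line per *.txt capture in DIR, followed by its host entries.
triage() {
    for f in "$1"/*.txt; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if snmp_is_configured "$f"; then
            echo "$name: snmp-server entry present, check release against Fixed Software"
            snmp_server_hosts "$f" | sed 's/^/    /'
        else
            echo "$name: no snmp-server entry"
        fi
    done
}

# write_sample_captures DIR
# asa-edge.txt is the output shown in the advisory; the other two are constructed.
write_sample_captures() {
    cat > "$1/asa-edge.txt" <<'EOF'
ASA# show running-config snmp-server
snmp-server host mgmt 10.10.10.10 community snmpro version 2c
ASA#
EOF
    cat > "$1/asa-lab.txt" <<'EOF'
ASA# show running-config snmp-server
ASA#
EOF
    cat > "$1/asa-dc.txt" <<'EOF'
ASA# show running-config snmp-server
snmp-server host inside 192.0.2.20 version 3 exampleuser
ASA#
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample_captures "$dir"
    triage "$dir"
    rm -rf "$dir"
}
demo
```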
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
FMC Software
Next-Generation Intrusion Prevention System (NGIPS) Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example, 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
Additional Resources
For help determining the best Cisco ASA, FTD, or FMC Software release, see
the following Recommended Releases documents. If a security advisory
recommends a later release, Cisco recommends following the advisory
guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-snmp-dos-qsqBNM6x
Revision History
o +---------+-------------------------+---------+--------+-------------+
  | Version | Description             | Section | Status | Date        |
  +---------+-------------------------+---------+--------+-------------+
  | 1.0     | Initial public release. | -       | Final  | 2022-NOV-09 |
  +---------+-------------------------+---------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.5758 - [Cisco] Cisco Products: CVSS (Max): 8.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5758
Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Dynamic Access Policies Denial of Service Vulnerability
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adaptive Security Appliance Software
Firepower Threat Defense Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20947
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-dap-dos-GhYZBxDU
Comment: CVSS (Max): 8.6 CVE-2022-20947 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Adaptive Security Appliance Software and Firepower Threat Defense
Software Dynamic Access Policies Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-asa-ftd-dap-dos-GhYZBxDU
First Published: 2022 November 9 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwa47041
CVE Names: CVE-2022-20947
CWEs: CWE-119
Summary
o A vulnerability in dynamic access policies (DAP) functionality of Cisco
Adaptive Security Appliance (ASA) Software and Firepower Threat Defense
(FTD) Software could allow an unauthenticated, remote attacker to cause an
affected device to reload, resulting in a denial of service (DoS)
condition.
This vulnerability is due to improper processing of HostScan data received
from the Posture (HostScan) module. An attacker could exploit this
vulnerability by sending crafted HostScan data to an affected device. A
successful exploit could allow the attacker to cause the affected device to
reload, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-dap-dos-GhYZBxDU
This advisory is part of the November 2022 release of the Cisco ASA, FTD,
and FMC Security Advisory Bundled publication. For a complete list of the
advisories and links to them, see Cisco Event Response: November 2022
Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects Cisco products if they are running a vulnerable
release of Cisco ASA Software or Cisco FTD Software and all of the
following conditions are true:
o Remote access SSL VPN is enabled.
o HostScan is enabled.
o At least one custom DAP is configured.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the Remote Access SSL VPN and HostScan Configuration
Use the show running-config webvpn | include enable command on the device
CLI to assess the remote access SSL VPN configuration and the HostScan
configuration. If the output of that command contains at least one line
starting with enable, remote access SSL VPN is configured. If the output
of that command contains a line with hostscan enable, HostScan is
configured. The following example shows the output of the show
running-config webvpn command on a device that has both remote access SSL
VPN enabled on the outside interface and HostScan enabled:
    asa# show running-config webvpn | include enable
    webvpn
     enable outside
     hostscan enable
Empty output for this command indicates that neither remote access SSL VPN
nor HostScan are configured. If either of these lines is missing, the
respective feature is not configured.
Determine the DAP Configuration
Use the show running-config dynamic-access-policy-record command on the
device CLI to assess the DAP configuration. If the output of that command
contains at least one record in addition to the DfltAccessPolicy record, a
custom DAP is configured. The following example shows the output of the
show running-config dynamic-access-policy-record command on a device that
has the custom DAP named DAP_TEST_POLICY configured:
    asa# show running-config dynamic-access-policy-record
    dynamic-access-policy-record DfltAccessPolicy
    dynamic-access-policy-record DAP_TEST_POLICY
     user-message "NO WAY IN!"
     action terminate
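The two checks above can be applied to saved CLI output from many devices at once. The following Python sketch is an added example, not code from Cisco or AusCERT; the names assess and Exposure are hypothetical, and the sample input is constructed from the outputs shown above. It evaluates only the three configuration conditions, not whether the running release is a vulnerable one.

```python
"""Evaluate the advisory's three configuration conditions from saved CLI output."""
import re
from dataclasses import dataclass

DEFAULT_DAP = "DfltAccessPolicy"
# An echoed prompt line such as "asa# show running-config ..." is not config.
PROMPT = re.compile(r"^\S+[#>]\s")
DAP_RECORD = re.compile(r"^dynamic-access-policy-record\s+(\S+)$")

# Constructed sample input, matching the two outputs shown in the advisory.
SAMPLE_WEBVPN = """\
asa# show running-config webvpn | include enable
webvpn
 enable outside
 hostscan enable
"""
SAMPLE_DAP = """\
asa# show running-config dynamic-access-policy-record
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record DAP_TEST_POLICY
 user-message "NO WAY IN!"
 action terminate
"""


def _config_lines(text):
    """Yield stripped, non-empty lines; skip echoed prompts and negated commands."""
    for raw in text.splitlines():
        if PROMPT.match(raw):
            continue
        line = raw.strip()
        if line and not line.startswith("no "):
            yield line


@dataclass
class Exposure:
    ssl_vpn_interfaces: list   # interfaces named on "enable <interface>" lines
    hostscan_enabled: bool     # a "hostscan enable" line is present
    custom_daps: list          # DAP records other than DfltAccessPolicy

    @property
    def all_conditions_met(self):
        """True only when every condition listed in the advisory holds."""
        return (bool(self.ssl_vpn_interfaces)
                and self.hostscan_enabled
                and bool(self.custom_daps))


def assess(webvpn_output, dap_output):
    """Apply the advisory's rules to the output of the two show commands."""
    interfaces, hostscan = [], False
    for line in _config_lines(webvpn_output):
        words = line.split()
        if words[0] == "enable":
            # A line starting with "enable" means remote access SSL VPN is on.
            interfaces.append(" ".join(words[1:]))
        elif words[:2] == ["hostscan", "enable"]:
            hostscan = True
        # Other lines containing "enable" (for example "anyconnect enable")
        # pass the "| include enable" filter but satisfy neither rule.

    custom = []
    for line in _config_lines(dap_output):
        match = DAP_RECORD.match(line)
        if match and match.group(1) != DEFAULT_DAP:
            custom.append(match.group(1))
    return Exposure(interfaces, hostscan, custom)


def report(name, exposure):
    """Return a one-line summary suitable for a fleet-wide triage list."""
    status = "CONDITIONS MET" if exposure.all_conditions_met else "not all met"
    return (f"{name}: {status} (ssl_vpn={exposure.ssl_vpn_interfaces}, "
            f"hostscan={exposure.hostscan_enabled}, "
            f"custom_dap={exposure.custom_daps})")


if __name__ == "__main__":
    print(report("asa", assess(SAMPLE_WEBVPN, SAMPLE_DAP)))
    # Empty webvpn output: neither SSL VPN nor HostScan is configured.
    print(report("asa-empty", assess("", SAMPLE_DAP)))
```

A device that reports all three conditions still needs its release checked against the Fixed Software section before it is treated as affected.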
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco Firepower
Management (FMC) Software.
Workarounds
o There are no workarounds that address this vulnerability. However,
administrators may disable HostScan by issuing the no hostscan enable
command in the configuration mode of the device.
While this mitigation has been deployed and was proven successful in a test
environment, customers should determine the applicability and effectiveness
in their own environment and under their own use conditions. Customers
should be aware that any workaround or mitigation that is implemented may
negatively impact the functionality or performance of their network based
on intrinsic customer deployment scenarios and limitations. Customers
should not deploy any workarounds or mitigations before first evaluating
the applicability to their own environment and any impact to such
environment.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA,
FMC, and FTD Software, Cisco provides the Cisco Software Checker. This
tool identifies any Cisco security advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
that are described in each advisory ("First Fixed"). If applicable, the
tool also returns the earliest release that fixes all the vulnerabilities
that are described in all the advisories that the Software Checker
identifies ("Combined First Fixed").
To use the tool, go to the Cisco Software Checker page and follow the
instructions. Alternatively, use the following form to search for
vulnerabilities that affect a specific software release. To use the form,
follow these steps:
1. Choose which advisories the tool will search: all advisories, only
advisories with a Critical or High Security Impact Rating (SIR), or
only this advisory.
2. Choose the appropriate software.
3. Choose the appropriate platform.
4. Enter a release number, for example 9.16.2.11 for Cisco ASA Software or
6.6.7 for Cisco FTD Software.
5. Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower
Management Center Upgrade Guide.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-dap-dos-GhYZBxDU
Revision History
+----------+---------------------------+----------+--------+--------------+
| Version  | Description               | Section  | Status | Date         |
+----------+---------------------------+----------+--------+--------------+
| 1.0      | Initial public release.   | -        | Final  | 2022-NOV-09  |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5477.4 - UPDATE [Appliance] F5 Products:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5477.4
K44030142: OpenSSL vulnerabilities CVE-2022-3786 and CVE-2022-3602
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 Products
Publisher: F5 Networks
Operating System: Network Appliance
Resolution: None
Original Bulletin:
https://support.f5.com/csp/article/K44030142
Revision History: November 10 2022: F5 updated severity of the vulnerability
November 3 2022: Vendor updated bulletin
November 2 2022: F5 updated advisory with CVE details and product vulnerability details
November 1 2022: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
K44030142: OpenSSL vulnerabilities CVE-2022-3786 and CVE-2022-3602
Original Publication Date: 29 Oct, 2022
Latest Publication Date: 10 Nov, 2022
Security Advisory Description
o CVE-2022-3786
A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs after
certificate chain signature verification and requires either a CA to have
signed a malicious certificate or for an application to continue
certificate verification despite failure to construct a path to a trusted
issuer. An attacker can craft a malicious email address in a certificate to
overflow an arbitrary number of bytes containing the `.' character (decimal
46) on the stack. This buffer overflow could result in a crash (causing a
denial of service).
o CVE-2022-3602
A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs after
certificate chain signature verification and requires either a CA to have
signed the malicious certificate or for the application to continue
certificate verification despite failure to construct a path to a trusted
issuer. An attacker can craft a malicious email address to overflow four
attacker-controlled bytes on the stack. This buffer overflow could result
in a crash (causing a denial of service) or potentially remote code
execution.
Note: For more details about CVE-2022-3786 and CVE-2022-3602, refer to OpenSSL
Security Advisory [01 November 2022].
Impact
For products with None in the Versions known to be vulnerable column, there is
no impact.
For products with ** in the various columns, F5 will update this article after
confirming the required information. F5 Support has no additional information
about this issue.
Security Advisory Status
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following tables. You can
also use iHealth to diagnose a vulnerability for BIG-IP and BIG-IQ systems. For
more information about using iHealth, refer to K27404821: Using F5 iHealth to
diagnose vulnerabilities. For more information about security advisory
versioning, refer to K51812227: Understanding security advisory versioning.
In this section
o BIG-IP and BIG-IQ
o F5OS
o NGINX
o Other products
BIG-IP and BIG-IQ
BIG-IP is Not vulnerable because OpenSSL 3.x is not included in BIG-IP
releases. To see the OpenSSL versions that run on BIG-IP systems, refer to
K11398383: BIG-IP third-party software matrix. If the preceding article does
not apply to your version, follow the links in the article to the third-party
software article for your BIG-IP release.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning.
+-------------------------------+--------+----------------+----------------+----------------+---------+--------------+
| Product                       | Branch | Versions known | Fixes          | Severity       | CVSSv3  | Vulnerable   |
|                               |        | to be          | introduced in  |                | score^2 | component or |
|                               |        | vulnerable^1   |                |                |         | feature      |
+-------------------------------+--------+----------------+----------------+----------------+---------+--------------+
| BIG-IP (all modules)          | All    | None           | Not applicable | Not vulnerable | None    | None         |
+-------------------------------+--------+----------------+----------------+----------------+---------+--------------+
| BIG-IP SPK                    | 1.x    | **             | **             | **             | **      | **           |
+-------------------------------+--------+----------------+----------------+----------------+---------+--------------+
| BIG-IQ Centralized Management | All    | None           | Not applicable | Not vulnerable | None    | None         |
+-------------------------------+--------+----------------+----------------+----------------+---------+--------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle. For more information, refer
to the Security hotfixes section of K4602: Overview of the F5 security
vulnerability response policy.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
**Confirmation of vulnerability or non-vulnerability is not presently
available. F5 will update this article with the most current information as
soon as it has been confirmed. F5 Support has no additional information on this
issue.
F5OS
+-------+------+----------------+----------+----------+-------+---------------+
| | |Versions known |Fixes | |CVSSv3 |Vulnerable |
|Product|Branch|to be vulnerable|introduced|Severity |score^2|component or |
| | |^1 |in | | |feature |
+-------+------+----------------+----------+----------+-------+---------------+
|F5OS-A |All |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------+------+----------------+----------+----------+-------+---------------+
|F5OS-C |All |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------+------+----------------+----------+----------+-------+---------------+
NGINX
+----------------------+--------+----------------+----------------+----------------+---------+--------------+
| Product              | Branch | Versions known | Fixes          | Severity       | CVSSv3  | Vulnerable   |
|                      |        | to be          | introduced in  |                | score^2 | component or |
|                      |        | vulnerable^1   |                |                |         | feature      |
+----------------------+--------+----------------+----------------+----------------+---------+--------------+
| NGINX (all products) | All    | None           | Not applicable | Not vulnerable | None    | None         |
+----------------------+--------+----------------+----------------+----------------+---------+--------------+
Other products
+-------+------+----------------+----------+----------+-------+---------------+
| | |Versions known |Fixes | |CVSSv3 |Vulnerable |
|Product|Branch|to be vulnerable|introduced|Severity |score^2|component or |
| | |^1 |in | | |feature |
+-------+------+----------------+----------+----------+-------+---------------+
|Traffix|All |None |Not |Not |None |None |
|SDC | | |applicable|vulnerable| | |
+-------+------+----------------+----------+----------+-------+---------------+
Supplemental Information
o K41942608: Overview of security advisory articles
o K12201527: Overview of Quarterly Security Notifications
o K51812227: Understanding security advisory versioning
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 product support policies
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5677.2 - UPDATE [Juniper] Junos OS: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5677.2
cSRX Series: Storing Passwords in a Recoverable Format and software
permissions issues allows a local attacker to elevate
privileges (CVE-2022-22251)
9 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Junos OS
Publisher: Juniper Networks
Operating System: Juniper
Resolution: Patch/Upgrade
CVE Names: CVE-2022-22251
Original Bulletin:
https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-cSRX-Series-Storing-Passwords-in-a-Recoverable-Format-and-software-permissions-issues-allows-a-local-attacker-to-elevate-privileges-CVE-2022-22251
Comment: CVSS (Max): 7.8 CVE-2022-22251 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Revision History: November 9 2022: Correcting the typo in the Title
November 8 2022: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Article ID: JSA69908
Product Affected: This issue affects Junos OS 20.2, 20.3, 20.4, 21.1. Affected
platforms: cSRX Series.
Severity Level: High
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Problem:
On cSRX Series devices, software permission issues in the container filesystem
and stored files, combined with storing passwords in a recoverable format in
Juniper Networks Junos OS, allow a local, low-privileged attacker to elevate
their permissions to take control of any instance of a cSRX software deployment.
This issue affects Juniper Networks Junos OS 20.2 version 20.2R1 and later
versions prior to 21.2R1 on cSRX Series.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was found during internal product security testing or research.
This issue has been assigned CVE-2022-22251.
Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 21.2R1, and all subsequent releases.
Additionally, customers using Docker or Kubernetes must contact JTAC to receive
additional guidance on applying commands manually to deployments to provide a
complete fix.
This issue is being tracked as 1564383 which is visible on the Customer Support
website.
Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).
IMPLEMENTATION:
Software Releases, patches and updates are available at
https://support.juniper.net/support/downloads/.
Workaround:
There are no viable workarounds for this issue.
To reduce the risk of exploitation of this issue, use access lists or firewall
filters to limit access to the cSRX instance to only trusted administrative
networks, hosts and users.
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Modification History:
2022-10-12: Initial Publication.
Related Information:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Security Vulnerability - How to Contact the Juniper Networks
Security Incident Response Team
Last Updated: 2022-10-12
Created: 2022-10-12
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----