AusCERT - Security Bulletins

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5775 CVE-2022-0031 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cortex XSOAR Publisher: Palo Alto Networks Operating System: Linux variants Resolution: Patch/Upgrade CVE Names: CVE-2022-0031 Original Bulletin: https://securityadvisories.paloaltonetworks.com/CVE-2022-0031 Comment: CVSS (Max): 6.7 CVE-2022-0031 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Palo Alto Networks Security Advisories / CVE-2022-0031 CVE-2022-0031 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine 047910 Severity 6.7 . MEDIUM Attack Vector LOCAL Scope UNCHANGED Attack Complexity LOW Confidentiality Impact HIGH Privileges Required HIGH Integrity Impact HIGH User Interaction NONE Availability Impact HIGH NVD JSON Published 2022-11-09 Updated 2022-11-09 Reference CRTX-57476 Discovered externally Description A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system allows a local attacker with shell access to the engine to execute programs with elevated privileges. Product Status Versions Affected Unaffected Cortex XSOAR 6.9 6.9.0.130766 on Linux 6.9.0.130766 on Linux Cortex XSOAR 6.8 all Cortex XSOAR 6.6 all Cortex XSOAR 6.5 all Required Configuration for Exposure This issue is applicable only to Cortex XSOAR engine software running on a Linux operating system that was installed through the shell method. Please see the following link for more Cortex XSOAR engine installation information: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-9/cortex-xsoar-admin/ engines/install-deploy-and-configure-demisto-engines Severity:MEDIUM CVSSv3.1 Base Score:6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) Exploitation Status Palo Alto Networks is not aware of any malicious exploitation of this issue. Weakness Type CWE-345 Insufficient Verification of Data Authenticity Solution This issue is fixed in Cortex XSOAR engine software available in Cortex XSOAR 6.9.0 build 130766 and all later versions of Cortex XSOAR. Workarounds and Mitigations There are no known workarounds for this issue. Acknowledgments Palo Alto Networks thanks Olivier Caillault for discovering and reporting this issue. Timeline 2022-11-09 Initial publication Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure Policy Report vulnerabilitiesManage subscriptions (C) 2022 Palo Alto Networks, Inc. All rights reserved. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yFFskNZI30y1K9AQgctg/8D6R+A2Ayujo+3FpfuX5iDlhoIxkJtlM4 P9PvliIseC6tX7i/deZ7nENHf7/U7HFScCbZBsYCfKPDs7DZznbTk84tjR9tyRxK cgThwbL+HDuZ/wDhcYz18HiY+QFSoWlUTI4HTmK3VINzvW6Gh2bfCjGEG1LKGrG+ e5ACtj4Load6Ob0FXZmJa4Fb6UTDIAFKJj84Y8cQCSgp+7yx1PKTcnOcVCqE1Aq2 U3to5tjjugJ6qMfkXh8ek5a/dxRDI/cY7vzyjpjkX2XsS84jezK481IbIqKeIN7h pvcz0g8Hsv8c3as8vtEkyMczR9K1wNpN/8ec/d8P41XJguf9uB17qZhTIl+B8wuc NF2+GdXxCuaS8zG19Kw1ch+zsuBfa/6pjTcta8X4GPb+iBvVPx19fpv6NWO5cOHS ntE9jezyUe9pcaDZMQpbqAQ1HnAKdY5xvB9F+fumRJJKgRp11gQNBZVKKyggcz5+ NPRTO05e6uIa6bnW5V+V9j+6t2dVMmnbbY7qPkbKCSK6Y6MY38zYSCC7ZR4RDfEZ gxzNAdidjPQKGtgvFxrIJz85OItd0jVGcTU2+/gMm75g5ATaGYjD3qs+wfOO/T7J 2K2fwrSKkkj1em8V6LXGYsBbIzP12n3H3crJsOuB0toZV+/epe3Yon2cCUleXHda t5jJDM7RDD0= =GnHO -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5774 Multiple Cisco Products Snort SMB2 Detection Engine Policy Bypass and Denial of Service Vulnerabilities 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Server Message Block Version 2 Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20943 CVE-2022-20922 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-smb-3nfhJtr Comment: CVSS (Max): 5.8 CVE-2022-20943 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L - --------------------------BEGIN INCLUDED TEXT-------------------- Multiple Cisco Products Snort SMB2 Detection Engine Policy Bypass and Denial of Service Vulnerabilities Priority: Medium Advisory ID: cisco-sa-snort-smb-3nfhJtr First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: Yes Cisco Bug IDs: CSCvy97080 CSCwa55404 CSCwb66736 CSCwb78519 CSCwb87762 CSCwb91454 CSCwc37339 CSCwc37518 CVE Names: CVE-2022-20922 CVE-2022-20943 CWEs: CWE-244 Summary o Multiple vulnerabilities in the Server Message Block Version 2 (SMB2) processor of the Snort detection engine on multiple Cisco products could allow an unauthenticated, remote attacker to bypass the configured policies or cause a denial of service (DoS) condition on an affected device. These vulnerabilities are due to improper management of system resources when the Snort detection engine is processing SMB2 traffic. An attacker could exploit these vulnerabilities by sending a high rate of certain types of SMB2 packets through an affected device. A successful exploit could allow the attacker to trigger a reload of the Snort process, resulting in a DoS condition. Note : When the snort preserve-connection option is enabled for the Snort detection engine, a successful exploit could also allow the attacker to bypass the configured policies and deliver a malicious payload to the protected network. The snort preserve-connection setting is enabled by default. See the Details section of this advisory for more information. Note : Only products that have Snort 3 configured are affected. Products that are configured with Snort 2 are not affected. Cisco has released software updates that address these vulnerabilities. There are workarounds that address these vulnerabilities. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-smb-3nfhJtr This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products At the time of publication, these vulnerabilities affected Open Source Snort 3. For information about which Snort releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. For more information on Snort, see the Snort website . Impact to Cisco Products At the time of publication, these vulnerabilities affected the following Cisco products if they were running a vulnerable release of Cisco software: Cyber Vision FirePOWER Services - All platforms Firepower Threat Defense (FTD) Software - All platforms Meraki MX Security Appliances ^ 1 Umbrella Secure Internet Gateway (SIG) 1. See the Products Confirmed Not Vulnerable section of this advisory for a list of Meraki devices that are not affected by these vulnerabilities. For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Determine Cisco FTD Software Configuration On new installations of Cisco FTD Software releases 7.0.0 and later, Snort 3 is running by default. On devices that were running Cisco FTD Software Release 6.7.0 or earlier and were upgraded to Release 7.0.0 or later, Snort 2 is running by default. Determine Cisco FTD Software Configuration Using the FTD Software CLI To determine whether Snort 3 is configured on a device that is running Cisco FTD Software, log in to the Cisco FTD Software CLI and use the show snort3 status command. If the command produces the following output, the device is running Snort 3 and is affected by these vulnerabilities: show snort3 status Currently running Snort 3 Determine Cisco FTD Software Configuration for Cisco Firepower Management Center Software-Managed Devices To determine whether Snort 3 is configured on a device that is managed by Cisco Firepower Management Center (FMC) Software, complete the following steps: 1. Log in to the Cisco FMC Software web interface. 2. From the Devices menu, choose Device Management . 3. Choose the appropriate Cisco FTD device. 4. Click the Edit pencil icon. 5. Choose the Device tab and look in the Inspection Engine area. If Snort 2 is listed, the device is not affected by these vulnerabilities. If Snort 3 is listed, the device is affected by these vulnerabilities. Determine Cisco FTD Software Configuration for Cisco Firepower Device Manager Software-Managed Devices To determine whether Snort 3 is configured on a device that is managed by Cisco Firepower Device Manager (FDM) Software, complete the following steps: 1. Log in to the Cisco FTD Software web interface. 2. From the main menu, choose Policies . 3. Choose the Intrusion tab. 4. Look for the Inspection Engine version. The version will start with either a 2 for Snort 2 or a 3 for Snort 3. If the device is running a Snort 2 version, it is not affected by these vulnerabilities. If the device is running a Snort 3 version, it is affected by these vulnerabilities. Determine Cisco FTD Software Configuration for Cisco Defense Orchestrator-Managed Devices To determine whether Snort 3 is configured on a device that is managed by Cisco Defense Orchestrator, complete the following steps: 1. Log in to the Cisco Defense Orchestrator web interface. 2. From the Inventory menu, choose the appropriate Cisco FTD device. 3. In the Device Details area, look for Snort Version . The version will start with either a 2 for Snort 2 or a 3 for Snort 3. If the device is running a Snort 2 version, it is not affected by these vulnerabilities. If the device is running a Snort 3 version, it is affected by these vulnerabilities. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities. Cisco has confirmed that these vulnerabilities do not affect the following products: Cisco 1000 Series Integrated Services Routers (ISRs) Cisco 4000 Series Integrated Services Routers (ISRs) Cisco Adaptive Security Appliance (ASA) Software Cisco Catalyst 8000V Edge Software Cisco Catalyst 8200 Series Edge Platforms Cisco Catalyst 8300 Series Edge Platforms Cisco Catalyst 8500 Series Edge Platforms Cisco Catalyst 8500L Series Edge Platforms Cisco Cloud Services Routers 1000V Cisco Firepower Management Center (FMC) Software Cisco Meraki MX64 and MX64w Appliances Cisco Meraki MX65 and MX65w Appliances Cisco Integrated Services Virtual Routers (ISRv) Open Source Snort 2 Details o snort preserve-connection Settings The impact of these vulnerabilities can be twofold, depending on whether the snort preserve-connection setting is enabled or disabled and whether a traffic flow began before the Snort process went down or began while the Snort process was down. The behavior for traffic flows that were established before the Snort process went down is configuration dependent. The behavior for traffic flows that begin while the Snort process is down is not configuration dependent and always results in a DoS condition. For details on the snort preserve-connection setting, see the Cisco Secure Firewall Threat Defense Command Reference and the Snort Restart Traffic Behavior section of the Firepower Management Center Configuration Guide. snort preserve-connection Is Enabled When the snort preserve-connection option is enabled for the Snort detection engine, existing traffic flow are not dropped when the Snort process goes down. Instead, existing traffic flows bypass the Snort detection engine. A successful exploit could allow an attacker to bypass the configured policies and deliver a malicious payload to the protected network. Traffic flows that begin while the Snort process is down are dropped, resulting in a DoS condition. The CVSS score for existing traffic flows is as follows: CVSS:3.1/AV:N/AC:L /PR:N/UI:N/S:C/C:N/I:L/A:N The CVSS score for new traffic flows is as follows: CVSS:3.1/AV:N/AC:L/PR:N /UI:N/S:C/C:N/I:N/A:L snort preserve-connection Is Disabled When the snort preserve-connection option is disabled for the Snort detection engine, existing traffic flows are dropped. A successful exploit could result in a DoS condition. Traffic flows that begin while the Snort process is down are also dropped, resulting in a DoS condition. The CVSS score is the same for both new and existing traffic flows: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L Determine the Cisco FTD Software Configuration The snort preserve-connection setting is enabled by default. To view the current setting, log in to the Cisco FTD Software CLI and use the s how running-config | include snort command. There are no GUI options for viewing the setting. If the command produces the following output, snort preserve-connection is enabled on the device: > show running-config | include snort snort preserve-connection > If the command produces the following output, snort preserve-connection is disabled on the device: > show running-config | include snort no snort preserve-connection > Workarounds o There is a workaround that addresses these vulnerabilities. To remove the attack vector for these vulnerabilities for Cisco FMC Software-managed devices and Cisco Defense Orchestrator-managed devices, configure a fastpath prefilter rule to bypass the Snort detection engine. To remove the attack vector for these vulnerabilities for Cisco Firepower Device Manager (FDM)-managed devices, configure an access control rule to bypass the Snort detection engine. Workaround for Cisco FMC Software-Managed Devices To configure a fastpath prefilter rule for SMB traffic for Cisco FMC Software-managed devices, do the following: 1. Log in to the FMC web interface. 2. From the Policies menu, under the Access Control section, choose Prefilter . 3. Choose New Policy . 4. Enter the Name and Description and click Save . 5. In the resulting window, ensure that Default Action: Tunnel Traffic is set to Analyze all tunnel traffic . 6. Click Add Prefilter Rule . 7. In the resulting window, enter a rule Name and ensure the Enabled box is checked. 8. From the Action drop-down menu, choose Fastpath . 9. Configure the policy under the Interfaces , Networks , and Vlan Tags tabs for SMB traffic on the affected network. 10. Click the Port tab. 11. Enter the following destination ports for SMB traffic: TCP (6):138, TCP (6):139, TCP (6):445 and UDP (17):137 . 12. Click Add to add the policy. 13. Click Save to save the policy. To associate the SMB prefilter policy with the access control policy deployed on Cisco FMC Software-managed devices, do the following: 1. From the Policies menu, under the Access Control section, choose Access Control . 2. Find the policy of interest. 3. Click the Edit icon. 4. Click the name next to Prefilter Policy . 5. Choose the name of the newly created SMB prefilter policy from the drop-down menu. 6. Click OK . For more information, see the Prefiltering and Prefilter Policies chapter of the Firepower Management Center Device Configuration Guide. Workaround for Cisco FDM-Managed Devices Fastpath is not supported on Cisco FDM-managed devices. Instead, set an access control policy with an action of trust for the appropriate ports. To configure an access control policy to bypass SMB traffic for Cisco FDM-managed devices, do the following: 1. Log in to the Cisco FDM web interface. 2. From the Policies menu, choose Access Control . 3. Create a new policy by clicking the plus ( + ) sign. 4. Enter a name and under the Action drop-down menu, choose Trust . 5. In the Port section, click the plus ( + ) sign. 6. Select Create new Port. 7. Enter a name, protocol type, and port number for each of the following ports: TCP (6):138 , TCP (6):139 , TCP (6):445 , and UDP (17):137 . 8. Once the ports have been created, select the four ports to be added to the rule by selecting their names. 9. Click OK when done. 10. Click OK to add the policy. 11. Deploy changes to Cisco FTD Software. For more information, see the Access Control Chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager. Workaround for Cisco Defense Orchestrator-Managed Devices To configure a fastpath prefilter rule for SMB traffic for Cisco Defense Orchestrator-managed devices, do the following: 1. Log in to the Cisco Defense Orchestrator web interface. 2. From the Policies menu, choose FTD Policies . 3. From the Policies menu, under the Access Control section, choose Prefilter . 4. Click New Policy . 5. Enter the Name and Description and click Save . 6. In the resulting window, ensure that Default Action: Tunnel Traffic is set to Analyze all tunnel traffic . 7. Click Add Prefilter Rule . 8. In the resulting window, enter a rule Name and ensure the Enabled box is checked. 9. From the Action drop-down menu, select Fastpath . 10. Configure the policy under the Interfaces , Networks , and Vlan Tags tabs for SMB traffic on the affected network. 11. Click the Port tab. 12. Enter the following destination ports for SMB traffic: TCP (6):138 , TCP (6):139 , TCP (6):445 , and UDP (17):137 . 13. Click Add to add the policy. 14. Click Save to save the policy. To associate the SMB prefilter policy with the access control policy deployed on Cisco Defense Orchestrator-managed devices, do the following: 1. From the Policies menu, under the Access Control section, choose Access Control. 2. Find the policy of interest. 3. Click the Edit icon. 4. Click the name next to Prefilter Policy . 5. Choose the name of the newly created SMB prefilter policy from the drop-down menu. 6. Click OK . For more information, see the Cisco Defense Orchestrator website . While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco ASA, FMC, and FTD Software: CSCwb87762 , CSCwb66736 , CSCwa55404 , CSCvy97080 To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only High and Critical advisories, or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform (for Cisco ASA and FTD Software only). 4. Enter a release number-for example, 16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Cyber Vision: CSCwc37339 , CSCwc37518 , CSCwb78519 At the time of publication, the release information in the following table (s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Cisco Cyber Vision First Fixed Release for CVE-2022-20922 and Release CVE-2022-20943 3.x Migrate to a fixed release. 4.0 Migrate to a fixed release. 4.1 4.1.2 Meraki MX Security Appliances Cisco Meraki MX Security First Fixed Release for First Fixed Release for Appliances Release CVE-2022-20922 CVE-2022-20943 MX15 and earlier None planned. Migrate to a fixed release. MX16 None planned. Hotfix available for 16.6.7 (Nov 22, 2022) MX17 None planned. Hotfix available for 17.11.1 (Nov 22, 2022) MX18 None planned. Hotfix available for 18.1.3 (Nov 22, 2022) Snort: CSCwb87762 , CSCwb66736 , CSCwa55404 , CSCvy97080 Snort First Fixed Release for First Fixed Release for Release CVE-2022-20922 CVE-2022-20943 2.x Not vulnerable Not vulnerable 3.x 3.1.31.0 Not vulnerable Umbrella SIG: CSCwb91454 Cisco plans to address these vulnerabilities in Cisco Umbrella SIG, which is cloud based. No user action is required. Customers who need additional information are advised to contact Cisco Umbrella Support at umbrella-support@cisco.com or their contracted maintenance providers. Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Exploitation and Public Announcements o The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. Source o These vulnerabilities were found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-smb-3nfhJtr Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yDyMkNZI30y1K9AQgKWQ/7BlU89bDBtckQ4ms6YPcWheyNm2Ff/Z/R AJtkFDL/pbYSFzGmCnQ3QM8yY5Eq9HusU/MAGvYhIg1A4VgbgBsrezoDbB+gO8En z5v42uuUT+XqyyFdqFBXoFC/yVQt/Ev1E2WByX4k0TITyp5AGocefrxHRjLdCrVI Yx2dIcJY2yrQND/2uQVZxPFgVKdH7z0/Dexj62dsDCrcdDaxH2IhlSk8EFE1+o/V 6SVKM2V6b1+kTQq0TNfINLkkGOPd0R9oDaB78uTo6MHI+kANefROmMsdnYOzup88 FkMNAkopfPYE2m99bRmYj9MfTvb7DWrAf5L0nCPbQldKhh09Ti6iFxzsuSszOUYW LXNL/S6V4cWK8VeTlYnu/R0DRY/25hh57LCOq+xXXeBuR2+sRfTDpKNJo8ho4D3q lDHqWyVggzx3VOfgXRfZbaRjlBGWTzVN4N3lEO5FDSOJkqlYuMHWKHZRghP+q/pm eF2ctRklci86oKwla2g9BVkCcZnU+pzAeodHEl0gl1tKeZI/VNPh6m3Vl/MAvi1I 79NiT4OII8ajOYk7wQ4UkOzmy+OrvjVL6pggcrxrpg486Ax/SB3Jmkov7NR1WdUT ICd/eMcMjhETv944lp3ul69MjxkxRKImRTsXN1cETg2iJmIhUatN7f42+U+nqV5o AGAx8/PA/iY= =FsN7 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5773 Cisco Secure Firewall 3100 Series Secure Boot Bypass Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Secure Firewall 3100 Series Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20826 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fw3100-secure-boot-5M8mUh26 Comment: CVSS (Max): None available when published - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Secure Firewall 3100 Series Secure Boot Bypass Vulnerability Priority: High Advisory ID: cisco-sa-fw3100-secure-boot-5M8mUh26 First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwb08411 CVE Names: CVE-2022-20826 CWEs: CWE-501 Summary o A vulnerability in the secure boot implementation of Cisco Secure Firewalls 3100 Series that are running Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated attacker with physical access to the device to bypass the secure boot functionality. This vulnerability is due to a logic error in the boot process. An attacker could exploit this vulnerability by injecting malicious code into a specific memory location during the boot process of an affected device. A successful exploit could allow the attacker to execute persistent code at boot time and break the chain of trust. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fw3100-secure-boot-5M8mUh26 This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products This vulnerability affects Cisco Secure Firewalls 3100 Series if they were running a release of Cisco ASA Software or Cisco FTD Software that includes a vulnerable firmware bundle version: In Cisco ASA Software Release 9.17 and Cisco FTD Software Release 7.1, firmware bundle versions earlier than 1.0.22 are vulnerable. In Cisco ASA Software Release 9.18 and Cisco FTD Software Release 7.2, firmware bundle versions earlier than 1.2.17 are vulnerable. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Determine the Firmware Bundle Version To determine which firmware bundle is running on a device, use the show version detail CLI command at the Cisco FXOS CLI and look for the line starting with Firmware-Vers . For information on how to log in to the Cisco FXOS CLI, see the Cisco FXOS Troubleshooting Guide for the Firepower 1000/ 2100 and Secure Firewall 3100 with Firepower Threat Defense . The following example shows the output of the show version detail command on a device that is running firmware bundle release 1.2.15: firepower# show version detail Version: 7.2.0-82 Startup-Vers: 7.2.0-82 MANAGER: Boot Loader: Firmware-Vers: 1.2.15 Rommon-Vers: 1.1.08 Fpga-Vers: 0.19.00 Fpga-Golden-Vers: 0.17.00 NpuFpga-Vers: 1024.37.00 TamFpga-Vers: 2.6.c Power-Sequencer-Vers: 1.6 Firmware-Status: OK Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco Firepower Management Center (FMC) Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases In the following table(s), the left column lists Cisco software releases. The center column lists the firmware bundle version that includes the fix for the vulnerability that is described in this advisory. The right column lists the first software release that includes the fixed firmware bundle. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section. Cisco ASA First Fixed Firmware First Fixed Release That Includes Software Release Bundle Version the Fixed Firmware Bundle 9.17 1.0.22 9.17.1.15 9.18 1.2.17 9.18.2 Cisco FTD First Fixed Firmware First Fixed Release That Includes Software Release Bundle Version the Fixed Firmware Bundle 7.1 1.0.22 7.1.0.2 7.2 1.2.17 7.2.1 Note : When Cisco ASA Software or FTD Software is upgraded on a device, the firmware bundle version is also upgraded automatically. If the Cisco ASA Software or FTD Software is later downgraded, the firmware bundle version is not downgraded. Once the firmware bundle is upgraded to a fixed version, it will remain fixed, even if the Cisco ASA Software or FTD Software is downgraded. For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Exploitation and Public Announcements o The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fw3100-secure-boot-5M8mUh26 Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yCq8kNZI30y1K9AQjSZBAAqjAx5B/UyKtOhF1tqphoQmn4tAfL4vTW Ml4Q/3t58kPkeO0h4TBf8mrCQVcYAg28IbCkZo0DsYyQKbPxlh/xocaddZa3MbNx frspFa2cHBlhVle5C/OiDimuXB1AjGUxBV+wG69YXIfwAH0eryFWCPtZAqq1Rn9o EtZxkwuCSTJL+ptxCu/LxXijVJNML2ZjzFZtMRSDqGXILk25ELdK2fHmKuANlY7c S2Qj7DoT/gSAlQ1WxdTnlnYVSoNXzVp0Z/Axo2oGfOgzeDvzkkO39zg71dt9Jw9I h6PDXXY/pgxWssFZrC035KtSQhhqiI6QZkd9DiAFe6EHRGnY9EkhYc7H4TGgaJ4E RPaXKlkitN2IvbLqcUMD2KHDw6/Qte9sTUEjxH+wywl2JkKWCmxmQkBBdOwM3Y6W KLVElGeOLqH0SpgmVzZlMp0nCyG18kq2vG9d7YNehDQRJK0kzvFMqN7G3kr7hztK Xhnl64xbfr9clRQ/eqAjaVEqQHHIZ4r7hxYUMfY3uSsxe62BEeTbTVu0dbii31zk +bgZnH1zorJDcRmOdV53gf90E4fiqHXHWowUniMSX88zC/pLgorAzXo2HbOIlxIx lev/dQZfWEqwHAReRoF2+U9TTQfP44n98AFgFqva7n/Q2ErD2aKjvMHLe0ieQq7x nPbkysqN6zg= =+/eI -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5772 Cisco Firepower Threat Defense Software and Cisco FXOS Software Command Injection Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Firepower Threat Defense Software Cisco FXOS Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20934 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-fxos-cmd-inj-Q9bLNsrK Comment: CVSS (Max): 6.0 CVE-2022-20934 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Firepower Threat Defense Software and Cisco FXOS Software Command Injection Vulnerability Priority: Medium Advisory ID: cisco-sa-ftd-fxos-cmd-inj-Q9bLNsrK First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwb41854 CSCwc02133 CVE Names: CVE-2022-20934 CWEs: CWE-77 Summary o A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Software and Cisco FXOS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as root . This vulnerability is due to improper input validation for specific CLI commands. An attacker could exploit this vulnerability by injecting operating system commands into a legitimate command. A successful exploit could allow the attacker to escape the restricted command prompt and execute arbitrary commands on the underlying operating system. To successfully exploit this vulnerability, an attacker would need valid Administrator credentials. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-fxos-cmd-inj-Q9bLNsrK This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products At the time of publication, this vulnerability affected Cisco products if they were running a vulnerable release of Cisco FTD Software. At the time of publication, this vulnerability also affected the following products if they were running a vulnerable release of Cisco FXOS Software: Firepower 4100 Series Firepower 9300 Series For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: Adaptive Security Appliance (ASA) Software Firepower 1000 Series Firepower 2100 Series Firepower Management Center (FMC) Software Details o For Cisco products that are listed as vulnerable in this security advisory, Administrator accounts have access by default to the underlying operating system through expert mode. In the most common scenario, an attacker would not gain any benefit by exploiting this vulnerability because all the command execution capabilities would be available to them through legitimate means. However, for deployments in which administrators are prevented from accessing the expert mode (for example, multi-Instance deployments or systems configured with the system lockdown-sensor command), this vulnerability can be exploited to regain access to the expert mode command prompt, which should no longer be available. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco ASA, FMC, FTD, and FXOS Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, FTD, and FXOS Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 2.9.1.158 for Cisco Firepower 4100 Series Security Appliances or 9.16.2.11 for Cisco ASA Software. 5. Click Check . For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found by Brandon Sakai of Cisco during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-fxos-cmd-inj-Q9bLNsrK Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yCd8kNZI30y1K9AQgiIA/5Ae2JihHlql2pl4lpblv3YShOYgXMHxbs JE6HUn3PIr/VaWQT6KMexs01PfbCrhv/wZ55OhO6DUqdTlivFxir1MEDJ+Btdw1Z ilJA6ocHomC9l/+W2MeB+fnFlhE70RKc4Zf2Pw05Q7aQn++K7Hpt1Qzkh2ERGF2O rURsIptw0i8+SuMsIlt2tNDew/BiIERH6WQyO1ZxTs6lWdTB9BZ4ozF6dmR2Iwlz KX0P8g788j827RzmLb+lacPB6hwJ9lJBa2qTjcpgtIsinJRloqUSnfRAZy0JevGz 9+OrCWcKohEWCqZUE9Mip6v7yVKlwcX6q7jLR8HmWN9QPIfpDgs0ZT/pdhw6CtFt qhCqjQQGtnD5Bh9ed747GazoR08G5z9Ijnjo6UM8Gmg4Uoa72Ps+Z++uqfd4YRzQ RExwVp3YxXpW0zwJnIO8f4oYsHpNicf09UQbj1cWd1VWIa+KAYFQsSNgTdWrsV3W WZZ7FdQJotIOMjEhhx6ybAg4WXhNPXf0dFIaZLnmN5R58NSqPEiPoV4Cbnv778ff aqogqF5uFN6JIM7OQPBoc+SumKkqGPhpeiKC3lh9kM8iL10nDFtx1tLnql2le5GF 6nyeP3eU/6C1i+InJP/J1KhMLkUYl1godVcg9E1fVw8A6lOI3eFF7KUi5NaJT3rz vBYXnV/BdOk= =FIzg -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5771 Cisco Firepower Threat Defense Software SSL Decryption Policy Bleichenbacher Attack Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Firepower Threat Defense Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20940 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-bb-rCgtmY2 Comment: CVSS (Max): 5.3 CVE-2022-20940 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Firepower Threat Defense Software SSL Decryption Policy Bleichenbacher Attack Vulnerability Priority: Medium Advisory ID: cisco-sa-ftd-tls-bb-rCgtmY2 First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwa41936 CVE Names: CVE-2022-20940 CWEs: CWE-203 Summary o A vulnerability in the TLS handler of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to gain access to sensitive information. This vulnerability is due to improper implementation of countermeasures against a Bleichenbacher attack on a device that uses SSL decryption policies. An attacker could exploit this vulnerability by sending crafted TLS messages to an affected device, which would act as an oracle and allow the attacker to carry out a chosen-ciphertext attack. A successful exploit could allow the attacker to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions to the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-bb-rCgtmY2 This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products At the time of publication, this vulnerability affected Cisco devices if they were running a vulnerable release of Cisco FTD Software and had at least one active SSL decryption policy with the behavior in response to decryption errors set to Block with reset . For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Determine the SSL Decryption Policy Configuration In the Cisco Firepower Management Center (FMC) GUI, choose Policies > SSL . For each configured SSL policy, do the following: 1. Click Edit . 2. Choose the Undecryptable Actions tab. 3. Review the setting for Decryption Errors . If Decryption Errors is set to Block with reset for an SSL policy, devices that have that policy applied are affected by this vulnerability. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: Adaptive Security Appliance (ASA) Software FMC Software Next-Generation Intrusion Prevention System (NGIPS) Software Workarounds o There are no workarounds that address this vulnerability. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-bb-rCgtmY2 Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yCUckNZI30y1K9AQh6fA//abZkRA993iJXuDHL/vnvfF5P8yd7zQvr iDu5HE9NqVfoShqtoGsjGjzr/ANyW8KDcDF3PLB0UKO8PjCj3hKeULxbh9jDEwGi F0lHFJGLVs9gEIl4RMOGl2ziZ1sAss0u2U7GiIbpwaonU5ZEKSjnL5ABRgGrsMLA L/kPzP4LpQar6q8fX6ZdYYyczNj5fvWQzCA/mTiTmloW7pw3FPmeNn+9SPHTBej4 Y7YM3ZC2w6kYrKFZaCeUxcHn3xGKnDDFEflaNSsu5uBbjB4grZzxCSYQ9cxLqI4l v3rfDyCep9zIjUUgbeARiNCvYvfXOmcBOdddwA9cbtIutRLXatYXjtxK/YTwOeGq tJz4T6u/F4W5mpA2XmiD4Ef0JqHZvQYyJQPflJAXno+LJDZYH0QsRVkpJ9nCHobh lh9N7wQlFUciSL6a+gZDs1SNSGajJYtl3dYQM4ERHFJBplz8KlN630sY0U7Rh0ZO 85yoq7SyWDDm65hW+R/dV/NzZ2pvzpAbYw/k0e5Ua+3nVqd6U2UTgfntDftlIZXc vaItlhh3UiC3UvVQWIVL3Ec+T1R06aSv5mofq91Q0xdv8uWwGq+zrdJ9WlMWCXsf SVDRu8Oex3pqrRDLTKDhJFUsr6aLdkxqh3Of8Ox0UGGKXZqyJZGLKembYQviXNzL QEvDpfiZ30E= =x3x0 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5770 Cisco Firepower Threat Defense Software SIP and Snort 3 Detection Engine Denial of Service Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Firepower Threat Defense Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20950 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftdsnort3sip-dos-A4cHeArC Comment: CVSS (Max): 5.8 CVE-2022-20950 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Firepower Threat Defense Software SIP and Snort 3 Detection Engine Denial of Service Vulnerability Priority: Medium Advisory ID: cisco-sa-ftdsnort3sip-dos-A4cHeArC First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwb99509 CVE Names: CVE-2022-20950 CWEs: CWE-770 Summary o A vulnerability in the interaction of SIP and Snort 3 for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the Snort 3 detection engine to restart. This vulnerability is due to a lack of error-checking when SIP bidirectional flows are being inspected by Snort 3. An attacker could exploit this vulnerability by sending a stream of crafted SIP traffic through an interface on the targeted device. A successful exploit could allow the attacker to trigger a restart of the Snort 3 process, resulting in a denial of service (DoS) condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftdsnort3sip-dos-A4cHeArC This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products At the time of publication, this vulnerability affected Cisco FTD Software if it was running Release 7.2.0 or 7.2.0.1 and had the Snort 3 detection engine configured with an SIP inspection policy. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Determine Cisco FTD Software Configuration On new installations of Cisco FTD Software releases 7.0.0 and later, Snort 3 is running by default. On devices that were running Cisco FTD Software Release 6.7.0 or earlier and were upgraded to Release 7.0.0 or later, Snort 2 is running by default. Determine Cisco FTD Software Configuration Using the FTD Software CLI To determine whether Snort 3 is configured on a device that is running Cisco FTD Software, log in to the Cisco FTD Software CLI and use the show snort3 status command. If the command produces the following output, the device is running Snort 3 and is affected by this vulnerability: show snort3 status Currently running Snort 3 Determine Cisco FTD Software Configuration for Cisco Firepower Management Center Software-Managed Devices To determine whether Snort 3 is configured on a device that is managed by Cisco Firepower Management Center (FMC) Software, complete the following steps: 1. Log in to the Cisco FMC Software web interface. 2. From the Devices menu, choose Device Management . 3. Choose the appropriate Cisco FTD device. 4. Click the Edit pencil icon. 5. Choose the Device tab and look in the Inspection Engine area. If Snort 2 is listed, the device is not affected by this vulnerability. If Snort 3 is listed, the device is affected by this vulnerability. Determine Cisco FTD Software Configuration for Cisco Firepower Device Manager Software-Managed Devices To determine whether Snort 3 is configured on a device that is managed by Cisco Firepower Device Manager (FDM) Software, complete the following steps: 1. Log in to the Cisco FTD Software web interface. 2. From the main menu, choose Policies . 3. Choose the Intrusion tab. 4. Look for the Inspection Engine version. The version will start with either a 2 for Snort 2 or a 3 for Snort 3. If the device is running a Snort 2 version, it is not affected by this vulnerability. If the device is running a Snort 3 version, it is affected by this vulnerability. Determine Cisco FTD Software Configuration for Cisco Defense Orchestrator-Managed Devices To determine whether Snort 3 is configured on a device that is managed by Cisco Defense Orchestrator, complete the following steps: 1. Log in to the Cisco Defense Orchestrator web interface. 2. From the Inventory menu, choose the appropriate Cisco FTD device. 3. In the Device Details area, look for Snort Version . The version will start with either a 2 for Snort 2 or a 3 for Snort 3. If the device is running a Snort 2 version, it is not affected by this vulnerability. If the device is running a Snort 3 version, it is affected by this vulnerability. Determine Cisco FTD Software SIP Configuration To determine whether SIP inspection is configured on Cisco FTD Software, run the show service-policy | include sip command in the CLI. The device is considered vulnerable if Snort 3 is configured as described above and if the output includes Inspect: sip , as shown in the following example: device# show service-policy | include sip Inspect: sip , packet 2, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0 Note: SIP inspection is enabled by default on Cisco FTD Software. For detailed information about the default settings for application inspection policies, see the Cisco ASA Series Firewall CLI Configuration Guide . Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following products: Cisco Adaptive Security Appliance (ASA) Software Cisco Firepower Management Center (FMC) Software Open Source Snort 2 Open Source Snort 3 Details o The following Cisco FTD Software Snort 3 configuration parameters govern how traffic is handled if the Snort 3 process restarts, which could change how SIP traffic is handled during an exploit of this vulnerability. Snort Fail Open snort preserve-connection For additional information, see the Firepower Management Center Configuration Guide . Workarounds o There are no workarounds that address this vulnerability. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftdsnort3sip-dos-A4cHeArC Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yCJckNZI30y1K9AQi1PBAAvAk7na1T9BPiT/SjI+G4INted8xHU3F8 w7hDWAMIGr9ppeNdgcsfbV9Nnban5BWvZGBse5tdxIThs0t/PeboWccCJT+ZNriA 8MOpjvTddVpIDp/XZVpMqfTDTl9t/eVjivFKkrIkvNZqMAIIU6+x0VU6gP72f9Ld fBdZu721wQJoua4lc6INcraGuHjyb4PE+WmMHToXY5lsc9e0F4rfa89gx9aBK60l mXazArqH3jK4z4REb0IPBTP4Yi4EL2lxTDZU3MSX76hZtJlb5ldq/GOIKr1sFe63 LKkyt9UjnHN36ooL7DwcxymFIGX2IgZE/rgFYoFtPNZIh83cwKhysi1H9SRAHnA+ cwivh5wmzENcv1LlisATujWNPeykuXtbbTBASbbIc19X9u33kBNpFcbBg9MLPbjE kQhzsOL1uazFfV87lr+LUheeiru1U1ZNcjPnOzde5UDEjgkTzdkydCL+Ta3xwY7R p5Drz7zKQ8RwXGN7J7nyiioDMKrzh+b+Okm6Sdv2+H1zflY7mJJRyk6L5+qfaIaP wsnlE8V0xBDAjDkZU5IXhRI5hCO02gNTwBDNJgoMELpDJsGmehHAreau6nyK/xoP LX+9fXmjdbCTHjkTcDRJR44Azix7C7/p1ZrJYiyHZvc6jpSLAZikQgPMcDHRy013 GdpFRuHQ2vU= =bfMN -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5769 Cisco Firepower Threat Defense Software Privilege Escalation Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Firepower Threat Defense Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20949 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-mgmt-privesc-7GqR2th Comment: CVSS (Max): 6.5 CVE-2022-20949 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Firepower Threat Defense Software Privilege Escalation Vulnerability Priority: Medium Advisory ID: cisco-sa-ftd-mgmt-privesc-7GqR2th First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwb52401 CVE Names: CVE-2022-20949 CWEs: CWE-399 Summary o A vulnerability in the management web server of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker with high privileges to execute configuration commands on an affected system. This vulnerability exists because access to HTTPS endpoints is not properly restricted on an affected device. An attacker could exploit this vulnerability by sending specific messages to the affected HTTPS handler. A successful exploit could allow the attacker to perform configuration changes on the affected system, which should be configured and managed only through Cisco Firepower Management Center (FMC) Software. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-mgmt-privesc-7GqR2th This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products At the time of publication, this vulnerability affected Cisco products if they were running a vulnerable release of Cisco FTD Software managed by Cisco FMC Software and had HTTPS access enabled. For information about which Cisco software releases are vulnerable at the time of publication, see the Fixed Software section of this advisory. Determine the HTTPS Management Access Configuration To identify the status and port of the HTTPS management access, use the show running-config http CLI command. The following example shows the output of the show running-config http command on a device that has HTTPS management access enabled on the inside and outside interfaces using TCP port 8443: firepower# show running-config http http server enable 8443 http 0.0.0.0 0.0.0.0 inside http 0.0.0.0 0.0.0.0 outside If the line starting with http server enable does not include a port, the default port 443 is used. The exact port value does not affect the vulnerability status of the device. If the line starting with http server enable is missing, or the output does not include an HTTP access control list (ACL) associated with an interface, HTTPS management access is disabled. The exact value of the HTTP ACL does not affect the vulnerability status of the device. However, for successful exploitation, the attacker must be able to connect to the HTTPS management server of the device from an IP address that is permitted by the HTTP ACL. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: Adaptive Security Appliance (ASA) Software FMC Software Next-Generation Intrusion Prevention System (NGIPS) Software Workarounds o There are no workarounds that address this vulnerability. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-mgmt-privesc-7GqR2th Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yB9skNZI30y1K9AQgC8A//VtW+RwKQX2/bjxqQ7ZXUeW0HYQReOT0V U14R0GJ87/Ly+kIa1uAFKEqPCUlB/C4xhlCexljeQJuaf/0J02nUr3vw6YIBTSW9 u2fZnOsQUGvDetWL/SMLnKC1Sw7x2CdQ8EMag9w//Nsz5bQlBq61IGO6J0JLlifZ ZUq6jN0bAYo/U0i4BtvvPScriFmiMHLyQoDk02JK1eko3myM/3Uo9xKzORmAa2Iz Lycc4MMfvjY9wHk6CvDvkjPVl1b+CbAOlQ0hPuAvakRXOBDmOTbbRrUlGn/EJraR D04xu3GtGJ+Q0B6Mc0wlPRYw614r1eioUTlP9aJ8V6GptN4sMIW9nrCMFTi7SVlR FmzMwgGjgIwjnFFDzsYu399ibjdYqhgjAbasUld6Pc+A6eiwWqH5QWtzWZu0lhgQ L9DmM/SdCNyYejmsiSHfg4+qKZdOaYJvB6aufoEemY8dCGNji9sBDJtppiXdcoZ9 VZxzCDmL8yB1BTAROaGACbd6mfE78X05a9dAbQXkVvqo3uxPKDY2nT0egW/lJvoG 2aYVHgrykrHHhmhuUR1k4aIN+aM0BiS8TlQBvNZByzzXSM1IUE0ACbEFGzBPMKbH h45V3oMnNpZOkfBMVGffurdr6UiAnKag7cOn0wspRDvngEk6xuDKywZxCalSrmUm MaZnkrCvb8E= =QCBx -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5768 Cisco Firepower Threat Defense Software Generic Routing Encapsulation Denial of Service Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Firepower Threat Defense Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20946 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-gre-dos-hmedHQPM Comment: CVSS (Max): 8.6 CVE-2022-20946 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Firepower Threat Defense Software Generic Routing Encapsulation Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-ftd-gre-dos-hmedHQPM First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwb66761 CVE Names: CVE-2022-20946 CWEs: CWE-122 Summary o A vulnerability in the generic routing encapsulation (GRE) tunnel decapsulation feature of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to a memory handling error that occurs when GRE traffic is processed. An attacker could exploit this vulnerability by sending a crafted GRE payload through an affected device. A successful exploit could allow the attacker to cause the device to restart, resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-gre-dos-hmedHQPM This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products This vulnerability affects Cisco FTD Software releases 6.3.0 and later. Note: GRE tunnel decapsulation in the LINA engine was introduced in Cisco FTD Software Release 6.3.0. This feature is enabled by default and cannot be disabled. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: Adaptive Security Appliance (ASA) Software Firepower Management Center (FMC) Software Next-Generation Intrusion Prevention System (NGIPS) Software Workarounds o There are no workarounds that address this vulnerability. However, administrators may choose to bypass decapsulation for GRE-tunneled flows by following these steps from the Cisco FMC GUI: 1. Click Policies and choose Prefilter under Access Control . 2. Click Edit under the Prefilter Policy that is associated with the access policy assigned to the device. 3. Change the GRE tunnel rule type action to Fastpath . 4. Click Save . 5. Click Deploy . Note: This configuration will bypass the detection engine for GRE-tunneled traffic. While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found by Satheeshkumar Eswaramoorthy of Cisco during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-gre-dos-hmedHQPM Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yBsMkNZI30y1K9AQi3hQ//XXoi5X+UD47MvBEUA+Q39cCglQ97kxK1 pIy+P1nHS6FgPwANy3p/xn519C1relrgRhl5Xpno+TW1HjYLCT/sYF5Nvq+rXaIj d85P+2XYJqHr2JYzVXuo67jbaZz/5hKJad/nWiXgRuee+iPY+/zNKv84THT+JX17 532dDOAq0/Dslm1Tu3iC8lj4aN3GRJudhhpYbbSb4UwTDkUBxrv8wZpn2p8zK5cy 919f+bdU12USQAXbwsQuBilPCKpirAdfXILsAaXkQpa6l5m8w6ya3CwalgduuzN0 363yroewawIJpD5CdTfX7uCk3ydsyhwP6+wI+uSOYroM7dme9XU123ZCevqoZAei 0JjV81lbuQrPOCBEBcfGVozKqdH4qbNkSfe6ojQHKe8EL/m6mQEAHsNWotooO+u8 UB+rIA4yMaQpifF3bTVZGz2leozxdf4FKM6nArLGwV3kaS+2gE48fONHC1YY9hU6 GIoNjL7oPL2m97SBy5E5Nt+Xu65RMdy6MZ/VOLTZ+B/YmjSjOI1k6KbeVWJSPxFP RrJgWCF0D9P9yYdJMJpE3Y/0Yxtnd5rt5ECi6hfwyUVAMUEXQa9utgK4CJm7+7Jk m1yf/z9TnkEmE+bn5TxrjkFSXjem5LH+yCmdyxodMb8iybgECYKAAC7NevncHUxJ akYN1GOM7TQ= =Ek+x -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5767 Cisco Firepower Management Center and Firepower Threat Defense Software SSH Denial of Service Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Firepower Management Center Firepower Threat Defense Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20854 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-dos-OwEunWJN Comment: CVSS (Max): 7.5 CVE-2022-20854 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Firepower Management Center and Firepower Threat Defense Software SSH Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-fmc-dos-OwEunWJN First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvy95520 CVE Names: CVE-2022-20854 CWEs: CWE-400 Summary o A vulnerability in the processing of SSH connections of Cisco Firepower Management Center (FMC) and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling when an SSH session fails to be established. An attacker could exploit this vulnerability by sending a high rate of crafted SSH connections to the instance. A successful exploit could allow the attacker to cause resource exhaustion, resulting in a reboot on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-dos-OwEunWJN This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products This vulnerability affects Cisco products if they are running a vulnerable release of Cisco FMC Software or Cisco FTD Software that is in the default configuration. SSH is enabled by default on the FMC management interface. SSH is not enabled by default on the data interfaces. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco Adaptive Security Appliance (ASA) Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-dos-OwEunWJN Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yBdskNZI30y1K9AQhcthAAhYtQ27qgfh8NcW0jVPA2IAJgx0doUmkm d4RAn1uM4GdZON8+mA5bbrgPW/5JAvB3OUzxaeYRtHJ4KJwDXiNRb2mkEPfm5PXn dZzs3KVUvWMXGbmoEDdrWuHlepont2U00NM2W+I0y+0VKZx7uKuXHltwl6V9J/mN PMb9MCnXmLQa2Dt4bnzGgT0Jr+vxq/JhM7w/2EBOicn+AefMCEhpYLK+bbBKvmik NUhbiOzx8Ve0LcmfetGjWWFLbblxIhipQCmliwF2xQXNd7y3WCx0gSKE60PLebO/ 6FZe2dpkG7vmD2B3ppjhtpUDlyWAaCwNUFR/HuMUKqu+bdIDT1WYHtPJdH9yhK7r gmNIQ/+eX00vBApkK0LJvkPmG/NNb5gmmcG/qvRTUmvd9kg45LqQH/bQd5riET8F lO6LvkeBEYkf3wi6Tm8XjqkJ4RX8JNxIE5c+Uhz9SiFQo4MELOl6znGumV5YIXkD G8r997L+lF1oRUOKhmx1Mr0r1jL2oEpPdwOqusbvn9vdxzwjc989P20M2mAaT2KR v6ia+rrbG25XUOv5nGoWEU/oD9sOfcXTN9DobIY0ZTKAZOL/3APGOFT/WVOUIRwc zS+X0HkeU3aBqWaYZMkJduwUo72KUacj2HyR+CChYcWMe1jvuXMHIx7PdRyYZtHx e8tD4G37Pzw= =3JaE -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5766 Cisco Firepower Management Center Software XML External Entity Injection Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Firepower Management Center Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20938 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xxe-MzPC4bYd Comment: CVSS (Max): 4.3 CVE-2022-20938 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Firepower Management Center Software XML External Entity Injection Vulnerability Priority: Medium Advisory ID: cisco-sa-fmc-xxe-MzPC4bYd First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwb53694 CVE Names: CVE-2022-20938 CWEs: CWE-611 Summary o A vulnerability in the module import function of the administrative interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view sensitive information. This vulnerability is due to insufficient validation of the XML syntax when importing a module. An attacker could exploit this vulnerability by supplying a specially crafted XML file to the function. A successful exploit could allow the attacker to read sensitive data that would normally not be revealed. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xxe-MzPC4bYd This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products At the time of publication, this vulnerability affected Cisco FMC Software. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found by Sanmith Prakash of Cisco during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xxe-MzPC4bYd Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yBO8kNZI30y1K9AQgLkg/8DEgTyNlZdrmSPYJvuCik10xGDIUJ2a4h eOxLdVHWRgnDLTMqtiDsDsHOxlwS3j0JdftVUGzFrAkkaYQSqZKZyGNjeHZM3VZW DKnTZ7KHg4ud2FRl6vHXmXMt8SR99UjYlpXKlmsh1bWzx7BT8V8CeDEeq7ixqzOM Wni+zFfPRitPtq+PTX8FHGajd3aOWZBU1vz0eq2r8UE8nwdyiLr/4VJIyi+iagTD r/Ch8d4/GOMYXEIsDk2bpmU6apEPv7LspCmteNM3OfsumbbYg61SpXIRYmAZkLuf MqXzbf7WTehzrn6xg8Xq/ExRAin46ue/RMAKQrfJFQQpzfphtnKzaekz+awC5zMi LDJHCTG4CM5ZQ0XqxO6meThAbp07onorEzTjU4j8sJDx8q3xzBiKbCNr+O33btJ3 VFUiPZnNHEyZtwuqQ1N3KGp+eA+n+1iZrLx7Tgb2lgXESc0TR3fzjGsMoj9cA1cD h/lSyzSt3dJETU3mPNXVRb1HgXXf/xMoo7IFbH2hA9aEQWi9GAu9WbvLcwXW9YKJ Ehbw9q8YXQYTs6wB9LJcWpqfyJyQmJE5hJoTLV2nRT+SuMVBbu9LiY+KiT2YVPNS UzwuVDtyc8lcpc4CbXjf0ngkg/ViAjkuNE1d3stxSXsQAEjqZ8/+eJRS85S/yMhL bS0VI5hyZYY= =ua4c -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5765 Cisco Firepower Management Center Software Information Disclosure Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Firepower Management Center Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20941 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-info-disc-UghNRRhP Comment: CVSS (Max): 5.3 CVE-2022-20941 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Firepower Management Center Software Information Disclosure Vulnerability Priority: Medium Advisory ID: cisco-sa-fmc-info-disc-UghNRRhP First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwa85709 CVE Names: CVE-2022-20941 CWEs: CWE-334 Summary o A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to missing authorization for certain resources in the web-based management interface together with insufficient entropy in these resource names. An attacker could exploit this vulnerability by sending a series of HTTPS requests to an affected device to enumerate resources on the device. A successful exploit could allow the attacker to retrieve sensitive information from the device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-info-disc-UghNRRhP This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products At the time of publication, this vulnerability affected Cisco FMC Software. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: Adaptive Security Appliance (ASA) Software Firepower Threat Defense (FTD) Software Next-Generation Intrusion Prevention System (NGIPS) Software Workarounds o There are no workarounds that address this vulnerability. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o Cisco would like to thank security researcher Albert Sanchez for reporting this vulnerability. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-info-disc-UghNRRhP Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yA+skNZI30y1K9AQhomxAAvQZUQqARXAQUKq5RysILQnuUIyFkWbLP yuvqtsniSzb1+7i/or1iGddaFf6E31uu1WMkTioDlrn7kVrcKmVyZ/yxvwZV6zLM jPYbU0QVO+HcGNCwqWFflUzqIoPhx0pfO6satQpmcvwsdb50iskJCuifD+w9YidK Ad+0xiMdjeAZzC8XPWuFzSYFspzGE1/S+8xhnEuZ1Lyg9iRfwge2GHkwazpD4G9i WauBmTwFo4SOoarPZj37INOgjBFcgdhzm63Dnn1p9jX5bCghDd4kusXbGwqzunRP LKo3O6YmEkoeMHTSZ7NqX2BCXZcKzPVP0tNRBftxIzpbXywJEBUmf547N9GUKTvU QLJSILrZi3NLpBScEpnNw7OcE1aPx8eSDfNOf/oyzAZ8uQokI6gaF+kOfugaiHY2 y3+Ob5keHGfeuhqa8xzkY0TaJ87V/jSdQC2Uy2YVyCiVcKE6DdXC7LSqtv6cDlSz WzOVPEv6LZkF6C1MGDOnD4En8KpTHjefXbkgI4qkVfjcU4Iz8gPlj7d5fBlXjLAa 5U/rhTDcyumlVaPNq++I26t+ZorCczOmDd/Yx70kfNWbOXLTbgByGBJ6gB0+6omo Xm5et3YmJo2ofA9fgGq3eAuzo4MD5R6ijNwOBSDtMUuPc6NLRFjfQ3E97tSWq0hU nXhDmzmyoho= =g0t/ -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5764 Cisco Firepower Management Center Software Cross-Site Scripting Vulnerabilities 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Firepower Management Center Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20936 CVE-2022-20935 CVE-2022-20932 CVE-2022-20905 CVE-2022-20872 CVE-2022-20843 CVE-2022-20840 CVE-2022-20839 CVE-2022-20838 CVE-2022-20836 CVE-2022-20835 CVE-2022-20834 CVE-2022-20833 CVE-2022-20832 CVE-2022-20831 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-LATZYzxs Comment: CVSS (Max): 4.8 CVE-2022-20936 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Firepower Management Center Software Cross-Site Scripting Vulnerabilities Priority: Medium Advisory ID: cisco-sa-fmc-xss-LATZYzxs First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwa64739 CSCwa93499 CSCwb01976 CSCwb01983 CSCwb01990 CSCwb01995 CSCwb02006 CSCwb02018 CSCwb02020 CSCwb02026 CSCwb61901 CSCwb61908 CSCwb61919 CSCwb88587 CSCwc10037 CVE Names: CVE-2022-20831 CVE-2022-20832 CVE-2022-20833 CVE-2022-20834 CVE-2022-20835 CVE-2022-20836 CVE-2022-20838 CVE-2022-20839 CVE-2022-20840 CVE-2022-20843 CVE-2022-20872 CVE-2022-20905 CVE-2022-20932 CVE-2022-20935 CVE-2022-20936 CWEs: CWE-79 Summary o Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-LATZYzxs This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products At the time of publication, these vulnerabilities affected Cisco FMC Software. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities. Cisco has confirmed that these vulnerabilities do not affect Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software. Workarounds o There are no workarounds that address these vulnerabilities. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. Source o CVE-2022-20932: Cisco would like to thank Thuy Nguyen and Kien Luong of Cybersecurity Research as well as Albert Sanchez for reporting this vulnerability. The remainder of the vulnerabilities were found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication Cross-Site Scripting URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-LATZYzxs Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yAvskNZI30y1K9AQiioA//Xf6OKNMmxO11DT9SpKX78whn6sG/WGJj lMpSqKeqG9lsgd56NKe/QrIJwlXW7nKFxXcq1bCxImHklhafWzbVhV/3GgDr9hTo T9klSUGP7s1hhGsj9gEg5R5MarEKGHgUhCs8j/cUugx1uBC2kL/fLx3k5nmNp4ul 8YM2DWeQYN3uogYoqyFjqnVZS/It6+WgWv5mtUGSwB0aE3WRtAg/mSyUI9CDK2uP 3An6mQaFwZFtL191SMNpFDNTvEWOOa0TiuacxchotHVzGs27k+VJygwE/94aLBnN 1kw8jhp3gyJGYK/UW2Cs5JgF1x/2awpT20fPmoykOfJknEQmwkjtVGoGw62gd5LW uvDE6XMn94C3uQYrCYsYvzBXXWOTIafS21IQPKNOh1yhU6be+3abGXIWTviAEEJq fZSlEqtr6xJZobhwElJAzYuhRmGcwWvmD5UY8zJS3L/ZQphWW+8eGJ7ZidD5ewt2 yQCOcPbHO6c1rkbJ+y9YyJCxVjMzAP1AvTp4UeVHWXg0r3W0h+NjzM9rdQ3hOMrU 433SrfOfRahNUeI2UVQ/cUOqzMNUeHaz0PwVIQ+8OCI6cGurqSOTRbTkCg1nsZc/ dsWZO+ywJKhaWVdIEIgZFIJ+4MeGXGAB0R2qJykogDkRyoDJW0ZC20HzTJFdEk78 H+YRNEIRFL4= =2yNv -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5763 Cisco Firepower Management Center Software Command Injection Vulnerabilities 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Firepower Management Center Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20926 CVE-2022-20925 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-Z3B5MY35 Comment: CVSS (Max): 6.3 CVE-2022-20926 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Firepower Management Center Software Command Injection Vulnerabilities Priority: Medium Advisory ID: cisco-sa-fmc-cmd-inj-Z3B5MY35 First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwb23029 CSCwb23048 CVE Names: CVE-2022-20925 CVE-2022-20926 CWEs: CWE-77 Summary o Multiple vulnerabilities in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. These vulnerabilities are due to insufficient validation of user-supplied parameters for certain API endpoints. An attacker could exploit these vulnerabilities by sending crafted input to an affected API endpoint. A successful exploit could allow an attacker to execute arbitrary commands on the device with low system privileges. To successfully exploit these vulnerabilities, an attacker would need valid credentials for a user who has Devices permissions. By default, only Administrator, Security Approver and Network Admin roles have these permissions. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-Z3B5MY35 This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products At the time of publication, these vulnerabilities affected Cisco FMC Software. For information about which Cisco software releases are vulnerable at the time of publication, see the Fixed Software section of this advisory. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities. Cisco has confirmed that these vulnerabilities do not affect the following Cisco products: Firepower Threat Defense (FTD) Software Adaptive Security Appliance (ASA) Software Workarounds o There are no workarounds that address these vulnerabilities. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform (for Cisco ASA and FTD Software only). 4. Enter a release number-for example, 16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . Exploitation and Public Announcements o The Cisco Product Security Incident Response team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. Source o These vulnerabilities were found by Brandon Sakai of Cisco during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-Z3B5MY35 Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yAgckNZI30y1K9AQhfzxAAsUQGP9nNLY11B1dQnON5uu8poF4WlKnh 5h40DSEeY0mtDeb7NT4f3LIgZP6wCfeOTo1ni9m17ohXayU0WQ/YRikrqUFJeNWv nv8TJAD7SQ0yi0ORbukwu3SGXf3B8U3Nm4cyg1C6X+3lEJS/vhfBt6bPBzonk+LG xfRitu7JN+S/UIZ2+Hi8IN6LuO3+QhtNH1vM0Sz4elAir5PXEZFhaBRWZjWRLuH1 5ryASPty6mf6p4RJeo1af3vND5LTnfAy8fGoMPI/POuip9iQvDVdl42FahZCWcBr 2i69+4P+e1Vf3NcCv/By8k6IsIvlBf6PT/n5ogZE0nhqolt60fQZyVEnD/Qd3aXn bNTiwWTLnsIF2cOXbACrTekjb0ePX25qByromhLTEmldDiesm48uvp12tVj8oE3/ iDtydYtr4FDei+QNRzLs46+FzVBxSVJ9YpyYi5G7bglBcWA+k46dKQmGzLQXm8b5 svgPFVH+ZGNSHJOb2YOInS9RsiG+DTniIxNa77tGhGPy1OMkXezzBl2rgG9bfr2/ o67xDylAP1hU9nUgypOYxJ5zIhbli10UbS80V8Jz3Hmrl9aVji0ZkiH3V6YZQWS/ VeeWSKhZBehiOBS/RAs0kJw+kW6fCe+TcX1x5siryDLjQL1ezuTHk6gpUG2/YelT I0Abcnawf6I= =U8Hz -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5760 TITLE: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SSL/TLS Client Denial of Service Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Adaptive Security Appliance Software Firepower Threat Defense Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20927 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssl-client-dos-cCrQPkA Comment: CVSS (Max): 7.7 CVE-2022-20927 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SSL/TLS Client Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-ssl-client-dos-cCrQPkA First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvz98540 CVE Names: CVE-2022-20927 CWEs: CWE-120 Summary o A vulnerability in the SSL/TLS client of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper memory management when a device initiates SSL/TLS connections. An attacker could exploit this vulnerability by ensuring that the device will connect to an SSL/TLS server that is using specific encryption parameters. A successful exploit could allow the attacker to cause the affected device to unexpectedly reload, resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssl-client-dos-cCrQPkA This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software: ASA 5500-X Series Firepower 4100 Series Firepower 9300 Series For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: 3000 Series Industrial Security Appliances (ISAs) ASA Virtual Appliance Firepower 1000 Series Firepower 2100 Series Firepower Management Center (FMC) Software Firepower Threat Defense Virtual (FTDv) Next-Generation Intrusion Prevention System (NGIPS) Software Secure Firewall 3100 Series Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssl-client-dos-cCrQPkA Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yAPMkNZI30y1K9AQi2/Q//afDbET4PH4G887kn81ejekL74fxRqLSy yrQERgeAIB+du0DcicfFS2ynBw6cLfIe9aSei9AEdmGHt3kKxNetYOSYMWrmgFk0 rzrx6scCk4t8PcuXQO6dqTJua13ke2kyRkVZUOt9yLBwWV7Q/k7e3bTFWtlFdC1s 5h6hF4CgUjcAe4NV/jq5C774gqOMlfxRPjKd5D1H8ITT9xzQTA2asl3x1ZpcXx8E DYETto9j1LOXDbWwUQ7mpAce0FTYO0QenWxsC/kqMrf6Irru3RZD+1f8t+CY9S4Q XPz/P/K1fpx7Ze5+B4Avrf3QEcFlOPs1mLh8m0dY+UilBUHYWYhC5WFCpI0vuWGw t06fItcHS4K7/NRqE87yfXuUos9J9imsMBYO0jQcJmOAOWIhVyoWko3PZmxzqJA9 RFvrmhOpY3nMm2vwyj+Qbgb2U6imeOyaoIDRARVW5Q0jxkODnmymGJ9GIUGzN8GH ES5Enp8n5VrO2Mcb9cPu7bSMdOq6R2hOEdB3sqFcz7BrSTRJ6Esf/51wSTfcIyOO b6DRMEX2WnlB6eM9YLQICNf3k1exarYEPcOf1VPO4nX8+11eF8FdQx8BvPBZ5oj2 IU9/S93UMVFZf+W6HygJ85JfRpqhWtvuBD51RDW+73Rm47golCoLX0YMcIi/e4XS 404n0JTz4aM= =b56/ -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5762 Cisco FirePOWER Software for ASA FirePOWER Module, Firepower Management Center Software, and NGIPS Software SNMP Default Credential Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: FirePOWER Software for ASA FirePOWER Module NGIPS Software Firepower Management Center Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20918 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmcsfr-snmp-access-6gqgtJ4S Comment: CVSS (Max): 7.5 CVE-2022-20918 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco FirePOWER Software for ASA FirePOWER Module, Firepower Management Center Software, and NGIPS Software SNMP Default Credential Vulnerability Priority: High Advisory ID: cisco-sa-fmcsfr-snmp-access-6gqgtJ4S First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: Yes Cisco Bug IDs: CSCwa97541 CVE Names: CVE-2022-20918 CWEs: CWE-284 Summary o A vulnerability in the Simple Network Management Protocol (SNMP) access controls for Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module, Cisco Firepower Management Center (FMC) Software, and Cisco Next-Generation Intrusion Prevention System (NGIPS) Software could allow an unauthenticated, remote attacker to perform an SNMP GET request using a default credential. This vulnerability is due to the presence of a default credential for SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2). An attacker could exploit this vulnerability by sending an SNMPv1 or SNMPv2 GET request to an affected device. A successful exploit could allow the attacker to retrieve sensitive information from the device using the default credential. This attack will only be successful if SNMP is configured, and the attacker can only perform SNMP GET requests; write access using SNMP is not allowed. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmcsfr-snmp-access-6gqgtJ4S This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products This vulnerability affects devices that are running Cisco FirePOWER Software for ASA FirePOWER module, Cisco FMC Software, or Cisco NGIPS Software releases 7.0.0 through 7.0.4 if they have any version of SNMP enabled. This vulnerability is fixed in software Release 7.0.5 and later. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Determine the Device Configuration To determine whether SNMP is enabled on Cisco FirePOWER Software for ASA FirePOWER module or Cisco NGIPS Software using devices that are managed by Cisco FMC Software, choose Devices > Platform Settings > Enable SNMP Servers . If the interface of an SNMP server in the SNMP Host tab is configured for the Cisco FirePOWER Software for ASA FirePOWER module management interface, then the device is considered vulnerable. To determine whether SNMP is enabled on Cisco FMC Software, choose Devices > Device Management . If Admin State is checked, SNMP is enabled. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco ASA Software or Cisco Firepower Threat Defense (FTD) Software. Workarounds o A user with Administrator privileges can execute the following commands in expert mode to apply a workaround for this vulnerability: # expert # sudo su - # sed -i 's/^com2sec/#com2sec/' /etc/snmp/snmpd.conf # pmtool restartbyid snmpd If SNMP is not needed on the device, the administrator can remove the SNMP configuration so the device will not be affected by this vulnerability. The administrator can also reduce the attack surface by allowing SNMP connections only from trusted SNMP monitoring hosts. While this workaround and mitigation have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . Cisco FirePOWER Software for ASA FirePOWER Module and Cisco NGIPS Software At the time of publication, the release information in the following table (s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability that is described in this advisory and which release included the fix for this vulnerability. Cisco FirePOWER Software Release First Fixed Release Earlier than 7.0 Not vulnerable 7.0 ^1 7.0.5 1. Cisco FirePOWER Software Release 7.0 is the final release for the Cisco ASA FirePOWER module and Cisco NGIPS Software. Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Exploitation and Public Announcements o The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmcsfr-snmp-access-6gqgtJ4S Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2x/3MkNZI30y1K9AQjNoBAAoQaUZb9/nhtmRvC7e2O78q56sYG5+Xu+ N3nO6bXV3FIs8e2BUbNkh+FFu9TXd8mHFBFhLtZJRoC63gL4rtt6wPLyHamWg7S+ 0RJ0g6WXX4OVjhXYQN3RWpqKfNT/fUlkaMTN0XG1vaf+/GEzQZ5spYmN+VI/Y7pD EP18xXeHDTxW8H0doQInuwOgIi+vq7BJaNxFYViXmkFnPA0yynv/KnaoQjlwP+dJ Cpp5Sjsb0RsiE+xMqX3lRdOAOp7XI85cnnFIZHGd45sQ1/08K+eUAIxMl4/aQB0w eHKidwV+a4+rRz0Z5rwJzpNQwMZEUQRzM1UOxcv3BXFJyOWnc2H0bvX+TvEMH35r m2HrmnmmE0K83O9nMt/Qb/ZZNnNu65CWdpllkdC2v0OQxc86WgaIx0arkoeKpOpJ AyLwIJZ9ep/QJJ0Bdvuoxz0cOjZkpRM7ewIttkhJejnJofF9X4NVMwk8UKQkaLaX pzhpH15yhGZAbTb961gzGNC6qrScH+/AKMWJhiycFuMfMmZUDYqXB9pc+hDjJ0a5 ONm5seVVgpp4jiNe5wKNJwkeVj59s2Ge7AGWn2X2PZ/S7IroGMZQGKSa3aKpRaWH wTlttwXUBXcCg+nyy0BRkH63Tcd5dDn0gFstPAOCX5Ux6o5wv5cO428SzzHxB5sG aSlMfe4KGxg= =1LX+ -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5761 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software VPN Authorization Bypass Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Adaptive Security Appliance Software Firepower Threat Defense Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20928 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vp-authz-N2GckjN6 Comment: CVSS (Max): 5.8 CVE-2022-20928 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software VPN Authorization Bypass Vulnerability Priority: Medium Advisory ID: cisco-sa-asa-ftd-vp-authz-N2GckjN6 First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwa81795 CVE Names: CVE-2022-20928 CWEs: CWE-863 Summary o A vulnerability in the authentication and authorization flows for VPN connections in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish a connection as a different user. This vulnerability is due to a flaw in the authorization verifications during the VPN authentication flow. An attacker could exploit this vulnerability by sending a crafted packet during a VPN authentication. The attacker must have valid credentials to establish a VPN connection. A successful exploit could allow the attacker to establish a VPN connection with access privileges from a different user. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vp-authz-N2GckjN6 This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products At the time of publication, this vulnerability affected Cisco products if they were running a vulnerable release of Cisco ASA Software or Cisco FTD Software and had VPN with multi-factor authentication (MFA) enabled. For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco Firepower Management (FMC) Software. Details o Exploitation of this vulnerability could allow an attacker to establish a VPN connection as a different user. If authorization is enabled, it could allow the attacker to bypass network access protections by obtaining access privileges from a different user. The overall impact of exploitation is organization specific because it depends on the importance of the assets that the different authorization levels were supposed to protect. Customers should evaluate how exploitation of this vulnerability would impact their network and proceed according to their own processes for handling and remediating vulnerabilities. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform (for Cisco ASA and FTD Software only). 4. Enter a release number-for example, 16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vp-authz-N2GckjN6 Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2x/aMkNZI30y1K9AQghhw/+MYEQYIV/9GfOobatnsA5ZSf0TfqUkfxt +Mu/cZIw9eKlxK2Pv5jgCQc4Ig4PrfcxRayebMJe1bzQv2UETYsPq76P0l3JzBYp lHuxusBjx7v7CEgeOIv9Lw7/V6QvKiBljwff1e9K9226cZcGExOQX5lgPWZ3X3gL 14iX0pJZY0jrHBul7Ei2kRrsdd3MVHSFFJosgeVAdF7LvrHGPAvVTdn1r4va6U0J v4a0JL0HRIszLdlqbho4yJFLPypdvVOEWnOQZPMSXRVpjaOMBo/sfoXi/0l7NCkV sL8FhL7+aB6BJvwtaPBkAyEXuVZuCXQ8Y+NInBNWzg4hg1OWLNgWZxSZTehXGyIN wuMRygMixG+r84SCr7MxNW1FWtYySKw9ssFA/7PFpwXveRawydomlkTGK0ZJrv4t fI8TJLWH3lJBfKHSRPcWG5Hrz4bLkcc+FhrGKZZnWnHt8flEBDqSZoY23Fdl5OFE bBpZVPgzTHgEqY0iniSglsXXyFNd3RAV+mZVRzZfmazu4ZFspFnqYPAV0qLk13Mb lPDXPv1ZpLEifD8+8KjuXu71TMuOfw1mQw1GFZDkoTePBA7VtErjKTEFyOxmLp/E +j/zguJ/REYKKZ3GU0mg9lNSLePnnWnhR2uLf0SFAAP3jnylMlXNVFrbUiR/9Mfn JsNzD00XvZY= =QFH+ -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5759 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SNMP Denial of Service Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Adaptive Security Appliance Software Firepower Threat Defense Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20924 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-snmp-dos-qsqBNM6x Comment: CVSS (Max): 7.7 CVE-2022-20924 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SNMP Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-asaftd-snmp-dos-qsqBNM6x First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwb05148 CVE Names: CVE-2022-20924 CWEs: CWE-703 Summary o A vulnerability in the Simple Network Management Protocol (SNMP) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-snmp-dos-qsqBNM6x This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products This vulnerability affects Cisco ASA Software and Cisco FTD Software if they have remote SNMP management enabled. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Determine Whether SNMP is Enabled To determine if SNMP is enabled on a device, do one of the following options. Option 1: Use the CLI Use the show running-config snmp-server command. This option works for both Cisco ASA Software and Cisco FTD Software. If the output includes an snmp-server entry, the system is affected by this vulnerability, regardless of which version of SNMP is configured. The following example shows the output for a device that has SNMP access configured for SNMP Version 2c: ASA# show running-config snmp-server snmp-server host mgmt 10.10.10.10 community snmpro version 2c ASA# Option 2: Use the Cisco Firepower Management Center GUI For Cisco FTD devices that are managed by Cisco Firepower Management Center (FMC) Software, do the following: 1. Log in to Cisco FMC. 2. Choose Devices > Platform Settings . 3. Choose a policy object to review. 4. In the left-hand column, choose SNMP . If the Enable SNMP Servers check box is checked and there are entries on the Hosts tab, devices that have the selected policy deployed are vulnerable. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: FMC Software Next-Generation Intrusion Prevention System (NGIPS) Software Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Additional Resources For help determining the best Cisco ASA, FTD, or FMC Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco ASA Compatibility Cisco Secure Firewall ASA Upgrade Guide Cisco Secure Firewall Threat Defense Compatibility Guide Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-snmp-dos-qsqBNM6x Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2x/G8kNZI30y1K9AQhghw/8D1vvwrRaCNM31lGa1JcXUL9UcjQ3WAqD D+6GlsLF1IwAyaVDih1GfrguZ1RIM25GADI5DSTdsiYc9Lo9AY9HEZSR75Od1Om/ SBb8K9A4vVBV8tVtCKGdL8a5CLlnJNQlma1BbWlJLn+xYu6XdvxApwMBq9uuc7Z9 V0uhvKdLahx1LvORe9hZj/lXCxcHx2atFb+uGkuQRwyyfVCqmWfQpe9ZoerffG9p A7m+wAUfWiywTfvR6RgW4wdaLVOfhbW8+UD7kaln2kM9J/cWHQPtXURgCwtdynTg 3Om/VAEWxFepdwh3id8QaHXGoUJd9VSEndgePiwC2HALH5cIpITw29F2HoyDQsoh +JQ9MVvYeEwqlLToTSnECuFjywvV2rbLP9u7ogoF0Nw8aDrf9jiDWsWZY94z+B6n hEF8nNEsS4erLVB3nSDKbsFV5dJC/pHAAr8b3lOQB+SObz4kRBv73kvyhVGCF0u4 l1YcOPHqQ1uEwSTdToKpBvwQua0LlwANDyNhRNzHdQT+e+xT4i/finXh7Poqor2D K6OND/ho/gL5v9Zyry2D5Jn4GNYcSpStOCjVUE8FXHwTL2qt1W2uBHCLumBeB32E 3VFk7wCl7GzelxD+nVqvKzuqj7Xrt4UA79I5/pmQJKLFtyr5XUaWAlgoHVZPEr2O By7vUTWKpFg= =0kwJ -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5758 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Dynamic Access Policies Denial of Service Vulnerability 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Adaptive Security Appliance Software Firepower Threat Defense Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20947 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-dap-dos-GhYZBxDU Comment: CVSS (Max): 8.6 CVE-2022-20947 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Dynamic Access Policies Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-asa-ftd-dap-dos-GhYZBxDU First Published: 2022 November 9 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwa47041 CVE Names: CVE-2022-20947 CWEs: CWE-119 Summary o A vulnerability in dynamic access policies (DAP) functionality of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. This vulnerability is due to improper processing of HostScan data received from the Posture (HostScan) module. An attacker could exploit this vulnerability by sending crafted HostScan data to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-dap-dos-GhYZBxDU This advisory is part of the November 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products This vulnerability affects Cisco products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software and all of the following conditions are true: Remote access SSL VPN is enabled. HostScan is enabled. At least one custom DAP is configured. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Determine the Remote Access SSL VPN and HostScan Configuration Use the show running-config webvpn | include enable command on the device CLI to assess the remote access SSL VPN configuration and the HostScan configuration. If the output of that command contains at least one line starting with enable , remote access SSL VPN is configured. If the output of that command contains a line with hostscan enable , HostScan is configured. The following example shows the output of the show running-config webvpn command on a device that has both remote access SSL VPN enabled on the outside interface and HostScan enabled: asa# show running-config webvpn | include enable webvpn enable outside hostscan enable Empty output for this command indicates that neither remote access SSL VPN nor HostScan are configured. If either of these lines is missing, the respective feature is not configured. Determine the DAP Configuration Use the show running-config dynamic-access-policy-record command on the device CLI to assess the DAP configuration. If the output of that command contains at least one record in addition to the DfltAccessPolicy record, a custom DAP is configured. The following example shows the output of the show running-config dynamic-access-policy-record command on a device that has the custom DAP named DAP_TEST_POLICY configured: asa# show running-config dynamic-access-policy-record dynamic-access-policy-record DfltAccessPolicy dynamic-access-policy-record DAP_TEST_POLICY user-message "NO WAY IN!" action terminate Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco Firepower Management (FMC) Software. Workarounds o There are no workarounds that address this vulnerability. However, administrators may disable HostScan by issuing the no hostscan enable command in the configuration mode of the device. While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco ASA, FMC, and FTD Software To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker . This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies ("Combined First Fixed"). To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps: 1. Choose which advisories the tool will search-all advisories, only advisories with a Critical or High Security Impact Rating (SIR) , or only this advisory. 2. Choose the appropriate software. 3. Choose the appropriate platform. 4. Enter a release number-for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software. 5. Click Check . For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide . Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: November 2022 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-dap-dos-GhYZBxDU Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-NOV-09 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2x+MMkNZI30y1K9AQh9iBAAkydg24NmCLv1wrgJn9vXktZ4VsjLit+B 7cQ4/nF7tSkJI0TXrOH/CGwGkH6wPf12jJCB7lCmow2hY1vuMVLetgvIxOZMbYZ8 3lMM8o779kC8H9X4trPfVQQjel2yz+Gh44a3KzbpVFpMivPfogeNTu6ZmzOG2FT+ wARGaFHN0tjWUzCYSdxNZEP9hA7QPZDxtPMug+5Yro33th3JhmjKy+rOKS3igDl6 pIGspgbBtL4BiOzge9A+djQyxC5qdzOZBbJ4dq8R6pNYSsDl5Qp3ir7vmUXZsgtr jDOsqqZ4yUAxPELmnLW94t6Imx6L5c7xrbZF+XkSn3m0PXbYHfKGogQtHKMw4eqf 75JfnOE5TKn1OJsV6k4+/G0Q+xs/JUQl4MjZuFFk8ts7tekL34fyXMGh549T5vgC NtLc282aBQWFG8UxhjI6QPqfwP2vdfncwv47JkHaosBL15b8JvqlBUjdBL1sYZX6 o/pPJ0E/O3Zv3JTdvSCbzyrfS9F7j3IznhYTdfz/iJQD92DXakaRRfFA4HT6GLYN OsJ5eTwN4H2qVU5kARHhMm600g87fdnFdpX84aGnbxFwFFyGkIC9nbPPXg4jmQ9E Am1a7fcwK4u6YCHv79dNrlzbF1Jd3PdaQvMjwi/FhY1g8nM4MWKaaBuvSHNSsM5O v9BAzQ2uIXc= =vjKw -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5477.4 K44030142: OpenSSL vulnerabilities CVE-2022-3786 and CVE-2022-3602 10 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: F5 Products Publisher: F5 Networks Operating System: Network Appliance Resolution: None Original Bulletin: https://support.f5.com/csp/article/K44030142 Revision History: November 10 2022: F5 updated severity of the vulnerability November 3 2022: Vendor updated bulletin November 2 2022: F5 updated advisory with CVE details and product vulnerability details November 1 2022: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- K44030142: OpenSSL vulnerabilities CVE-2022-3786 and CVE-2022-3602 Original Publication Date: 29 Oct, 2022 Latest Publication Date: 10 Nov, 2022 Security Advisory Description o CVE-2022-3786 A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). o CVE-2022-3602 A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Note: For more details about CVE-2022-3786 and CVE-2022-3602, refer to OpenSSL Security Advisory [01 November 2022]. Impact For products with None in the Versions known to be vulnerable column, there is no impact. For products with ** in the various columns, F5 will update this article after confirming the required information. F5 Support has no additional information about this issue. Security Advisory Status To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following tables. You can also use iHealth to diagnose a vulnerability for BIG-IP and BIG-IQ systems. For more information about using iHealth, refer to K27404821: Using F5 iHealth to diagnose vulnerabilities. For more information about security advisory versioning, refer to K51812227: Understanding security advisory versioning. In this section o BIG-IP and BIG-IQ o F5OS o NGINX o Other products BIG-IP and BIG-IQ BIG-IP is Not vulnerable because OpenSSL 3.x is not included in BIG-IP releases. To see the OpenSSL versions that run on BIG-IP systems, refer to K11398383: BIG-IP third-party software matrix. If the preceding article does not apply to your version, follow the links in the article to the third-party software article for your BIG-IP release. Note: After a fix is introduced for a given minor branch, that fix applies to all subsequent maintenance and point releases for that branch, and no additional fixes for that branch will be listed in the table. For example, when a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to K51812227: Understanding security advisory versioning. +------------+------+--------------+----------+----------+------+-------------+ | | |Versions known|Fixes | |CVSSv3|Vulnerable | |Product |Branch|to be |introduced|Severity |score^|component or | | | |vulnerable^1 |in | |2 |feature | +------------+------+--------------+----------+----------+------+-------------+ |BIG-IP (all |All |None |Not |Not |None |None | |modules) | | |applicable|vulnerable| | | +------------+------+--------------+----------+----------+------+-------------+ |BIG-IP SPK |1.x |** |** |** |** |** | +------------+------+--------------+----------+----------+------+-------------+ |BIG-IQ | | |Not |Not | | | |Centralized |All |None |applicable|vulnerable|None |None | |Management | | | | | | | +------------+------+--------------+----------+----------+------+-------------+ ^1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy. ^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. **Confirmation of vulnerability or non-vulnerability is not presently available. F5 will update this article with the most current information as soon as it has been confirmed. F5 Support has no additional information on this issue. F5OS +-------+------+----------------+----------+----------+-------+---------------+ | | |Versions known |Fixes | |CVSSv3 |Vulnerable | |Product|Branch|to be vulnerable|introduced|Severity |score^2|component or | | | |^1 |in | | |feature | +-------+------+----------------+----------+----------+-------+---------------+ |F5OS-A |All |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-------+------+----------------+----------+----------+-------+---------------+ |F5OS-C |All |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-------+------+----------------+----------+----------+-------+---------------+ ^1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy. ^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. NGINX +---------+------+---------------+----------+----------+------+---------------+ | | |Versions known |Fixes | |CVSSv3|Vulnerable | |Product |Branch|to be |introduced|Severity |score^|component or | | | |vulnerable^1 |in | |2 |feature | +---------+------+---------------+----------+----------+------+---------------+ |NGINX | | |Not |Not | | | |(all |All |None |applicable|vulnerable|None |None | |products)| | | | | | | +---------+------+---------------+----------+----------+------+---------------+ ^1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy. ^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. Other products +-------+------+----------------+----------+----------+-------+---------------+ | | |Versions known |Fixes | |CVSSv3 |Vulnerable | |Product|Branch|to be vulnerable|introduced|Severity |score^2|component or | | | |^1 |in | | |feature | +-------+------+----------------+----------+----------+-------+---------------+ |Traffix|All |None |Not |Not |None |None | |SDC | | |applicable|vulnerable| | | +-------+------+----------------+----------+----------+-------+---------------+ ^1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy. ^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. Supplemental Information o K41942608: Overview of security advisory articles o K12201527: Overview of Quarterly Security Notifications o K51812227: Understanding security advisory versioning o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K8986: F5 product support policies o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2yY88kNZI30y1K9AQjPhg//U5ChofNMX+Ucj0a8NyH21aeIlpX7SGD7 oa/DLiANm4T7RJ3NUbXoRJY7EpdPoSbszK7oyfhiMO34zFK601SPPah05+QrEWz7 nm3y6SF+h3g8z/AvDOHOMOpbCoOZso0Akyzc7AzUUs8zx71UG1o1f+eX3guuazfD /8vBooX++tuLQOjzUrWDfXR3IZMP3IqldLdOdQL90y+09XWDlG0JPRaeY750qhOQ x/gPiejzZ1H5zKtAZ2Nqx7eaV6VWEHJ+KpD0fffbUGPBNnliaF7jG8MGh+E4dV6m qR5VUK5LfE1l1uNhFxDFtezwR3V7Lp8Vy0biftGmUPkY0Ih5OC9P3RnLkmkSCk3k faHRpWPDWqXywRWHe639YD1pF/bsPgW4xrlZMo8ztX0MiSBAUKK9CY0+JEA7wHBM MdhyrApiOC7E9LU5dI5ufZR+4gK4LP0LUk2tiOhXIC1nkwoSTMpfCWTEawDkli3S t5FnYExl4yDsH7ZlylkILg0TmJ8mbyzie8tAG2vl5xgzXjskRRVXx2D0vcLQ0Tct Fx69b9DAnGfl/YyV/spwrAcvCossEkrqgZGSbvBMWqefHGsL2IMKBOK2p22aHvYR yeHDdfAHsHQPfOHh61BH4X6lx4hzTORyADzFxMQSyQagwSaed3kYr2xDL7LKqS/c 9RvOvDkw8hI= =qgln -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5677.2 cSRX Series: Storing Passwords in a Recoverable Format and software permissions issues allows a local attacker to elevate privileges (CVE-2022-22251) 9 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Junos OS Publisher: Juniper Networks Operating System: Juniper Resolution: Patch/Upgrade CVE Names: CVE-2022-22251 Original Bulletin: https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-cSRX-Series-Storing-Passwords-in-a-Recoverable-Format-and-software-permissions-issues-allows-a-local-attacker-to-elevate-privileges-CVE-2022-22251 Comment: CVSS (Max): 7.8 CVE-2022-22251 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Revision History: November 9 2022: Correcting the typo in the Title November 8 2022: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Article ID: JSA69908 Product Affected: This issue affects Junos OS 20.2, 20.3, 20.4, 21.1. Affected platforms: cSRX Series. Severity Level: High CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Problem: On cSRX Series devices software permission issues in the container filesystem and stored files combined with storing passwords in a recoverable format in Juniper Networks Junos OS allows a local, low-privileged attacker to elevate their permissions to take control of any instance of a cSRX software deployment. This issue affects Juniper Networks Junos OS 20.2 version 20.2R1 and later versions prior to 21.2R1 on cSRX Series. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue was found during internal product security testing or research. This issue has been assigned CVE-2022-22251. Solution: The following software releases have been updated to resolve this specific issue: Junos OS 21.2R1, and all subsequent releases. Additionally, customers using Docker or Kubernetes must contact JTAC to receive additional guidance on applying commands manually to deployments to provide a complete fix. This issue is being tracked as 1564383 which is visible on the Customer Support website. Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL). IMPLEMENTATION: Software Releases, patches and updates are available at https://support.juniper.net/support/downloads/. Workaround: There are no viable workarounds for this issue. To reduce the risk of exploitation of this issue, use access lists or firewall filters to limit access to the cSRX instance to only trusted administrative networks, hosts and users. Severity Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories." Modification History: 2022-10-12: Initial Publication. Related Information: KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process KB16765: In which releases are vulnerabilities fixed? KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team Last Updated: 2022-10-12 Created: 2022-10-12 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY2tRAMkNZI30y1K9AQgreg/+LBFA1pMxDrkg5B4Mh/LT7pI90D32y2FV gm0zgfnOOKs6HH+Cc7njEoFGb4ltXNhOYKuHSNPbzPjRsT2igRK9NBKq54joRo9N GYg9nEab7kueLD8CR+HCz0CvPEZ6sc6tZ7fYtqU7tixXCDRNDRcP1xscXZ3xMm2W CZH36p6iclX/wRcEJ/EAIjM2NecGZIc5uqWp9Nj5eY5W4eGtspprXBsshe1WDI25 3Xyi2EMwlBsgxKFaXBaKTxJl8isFYK1IpL6VeWLBJ+sQtOHZxH/BCBNNAWf4vw8f d4pFDBZTDTu90GwjlVAdprUTzDFxcPup9DQvQpg9ncynHCmPWY12NH0Q/cbj2wWG nGiHD/wq0aNLvzxSposA5shHqAAtGNP3FrN3KItR+bIOncu54UPgwDpSkuEanuEz juILTZBJ0hyn6OvR/U5JGjtp0scbZEv3xpMVKqbTb4pxYQWKvtdHGRf8fQkccxZi uG16o3A0THRrCsAdBEdkbcU2gc2GZ3uROEl7Fa5BYflr9rFQW/XYoVR5lyFzdUlj aUjV1aFNzWFUJNFZjF755VWmgLtFCnWhKIeW2AXdL2yppxJ1fkAfElo8rCEucD73 FfT/2eh7eRDbIYMR5TvzBe9X5CHto5e7nVZGPdi3OasrP77PRW/3UUEgy2cQRITB 9aSgO1X0zbo= =iinB -----END PGP SIGNATURE-----