SB2020050709 - Multiple vulnerabilities in Cisco Firepower Threat Defense Software and Cisco Adaptive Security Appliance (ASA) Software
Published: May 7, 2020 Updated: May 7, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2020-3312)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the application policy configuration. A remote attacker can send a specially crafted traffic to an affected device and gain unauthorized read access to sensitive data.
2) Double Free (CVE-ID: CVE-2020-3179)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory handling error when the generic routing encapsulation (GRE) over IPv6 traffic is processed. A remote attacker can send a specially crafted GRE over IPv6 packets with either IPv4 or IPv6 payload, trigger double free error and cause a denial of service condition on the target system.
3) Resource exhaustion (CVE-ID: CVE-2020-3305)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in the implementation of the Border Gateway Protocol (BGP) module. A remote attacker can send a specially crafted BGP packet, trigger resource exhaustion and perform a denial of service (DoS) attack.
4) Resource management error (CVE-ID: CVE-2020-3303)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources with the application in the Internet Key Exchange version 1 (IKEv1) feature. A remote attacker can send malicious IKEv1 traffic to an affected device and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-infodis-kZxGtUJD
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-2-sS2h7aWe
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-P43GCE5j
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-BqYFRJt9