Cisco Advisories for FTD, ASA, Firepower 1000
Cisco has released a number of advisories for Firepower and Adaptive Security Appliance (ASA).
Cisco Adaptive Security Appliance Software
CVE-2020-3259 - Web Services Information Disclosure Vulnerability – High
- An unauthenticated, remote, attacker can access memory and potentially confidential information.
CVE-2020-3298 - Malformed OSPF Packets Denial of Service Vulnerability – High
- An unauthenticated, remote, attacker could cause a device to reload resulting in DOS
CVE-2020-3196 – SSL/TLS Denial of Service Vulnerability - High
- Unauthenticated, remote attacker can exhaust memory resources leading to DOS
CVE-2020-3195 – OSPF Packet Processing Memory Leak Vulnerability – High
- Unauthenticated, remote attacker can exhaust memory resources resulting in DOS
Firepower Threat Defense
CVE-2020-3259 - Web Services Information Disclosure Vulnerability – High
- An unauthenticated, remote attacker can access memory and potentially confidential information.
CVE-2020-3298 - Malformed OSPF Packets Denial of Service Vulnerability – High
- An unauthenticated, remote, attacker could cause a device to reload resulting in DOS
CVE-2020-3255 – Packet Flood Denial of Service Vulnerability – High
- An unauthenticated, remote attacker can cause a DOS on the device.
CVE-2020-3189 – VPN System Logging Denial of Service Vulnerability - High
- Unauthenticated, remote attacker can cause memory leak resulting in device degradation or crash.
CVE-2020-3196 – SSL/TLS Denial of Service Vulnerability - High
- Unauthenticated, remote attacker can exhaust memory resources leading to DOS
CVE-2020-3195 – OSPF Packet Processing Memory Leak Vulnerability – High
- Unauthenticated, remote attacker can exhaust memory resources resulting in DOS
Firepower 1000
CVE-2020-3283 – SSL/TLS Denial of Service Vulnerability – High
- Unauthenticated, remote attacker can cause buffer underrun resulting in DOS.
Althought Cisco rated all of these vulnerabilities the same, high, most of them require a patient, determined attacker and will result in a DOS condition. The exception to this is CVE-2020-3259 which can result in a breach of sensitive information. Either way the solution is to upgrade to an unaffected version of the software.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
Comments