SB2020050706 - Multiple vulnerabilities in Cisco Firepower Threat Defense Software
Published: May 7, 2020 Updated: May 7, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Protection Mechanism Failure (CVE-ID: CVE-2020-3285)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a logic error with Snort handling of the connection with the Transport Layer Security (version 1.3) policy and URL category configuration. A remote attacker can send a specially crafted TLS connections to an affected device, bypass the TLS policy and access URLs that are outside the affected device and normally would be dropped.
2) Resource management error (CVE-ID: CVE-2020-3188)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the default session timeout period for specific to-the-box remote management connections is too long. A remote attacker can send a large and sustained number of crafted remote management connections and perform a denial of service (DoS) attack.
3) Resource exhaustion (CVE-ID: CVE-2020-3189)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in the VPN System Logging functionality. A remote attacker can create or delete a VPN tunnel connection, which could leak a small amount of system memory for each logging event, trigger resource exhaustion and perform a denial of service (DoS) attack.
4) Resource exhaustion (CVE-ID: CVE-2020-3255)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in the packet processing functionality. A remote attacker can send a high rate of IPv4 or IPv6 traffic through an affected device, trigger resource exhaustion and perform a denial of service (DoS) attack.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssl-bypass-O5tGum2n
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-mgmt-interface-dos-FkG4MuTU
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-Rdpe34sd8
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-N2vQZASR