Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution With Root Privileges

MS-ISAC ADVISORY NUMBER:

2019-104

DATE(S) ISSUED:

10/04/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for arbitrary code execution with root privileges on the affected system. An attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• Adaptive Security Virtual Appliance (ASAv)
• Cisco FMC Software
• Cisco products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software that is configured to perform FTP inspection.
• Cisco products that are running a vulnerable release of Cisco ASA Software and that have either the Clientless SSL VPN or AnyConnect SSL VPN enabled.
• Cisco products that are running a vulnerable release of Cisco ASA Software or Cisco FTD Software that is configured to support OSPF routing.
• Firepower 2100 Series Appliances
• Firepower 4100 Series Security Appliances
• Firepower 9300 Series Security Appliances
• Firepower Threat Defense Virtual (FTDv)

RISK:

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for arbitrary code execution with root privileges on the affected system. Details of these vulnerabilities are as follows:

• A vulnerability in the FTP inspection engine of Cisco Adaptive Security (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on an affected device. (CVE-2019-12673)
• A vulnerability in the Internet Key Exchange version 1 (IKEv1) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated remote attacker to trigger a reload of an affected device resulting in a denial of service (DoS) condition. (CVE-2019-15256)
• A vulnerability in the Open Shortest Path First (OSPF) implementation of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated adjacent attacker to cause a reload of an affected device resulting in a denial of service (DoS) condition. (CVE-2019-12676)
• A vulnerability in the Session Initiation Protocol (SIP) inspection module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on an affected device. (CVE-2019-12678)
• A vulnerability in the Secure Sockets Layer (SSL) VPN feature of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated remote attacker to cause a denial of service (DoS) condition that prevents the creation of new SSL/Transport Layer Security (TLS) connections to an affected device. (CVE-2019-12677)
• A vulnerability in the web UI of the Cisco Firepower Management Center (FMC) could allow an authenticated remote attacker to inject arbitrary commands that are executed with the privileges of the root user of the underlying operating system. (CVE-2019-12690)
• A vulnerability in the web UI of the Cisco Firepower Management Center (FMC) could allow an authenticated remote attacker to execute arbitrary commands on an affected device. (CVE-2019-12687, CVE-2019-12688)
• A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated remote attacker to execute arbitrary code on the underlying operating system of an affected device. (CVE-2019-12689)
• Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated remote attacker to execute arbitrary SQL injections on an affected device. (CVE-2019-12679, CVE-2019-12680, CVE-2019-12681, CVE-2019-12682, CVE-2019-12683, CVE-2019-12684, CVE-2019-12685, CVE-2019-12686)
• Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. (CVE-2019-12674, CVE-2019-12675)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution with root privileges on the affected system. An attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

• Install the update provided by Cisco immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
• Apply the Principle of Least Privilege to all systems and services.

REFERENCES: