漏洞分享 - 思科產品存在多個漏洞

                                                                                                                                               

 思科產品存在多個漏洞

一、摘要

        思科產品存在多個漏洞，允許遠端攻擊者利用這些漏洞，於目標系統觸發阻斷服務、遠端執行程式碼、繞過保安限制及權限提升。

二、存在風險

        思科產品存在多個漏洞，允許遠端攻擊者利用這些漏洞，於目標系統觸發阻斷服務、遠端執行程式碼、繞過保安限制及權限提升，其影響系統或版本如下：

• 受影響之系統/漏洞描述：
• Cisco Adaptive Security Appliance and Firepower Threat Defense Software Inactive-to-Active ACL Bypass Vulnerability
• CVE編號：CVE-2024-20293
• 漏洞描述：Cisco Adaptive Security Appliance (ASA) 和 Cisco Firepower Threat Defense (FTD) 的存取控制清單(ACL) 啟動過程中存在漏洞，其可允許未經授權之遠端攻擊者繞過已配置的ACL。
• 影響系統/版本：
• ASA Software releases 9.19.1 to 9.19.1.24, 9.20.1, or 9.20.1.5
• FTD Software releases 7.3.0 to 7.4.0
  
  
• Cisco Adaptive Security Appliance and Firepower Threat Defense Software Authorization Bypass Vulnerability
• CVE編號：CVE-2024-20355
• 漏洞描述：Cisco Adaptive Security Appliance (ASA) 和 Cisco Firepower Threat Defense (FTD) 中用於VPN服務的SAML2.0單一登入(SSO)存在漏洞，其可允許已取得授權之遠端攻擊者在易受影響的設備上建立VPN會話。
• 影響系統/版本：有啟用SAML2.0功能的Cisco Adaptive Security Appliance (ASA) 和 Cisco Firepower Threat Defense (FTD) 設備。註：可以透過下方指令檢查是否為2。
• 檢查：show running-config tunnel-group | count authentication.*saml
  
  
• Cisco Firepower Management Center Software Object Group Access Control List Bypass Vulnerability
• CVE編號：CVE-2024-20361
• 漏洞描述：Cisco Firepower Management Center (FMC) 的存取控制清單(ACL)存在漏洞，允許遠端攻擊者繞過已配置的ACL。
• 影響系統/版本：有啟用high availability的Cisco Firepower Management Center (FMC) 。註：可透過下方指令確認是否有回傳failover字串，如有回傳，可能存在漏洞。
• 檢查：show running-config failover
  
  
• Cisco Firepower Threat Defense Software Encrypted Archive File Policy Bypass Vulnerability
• CVE編號：CVE-2024-20261
• 漏洞描述：Cisco Firepower Threat Defense (FTD)的加密存檔檔案的檔案策略功能中存在漏洞，允許未經授權之遠端攻擊者繞過已配置的檔案政策，進而阻擋檔案加密。
• 影響系統/版本：Cisco Firepower Management Center (FMC)設備中有運行檔阻止加密檔案的政策，該裝備可能會受影響。
• 檢查：
• (1) Policies > Access Control > Malware & File
• (2) To view archive file inspection options, choose Advanced Settings in the file policy editor.
• (3) Look at the Block Encrypted Archives check box. If it is checked, the device is considered vulnerable.
  
  
• Multiple Cisco Products Snort 3 HTTP Intrusion Prevention System Rule Bypass Vulnerability
• CVE編號：CVE-2024-20363
• 漏洞描述：多種Cisco產品產品中的Snort Intrusion Prevention System(IPs)規則引擎存在漏洞，允許未經授權之遠端攻擊者繞過已配置的規則。
• 影響系統/版本：有運行Open Source Snort 3的設備。
• 1000 Series Integrated Services Routers (ISRs)
• 4000 Series ISRs
• Catalyst 8000V Edge Software
• Catalyst 8200 Series Edge Platforms
• Catalyst 8300 Series Edge Platforms
• Catalyst 8500L Edge Platforms
• Cloud Services Routers 1000V
• Integrated Services Virtual Router (ISRv)
• 檢查：show utd engine standard status，註：如有輸入UTD enable的資訊，則可能是受影響的設備。
  


• Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software for Firepower 2100 Series Appliances SSL/TLS Denial of Service Vulnerability
• CVE編號：CVE-2023-20006
• 漏洞描述：Cisco Adaptive Security Appliance (ASA) 和 Cisco Firepower Threat Defense (FTD)的hardware-based SSL/TLS cryptography功能存在漏洞，允許未授權之遠端攻擊者在易受影響之系統重新啟動系統並導致阻斷服務(DoS)狀況。
• 影響系統/版本：有啟用SSL/TLS的Cisco Adaptive Security Appliance (ASA) 和 Cisco Firepower Threat Defense (FTD)設備
• 檢查：show asp table socket | include SSL|DTLS

三、建議改善措施：

           企業及使用者如有上述漏洞版本應盡速更新。

    情資報告連結：

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ogsnsg-aclbyp-3XB8q6jX
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-saml-bypass-KkNvXyKW
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-object-bypass-fTH8tDjq
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-archive-bypass-z4wQjwcN
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-ips-bypass-uE69KBMd
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ssl-dos-uu7mV5p6