Cisco Firewall Vulnerabilities Enable Denial of ServiceNo Workaround Available; Users Urged to Patch Immediately
Vulnerabilities uncovered in Cisco firewall products can allow an unauthenticated attacker to trigger a denial-of-service condition, according to researchers at security firm Positive Technologies.
The flaws can be exploited if a user is running Cisco's ASA - Adaptive Security Appliance - and Cisco FTD -Firepower Threat Defense, with a vulnerable AnyConnect or WebVPN configuration.
The severity level of the vulnerabilities, which are tracked as CVE-2021-34704, was assessed as high, with a CVSS score of 8.6.
So far, there is no workaround that addresses these vulnerabilities, but Cisco has released software updates and asks users to install them immediately.
Cisco's ASA provides users with secure access to data and network resources - anytime, anywhere, using any device. "These devices represent more than 15 years of proven firewall and network security engineering and leadership, with more than 1 million security appliances deployed throughout the world," says the company's website.
Cisco's FTD is unified software that is designed to provide next-generation firewall services, including stateful firewall capabilities, static and dynamic routing, next-generation intrusion prevention systems - NGIPS, application visibility and control, URL filtering and advanced malware protection.
A spokesperson for Cisco was not immediately available to comment on the newly discovered vulnerabilities.
Flaws Can Knock Out Firewall, VPN
Researchers claim that if a hacker disrupts the operation of Cisco ASA and Cisco FTD, the user’s company will be left without a firewall and remote access, or VPN.
“If the attack is successful, remote employees or partners will not be able to access the internal network of the organization, and access from the outside will be restricted," says Nikita Abramov, researcher at Positive Technologies. "At the same time, firewall failure will reduce the protection of the company. All this can negatively impact company processes, disrupt interactions between departments, and make the company vulnerable to targeted attacks."
Cisco issued a security advisory and states that the vulnerabilities were caused by improper input validation when parsing HTTPS requests.
"An attacker could exploit these vulnerabilities by sending a malicious HTTPS request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition," Cisco's advisory states.
To determine if a Cisco ASA or Cisco FTD has a vulnerable feature configured, a user needs to run the CLI command "show-running-config" to find out if "crypto ikev2 enable client-services port" or "webvpn enable" are configured.
"If a device is running a vulnerable release and has one of these features configured, it is vulnerable," the advisory notes.
Abramov says that an attacker does not need elevated privileges or special access to exploit the vulnerability.
"It is enough to form a simple request in which one of the parts will be different in size than expected by the device. Further parsing of the request will cause a buffer overflow, and the system will be abruptly shut down and then restarted," Abramov notes.
Positive Technologies researchers recommend using a SIEM solution or a next-generation vulnerability management system, which can help identify suspicious behavior, prevent intruders from moving laterally within the corporate network and provide continuous monitoring of vulnerabilities within the infrastructure.
Other Significant Updates
Cisco released an urgent software update in September 2021 to fix a critical authentication bug that can allow an unauthenticated remote attacker to bypass authentication and log into an affected device as an administrator (see: Cisco Patches Critical Authentication Bypass Bug).
The bug, assigned CVE-2021-34746 with a CVSS score of 9.8, was rated critical. The vulnerability affected the TACACS+ authentication, authorization and accounting feature of Cisco Enterprise NFV Infrastructure Software.