Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Published: 2017-04-20
Updated: 2017-05-06
Summary
A vulnerability in the detection engine parsing of Pragmatic General Multicast (PGM) protocol packets for Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the Snort process unexpectedly restarting. The vulnerability is due to improper input validation of the fields in the PGM protocol packet. An attacker could exploit this vulnerability by sending a crafted PGM packet to the detection engine on the targeted device. An exploit could allow the attacker to cause a DoS condition if the Snort process restarts and traffic inspection is bypassed or traffic is dropped. This vulnerability affects Cisco Firepower System Software that has one or more file action policies configured and is running on any of the following Cisco products: Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services; Adaptive Security Appliance (ASA) 5500-X Series Next-Generation Firewalls; Advanced Malware Protection (AMP) for Networks, 7000 Series Appliances; Advanced Malware Protection (AMP) for Networks, 8000 Series Appliances; Firepower 4100 Series Security Appliances; FirePOWER 7000 Series Appliances; FirePOWER 8000 Series Appliances; Firepower 9300 Series Security Appliances; FirePOWER Threat Defense for Integrated Services Routers (ISRs); Industrial Security Appliance 3000; Sourcefire 3D System Appliances; Virtual Next-Generation Intrusion Prevention System (NGIPSv) for VMware. Fixed versions: 5.4.0.10 5.4.1.9 6.0.1.3 6.1.0 6.2.0. Cisco Bug IDs: CSCuz00876.
Vulnerable Configurations
| Part | Description | Count |
| Application | Cisco | 4 |
Common Weakness Enumeration (CWE)
Nessus
| NASL family | CISCO |
| NASL id | CISCO-SA-20170419-FPSNORT.NASL |
| description | According to its version, the Cisco Firepower Threat Defense (FTD) software installed on the remote host is 5.4.0.x prior to 5.4.0.10, 5.4.1.x prior to 5.4.1.9, or 6.0.1.x prior to either 6.0.1.3, 6.1.0, or 6.2.0. It is, therefore, affected by a denial of service vulnerability in the packet detection and inspection engine due to improper validation of fields in Pragmatic General Multicast (PGM) protocol packets. An unauthenticated, remote attacker can exploit this, via a specially crafted PGM protocol packet, to cause the Snort process to restart, allowing traffic inspection to be bypassed or traffic to be dropped. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 100424 |
| published | 2017-05-25 |
| reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/100424 |
| title | Cisco Firepower Detection Engine Pragmatic General Multicast Protocol Decoding DoS (cisco-sa-20170419-fpsnort) |