Vulnerabilities > CVE-2017-3887 - Improper Handling of Exceptional Conditions vulnerability in Cisco Firepower Threat Defense 6.0.1/6.1.0/6.2.0

CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
high complexity
cisco
CWE-755
nessus

Summary

A vulnerability in the detection engine that handles Secure Sockets Layer (SSL) packets for Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition because the Snort process unexpectedly restarts. This vulnerability affects Cisco Firepower System Software prior to the first fixed release when it is configured with an SSL Decrypt-Resign policy. More Information: CSCvb62292. Known Affected Releases: 6.0.1 6.1.0 6.2.0. Known Fixed Releases: 6.2.0 6.1.0.2.

Nessus

NASL family: CISCO
NASL id: CISCO-SA-20170405-CFPW.NASL
description: According to its version, the Cisco Firepower Threat Defense (FTD) software installed on the remote device is prior to 6.1.0.2 or else is 6.2.x prior to 6.2.0.1. It is, therefore, affected by multiple vulnerabilities: - A denial of service vulnerability exists in the detection engine reassembly of Secure Sockets Layer (SSL) packets due to improper handling of an SSL packet stream. An unauthenticated, remote attacker can exploit this, via a crafted SSL packet stream, to cause the Snort process to consume a high level of CPU resources. (CVE-2017-3885) - A denial of service vulnerability exists in the detection engine due to improper handling of an SSL packet in an established SSL connection. An unauthenticated, remote attacker can exploit this, via a crafted SSL packet stream, to cause the Snort process to restart, allowing traffic inspection to be bypassed or traffic to be dropped. (CVE-2017-3887)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 100423
published: 2017-05-25
reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/100423
title: Cisco Firepower Detection Engine SSL Multiple DoS (cisco-sa-20170405-cfpw) (cisco-sa-20170405-cfpw1)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

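# Registration pass: when the engine loads the plugin with `description` set,
# only the metadata below is recorded and the script exits before any check.
if (description)
{
  # Plugin identity and revision.
  script_id(100423);
  script_version("1.5");
  script_cvs_date("Date: 2018/07/06 11:26:06");

  # Cross references. One plugin covers two separate advisories, each with its
  # own CVE, Bugtraq ID and Cisco bug ID.
  script_cve_id("CVE-2017-3885", "CVE-2017-3887");
  script_bugtraq_id(97451, 97453);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvc58563");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvb62292");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170405-cfpw");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170405-cfpw1");

  script_name(english:"Cisco Firepower Detection Engine SSL Multiple DoS (cisco-sa-20170405-cfpw) (cisco-sa-20170405-cfpw1)");
  script_summary(english:"Checks the version of Cisco Firepower System.");

  script_set_attribute(attribute:"synopsis", value:
"The packet inspection software installed on the remote host is
affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its version, the Cisco Firepower Threat Defense (FTD)
software installed on the remote device is prior to 6.1.0.2 or else is
6.2.x prior to 6.2.0.1. It is, therefore, affected by multiple
vulnerabilities :

  - A denial of service vulnerability exists in the
    detection engine reassembly of Secure Sockets Layer
    (SSL) packets due to improper handling of an SSL packet
    stream. An unauthenticated, remote attacker can exploit
    this, via a crafted SSL packet stream, to cause the
    Snort process to consume a high level of CPU resources.
    (CVE-2017-3885)

  - A denial of service vulnerability exists in the
    detection engine due to improper handling of an SSL
    packet in an established SSL connection. An
    unauthenticated, remote attacker can exploit this, via a
    crafted SSL packet stream, to cause the Snort process to
    restart, allowing traffic inspection to be bypassed or
    traffic to be dropped. (CVE-2017-3887)");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-cfpw
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6debfa41");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-cfpw1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5bc33ad5");
  # One bug-search link per bug ID. The second link originally repeated
  # CSCvc58563, which left CSCvb62292 (the CVE-2017-3887 bug) without a reference.
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc58563");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb62292");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvc58563 and CSCvb62292.");

  # Scoring: network-reachable, availability impact only, no known exploit.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/25");

  # Marked "potential": the finding rests on the reported version string alone,
  # which is also why Settings/ParanoidReport is a required key below.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type",value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:cisco:firepower");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:cisco:firepower_threat_defense");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  # Depends on data gathered by these scripts and on the KB keys they populate.
  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model", "Settings/ParanoidReport");

  exit(0);
}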

include("audit.inc");
include("misc_func.inc");
include("global_settings.inc");

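# This is a version-only check. Nothing below inspects the device's SSL policy
# configuration, so a match means "potentially affected" rather than confirmed;
# the plugin therefore runs only when paranoid reporting is enabled.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Both values come from the knowledge base; the script exits if either is missing.
show_ver = get_kb_item_or_exit('Host/Cisco/show_ver');
model = get_kb_item_or_exit('Host/Cisco/ASA/model');

# Affected Models:
# 5500-X Series
if (model !~ '^55[0-9][0-9][WH]?-X')
  audit(AUDIT_HOST_NOT, "an affected Cisco ASA product model");

# Not read anywhere in the visible script; kept in case later code relies on it.
override = 0;

# Extract the Threat Defense version from the "Model : Cisco ... Threat Defense
# ... Version x.y.z" line of the show version output. No match means the host
# is not reporting FTD software.
fdm_ver = pregmatch(string:show_ver, pattern:"\s*Model\s*:\s+Cisco.*Threat\s+Defense.*Version\s+([0-9.]+)");
if (isnull(fdm_ver)) audit(AUDIT_HOST_NOT, "affected");

installed = fdm_ver[1];

# Pick the fixed release for the installed train: 6.2.x -> 6.2.0.1, anything
# else -> 6.1.0.2. The pattern also accepts a bare "6.2"; with a mandatory
# trailing dot that value fell through to the 6.1.0.2 comparison and was
# reported as not affected.
if (installed =~ "^6\.2($|\.)")
  fix = '6.2.0.1';
else
  fix = '6.1.0.2';

# NOTE(review): every version below 6.1.0.2 is reported, including trains older
# than the releases the advisory lists as known affected - confirm this is intended.
if (ver_compare(ver:installed, fix:fix, strict:FALSE) >= 0)
  audit(AUDIT_HOST_NOT, "affected");

report =
  '\n  Bug               : CSCvc58563 and CSCvb62292' +
  '\n  Installed version : ' + installed +
  '\n  Fixed version     : ' + fix;
security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);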