Vulnerabilities > CVE-2018-0383 - Protection Mechanism Failure vulnerability in Cisco Firepower Management Center 6.2.2.1/6.2.3/6.3.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
cisco
CWE-693
nessus

Summary

A vulnerability in the detection engine of Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to bypass a file policy that is configured to block the transfer of files to an affected system via FTP. The vulnerability exists because the affected software incorrectly handles FTP control connections. An attacker could exploit this vulnerability by sending a maliciously crafted FTP connection to transfer a file to an affected device. A successful exploit could allow the attacker to bypass a file policy that is configured to apply the Block upload with reset action to FTP traffic. Cisco Bug IDs: CSCvh70130.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing Functionality Not Properly Constrained by ACLs
    In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.
  • Clickjacking
    In a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system. While being logged in to some target system, the victim visits the attackers' malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the attacker wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the attacker may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks he's clicking on versus what he or she is actually clicking on.
  • Cross Site Tracing
    Cross Site Tracing (XST) enables an attacker to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to destination system's web server. The attacker first gets a malicious script to run in the victim's browser that induces the browser to initiate an HTTP TRACE request to the web server. If the destination web server allows HTTP TRACE requests, it will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. The function of HTTP TRACE, as defined by the HTTP specification, is to echo the request that the web server receives from the client back to the client. Since the HTTP header of the original request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the attackers' malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an attacker can exploit that weakness directly to get his or her malicious script to issue an HTTP TRACE request to the destination system's web server. In the absence of an XSS weakness on the site with which the victim is interacting, an attacker can get the script to come from the site that he controls and get it to execute in the victim's browser (if he can trick the victim's into visiting his malicious website or clicking on the link that he supplies). However, in that case, due to the same origin policy protection mechanism in the browser, the attackers' malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. An attacker will then need to find a way to exploit another weakness that would enable him or her to get around the same origin policy protection.
  • Directory Indexing
    An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
  • Dictionary-based Password Attack
    An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Nessus

NASL familyCISCO
NASL idCISCO-SA-20180711-FIREPOWER.NASL
descriptionAccording to its self-reported version, the Cisco Firepower Threat Defense Software is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
last seen2020-06-01
modified2020-06-02
plugin id111211
published2018-07-20
reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/111211
titleCisco Firepower and FireSIGHT Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(111211);
  script_version("1.2");
  script_cvs_date("Date: 2019/11/04");

  script_cve_id(
    "CVE-2018-0370",
    "CVE-2018-0383",
    "CVE-2018-0384",
    "CVE-2018-0385"
  );
  script_bugtraq_id(
    104725,
    104726,
    104727,
    104728
  );
  script_xref(name:"CISCO-BUG-ID", value:"CSCvi09219");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvi29845");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvh70130");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvh84511");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvi36434");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180711-firepower-dos");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180711-firesight-file-bypass");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180711-firesight-url-bypass");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180711-firepwr-ssl-dos");
  script_xref(name:"IAVA", value:"2018-A-0236");

  script_name(english:"Cisco Firepower and FireSIGHT Multiple Vulnerabilities");
  script_summary(english:"Checks the Cisco Firepower Threat Defense Software version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Firepower Threat
Defense Software is affected by one or more vulnerabilities. Please
see the included Cisco BIDs and the Cisco Security Advisory for more
information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-firepower-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b62bc4eb");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-firesight-file-bypass
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fee237aa");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-firesight-url-bypass
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f84e9916");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-firepwr-ssl-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9ad82087");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi09219");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi29845");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh70130");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh84511");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi36434");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s)
CSCvi09219, CSCvi29845, CSCvh70130, CSCvh84511, and CSCvi36434.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0383");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:firepower");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:firepower_threat_defense");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("misc_func.inc");
include("global_settings.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

show_ver = get_kb_item_or_exit('Host/Cisco/show_ver');
model = get_kb_item_or_exit('Host/Cisco/ASA/model');

VULN = FALSE;
override = 0;

fdm_ver = pregmatch(string:show_ver, pattern:"\s*Model\s*:\s+Cisco.*Threat\s+Defense.*Version\s+([0-9.]+)");
if (isnull(fdm_ver)) audit(AUDIT_HOST_NOT, "affected");

if (
  fdm_ver[1] == "5.4.0" ||
  fdm_ver[1] == "6.0.0" ||
  fdm_ver[1] == "6.1.0" ||
  fdm_ver[1] == "6.1.0.7" ||
  fdm_ver[1] == "6.2.0" ||
  fdm_ver[1] == "6.2.0.5" ||
  fdm_ver[1] == "6.2.1" ||
  fdm_ver[1] == "6.2.2" ||
  fdm_ver[1] == "6.2.2.1" ||
  fdm_ver[1] == "6.2.2.2" ||
  fdm_ver[1] == "6.2.3" ||
  fdm_ver[1] == "6.3.0"
)  vuln = TRUE;

# Cisco hasn't stated a fix, but lists the latest versions as vuln.
if (vuln)
{
  report =
  '\n  Bug               : CSCvi09219, CSCvi29845, CSCvh70130, CSCvh84511, and CSCvi36434' +
  '\n  Installed version : ' + fdm_ver[1] +
  '\n  Fix               : ' +"See advisory";
  security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);
} else audit(AUDIT_HOST_NOT, "affected");