Vulnerabilities > CVE-2020-3283 - Out-of-bounds Write vulnerability in Cisco products

047910
CVSS 8.6 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
cisco
CWE-787
nessus

Summary

A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handler of Cisco Firepower Threat Defense (FTD) Software when running on the Cisco Firepower 1000 Series platform could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition on an affected device. The vulnerability is due to a communication error between internal functions. An attacker could exploit this vulnerability by sending a crafted SSL/TLS message to an affected device. A successful exploit could allow the attacker to cause a buffer underrun, which leads to a crash. The crash causes the affected device to reload.

Vulnerable Configurations

Part Description Count
Application
Cisco
9
Hardware
Cisco
16
OS
Cisco
24

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-FTD-TLS-DOS-4V5NMWTZ.NASL
descriptionAccording to its self-reported version, Cisco Firepower Threat Defense Software is affected by a denial of service (DoS) vulnerability in its SSL/TLS handler component due to a communication error between internal functions. An unauthenticated, remote attacker can exploit this issue, by sending a crafted SSL/TLS message to an affected host, to cause the application to stop responding. Please see the included Cisco BIDs and Cisco Security Advisory for more information.
last seen2020-06-05
modified2020-05-26
plugin id136891
published2020-05-26
reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/136891
titleCisco Firepower 1000 Series SSL/TLS Denial of Service Vulnerability (cisco-sa-ftd-tls-dos-4v5nmWtZ)
code
#TRUSTED 228ede2880c0b82c6d3cae5347fd57b671a1acd8dec75210ee08fcadb0333ae2d9b5b96e8c21ead4342328c6d340eed76cc12ff3ac6b480f0cb36e95e41e51631c8e30d0218ab4833aeb82b88dd944ad43740d455f6a711ecc1ab07d202e75ebe4f73cf9f42cd27441ad991605ebf958e923040c4c43d85fba9bf09259b0cef33b76f36e3d68874e5fafb2adb4934fa66e97789840153c12a164a2bf9aa14f0cd6fa0a6d4e8c1c05c4c4724b9fb96d288076bc06cf5383288212731034b0bb33d42ca81063476caeef5c05a2f23fea1b8c95c984c70c186615ed78513119caad026236475e96823e67ae2d41b0da703fc28e54ba6234b6ec3659a5603886510f40a4edef9423c5db46648eee7d9052828e81fde5bf06f30efc82f82762025516f680a09c373faa0dbd42ff6da9815d8b19a8b3b8bd0d44eea4e7c4eba53da09a601df50aa247fc0adb26ed0dd77b7bc70c77b6e998535954c9199d9f0fff9ed516a944fc406f811111d88dc638bedd9c6302d9d1e12b0132ec55ef11231e6d60f8f2d3c13a1ea6d9949d704e8d40ef10382e0a3243335b6abde134ee4e3d224dc45ef6ad0784d3dd40561b4a7f721487eee000ca62d40661f17c0d46055615183206d5e75d5429390ca288c5aa4a2fecdbb29ae35b634f5c43731731307e677c0b8980ec48b3f4f5f4839db145a45eef6f208f4572a521185d1308fe56448ac1
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(136891);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2020-3283");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvq89361");
  script_xref(name:"CISCO-SA", value:"cisco-sa-ftd-tls-dos-4v5nmWtZ");
  script_xref(name:"IAVA", value:"2020-A-0205");

  script_name(english:"Cisco Firepower 1000 Series SSL/TLS Denial of Service Vulnerability (cisco-sa-ftd-tls-dos-4v5nmWtZ)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco Firepower Threat Defense Software is affected by a denial of service 
  (DoS) vulnerability in its SSL/TLS handler component due to a communication error between internal functions. An 
  unauthenticated, remote attacker can exploit this issue, by sending a crafted SSL/TLS message to an affected host, 
  to cause the application to stop responding.

  Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-dos-4v5nmWtZ
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7b40117e");
  script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-73830");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq89361");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvq89361");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3283");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/26");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:firepower_threat_defense");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl", "cisco_asa_firepower_version.nasl", "cisco_enumerate_firepower.nbin");
  script_require_keys("installed_sw/Cisco Firepower Threat Defense", "Settings/ParanoidReport");

  exit(0);
}

include('ccf.inc');
include('cisco_workarounds.inc');

product_info = cisco::get_product_info(name:'Cisco Firepower Threat Defense');
product_info['model'] = product_info['Model'];

# Hotfix detection not yet in place.
if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

if(isnull(product_info['model']) || product_info['model'] !~ "^10[0-9]{2}")
  audit(AUDIT_HOST_NOT, 'an affected model');

vuln_ranges = [{'min_ver' : '6.4.0',  'fix_ver': '6.4.0.9'}];
workarounds = make_list(CISCO_WORKAROUNDS['asa_ssl_tls']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvq89361'
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);