CVE-2020-3285 - Unspecified vulnerability in Cisco Firepower Threat Defense

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Tags: network, low complexity, cisco, nessus

Summary

A vulnerability in the Transport Layer Security version 1.3 (TLS 1.3) policy with URL category functionality for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured TLS 1.3 policy to block traffic for a specific URL. The vulnerability is due to a logic error with Snort handling of the connection with the TLS 1.3 policy and URL category configuration. An attacker could exploit this vulnerability by sending crafted TLS 1.3 connections to an affected device. A successful exploit could allow the attacker to bypass the TLS 1.3 policy and access URLs that are outside the affected device and normally would be dropped.

Nessus

NASL family: CISCO
NASL id: CISCO-SA-SSL-BYPASS-O5TGUM2N.NASL
description: According to its self-reported version, Cisco Firepower Threat Defense Software is affected by a remote code execution vulnerability in Transport Layer Security. This is due to a logic error within SNORT handling. An unauthenticated, remote attacker can exploit this to bypass web traffic policies blocking specific URLs.
last seen: 2020-05-21
modified: 2020-05-15
plugin id: 136623
published: 2020-05-15
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136623
title: Cisco Firepower Threat Defense Software SSL/TLS URL Category Bypass Vulnerability (cisco-sa-ssl-bypass-O5tGum2n)
code:
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(136623);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/18");

  script_cve_id("CVE-2020-3285");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvq93669");
  script_xref(name:"CISCO-SA", value:"cisco-sa-ssl-bypass-O5tGum2n");
  script_xref(name:"IAVA", value:"2020-A-0205");

  script_name(english:"Cisco Firepower Threat Defense Software SSL/TLS URL Category Bypass Vulnerability (cisco-sa-ssl-bypass-O5tGum2n)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco Firepower Threat Defense Software is 
affected by a remote code execution vulnerability in Transport Layer Security. 
This is due to logic error withing SNORT handling. An unauthenticated, remote attacker 
can exploit this to bypass web traffic policies blocking specific URLs.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssl-bypass-O5tGum2n
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?14e8f395");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq93669");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvq93669");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3285");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:firepower_threat_defense");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl", "cisco_enumerate_firepower.nbin", "cisco_asa_firepower_version.nasl");
  script_require_keys("installed_sw/Cisco Firepower Threat Defense");

  exit(0);
}
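# Cisco helper libraries used by the version check below.
include('cisco_workarounds.inc');
include('ccf.inc');

# Product details for the detected install, including its self-reported version.
product_info = cisco::get_product_info(name:'Cisco Firepower Threat Defense');

# Affected releases: 6.4.0 up to, but not including, the fixed release 6.4.0.9.
vuln_ranges = [
  {'min_ver' : '6.4.0', 'fix_ver' : '6.4.0.9'}
];

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvq93669',
  'disable_caveat', TRUE
);

# Report the host when its version falls inside vuln_ranges.
cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);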
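
Added example (not part of the Tenable plugin or of Cisco's advisory): the same version-range decision the plugin makes, written in Python so an exported device inventory can be triaged offline. It assumes the range is read as min_ver inclusive and fix_ver exclusive; the hostnames, version strings and build-suffix formats are constructed sample data.

```python
import re

# Range copied from the plugin's vuln_ranges entry on this page.
VULN_RANGES = [{"min_ver": "6.4.0", "fix_ver": "6.4.0.9"}]


def parse_version(text, width=4):
    """Return the leading dotted version as a zero-padded tuple of ints."""
    # Suffixes such as '-34' or ' (Build 34)' are ignored; those formats are
    # assumptions about how an inventory might report the build number.
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (width - len(parts))  # 6.4.0 == 6.4.0.0


def is_affected(version_text, ranges=VULN_RANGES):
    """True when min_ver <= version < fix_ver for any listed range."""
    version = parse_version(version_text)
    return any(
        parse_version(r["min_ver"]) <= version < parse_version(r["fix_ver"])
        for r in ranges
    )


def triage(inventory):
    """Map each hostname to 'upgrade' or 'ok' from its reported version."""
    return {host: "upgrade" if is_affected(ver) else "ok"
            for host, ver in inventory.items()}


# Constructed inventory: hostnames and version strings are sample data.
SAMPLE_INVENTORY = {
    "ftd-edge-01": "6.4.0",
    "ftd-edge-02": "6.4.0.4-34",
    "ftd-dc-01": "6.4.0.9",
    "ftd-dc-02": "6.4.0.10 (Build 95)",
    "ftd-lab-01": "6.3.0.5",
    "ftd-lab-02": "6.5.0",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:20} {status}")
```

Versions are compared as integer tuples because a plain string comparison sorts "6.4.0.10" before "6.4.0.9" and would flag a release newer than the fix as affected.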