Cisco has emitted a fresh round of software updates to address nearly three dozen security holes in its products.
The patches, released over May 6 and 7, include 12 issues considered high-severity bugs, and another 22 classified as moderate severity. One of the holes has two CVE numbers assigned to it, so that's a total of 35 CVE-listed security vulnerabilities.
Despite the absence of a critical remote code or command execution bug, the patches include a number of serious programming blunders, particularly in the context of the network security appliances where they were found.
The Adaptive Security Appliance (ASA) range – Cisco's fancy term for a firewall – is host to 11 of the bug fixes. Among the more serious is CVE-2020-3125, a Kerberos bypass that can be exploited by "an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access."
"The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received," Cisco said of the flaw.
"An attacker could exploit this vulnerability by spoofing the KDC server response to the ASA device."
Then there's CVE-2020-3187, a directory traversal bug that would allow an unauthenticated remote attacker to read or temporarily delete files (they get restored with a reboot) on the Web Services file system. This also serves as a denial of service bug, allowing the aggressor to crash the appliance with a simple HTTP request, by deleting these sensitive files. Given that ASA is often used to protect VPNs, this would be bad.
"This can affect connection between branch offices in a distributed network, disrupt email, ERP, and other critical systems," said Mikhail Klyuchnikov, one of the two Positive Technologies researchers credited with discovering and reporting the flaw.
"Another problem is that internal resources may become unavailable to remote workers. This is especially dangerous now that many employees are working remotely due to the coronavirus outbreak."
ASA is also prone to denial of service errors via OSPF packets (CVE-2020-3298), SSL and TLS connections (CVE-2020-3196), Media Gateway Control Protocol (CVE-2020-3254), IPv6 (CVE-2020-3191), OSPF (CVE-2020-3195), DHCP (CVE-2020-3306), BGP (CVE-2020-3305), and IKEv1 (CVE-2020-3303).
In terms of sheer number of flaws, big target in this latest batch of fixes is the Firepower firewall line, host to 18 CVE-listed vulnerabilities.
These include denial of service via SSL/TLS (CVE-2020-3283), VPN tunnel connection (CVE-2020-3189), Generic Routing Encapsulation (CVE-2020-3179), XML (CVE-2020-3310), remote management (CVE-2020-3188), or even normal IPv4/IPv6 data packets (CVE-2020-3255,).
While not considered a major risk because it requires local network access, one of the more interesting bugs was CVE-2020-3253, a flaw in the support tunnel feature that allows an authenticated attacker to open a shell connection on the firewall. That would allow a rogue user or miscreant breaking in to really get stuck into the network.
"The vulnerability is due to improper configuration of the support tunnel feature. An attacker could exploit this vulnerability by enabling the support tunnel, setting a key, and deriving the tunnel password," Cisco says.
"A successful exploit could allow the attacker to run any system command with root access on an affected device."
CVE-2020-3285, a flaw in the handling of Snort over TLS, could let a remote attacker bypass URL filters on the appliance. Signature verification can be bypassed by exploiting CVE-2020-3308, and information disclosure (unauthorized remote read access) is possible with CVE-2020-3312.
Other fixes include HTTP header injection bugs in Umbrella (CVE-2020-3246), HTTP detection (Snort) security bypass bugs in multiple routers and security appliances (CVE-2020-3315), and a bug in Cisco Content SMA allowing users to be redirected to attack sites (CVE-2020-3178).
Admins are advised to test and install the patches as soon as possible, hopefully before next Tuesday when Microsoft, Intel, Adobe, and SAP are due to deliver their monthly security fixes. ®