"Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products"

Cisco recently announced the release of patches for 33 high and medium-severity vulnerabilities impacting enterprise firewall products running Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC) software. Cisco noted that the most severe of the security defects is CVE-2022-20927, a bug in the dynamic access policies (DAP) functionality of ASA and FTD software, allowing a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition. Cisco stated that due to improper processing of data received from the Posture (HostScan) module, an attacker could send crafted HostScan data to cause the affected device to reload. Cisco stated that an equally severe (CVSS score of 8.6) is CVE-2022-20946, a DoS vulnerability in the generic routing encapsulation (GRE) tunnel decapsulation feature of FTD software releases 6.3.0 and later. The issue exists because of memory handling errors during the processing of GRE traffic. Cisco noted that an attacker can exploit the flaw by sending crafted GRE payloads through an affected device, causing it to restart. Cisco stated that three other high-severity DoS vulnerabilities that they resolved this week impact the Simple Network Management Protocol (SNMP) feature and the SSL/TLS client of ASA and FTD, and the processing of SSH connections of FMC and FTD. According to Cisco, these bugs exist due to insufficient input validation, improper memory management when SSL/TLS connections are initiated, and improper error handling when the establishment of an SSH session fails, respectively. Cisco noted that the other high-severity flaws resolved this week include a default credentials issue in ASA and FMC and a secure boot bypass in Secure Firewalls 3100 series running ASA or FTD. Cisco this week issued advisories for a total of 26 medium-severity vulnerabilities in its enterprise firewall products. The most important of the advisories deals with 15 cross-site scripting (XSS) bugs in the web-based management interface of FMC.  

SecurityWeek reports: "Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products"