Vulnerability Advisory: Denial-of-service (DoS) vulnerabilities in multiple Cisco products; administrators are advised to evaluate and apply the updates promptly
2017/10/06
Risk level: High
Summary:

Multiple Cisco products contain security vulnerabilities that allow an unauthenticated remote attacker to cause a denial of service (DoS) on an affected device. Cisco has released software updates that address them.

The affected releases currently known are Cisco Adaptive Security Appliance (ASA) Software 9.1.0 through 9.8.0, Cisco Firepower System Software 6.0.0 through 6.2.0, and Cisco Firepower Threat Defense (FTD) Software 6.0.0 through 6.2.0. HiNet SOC advises administrators to evaluate and apply the updates promptly to reduce the risk of compromise.

Affected systems:
  • Adaptive Security Appliance (ASA) Software (9.1.0 - 9.8.0), running on:
    Cisco ASA 5500-X Series Next-Generation Firewalls
    Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
    Cisco ASA 1000V Cloud Firewall
    Cisco Adaptive Security Virtual Appliance (ASAv)
    Cisco Firepower 4110 Security Appliance
    Cisco Firepower 9300 ASA Security Module
    Cisco ISA 3000 Industrial Security Appliance

  • Firepower System Software (6.0.0 - 6.2.0), running on:
    Cisco 3000 Series Industrial Security Appliances (ISR)
    Cisco ASA 5500-X Series with FirePOWER Services
    Cisco ASA 5500-X Series Next-Generation Firewalls
    Cisco Advanced Malware Protection (AMP) for Networks, 7000 Series Appliances
    Cisco Advanced Malware Protection (AMP) for Networks, 8000 Series Appliances
    Cisco Firepower 7000 Series Appliances
    Cisco Firepower 8000 Series Appliances
    Cisco Firepower Threat Defense for Integrated Services Routers (ISRs)
    Cisco Firepower 2100 Series Security Appliances
    Cisco Firepower 4100 Series Security Appliances
    Cisco Firepower 9300 Series Security Appliances
    Cisco Virtual Next-Generation Intrusion Prevention System (NGIPSv) for VMware

  • Firepower Threat Defense (FTD) Software (6.0.0 - 6.2.0), running on:
    Cisco Adaptive Security Appliance (ASA) 5500-X Series Next-Generation Firewalls
    Cisco Firepower 2100 Series Security Appliances
    Cisco Firepower 4100 Series Security Appliances
    Cisco Firepower 9300 Series Security Appliances
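The release ranges above are the only actionable data in this advisory, and they are easiest to apply when `show version` output from many devices is on hand. The script below is an added example written for this page; it is not HiNet SOC or Cisco code. It compares the major.minor release train against the ranges quoted above (inclusive at both ends), so any device in an affected train is flagged for evaluation rather than declared safe or vulnerable; the first fixed releases are not listed in this advisory and must be taken from Cisco's own advisories. The ASA and FTD banner patterns follow the usual `show version` first line; the Firepower System Software ("Sourcefire") pattern and all sample output are assumptions constructed for the example.

```python
import re
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Affected release trains as listed in this advisory (inclusive). A hit means
# "evaluate against Cisco's fixed-release table", not "confirmed vulnerable":
# the advisory gives ranges only, not the first fixed release in each train.
AFFECTED_TRAINS = {
    "ASA": ((9, 1), (9, 8)),
    "Firepower System Software": ((6, 0), (6, 2)),
    "FTD": ((6, 0), (6, 2)),
}

# How each product announces itself in `show version`. FTD is tried first
# because FTD `show version` also prints an embedded ASA version line.
# The Sourcefire pattern is an assumption; check it against your appliances.
PRODUCT_PATTERNS = [
    ("FTD", re.compile(r"Firepower Threat Defense.*?Version\s+([\d.()]+)")),
    ("ASA", re.compile(r"Adaptive Security Appliance Software Version\s+([\d.()]+)")),
    ("Firepower System Software", re.compile(r"Sourcefire.*?Version\s+([\d.()]+)")),
]

# ASA writes maintenance releases as 9.8(1); FTD/Firepower write 6.2.0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:[.(](\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Turn '9.8(1)', '9.8(1)7' or '6.2.0' into (major, minor, patch).
    A missing third component is treated as 0; returns None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


class Assessment(NamedTuple):
    product: Optional[str]
    version: Optional[Version]
    in_affected_range: bool


def assess(show_version: str) -> Assessment:
    """Identify product and version from `show version` text and compare the
    major.minor train against the advisory's ranges. First matching line wins."""
    for line in show_version.splitlines():
        for product, pattern in PRODUCT_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            version = parse_version(m.group(1))
            if version is None:
                return Assessment(product, None, False)
            low, high = AFFECTED_TRAINS[product]
            return Assessment(product, version, low <= version[:2] <= high)
    return Assessment(None, None, False)


# Constructed sample output for the example; not captured from real devices.
ASA_SAMPLE = """\
Cisco Adaptive Security Appliance Software Version 9.6(2)
Device Manager Version 7.6(2)
Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz
"""
FTD_SAMPLE = """\
Cisco Firepower Threat Defense for VMWare (75) Version 6.2.0 (Build 362)
Cisco Adaptive Security Appliance Software Version 9.7(1)
"""
LATER_TRAIN_SAMPLE = "Cisco Adaptive Security Appliance Software Version 9.9(1)\n"

if __name__ == "__main__":
    for label, text in [("asa", ASA_SAMPLE), ("ftd", FTD_SAMPLE), ("later", LATER_TRAIN_SAMPLE)]:
        print(label, assess(text))
```

Because the comparison is by train, a device on 9.8(x) is flagged even though the advisory's upper bound reads 9.8.0; that is deliberate, since only Cisco's fixed-release table can clear a specific maintenance release within an affected train.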
Solution:

Cisco has released software updates that address these vulnerabilities. Apply the fixed release for your product as listed in the corresponding Cisco advisory (see References).

Details:

Cisco recently released updates to address security vulnerabilities in several products:
(1) The direct authentication feature of Cisco Adaptive Security Appliance (ASA) Software performs incomplete input validation of HTTP headers. A crafted request can cause the affected device to reload or stop unexpectedly, resulting in a denial of service (DoS).
(2) The detection engine of Cisco Firepower System Software does not properly validate IPv6 extension headers. An attacker can send crafted IPv6 packets through an affected device, keeping the engine busy processing them and resulting in a DoS.
(3) The SSL decryption function of Cisco Firepower Threat Defense (FTD) Software is vulnerable. An attacker who continuously sends crafted SSL traffic through an affected device can exhaust system memory, resulting in a DoS.
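Item (2) comes down to validating the IPv6 extension-header chain before acting on it. As an added illustration written for this page (not Cisco's code, and not a reproduction of the flaw), the walker below parses a packet's extension-header chain, checking each header's declared length against the bytes actually present before reading its next-header byte, enforcing the RFC 8200 rule that Hop-by-Hop options come first, flagging repeated headers, and capping chain length. The `MAX_CHAIN` threshold is a policy choice assumed for the example, and the test packets are constructed rather than captured.

```python
import struct
from typing import List, Optional, Tuple

# IANA protocol numbers used as IPv6 "next header" values.
HOPOPTS, ROUTING, FRAGMENT, ESP, AH, NONE, DSTOPTS = 0, 43, 44, 50, 51, 59, 60
WALKABLE = {HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS}  # ESP is opaque, the walk stops there
MAX_CHAIN = 8  # policy cap on chained extension headers; an assumption, not an RFC or Cisco value


def walk_ipv6(pkt: bytes) -> Tuple[List[int], Optional[int], List[str]]:
    """Walk the extension-header chain of one IPv6 packet.

    Returns (extension header types in order, upper-layer protocol or None if
    the walk stopped early, findings). Each header's declared length is checked
    against the bytes actually present before its next-header byte is read.
    """
    chain: List[int] = []
    findings: List[str] = []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return chain, None, ["not an IPv6 packet"]
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if 40 + payload_len > len(pkt):
        findings.append("payload length exceeds captured bytes")
    end = min(len(pkt), 40 + payload_len)
    nh, off = pkt[6], 40
    while nh in WALKABLE:
        if off + 2 > end:
            findings.append(f"header {nh} at offset {off} is truncated")
            return chain, None, findings
        if nh == FRAGMENT:
            hlen = 8                        # fixed size (RFC 8200 section 4.5)
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4   # AH length in 32-bit words minus 2 (RFC 4302)
        else:
            hlen = (pkt[off + 1] + 1) * 8   # 8-octet units, not counting the first 8 (RFC 8200)
        if off + hlen > end:
            findings.append(f"header {nh} at offset {off} claims {hlen} bytes, {end - off} remain")
            return chain, None, findings
        if nh == HOPOPTS and off != 40:
            findings.append("Hop-by-Hop options not first after the fixed header (RFC 8200 section 4.1)")
        # Destination Options may legitimately appear twice; anything else, once.
        if chain.count(nh) >= (2 if nh == DSTOPTS else 1):
            findings.append(f"header {nh} repeated")
        chain.append(nh)
        if len(chain) > MAX_CHAIN:
            findings.append(f"extension header chain longer than {MAX_CHAIN}")
            return chain, None, findings
        nh, off = pkt[off], off + hlen
    return chain, nh, findings


def build_packet(ext_headers: List[int], upper: int = 6) -> bytes:
    """Constructed test packet: fixed header plus minimal extension headers in
    the given order, ending in `upper` (6 = TCP). Options headers carry a PadN
    option; addresses are all zero. Not captured from a real network."""
    order = list(ext_headers) + [upper]
    body = b""
    for cur, nxt in zip(order, order[1:]):
        if cur == FRAGMENT:
            body += bytes([nxt, 0]) + b"\x00" * 6                # reserved, offset/flags, identification
        elif cur == AH:
            body += bytes([nxt, 1]) + b"\x00" * 10               # hdr-ext-len 1 -> (1+2)*4 = 12 bytes
        else:
            body += bytes([nxt, 0]) + b"\x01\x04" + b"\x00" * 4  # hdr-ext-len 0 -> 8 bytes, PadN(4)
    fixed = struct.pack("!IHBB", 0x60000000, len(body), order[0], 64) + b"\x00" * 32
    return fixed + body


if __name__ == "__main__":
    for label, pkt in [
        ("benign", build_packet([HOPOPTS, DSTOPTS])),
        ("misordered", build_packet([DSTOPTS, HOPOPTS])),
        ("long chain", build_packet([DSTOPTS] * 12)),
        ("truncated", build_packet([FRAGMENT])[:-4]),
    ]:
        print(label, walk_ipv6(pkt))
```

The two early returns are the point: a length that overruns the packet, or a chain past the cap, stops the walk before any further byte is read, so a crafted chain costs the parser a bounded amount of work instead of an unbounded one.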

All three vulnerabilities can be triggered by an unauthenticated remote attacker sending crafted traffic to or through an affected device, and the impact in each case is denial of service (device reload, CPU exhaustion, or memory exhaustion). HiNet SOC advises administrators to evaluate and apply the updates promptly to reduce the risk of compromise.

References:

Cisco Adaptive Security Appliance (2017/10/05)
Cisco Firepower System Software (IPv6) (2017/10/04)
Cisco Firepower Threat Defense (SSL Decryption Memory Consumption) (2017/10/04)
US-CERT (2017/10/04)