CVE-2016-6460 in Cisco Firepower System Software

Summary

by MITRE

A vulnerability in the FTP Representational State Transfer Application Programming Interface (REST API) for Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass FTP malware detection rules and download malware over an FTP connection. Cisco Firepower System Software is affected when the device has a file policy with malware block configured for FTP connections. More Information: CSCuv36188 CSCuy91156. Known Affected Releases: 5.4.0.2 5.4.1.1 5.4.1.6 6.0.0 6.1.0 6.2.0. Known Fixed Releases: 6.0.0.


Analysis

by VulDB Data Team • 06/03/2019

CVE-2016-6460 is a detection-bypass weakness in Cisco Firepower System Software, located in the component Cisco describes as the FTP Representational State Transfer API (REST API). An unauthenticated, remote attacker can use it to evade the malware detection rules that a file policy applies to File Transfer Protocol (FTP) connections and download malware over FTP. The condition that makes a device affected is specific: a file policy with a malware block action configured for FTP connections. A device that does not inspect FTP with such a policy is not exposed to this bug, because there is no control to bypass.

Cisco's description gives no root-cause detail beyond placing the flaw in the FTP REST API; it does not say which check is missing or how the transfer escapes inspection. What is established is the effect: with malware blocking configured for FTP, the policy is not enforced for the transfer in question, so a file that Firepower would otherwise block reaches the client, and the block and log events the policy should have produced are absent. Affected releases are 5.4.0.2, 5.4.1.1, 5.4.1.6, 6.0.0, 6.1.0 and 6.2.0, which spans the 5.4, 6.0, 6.1 and 6.2 release lines.

The impact is evasion of a single control, not code execution on the Firepower device or access to it. A payload that the file policy was supposed to stop can reach a host behind the sensor over FTP, and because the block never fires, the file-event records that analysts and compliance reports rely on will not show it. Organizations that cite Firepower's FTP malware blocking as their control for that channel therefore have a gap between what the policy promises and what it enforces, and any inventory of blocked or quarantined files built from Firepower events is incomplete for the affected period.

Remediation is an upgrade. The Known Fixed Releases field lists 6.0.0, but 6.0.0 also appears among the affected releases, so confirm the actual fixed versions against the Cisco bug IDs CSCuv36188 and CSCuy91156 before treating any 6.x train as safe. Until the upgrade is in place, do not rely on inline FTP inspection alone: block or proxy FTP where it is not needed, and verify files that arrive over FTP with an out-of-band control (endpoint protection, or hash checks on captured transfers) whose verdict does not depend on the Firepower policy. Security teams should also review FTP sessions from the affected period, since the absence of a Firepower malware event is not evidence that nothing malicious was transferred. The weakness is classified as CWE-284 (Improper Access Control), here the failure to enforce a configured file policy. In ATT&CK terms it corresponds to T1071.002, Application Layer Protocol: File Transfer Protocols, with the attacker delivering a payload over a permitted protocol while the control meant to inspect it is bypassed. Network segmentation and dedicated FTP traffic monitoring reduce the exposure here and for similar inspection-bypass bugs in other protocol decoders.
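As an added example of the out-of-band check recommended above (this is not code from VulDB, Cisco or the Firepower product): the script below pairs each RETR on an FTP control channel with the reply that ends it, hashes the bytes that were actually delivered on the data channel, and flags any completed download whose hash is on a blocklist, which is exactly the transfer the inline file policy should have stopped. The control-channel transcript, the captured file contents and the blocklist are all constructed for the example; the transcript shape (direction, line) is an assumption, not a Firepower or Cisco log format, and the blocklist uses the public EICAR test string so it needs no real malware.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed FTP control-channel transcript as a passive tap or FTP proxy
# might record it: ("C", client command) / ("S", server reply).
# This is an assumed format for the example, not a Firepower event format.
SAMPLE_TRANSCRIPT: List[Tuple[str, str]] = [
    ("S", "220 ftp.example.test ready"),
    ("C", "USER anonymous"),
    ("S", "331 Password required"),
    ("C", "PASS guest@"),
    ("S", "230 Login successful"),
    ("C", "TYPE I"),
    ("S", "200 Switching to Binary mode"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,195,80)"),
    ("C", "RETR tools/update.exe"),
    ("S", "150 Opening BINARY mode data connection"),
    ("S", "226 Transfer complete"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,195,81)"),
    ("C", "RETR docs/readme.txt"),
    ("S", "150 Opening BINARY mode data connection"),
    ("S", "226 Transfer complete"),
    ("C", "RETR secret/none.bin"),
    ("S", "550 Failed to open file"),
    ("C", "QUIT"),
]

# Public EICAR anti-virus test string; stands in for "known malware".
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed bytes "captured" from the data channel, keyed by RETR path.
CAPTURED_FILES: Dict[str, bytes] = {
    "tools/update.exe": EICAR,
    "docs/readme.txt": b"hello\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hashes the inline file policy is expected to block; built at runtime.
KNOWN_BAD: Dict[str, str] = {sha256_hex(EICAR): "EICAR test file"}


@dataclass
class Transfer:
    path: str
    completed: bool
    sha256: Optional[str] = None
    verdict: str = "unknown"


def parse_transfers(transcript: List[Tuple[str, str]]) -> List[Transfer]:
    """Pair each RETR with the server reply that finishes it.

    226 = data connection closed, transfer complete; 4xx/5xx = refused or
    failed; 150 is only the preliminary 'transfer starting' reply.
    """
    transfers: List[Transfer] = []
    pending: Optional[Transfer] = None
    for direction, line in transcript:
        if direction == "C":
            m = re.match(r"RETR\s+(.+)$", line)
            if m:
                pending = Transfer(path=m.group(1).strip(), completed=False)
                transfers.append(pending)
            continue
        if pending is None:
            continue
        code = line[:3]
        if code == "226":
            pending.completed = True
            pending = None
        elif code[:1] in ("4", "5"):
            pending = None  # transfer never delivered anything
    return transfers


def verify(transfers: List[Transfer], captured: Dict[str, bytes]) -> List[Transfer]:
    """Hash what was actually delivered and return the transfers that
    should have been blocked but completed anyway."""
    findings: List[Transfer] = []
    for t in transfers:
        if not t.completed:
            continue  # nothing reached the client; no verdict to give
        data = captured.get(t.path)
        if data is None:
            t.verdict = "no-capture"
            continue
        t.sha256 = sha256_hex(data)
        if t.sha256 in KNOWN_BAD:
            t.verdict = "malware-passed-inline-policy"
            findings.append(t)
        else:
            t.verdict = "clean"
    return findings


if __name__ == "__main__":
    for hit in verify(parse_transfers(SAMPLE_TRANSCRIPT), CAPTURED_FILES):
        print(f"ALERT {hit.path} sha256={hit.sha256} ({KNOWN_BAD[hit.sha256]})")
```

The point of hashing the delivered bytes rather than trusting the sensor's file event is that this bug leaves no event behind: a completed 226 with a known-bad hash and no corresponding block is the signal that the policy was bypassed. In a real deployment the transcript and captured files would come from a tap, proxy or full-packet capture, and the blocklist from threat intelligence or the same hash source the file policy uses.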

Reservation

07/26/2016

Disclosure

11/18/2016

Moderation

accepted

Entry

VDB-93669

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low
