Cisco Firepower Threat Defense/ASA 6.2.1 Snort Process IP Fragment resource consumption

Summaryinfo

A vulnerability identified as problematic has been detected in Cisco Firepower Threat Defense and ASA 6.2.1. This vulnerability affects unknown code of the component Snort Process. The manipulation as part of IP Fragment leads to resource consumption. This vulnerability is uniquely identified as CVE-2018-0230. The attack is possible to be carried out remotely. No exploit exists.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in Cisco Firepower Threat Defense and ASA 6.2.1 (Firewall Software). This issue affects some unknown functionality of the component Snort Process. The manipulation as part of a IP Fragment leads to a resource consumption vulnerability. Using CWE to declare the problem leads to CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Impacted is availability. The summary by CVE is:

A vulnerability in the internal packet-processing functionality of Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series Security Appliances could allow an unauthenticated, remote attacker to cause an affected device to stop processing traffic, resulting in a denial of service (DoS) condition. The vulnerability is due to the affected software improperly validating IP Version 4 (IPv4) and IP Version 6 (IPv6) packets after the software reassembles the packets (following IP Fragmentation). An attacker could exploit this vulnerability by sending a series of malicious, fragmented IPv4 or IPv6 packets to an affected device. A successful exploit could allow the attacker to cause Snort processes on the affected device to hang at 100% CPU utilization, which could cause the device to stop processing traffic and result in a DoS condition until the device is reloaded manually. This vulnerability affects Cisco Firepower Threat Defense (FTD) Software Releases 6.2.1 and 6.2.2, if the software is running on a Cisco Firepower 2100 Series Security Appliance. Cisco Bug IDs: CSCvf91098.

The bug was discovered 04/18/2018. The weakness was disclosed 04/19/2018 as cisco-sa-20180418-fp2100 as confirmed advisory (Website). It is possible to read the advisory at tools.cisco.com. The identification of this vulnerability is CVE-2018-0230 since 11/27/2017. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 01/29/2020). The attack technique deployed by this issue is T1499 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $5k-$25k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 103931†). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Firewall Software

Vendor

• Cisco

Name

• ASA
• Firepower Threat Defense

Version

• 6.2.1

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion