Cisco Firepower firewalls patched for critical bug

By

As part of larger update covering 27 vulnerabilities.

Cisco has disclosed a critical command injection vulnerability in Firepower Threat Defence (FTD) devices.

Cisco Firepower firewalls patched for critical bug

In its advisory for CVE-2023-20048, the networking vendor said that the bug is rated 9.9 on the Common Vulnerability Scoring System and allows an authenticated remote attacker to execute “certain unauthorised configuration commands” on the target device’s management centre software.

Configuration commands sent through the web service interface are insufficiently authorised, the company explained.

Cisco didn’t reveal which commands can be exploited, but said they’re exploited using “a crafted HTTP request”.

The management centre update is part of a larger security rollup for adaptive security appliance (ASA), Firepower management centre (FMC) and FTD software released today.

That announcement covers a total of 27 vulnerabilities described in 22 advisories.

As well as CVE-2023-20048, there are eight CVEs that carry a high severity rating.

Five are denial-of-service bugs: CVE-2023-20086, in which an IPv6 ICMP message can force a device reload; CVE-2023-20095 in ASA’s and FTD’s VPN software, attacked using crafted HTTPS requests; CVE-2023-20244, a packet inspection bug in the Firepower 2100 series firewalls; CVE-2023-20083, another IPv6 ICMP bug, this time in the FTD when configured with Snort 2; and CVE-2023-20155, a lack of rate limiting in the FMC API exploitable by sending a high rate of HTTP requests. 

There are also two code injection vulnerabilities: CVE-2023-20063 in FTD devices running FMC, allowing local attackers to run code as root; and one for and CVE-2023-20220, a pair of command injection vulnerabilities in FMC.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Eagers Automotive finds unauthorised access to parts of IT systems

Eagers Automotive finds unauthorised access to parts of IT systems

Hackers hit Victoria's court recording database

Hackers hit Victoria's court recording database

St Vincent's Health Australia warns cyber attack forensics could "take some time"

St Vincent's Health Australia warns cyber attack forensics could "take some time"

Yakult Australia confirms cyber incident

Yakult Australia confirms cyber incident

Log In

  |  Forgot your password?