ID CVE-2018-0244
Summary A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass a configured file action policy to drop the Server Message Block (SMB) protocol if a malware file is detected. The vulnerability is due to how the SMB protocol handles a case in which a large file transfer fails. This case occurs when some pieces of the file are successfully transferred to the remote endpoint, but ultimately the file transfer fails and is reset. An attacker could exploit this vulnerability by sending a crafted SMB file transfer request through the targeted device. An exploit could allow the attacker to pass an SMB file that contains malware, which the device is configured to block. This vulnerability affects Cisco Firepower System Software when one or more file action policies are configured, on software releases prior to 6.2.3. Cisco Bug IDs: CSCvc20141.
References
Vulnerable Configurations
  • cpe:2.3:a:cisco:firepower_threat_defense:-:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:-:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:5.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:5.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:5.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:5.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.0:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.0.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.0.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.0.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.0.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.0.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.0.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.0.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.0.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.0.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.0.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.1.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:firepower_threat_defense:6.2.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:cisco:firepower_threat_defense:6.2.2.5:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 09-10-2019 - 23:31)
Impact:
Exploitability:
CWE CWE-693
CAPEC
  • Escaping a Sandbox by Calling Signed Code in Another Language
    The attacker may submit a malicious signed code from another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.
  • Signature Spoofing by Mixing Signed and Unsigned Content
    An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.
  • Sniff Application Code
    An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.
  • Manipulating User State
    The adversary modifies state information maintained by the target software in user-accessible locations. If successful, the target software will use this tainted state information and execute in an unintended manner. State management is an important function within an application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.
  • Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
    This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Try Common or Default Usernames and Passwords
    An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.
  • Escaping Virtualization
    An adversary gains access to an application, service, or device with the privileges of an authorized or privileged user by escaping the confines of a virtualized environment. The adversary is then able to access resources or execute unauthorized code within the host environment, generally with the privileges of the user running the virtualized process. Successfully executing an attack of this type is often the first step in executing more complex attacks.
  • Cross Site Tracing
    Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to destination system's web server. The adversary first gets a malicious script to run in the victim's browser that induces the browser to initiate an HTTP TRACE request to the web server. If the destination web server allows HTTP TRACE requests, it will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. The function of HTTP TRACE, as defined by the HTTP specification, is to echo the request that the web server receives from the client back to the client. Since the HTTP header of the original request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get his or her malicious script to issue an HTTP TRACE request to the destination system's web server. In the absence of an XSS weakness on the site with which the victim is interacting, an adversary can get the script to come from the site that he controls and get it to execute in the victim's browser (if he can trick the victim's into visiting his malicious website or clicking on the link that he supplies). However, in that case, due to the same origin policy protection mechanism in the browser, the adversary's malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. An adversary will then need to find a way to exploit another weakness that would enable him or her to get around the same origin policy protection.
  • Poison Web Service Registry
    SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata (to effect a denial of service), and delete information about service provider interfaces. WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. The attacker that can rewrite WS-addressing information gains the ability to route service requesters to any service providers, and the ability to route service provider response to any service. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol. The basic flow for the attacker consists of either altering the data at rest in the registry or uploading malicious content by spoofing a service provider. The service requester is then redirected to send its requests and/or responses to services the attacker controls.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Password Brute Forcing
    In this attack, the adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password. A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy. In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.). Knowing the password policy on the system can make a brute force attack more efficient. For instance, if the policy states that all passwords must be of a certain level, there is no need to check smaller candidates.
  • Rainbow Table Password Cracking
    An attacker gets access to the database table where hashes of passwords are stored. He then uses a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system. A password rainbow table stores hash chains for various passwords. A password chain is computed, starting from the original password, P, via a reduce(compression) function R and a hash function H. A recurrence relation exists where Xi+1 = R(H(Xi)), X0 = P. Then the hash chain of length n for the original password P can be formed: X1, X2, X3, ... , Xn-2, Xn-1, Xn, H(Xn). P and H(Xn) are then stored together in the rainbow table. Constructing the rainbow tables takes a very long time and is computationally expensive. A separate table needs to be constructed for the various hash algorithms (e.g. SHA1, MD5, etc.). However, once a rainbow table is computed, it can be very effective in cracking the passwords that have been hashed without the use of salt.
  • Dictionary-based Password Attack
    An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
  • Using Malicious Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Encryption Brute Forcing
    An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
  • Using Unpublished APIs
    An adversary searches for and invokes APIs that the target system designers did not intend to be publicly available. If these APIs fail to authenticate requests the attacker may be able to invoke functionality they are not authorized for.
  • Accessing Functionality Not Properly Constrained by ACLs
    In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
  • Directory Indexing
    An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
  • Exploiting Trust in Client
    An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Forceful Browsing
    An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:N
refmap via4
bid 103945
confirm https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-fss1
Last major update 09-10-2019 - 23:31
Published 19-04-2018 - 20:29
Last modified 09-10-2019 - 23:31
Back to Top