Cisco fixes 18 high risk vulnerabilities in ASA, FMC and FTD software

Cisco has released ten Cisco Security Advisories that address 18 high risk vulnerabilities in Cisco ASA, FMC and FTD software.

Impacted products include Cisco’s Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD) software.

Cisco rates all of the vulnerabilities as High severity and CVSS base scores range from 7.2 to 8.8.

“Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access, gain elevated privileges, execute arbitrary commands, or cause a denial of service (DoS) condition on an affected device,” Cisco stated in the advisory on Wednesday.

ASA and FTD vulnerabilities

Cisco published six advisories for Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) as summarized below.

• Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software FTP Inspection Denial of Service Vulnerability (CVE-2019-12673)
• Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IKEv1 Denial of Service Vulnerability (CVE-2019-15256)
• Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software OSPF LSA Processing Denial of Service Vulnerability (CVE-2019-12676)
• Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SIP Inspection Denial of Service Vulnerability (CVE-2019-12678)
• Cisco Adaptive Security Appliance Software SSL VPN Denial of Service Vulnerability (CVE-2019-12677)
• Cisco Firepower Threat Defense Software Multi-instance Container Escape Vulnerabilities (CVE-2019-12675, CVE-2019-12674).

FMC vulnerabilities

Cisco also published four security advisories for Firepower Management Center (FMC) as summarized below (with CVEs).

• Cisco Firepower Management Center Command Injection Vulnerability (CVE-2019-12690)
• Cisco Firepower Management Center Remote Code Execution Vulnerability (CVE-2019-12687, CVE-2019-12688)
• Cisco Firepower Management Center Remote Code Execution Vulnerability (CVE-2019-12689)
• Cisco Firepower Management Center SQL Injection Vulnerabilities (CVE-2019-12679, CVE-2019-12680, CVE-2019-12681, CVE-2019-12682, CVE-2019-12683, CVE-2019-12684, CVE-2019-12685, CVE-2019-12686).

Of special note, the FMC remote code execution and SQL injection bugs each sport a CVSS rating of 8.8, the highest among all of the advisories.