Cisco this week announced the release of patches for 33 high- and medium-severity vulnerabilities impacting enterprise firewall products running Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC) software.
The most severe of the security defects is CVE-2022-20927, a bug in the dynamic access policies (DAP) functionality of ASA and FTD software, allowing a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.
Due to improper processing of data received from the Posture (HostScan) module, an attacker could send crafted HostScan data to cause the affected device to reload, Cisco explains.
Equally severe (CVSS score of 8.6) is CVE-2022-20946, a DoS vulnerability in the generic routing encapsulation (GRE) tunnel decapsulation feature of FTD software releases 6.3.0 and later.
The issue exists because of memory handling errors during the processing of GRE traffic. An attacker can exploit the flaw by sending crafted GRE payloads through an affected device, causing it to restart.
Three other high-severity DoS vulnerabilities that Cisco resolved this week impact the Simple Network Management Protocol (SNMP) feature and the SSL/TLS client of ASA and FTD, and the processing of SSH connections of FMC and FTD.
According to Cisco, these bugs exist due to insufficient input validation, improper memory management when SSL/TLS connections are initiated, and improper error handling when the establishment of an SSH session fails, respectively.
Other high-severity flaws Cisco resolved this week include a default credentials issue in ASA and FMC, and a secure boot bypass in Secure Firewalls 3100 series running ASA or FTD.
Cisco this week issued advisories for a total of 26 medium-severity vulnerabilities in its enterprise firewall products.
The most important of the advisories deals with 15 cross-site scripting (XSS) bugs in the web-based management interface of FMC. The issues exist due to insufficient validation of user-supplied input, allowing an attacker to execute code in the context of the vulnerable interface, or even leak browser-based information.
Cisco patched the flaws as part of its semiannual set of fixes for ASA, FTD, and FMC software. The patches were scheduled for publication on October 26, but the company delayed their release by roughly two weeks.
The tech giant says it is not aware of any public exploits targeting any of these vulnerabilities. Additional information on the flaws can be found on Cisco’s product security page.