Cisco Firepower System Software Detection Engine RTF and RAR Malware and File Policy Bypass Vulnerabilities

CVE numbers – CVE-2019-12697 and CVE-2019-12696

Multiple vulnerabilities in the Cisco Firepower System Software Detection Engine could allow an unauthenticated, remote attacker to bypass configured Malware and File Policies for RTF and RAR file types.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Affected Products

Vulnerable Products

These vulnerabilities affect the following Cisco products if running a vulnerable release of Cisco Firepower Software:

    • 3000 Series Industrial Security Appliances (ISAs)
    • Adaptive Security Appliance (ASA) 5500-X Series Firewalls
    • ASA 5500-X Series with FirePOWER Services
    • Advanced Malware Protection (AMP) for Networks for FirePOWER 7000 Series Appliances
    • AMP for Networks for FirePOWER 8000 Series Appliances
    • Firepower 2100 Series
    • Firepower 4100 Series
    • Firepower 1000 Series Appliances
    • FirePOWER 7000 Series Appliances
    • FirePOWER 8000 Series Appliances
    • Firepower 9300 Security Appliances
    • Firepower Threat Defense for Integrated Services Routers (ISRs)
    • FTD Virtual (FTDv)
    • Next-Generation Intrusion Prevention System (NGIPS)

Cisco Firepower System Software Detection Engine RTF File Policy Bypass Vulnerability

A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass a configured Malware and File Policy for an RTF file type. The vulnerability is due to incorrect detection of the RTF file syntax. An attacker could exploit this vulnerability by sending a malicious RTF file through the targeted device. A successful exploit could allow the attacker to bypass a configured Malware and File Policy for an RTF file type. The CVE ID for this vulnerability is CVE-2019-12697. The Security Impact Rating (SIR) for this vulnerability is Medium.

Cisco Firepower System Software Detection Engine RAR File Policy Bypass Vulnerability

A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass a configured Malware and File Policy for a RAR file type. The vulnerability is due to incorrect detection of the RAR file syntax. An attacker could exploit this vulnerability by sending a malicious RAR file through the targeted device. A successful exploit could allow the attacker to bypass a configured Malware and File Policy for a RAR file type. The CVE ID for this vulnerability is CVE-2019-12696. The Security Impact Rating (SIR) for this vulnerability is Medium.
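Both advisories above come down to the same dependency: a Malware and File Policy only acts on a file if the detection engine first identifies it as the type the policy covers. As an added illustration of what that identification step looks like (example code written for this post, not Cisco's detection engine, and it does not reproduce the defect the advisory describes), the block below identifies RTF and RAR files by their published leading signatures and applies a constructed policy table that fails closed for files whose type cannot be determined. The file names, policy action names and sample bytes are constructed for the demonstration.

```python
"""
Signature-based file-type identification for RTF and RAR with a fail-closed
policy decision.  Added example; not Cisco's detection engine code.
"""
import re
from typing import Dict, Tuple

# Published leading signatures (byte offset 0).
# RTF: the document is a group opening with the \rtf control word, normally
# followed by the version digit, i.e. "{\rtf1".
RTF_HEADER = re.compile(rb"^\{\\rtf")
# RAR 1.5 - 4.x archives start with "Rar!\x1a\x07\x00";
# RAR 5.x archives start with "Rar!\x1a\x07\x01\x00".
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Constructed policy: action per detected type.  "unknown" is blocked rather
# than passed so that a file the engine cannot classify does not slip past a
# policy that was written for a specific type.
FILE_POLICY: Dict[str, str] = {
    "rtf": "inspect",      # hand to malware lookup / sandbox (hypothetical action name)
    "rar": "inspect",
    "unknown": "block",
}


def identify(data: bytes) -> str:
    """Return 'rtf', 'rar' or 'unknown' based strictly on the leading bytes.

    The match is anchored at offset 0 on purpose: a detector that searches for
    a signature anywhere in the stream, or tolerates junk ahead of it, can
    disagree with the application that eventually opens the file, and a policy
    keyed on the detected type only protects you when the two agree.
    """
    if RTF_HEADER.match(data):
        return "rtf"
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    return "unknown"


def policy_action(data: bytes) -> Tuple[str, str]:
    """Return (detected_type, policy_action) for one file's bytes."""
    ftype = identify(data)
    # .get() with a "block" default keeps the decision fail-closed even if a
    # new type is added to identify() before the policy table is updated.
    return ftype, FILE_POLICY.get(ftype, "block")


# Constructed sample files (not real captures).
SAMPLES: Dict[str, bytes] = {
    "doc.rtf": b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}Hello\\par}",
    "old.rar": RAR4_MAGIC + b"\x00" * 16,
    "new.rar": RAR5_MAGIC + b"\x00" * 16,
    "notes.txt": b"plain text with no recognised signature",
}


def evaluate_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Run every sample through the policy and return name -> (type, action)."""
    return {name: policy_action(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ftype, action) in evaluate_all().items():
        print(f"{name:<10} type={ftype:<8} action={action}")
```

The point of the constructed table is the last row: when a detector mis-parses a format, the file usually lands in "unknown" rather than in the wrong type, so a policy that passes unknown types silently loses its coverage, while one that blocks or inspects them degrades to a false positive that an operator will notice.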

Workarounds

  • There are no workarounds that address these vulnerabilities.

Fixed Releases

In the following table, the left column lists releases of Cisco FTD Software. The right column indicates whether a release is affected by the vulnerabilities described in this advisory and the first release that includes the fix for these vulnerabilities.

Cisco FTD Software

Cisco FTD Software Release     First Fixed Release for These Vulnerabilities
Earlier than 6.1.0             Migrate to a fixed release.
6.1.0                          Migrate to a fixed release.
6.2.0                          Migrate to a fixed release.
6.2.1                          Migrate to a fixed release.
6.2.2                          Migrate to a fixed release.
6.2.3                          6.2.3.15
6.3.0                          6.3.0.5
6.4.0                          6.4.0.6
6.5.0                          Not vulnerable.

Further details – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-firepwr-bypass

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
