Cisco ASA & FTD¶à¸ö¸ßΣÎó²î

Ðû²¼Ê±¼ä 2021-04-29

0x00 Îó²î¸ÅÊö

2021Äê04ÔÂ28ÈÕ£¬CiscoÐû²¼Ç徲ͨ¸æ£¬ÐÞ¸´ÁËCisco×Ô˳ӦÇå¾²×°±¸£¨ASA£©ºÍFirepowerÍþв·ÀÓù£¨FTD£©ÖеÄ6¸ö¸ßΣÎó²î£¬ÆäÖÐ5¸öΪ¾Ü¾ø·þÎñÎó²î£¬1¸öΪÏÂÁî×¢ÈëÎó²î ¡£

 

0x01 Îó²îÏêÇé

image.png

 

Îó²îÏêÇéÈçÏ£º

Cisco FTD  SSL¾Ü¾ø·þÎñÎó²î£¨CVE-2021-1402£©

ÓÉÓÚ×°±¸Ö´ÐлùÓÚÈí¼þµÄSSL½âÃÜʱ¶ÔSSL/TLSÐÂÎÅÑé֤ȱ·¦£¬Cisco FTD»ùÓÚÈí¼þµÄSSL/TLSÐÂÎÅ´¦Öóͷ£³ÌÐòÖб£´æÒ»¸ö¾Ü¾ø·þÎñÎó²î£¬ÆäCVSSÆÀ·Ö8.6 ¡£Î´¾­ÈÏÖ¤µÄÔ¶³Ì¹¥»÷Õß¿ÉÒÔͨ¹ýÏòÊÜÓ°ÏìµÄ×°±¸·¢ËͶñÒâÖÆ×÷µÄSSL/TLSÐÂÎÅÀ´Ê¹ÓôËÎó²î£¬µ«·¢Ë͵½ÊÜÓ°Ïì×°±¸µÄSSL/TLSÐÂÎŲ»»á´¥·¢¾Ü¾ø·þÎñÎó²î£¬¹¥»÷ÕßÔÚÀÖ³ÉʹÓôËÎó²îºó¿Éµ¼ÖÂÀú³ÌÍ߽⣬²¢´¥·¢×°±¸ÖØмÓÔØ£¬´Ó¶øµ¼Ö¾ܾø·þÎñ ¡£ÖØмÓÔغó£¬ÎÞÐèÊÖ¶¯¸ÉÔ¤¼´¿É»Ö¸´×°±¸ ¡£

 

Cisco ASA & FTD¾Ü¾ø·þÎñÎó²î£¨CVE-2021-1445¡¢CVE-2021-1504£©

ÓÉÓÚȱ·¦¶ÔHTTPSÇëÇóµÄ׼ȷÊäÈëÑéÖ¤£¬Cisco ASAºÍFTDÖб£´æ¶à¸ö¾Ü¾ø·þÎñÎó²î£¬CVSSÆÀ·Ö¾ùΪ8.6 ¡£Î´¾­Éí·ÝÑéÖ¤µÄÔ¶³Ì¹¥»÷Õß¿ÉÒÔͨ¹ýÏòÊÜÓ°ÏìµÄ×°±¸·¢ËͶñÒâÖÆ×÷µÄHTTPSÇëÇóÀ´Ê¹ÓÃÕâЩÎó²î£¬ÀÖ³ÉʹÓôËÎó²îµÄ¹¥»÷Õß¿ÉÒÔʹÊÜÓ°ÏìµÄ×°±¸ÖØмÓÔØ£¬Ôì³É¾Ü¾ø·þÎñ ¡£

 

Cisco FTDÏÂÁî×¢ÈëÎó²î£¨CVE-2021-1448£©

ÓÉÓÚ¶ÔÓû§ÌṩµÄÏÂÁî²ÎÊýÑé֤ȱ·¦£¬Cisco FTDµÄCLIÖб£´æÒ»¸öÏÂÁî×¢ÈëÎó²î£¬ÆäCVSSÆÀ·Ö7.8 ¡£¾­ÓÉÉí·ÝÑéÖ¤µÄÍâµØ¹¥»÷Õß¿ÉÒÔͨ¹ýÏòÊÜÓ°ÏìµÄÏÂÁîÌá½»¶ñÒâ´úÂëÀ´Ê¹ÓôËÎó²î£¬ÀÖ³ÉʹÓôËÎó²îµÄ¹¥»÷Õß¿ÉÒÔÔÚϵͳÉÏÒÔrootȨÏÞÖ´ÐÐí§ÒâÏÂÁî ¡£

 

Cisco ASA & FTD»º³åÇøÒç³öÎó²î£¨CVE-2021-1493£©

ÓÉÓÚ¶ÔÌṩӦÊÜÓ°ÏìϵͳµÄWeb·þÎñ½Ó¿ÚµÄÌض¨Ãü¾ÝµÄ½çÏß¼ì²éȱ·¦£¬Cisco ASAºÍFTDµÄWeb·þÎñ½çÃæÖб£´æ»º³åÇøÒç³öÎó²î£¬ÆäCVSSÆÀ·Ö8.5 ¡£¾­ÓÉÉí·ÝÑéÖ¤µÄÔ¶³Ì¹¥»÷Õß¿ÉÒÔͨ¹ý·¢ËͶñÒâµÄHTTPÇëÇóÀ´Ê¹ÓôËÎó²î£¬ÀÖ³ÉʹÓôËÎó²îµÄ¹¥»÷Õß¿ÉÒÔÔÚÊÜÓ°ÏìµÄϵͳÉÏÔì³É»º³åÇøÒç³ö£¬µ¼ÖÂй¶Êý¾ÝƬ¶Ï»ò×°±¸ÖØмÓÔØ£¬´Ó¶øÔì³É¾Ü¾ø·þÎñ£¨DoS£© ¡£

 

Cisco ASA & FTD¾Ü¾ø·þÎñÎó²î£¨CVE-2021-1501£©

ÓÉÓÚSIP pinholeÅþÁ¬µÄ¹þÏ£ÅÌÎÊÀú³ÌÖб¬·¢Í߽⣬Cisco ASAºÍFTDµÄSIP¼ì²éÒýÇæÖб£´æ¾Ü¾ø·þÎñÎó²î£¬ÆäCVSSÆÀ·Ö8.6 ¡£Î´¾­Éí·ÝÑéÖ¤µÄÔ¶³Ì¹¥»÷Õß¿ÉÒÔͨ¹ýÏòÊÜÓ°Ïì×°±¸·¢ËͶñÒâÖÆ×÷µÄSIPÁ÷Á¿À´Ê¹ÓôËÎó²î£¬ÀÖ³ÉʹÓôËÎó²îµÄ¹¥»÷Õ߿ɵ¼ÖÂÊÜÓ°Ïì×°±¸Í߽ⲢÖØмÓÔØ ¡£

 

0x02 ´¦Öóͷ£½¨Òé

ÏÖÔÚCiscoÒѾ­Ðû²¼ÁËCisco ASAºÍ FTDµÄÇå¾²¸üУ¬½¨Òé²Î¿¼¹Ù·½Ðû²¼µÄÇ徲ͨ¸æʵʱÐÞ¸´»òÉý¼¶ ¡£

CVE-2021-1402£º

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-decrypt-dos-DdyLuK6c

 

CVE-2021-1445¡¢CVE-2021-1504£º

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vpn-dos-fpBcpEcD

 

CVE-2021-1448£º

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-cmdinj-vWY5wqZT

 

CVE-2021-1493£º

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-memc-dos-fncTyYKG

 

CVE-2021-1501£º

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-sipdos-GGwmMerC

 

ÏÂÔØÁ´½Ó£º

https://software.cisco.com/download/find

 

0x03 ²Î¿¼Á´½Ó

https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74594

https://tools.cisco.com/security/center/publicationListing.x

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vpn-dos-fpBcpEcD

 

0x04 ʱ¼äÏß

2021-04-28  CiscoÐû²¼Ç徲ͨ¸æ

2021-04-29  VSRCÐû²¼Ç徲ͨ¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö±ê×¼¹ÙÍø£ºhttp://www.first.org/cvss/

image.png