Cisco ASA & FTD Multiple High-Severity Vulnerabilities

Published: 2021-04-29

0x00 Vulnerability Overview

On April 28, 2021, Cisco published security advisories fixing 6 high-severity vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). Of these, 5 are denial-of-service vulnerabilities and 1 is a command injection vulnerability.

 

0x01 Vulnerability Details


 

The vulnerability details are as follows:

Cisco FTD SSL Denial-of-Service Vulnerability (CVE-2021-1402)

Because SSL/TLS messages are insufficiently validated when the device performs software-based SSL decryption, a denial-of-service vulnerability exists in the software-based SSL/TLS message handler of Cisco FTD, with a CVSS score of 8.6. An unauthenticated remote attacker can exploit this vulnerability by sending maliciously crafted SSL/TLS messages through an affected device; SSL/TLS messages addressed to the affected device itself do not trigger the vulnerability. Successful exploitation can crash a process and trigger a device reload, resulting in a denial of service. After the reload, the device recovers without manual intervention.

 

Cisco ASA & FTD Denial-of-Service Vulnerabilities (CVE-2021-1445, CVE-2021-1504)

Because HTTPS requests are not subjected to proper input validation, multiple denial-of-service vulnerabilities exist in Cisco ASA and FTD, each with a CVSS score of 8.6. An unauthenticated remote attacker can exploit these vulnerabilities by sending maliciously crafted HTTPS requests to an affected device. Successful exploitation can cause the affected device to reload, resulting in a denial of service.

 

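Cisco FTD Command Injection Vulnerability (CVE-2021-1448)

Because user-supplied command arguments are insufficiently validated, a command injection vulnerability exists in the Cisco FTD CLI, with a CVSS score of 7.8. An authenticated local attacker can exploit this vulnerability by submitting malicious code to an affected command. Successful exploitation allows the attacker to execute arbitrary commands on the system with root privileges.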

 

Cisco ASA & FTD Buffer Overflow Vulnerability (CVE-2021-1493)

Because boundary checks on specific data supplied to the web services interface of an affected system are insufficient, a buffer overflow vulnerability exists in the web services interface of Cisco ASA and FTD, with a CVSS score of 8.5. An authenticated remote attacker can exploit this vulnerability by sending a malicious HTTP request. Successful exploitation can cause a buffer overflow on the affected system, leading to disclosure of data fragments or a device reload, resulting in a denial of service (DoS).

 

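Cisco ASA & FTD Denial-of-Service Vulnerability (CVE-2021-1501)

Because a crash occurs during the hash lookup for a SIP pinhole connection, a denial-of-service vulnerability exists in the SIP inspection engine of Cisco ASA and FTD, with a CVSS score of 8.6. An unauthenticated remote attacker can exploit this vulnerability by sending maliciously crafted SIP traffic to an affected device. Successful exploitation can cause the affected device to crash and reload.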

 

0x02 Remediation Recommendations

Cisco has released security updates for Cisco ASA and FTD. Refer to the official security advisories below and patch or upgrade promptly.

CVE-2021-1402:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-decrypt-dos-DdyLuK6c

 

CVE-2021-1445, CVE-2021-1504:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vpn-dos-fpBcpEcD

 

CVE-2021-1448:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-cmdinj-vWY5wqZT

 

CVE-2021-1493:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-memc-dos-fncTyYKG

 

CVE-2021-1501:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-sipdos-GGwmMerC

 

Download link:

https://software.cisco.com/download/find

 

0x03 References

https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74594

https://tools.cisco.com/security/center/publicationListing.x

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vpn-dos-fpBcpEcD

 

0x04 Timeline

2021-04-28  Cisco published its security advisories

2021-04-29  VSRC published its security advisory

 

0x05 Appendix

 

CVSS scoring standard official site: http://www.first.org/cvss/
