Security Alerts

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS Inspection Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 23:00
A vulnerability in the DNS inspection handler of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to a lack of proper processing of incoming requests. An attacker could exploit this vulnerability by sending crafted DNS requests at a high rate to an affected device. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-dos-nJVAwOeq

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: High
CVE: CVE-2022-20760
Categories: Security Alerts

Cisco Firepower Management Center Software Cross-Site Scripting Vulnerabilities

Cisco Security Advisories - Wed, 2022-04-27 23:00
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-qXz4uAkM

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: Medium
CVE: CVE-2022-20627,CVE-2022-20628,CVE-2022-20629
Categories: Security Alerts

Cisco Firepower Management Center File Upload Security Bypass Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 23:00
A vulnerability in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to bypass security protections and upload malicious files to the affected system.

This vulnerability is due to improper validation of files uploaded to the web management interface of Cisco FMC Software. An attacker could exploit this vulnerability by uploading a maliciously crafted file to a device running affected software. A successful exploit could allow the attacker to store malicious files on the device, which they could access later to conduct additional attacks, including executing arbitrary code on the affected device with root privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-security-bypass-JhOd29Gg

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: High
CVE: CVE-2022-20743
Categories: Security Alerts

Cisco Firepower Management Center Software Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 23:00
A vulnerability in the input protection mechanisms of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view data without proper authorization.

This vulnerability exists because of a protection mechanism that relies on the existence or values of a specific input. An attacker could exploit this vulnerability by modifying this input to bypass the protection mechanism and sending a crafted request to an affected device. A successful exploit could allow the attacker to view data beyond the scope of their authorization.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-infdisc-guJWRwQu

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: Medium
CVE: CVE-2022-20744
Categories: Security Alerts

Cisco Firepower Threat Defense Software DNS Enforcement Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the Snort rule evaluation function of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to improper handling of the DNS reputation enforcement rule. An attacker could exploit this vulnerability by sending crafted UDP packets through an affected device to force a buildup of UDP connections. A successful exploit could allow the attacker to cause traffic that is going through the affected device to be dropped, resulting in a DoS condition.

Note: This vulnerability only affects Cisco FTD devices that are running Snort 3.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FTD-snort3-DOS-Aq38LVdM

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: High
CVE: CVE-2022-20767
Categories: Security Alerts

Cisco Firepower Threat Defense Software XML Injection Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to inject XML into the command parser.

This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including crafted input in commands. A successful exploit could allow the attacker to inject XML into the command parser, which could result in unexpected processing of the command and unexpected command output.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-xmlinj-8GWjGzKe

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: Medium
CVE: CVE-2022-20729
Categories: Security Alerts

Cisco Firepower Threat Defense Software TCP Proxy Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the TCP proxy functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition.

This vulnerability is due to improper handling of TCP flows. An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-tcp-dos-kM9SHhOu

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: High
CVE: CVE-2022-20746
Categories: Security Alerts

Cisco Firepower Threat Defense Software Snort Out of Memory Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the Snort detection engine integration for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause unlimited memory consumption, which could lead to a denial of service (DoS) condition on an affected device.

This vulnerability is due to insufficient memory management for certain Snort events. An attacker could exploit this vulnerability by sending a series of crafted IP packets that would generate specific Snort events on an affected device. A sustained attack could cause an out-of-memory condition on the affected device. A successful exploit could allow the attacker to interrupt all traffic flowing through the affected device. In some circumstances, the attacker may be able to cause the device to reload, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort-dos-hd2hFgM

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: High
CVE: CVE-2022-20751
Categories: Security Alerts

Cisco Firepower Threat Defense Software Security Intelligence DNS Feed Bypass Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the Security Intelligence feed feature of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the Security Intelligence DNS feed.

This vulnerability is due to incorrect feed update processing. An attacker could exploit this vulnerability by sending traffic through an affected device that should be blocked by the affected device. A successful exploit could allow the attacker to bypass device controls and successfully send traffic to devices that are expected to be protected by the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-sidns-bypass-3PzA5pO

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: Medium
CVE: CVE-2022-20730
Categories: Security Alerts

Cisco Firepower Threat Defense Software Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the connection handling function in Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to improper traffic handling when platform limits are reached. An attacker could exploit this vulnerability by sending a high rate of UDP traffic through an affected device. A successful exploit could allow the attacker to cause all new, incoming connections to be dropped, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-JnnJm4wB

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: High
CVE: CVE-2022-20757
Categories: Security Alerts

Cisco Firepower Threat Defense Software Local Malware Analysis Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the local malware analysis process of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device.

This vulnerability is due to insufficient error handling in the local malware analysis process of an affected device. An attacker could exploit this vulnerability by sending a crafted file through the device. A successful exploit could allow the attacker to cause the local malware analysis process to crash, which could result in a DoS condition.

Notes:

1. Manual intervention may be required to recover from this situation.
2. Malware cloud lookup and dynamic analysis will not be impacted.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-amp-local-dos-CUfwRJXT

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tvce.cisco.com/security/aims/PublicationPreview.aspx?ID=74836&Version=1&Revision=26).
Security Impact Rating: Medium
CVE: CVE-2022-20748
Categories: Security Alerts

Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack.

This vulnerability is due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by convincing a user to click a link designed to pass malicious input to the interface. A successful exploit could allow the attacker to conduct cross-site scripting attacks and gain access to sensitive browser-based information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-SfpEcvGT

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: Medium
CVE: CVE-2022-20740
Categories: Security Alerts

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Privilege Escalation Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15.

This vulnerability is due to improper separation of authentication and authorization scopes. An attacker could exploit this vulnerability by sending crafted HTTPS messages to the web services interface of an affected device. A successful exploit could allow the attacker to gain privilege level 15 access to the web management interface of the device. This includes privilege level 15 access to the device using management tools like the Cisco Adaptive Security Device Manager (ASDM) or the Cisco Security Manager (CSM).

Note: With Cisco FTD Software, the impact is lower than the CVSS score suggests because the affected web management interface allows for read access only.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-mgmt-privesc-BMFMUvye

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: High
CVE: CVE-2022-20759
Categories: Security Alerts

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IPsec IKEv2 VPN Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to read or modify data within an IPsec IKEv2 VPN tunnel.

This vulnerability is due to an improper implementation of Galois/Counter Mode (GCM) ciphers. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting a sufficient number of encrypted messages across an affected IPsec IKEv2 VPN tunnel and then using cryptanalytic techniques to break the encryption. A successful exploit could allow the attacker to decrypt, read, modify, and re-encrypt data that is transmitted across an affected IPsec IKEv2 VPN tunnel.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipsec-mitm-CKnLr4

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: High
CVE: CVE-2022-20742
Categories: Security Alerts

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

This vulnerability is due to improper input validation when parsing HTTPS requests. An attacker could exploit this vulnerability by sending a crafted HTTPS request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-tzPSYern

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: High
CVE: CVE-2022-20745
Categories: Security Alerts

Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the handler for HTTP authentication for resources accessed through the Clientless SSL VPN portal of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device or to obtain portions of process memory from an affected device.

This vulnerability is due to insufficient bounds checking when parsing specific HTTP authentication messages. An attacker could exploit this vulnerability by sending malicious traffic to an affected device acting as a VPN Gateway. To send this malicious traffic, an attacker would need to control a web server that can be accessed through the Clientless SSL VPN portal. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition, or to retrieve bytes from the device process memory that may contain sensitive information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-heap-zLX3FdX

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: High
CVE: CVE-2022-20737
Categories: Security Alerts

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-27 16:00
A vulnerability in the remote access SSL VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to improper validation of errors that are logged as a result of client connections that are made using remote access VPN. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to cause the affected device to restart, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-tL4uA4AA

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836).
Security Impact Rating: High
CVE: CVE-2022-20715
Categories: Security Alerts

AA22-117A: 2021 Top Routinely Exploited Vulnerabilities

US-CERT - Wed, 2022-04-27 07:00
Original release date: April 27, 2022
Summary

This joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom: the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and United Kingdom’s National Cyber Security Centre (NCSC-UK). This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess that, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets.

The cybersecurity authorities encourage organizations to apply the recommendations in the Mitigations section of this CSA. These mitigations include applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious cyber actors.

Technical Details

Key Findings

Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.

To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities—some of which were also routinely exploited in 2020 or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.

Top 15 Routinely Exploited Vulnerabilities

Table 1 shows the top 15 vulnerabilities U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities observed malicious actors routinely exploiting in 2021, which include:

  • CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Log4j is incorporated into thousands of products worldwide. This vulnerability was disclosed in December 2021; the rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch.
  • CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065. These vulnerabilities, known as ProxyLogon, affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., “vulnerability chaining”) allows an unauthenticated cyber actor to execute arbitrary code on vulnerable Exchange Servers, which, in turn, enables the actor to gain persistent access to files and mailboxes on the servers, as well as to credentials stored on the servers. Successful exploitation may additionally enable the cyber actor to compromise trust and identity in a vulnerable network.
  • CVE-2021-34523, CVE-2021-34473, CVE-2021-31207. These vulnerabilities, known as ProxyShell, also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers. 
  • CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center, could enable an unauthenticated actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a POC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.

Three of the top 15 routinely exploited vulnerabilities were also routinely exploited in 2020: CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors.

Table 1: Top 15 Routinely Exploited Vulnerabilities in 2021

CVE | Vulnerability Name | Vendor and Product | Type
--- | --- | --- | ---
CVE-2021-44228 | Log4Shell | Apache Log4j | Remote code execution (RCE)
CVE-2021-40539 | | Zoho ManageEngine AD SelfService Plus | RCE
CVE-2021-34523 | ProxyShell | Microsoft Exchange Server | Elevation of privilege
CVE-2021-34473 | ProxyShell | Microsoft Exchange Server | RCE
CVE-2021-31207 | ProxyShell | Microsoft Exchange Server | Security feature bypass
CVE-2021-27065 | ProxyLogon | Microsoft Exchange Server | RCE
CVE-2021-26858 | ProxyLogon | Microsoft Exchange Server | RCE
CVE-2021-26857 | ProxyLogon | Microsoft Exchange Server | RCE
CVE-2021-26855 | ProxyLogon | Microsoft Exchange Server | RCE
CVE-2021-26084 | | Atlassian Confluence Server and Data Center | Arbitrary code execution
CVE-2021-21972 | | VMware vSphere Client | RCE
CVE-2020-1472 | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege
CVE-2020-0688 | | Microsoft Exchange Server | RCE
CVE-2019-11510 | | Pulse Secure Pulse Connect Secure | Arbitrary file reading
CVE-2018-13379 | | Fortinet FortiOS and FortiProxy | Path traversal

Additional Routinely Exploited Vulnerabilities

In addition to the 15 vulnerabilities listed in table 1, U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities identified vulnerabilities, listed in table 2, that were also routinely exploited by malicious cyber actors in 2021. 

These vulnerabilities include multiple vulnerabilities affecting internet-facing systems, including Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure. Three of these vulnerabilities were also routinely exploited in 2020: CVE-2019-19781, CVE-2019-18935, and CVE-2017-11882.

Table 2: Additional Routinely Exploited Vulnerabilities in 2021

CVE | Vendor and Product | Type
--- | --- | ---
CVE-2021-42237 | Sitecore XP | RCE
CVE-2021-35464 | ForgeRock OpenAM server | RCE
CVE-2021-27104 | Accellion FTA | OS command execution
CVE-2021-27103 | Accellion FTA | Server-side request forgery
CVE-2021-27102 | Accellion FTA | OS command execution
CVE-2021-27101 | Accellion FTA | SQL injection
CVE-2021-21985 | VMware vCenter Server | RCE
CVE-2021-20038 | SonicWall Secure Mobile Access (SMA) | RCE
CVE-2021-40444 | Microsoft MSHTML | RCE
CVE-2021-34527 | Microsoft Windows Print Spooler | RCE
CVE-2021-3156 | Sudo | Privilege escalation
CVE-2021-27852 | Checkbox Survey | Remote arbitrary code execution
CVE-2021-22893 | Pulse Secure Pulse Connect Secure | Remote arbitrary code execution
CVE-2021-20016 | SonicWall SSLVPN SMA100 | Improper SQL command neutralization, allowing for credential access
CVE-2021-1675 | Windows Print Spooler | RCE
CVE-2020-2509 | QNAP QTS and QuTS hero | Remote arbitrary code execution
CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway | Arbitrary code execution
CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX | Code execution
CVE-2018-0171 | Cisco IOS Software and IOS XE Software | Remote arbitrary code execution
CVE-2017-11882 | Microsoft Office | RCE
CVE-2017-0199 | Microsoft Office | RCE

Mitigations

Vulnerability and Configuration Management
  • Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix. 
    • If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
  • Use a centralized patch management system.
  • Replace end-of-life software, i.e., software that is no longer supported by the vendor. For example, Accellion FTA was retired in April 2021.
  • Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, as MSPs and CSPs expand their client organization's attack surface and may introduce unanticipated risks, organizations should proactively collaborate with their MSPs and CSPs to jointly reduce that risk. For more information and guidance, see the following resources.
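The patch-prioritization order described above (known exploited CVEs named in this CSA first, then critical/high RCE or DoS on internet-facing equipment, with end-of-life software flagged for replacement) can be applied mechanically to a scanner export. The following is an added example, not part of the advisory: the CVE sets are copied from tables 1 and 2, while the Finding fields, the sample export and its host names are constructed for illustration.

```python
"""Rank vulnerability-scanner findings by the CSA's patching priorities.

Added example (not the advisory's own code). CVE identifiers come from
tables 1 and 2 of the CSA; the scanner schema and sample hosts are
constructed, and the CVE-0000-* identifiers are placeholders.
"""
from dataclasses import dataclass

# Table 1: top 15 routinely exploited CVEs in 2021.
TOP_15 = {
    "CVE-2021-44228", "CVE-2021-40539", "CVE-2021-34523", "CVE-2021-34473",
    "CVE-2021-31207", "CVE-2021-27065", "CVE-2021-26858", "CVE-2021-26857",
    "CVE-2021-26855", "CVE-2021-26084", "CVE-2021-21972", "CVE-2020-1472",
    "CVE-2020-0688", "CVE-2019-11510", "CVE-2018-13379",
}
# Table 2: additional routinely exploited CVEs in 2021.
ADDITIONAL = {
    "CVE-2021-42237", "CVE-2021-35464", "CVE-2021-27104", "CVE-2021-27103",
    "CVE-2021-27102", "CVE-2021-27101", "CVE-2021-21985", "CVE-2021-20038",
    "CVE-2021-40444", "CVE-2021-34527", "CVE-2021-3156", "CVE-2021-27852",
    "CVE-2021-22893", "CVE-2021-20016", "CVE-2021-1675", "CVE-2020-2509",
    "CVE-2019-19781", "CVE-2019-18935", "CVE-2018-0171", "CVE-2017-11882",
    "CVE-2017-0199",
}
# Software the CSA names as end-of-life (Accellion FTA was retired in April 2021).
END_OF_LIFE_PRODUCTS = {"Accellion FTA"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    """One row of a (constructed) scanner export."""
    host: str
    product: str
    cve: str
    severity: str          # scanner rating: critical / high / medium / low
    impact: str            # e.g. "RCE", "DoS", "EoP", "XSS"
    internet_facing: bool


def priority(f: Finding) -> tuple:
    """Sort key: smaller tuples are patched first.

    Tier 0: CVE in table 1.  Tier 1: CVE in table 2.
    Tier 2: critical/high RCE or DoS on internet-facing equipment.
    Tier 3: everything else.  Ties break on exposure, then severity.
    """
    if f.cve in TOP_15:
        tier = 0
    elif f.cve in ADDITIONAL:
        tier = 1
    elif (f.severity in ("critical", "high")
          and f.impact in ("RCE", "DoS") and f.internet_facing):
        tier = 2
    else:
        tier = 3
    exposure = 0 if f.internet_facing else 1
    return (tier, exposure, SEVERITY_RANK.get(f.severity, 4), f.cve)


def triage(findings):
    """Return (findings in patch order, hosts running end-of-life products)."""
    ordered = sorted(findings, key=priority)
    eol_hosts = sorted({f.host for f in findings
                        if f.product in END_OF_LIFE_PRODUCTS})
    return ordered, eol_hosts


# Constructed sample export; hosts and the CVE-0000-* ids are placeholders.
SAMPLE = [
    Finding("mail01", "Microsoft Exchange Server", "CVE-2021-34473", "critical", "RCE", True),
    Finding("web02", "Example Web App", "CVE-0000-0001", "critical", "RCE", True),
    Finding("dc01", "Windows Server", "CVE-2020-1472", "critical", "EoP", False),
    Finding("fta01", "Accellion FTA", "CVE-2021-27104", "critical", "RCE", True),
    Finding("hr03", "Microsoft Office", "CVE-2017-11882", "high", "RCE", False),
    Finding("wiki01", "Example Wiki", "CVE-0000-0002", "medium", "XSS", False),
]

if __name__ == "__main__":
    ordered, eol = triage(SAMPLE)
    for f in ordered:
        print(f"tier {priority(f)[0]}  {f.host:8} {f.cve:15} {f.product}")
    print("replace end-of-life software on:", ", ".join(eol))
```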
Identity and Access Management
  • Enforce multifactor authentication (MFA) for all users, without exception.
  • Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords. 
  • Regularly review, validate, or remove privileged accounts (annually at a minimum).
  • Configure access control according to the principle of least privilege.
    • Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (non-administrative privileges).

Note: see CISA Capacity Enhancement Guide – Implementing Strong Authentication and ACSC guidance on Implementing Multi-Factor Authentication for more information on hardening authentication systems.

Protective Controls and Architecture 
  • Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices. 
    • Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
    • Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
    • Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
  • Segment networks to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks. 
  • Continuously monitor the attack surface and investigate abnormal activity that may indicate lateral movement of a threat actor or malware.
    • Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure your EDR, SIEM, vulnerability scanner etc., are reporting the same number of assets.
    • Monitor the environment for potentially unwanted programs.
  • Reduce third-party applications and unique system/application builds; provide exceptions only if required to support business critical functions.
  • Implement application allowlisting. 
Resources

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA, the FBI, NSA, ACSC, CCCS, NZ NCSC, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

Purpose 

This document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

References

[1] CISA’s Apache Log4j Vulnerability Guidance

Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities

CVE | Vendor | Affected Products | Patch Information | Resources
--- | --- | --- | --- | ---
CVE-2021-42237 | Sitecore | Sitecore XP 7.5.0 - Sitecore XP 7.5.2; Sitecore XP 8.0.0 - Sitecore XP 8.2.7 | Sitecore Security Bulletin SC2021-003-499266 | ACSC Alert Active Exploitation of vulnerable Sitecore Experience Platform Content Management Systems
CVE-2021-35464 | ForgeRock | Access Management (AM) 5.x, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3; OpenAM 9.x, 10.x, 11.x, 12.x and 13.x | ForgeRock AM Security Advisory #202104 | ACSC Advisory Active exploitation of ForgeRock Access Manager / OpenAM servers; CCCS ForgeRock Security Advisory
CVE-2021-27104 | Accellion | FTA 9_12_370 and earlier | Accellion Press Release: Update to Recent FTA Security Incident | Joint CSA Exploitation of Accellion File Transfer Appliance; ACSC Alert Potential Accellion File Transfer Appliance compromise
CVE-2021-27103 | Accellion | FTA 9_12_411 and earlier | (as for CVE-2021-27104) | (as for CVE-2021-27104)
CVE-2021-27102 | Accellion | FTA versions 9_12_411 and earlier | (as for CVE-2021-27104) | (as for CVE-2021-27104)
CVE-2021-27101 | Accellion | FTA 9_12_370 and earlier | (as for CVE-2021-27104) | (as for CVE-2021-27104)
CVE-2021-21985 | VMware | vCenter Server 7.0, 6.7, 6.5; Cloud Foundation (vCenter Server) 4.x and 3.x | VMware Advisory VMSA-2021-0010 | CCCS VMware Security Advisory
CVE-2021-21972 | VMware | vCenter Server 7.0, 6.7, 6.5; Cloud Foundation (vCenter Server) 4.x and 3.x | VMware Advisory VMSA-2021-0002 | ACSC Alert VMware vCenter Server plugin remote code execution vulnerability; CCCS VMware Security Advisory; CCCS Alert APT Actors Target U.S. and Allied Networks - Update 1
CVE-2021-20038 | SonicWall | SMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv | SonicWall Security Advisory SNWLID-2021-0026 | ACSC Alert Remote code execution vulnerability present in SonicWall SMA 100 series appliances; CCCS SonicWall Security Advisory
CVE-2021-44228 | Apache | Log4j, all versions from 2.0-beta9 to 2.14.1. For other affected vendors and products, see CISA's GitHub repository. | Log4j: Apache Log4j Security Vulnerabilities. For additional information, see joint CSA: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities | CISA webpage Apache Log4j Vulnerability Guidance; CCCS Active exploitation of Apache Log4j vulnerability - Update 7
CVE-2021-40539 | Zoho ManageEngine | ADSelfService Plus version 6113 and prior | Zoho ManageEngine: ADSelfService Plus 6114 Security Fix Release | Joint CSA APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus; CCCS Zoho Security Advisory
CVE-2021-40444 | Microsoft | Multiple Windows products; see Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444 | Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444 |
CVE-2021-34527 | Microsoft | Multiple Windows products; see Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527 | Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527 | Joint CSA Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability; CCCS Alert Windows Print Spooler Vulnerability Remains Unpatched – Update 3
CVE-2021-34523 | Microsoft | Microsoft Exchange Server 2013 Cumulative Update 23; Microsoft Exchange Server 2016 Cumulative Updates 19 and 20; Microsoft Exchange Server 2019 Cumulative Updates 8 and 9 | Microsoft Security Update Guide: Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523 | Joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities; ACSC Alert Microsoft Exchange ProxyShell Targeting in Australia
CVE-2021-34473 | Microsoft | Multiple Exchange Server versions; see Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473 | Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473 |
CVE-2021-31207 | Microsoft | Multiple Exchange Server versions; see Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207 | Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207 |
CVE-2021-3156 | Sudo | Sudo before 1.9.5p2 | Sudo Stable Release 1.9.5p2 |
CVE-2021-27852 | Checkbox Survey | Checkbox Survey versions prior to 7 | |
CVE-2021-27065 | Microsoft Exchange Server | Multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065 | Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065 | CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities; ACSC Advisory Active exploitation of Vulnerable Microsoft Exchange servers; CCCS Alert Active Exploitation of Microsoft Exchange Vulnerabilities - Update 4
CVE-2021-26858 | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858 | Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858 |
CVE-2021-26857 | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857 | Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857 |
CVE-2021-26855 | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855 | Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855 |
CVE-2021-26084 | Jira Atlassian | Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5 | Jira Atlassian: Confluence Server Webwork OGNL injection - CVE-2021-26084 | ACSC Alert Remote code execution vulnerability present in certain versions of Atlassian Confluence; CCCS Atlassian Security Advisory
CVE-2021-22893 | Pulse Secure | PCS 9.0R3/9.1R1 and Higher | Pulse Secure SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4 | CCCS Alert Active Exploitation of Pulse Connect Secure Vulnerabilities - Update 1
CVE-2021-20016 | SonicWall | SMA 100 devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) | SonicWall Security Advisory SNWLID-2021-0001 |
CVE-2021-1675 | Microsoft | Multiple Windows products; see Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675 | Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675 | CCCS Alert Windows Print Spooler Vulnerability Remains Unpatched – Update 3
CVE-2020-2509 | QNAP | QTS, multiple versions; see QNAP: Command Injection Vulnerability in QTS and QuTS hero; QuTS hero h4.5.1.1491 build 20201119 and later | QNAP: Command Injection Vulnerability in QTS and QuTS hero |
CVE-2020-1472 | Microsoft | Windows Server, multiple versions; see Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472 | Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472 | ACSC Alert Netlogon elevation of privilege vulnerability (CVE-2020-1472); Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations; CCCS Alert Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 1
CVE-2020-0688 | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688 | Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688 | CISA Alert Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity; Joint CSA Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology; CCCS Alert Microsoft Exchange Validation Key Remote Code Execution Vulnerability
CVE-2019-19781 | Citrix | ADC and Gateway version 13.0 all supported builds before 13.0.47.24; NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18, version 12.0 all supported builds before 12.0.63.13, version 11.1 all supported builds before 11.1.63.15, version 10.5 all supported builds before 10.5.70.12; SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b | Citrix Security Bulletin CTX267027 | Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations; CISA Alert Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity; CCCS Alert Detecting Compromises relating to Citrix CVE-2019-19781
CVE-2019-18935 | Progress Telerik | UI for ASP.NET AJAX through 2019.3.1023 | Telerik UI for ASP.NET AJAX Allows JavaScriptSerializer Deserialization | ACSC Alert Active exploitation of vulnerability in Microsoft Internet Information Services
CVE-2019-11510 | Pulse Secure | Pulse Connect Secure 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 | Pulse Secure: SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX | CISA Alert Continued Exploitation of Pulse Secure VPN Vulnerability; CISA Alert Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity; ACSC Advisory Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software; Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations; CCCS Alert APT Actors Target U.S. and Allied Networks - Update 1
CVE-2018-13379 | Fortinet | FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6 | Fortinet FortiGuard Labs: FG-IR-20-233 | Joint CSA Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology; Joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities; Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations; ACSC Alert APT exploitation of Fortinet Vulnerabilities; CCCS Alert Exploitation of Fortinet FortiOS vulnerabilities (CISA, FBI) - Update 1
CVE-2018-0171 | Cisco | See Cisco Security Advisory: cisco-sa-20180328-smi2 | Cisco Security Advisory: cisco-sa-20180328-smi2 | CCCS Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature
CVE-2017-11882 | Microsoft | Office, multiple versions; see Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882 | Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882 | CCCS Alert Microsoft Office Security Update
CVE-2017-0199 | Microsoft | Multiple products; see Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199 | Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199 | CCCS Microsoft Security Updates

Contact Information

U.S. organizations: all organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov. Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories. Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca. New Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654. United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Revisions
  • April 27, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

Multiple Cisco Products Snort Modbus Denial of Service Vulnerability

Cisco Security Advisories - Tue, 2022-04-26 19:41
A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-dos-9D3hJLuj
Security Impact Rating: High
CVE: CVE-2022-20685
Categories: Security Alerts

Cisco Unified Communications Products Arbitrary File Write Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 23:00
A vulnerability in the software upgrade process of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to write arbitrary files on the affected system.

This vulnerability is due to improper restrictions applied to a system script. An attacker could exploit this vulnerability by using crafted variables during the execution of a system upgrade. A successful exploit could allow the attacker to overwrite or append arbitrary data to system files using root-level privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-arb-write-74QzruUU
Security Impact Rating: Medium
CVE: CVE-2022-20789
Categories: Security Alerts
