Cisco on Wednesday announced software updates that address a total of 27 vulnerabilities in its Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD) products.
As part of its semiannual bundled publication, the company published a total of 22 security advisories describing critical-, high-, and medium-severity flaws in the three network security products.
The most severe of these issues is CVE-2023-20048 (CVSS score of 9.9), a command injection bug in FMC resulting from the "insufficient authorization of configuration commands that are sent through the web service interface" of the affected product.
An authenticated, remote attacker could exploit the vulnerability by sending crafted HTTP requests to the FMC and executing unauthorized configuration commands on an FTD device that the FMC manages, Cisco explains.
On Wednesday, Cisco also published seven advisories detailing eight high-severity flaws in ASA, FMC, and FTD software. Five of the bugs could lead to denial-of-service (DoS) conditions and the remaining three allow for command injection.
The DoS bugs affect ICMPv6 processing, remote access VPN, internal packet processing, ICMPv6 inspection with the Snort 2 detection engine, and a logging API in the affected products.
The 18 medium-severity flaws that Cisco addressed this week in ASA, FMC, and FTD could lead to DoS conditions, arbitrary file download, SAML assertion hijacking, cross-site scripting (XSS) attacks, policy bypass, detection engine bypass, certificate authentication bypass, and geolocation filtering bypass.
The medium-severity issue that stands out from the crowd is CVE-2022-20713, a client-side request smuggling vulnerability in the VPN web client services component of ASA and FTD software that can be exploited by a remote, unauthenticated attacker.
The issue was initially disclosed on August 10, 2022, but Cisco needed more than a year to provide patches for it. However, despite the public availability of proof-of-concept (PoC) exploit code, the bug does not appear to have been exploited in malicious attacks.
In fact, the company says it is not aware of in-the-wild attacks targeting any of the vulnerabilities addressed in the latest ASA, FMC, and FTD software updates.
More information can be found on Cisco's security advisories page.