Symptom
Security vulnerability scanners report Cisco Next-Generation Intrusion Prevention System (NGIPS) Software, Cisco Firepower Management Center (FMC) Software, or Cisco Firepower Threat Defense (FTD) Software to be affected by the vulnerability identified by Common Vulnerabilities and Exposures (CVE) ID CVE-2004-0230.
Conditions
Device with default configuration.
This is seen with the HTTPS service (tcp/443) only. The SSH service (tcp/22) does not experience this issue.
Workaround
Not available or not applicable.
Restrict access to TCP port 443 on the device's management IP address to reduce the attack surface.
Further Problem Description
Cisco confirmed this to be a false positive: The Apache2 HTTP Server by default enables the TCP_DEFER_ACCEPT option on the TCP socket. With this option set, the TCP stack does not complete the TCP handshake on receipt of an empty ACK segment. Instead, the TCP stack discards the empty ACK segment and waits for the first ACK segment that carries data.
Security vulnerability scanners probing for CVE-2004-0230 typically attempt to complete the TCP handshake with an empty ACK segment, wait for a short amount of time, then send another SYN segment within the allowed window range, and finally listen for a RST segment coming back from the target device.
When the probed TCP socket uses the TCP_DEFER_ACCEPT option, the TCP handshake is not yet considered complete by the target device when the second SYN segment is received. As a result, the second SYN segment triggers the RST response. This only happens before the TCP connection is considered fully established by the target and will not happen for fully established TCP connections, even on sockets that have the TCP_DEFER_ACCEPT option enabled.
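The accept-deferral behaviour described above can be observed directly on a Linux host. The following is an added example, not Cisco's or Apache's code: it opens a loopback listener with TCP_DEFER_ACCEPT set, connects a client that sends nothing, shows that accept() does not return (the bare ACK was discarded), then sends data and shows the connection being handed to the application. It assumes Linux loopback networking; the numeric fallback 9 is the Linux value of TCP_DEFER_ACCEPT for Python builds that do not export the constant.

```python
import socket
import sys
import threading  # not used for the demo itself; kept for readers extending it

# Linux-only socket option; 9 is the Linux value, used only as a fallback.
TCP_DEFER_ACCEPT = getattr(socket, "TCP_DEFER_ACCEPT", 9)
SUPPORTED = sys.platform.startswith("linux")


def make_listener(defer_secs):
    """Loopback listener with TCP_DEFER_ACCEPT, mirroring Apache's default."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if SUPPORTED:
        # Hold half-open connections for up to defer_secs waiting for data.
        srv.setsockopt(socket.IPPROTO_TCP, TCP_DEFER_ACCEPT, defer_secs)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def run_demo(defer_secs=10, probe_wait=1.0):
    """Return (deferred, data): whether accept() was held back while the
    client sent nothing, and the first bytes the application finally read."""
    srv = make_listener(defer_secs)
    port = srv.getsockname()[1]
    # Client-side handshake completes here; the server has only seen a bare ACK.
    cli = socket.create_connection(("127.0.0.1", port))
    srv.settimeout(probe_wait)
    data = b""
    try:
        conn, _ = srv.accept()
        deferred = False      # accept() returned with no data: option not in effect
    except socket.timeout:
        deferred = True       # bare ACK discarded; nothing in the accept queue yet
        cli.sendall(b"GET / HTTP/1.0\r\n\r\n")   # first ACK that carries data
        srv.settimeout(5.0)
        conn, _ = srv.accept()                 # now the kernel hands it over
        data = conn.recv(64)
    conn.close()
    cli.close()
    srv.close()
    return deferred, data
```

On Linux, run_demo() returns (True, b"GET / HTTP/1.0\r\n\r\n"), i.e. the listener sees the connection only once data arrives, which is why a probe that relies on the bare-ACK handshake being complete draws a RST instead.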
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score.
The Base CVSS score as of the time of evaluation is: 5.3
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE ID CVE-2004-0230 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html