Cisco, Snort scramble to plug malware hole
Firepower devices might let attackers through
An HTTP header validation bug has Cisco pushing a patch for its Firepower System Software.
As the advisory for CVE-2016-1345 explains, the software doesn't properly validate fields in HTTP headers.
A crafted HTTP request from an unauthenticated remote attacker can bypass the malicious file detection or blocking policies configured on the system.
Sysadmins can check whether they have file actions configured from the system dashboard: the Malware and File menu lists the file policies in place, along with their rules and actions.
“If one or more policies specify a Block Files, Block Malware, or Detect Files action, the system is vulnerable”, the advisory states.
The bug is also present in some open-source Snort installations: those running a version older than 18.104.22.168 whose source was compiled with the --enable-file-inspect configure flag.
Cisco notes that the bug is present in any system using Firepower System Software with file action policies configured. The products affected include the ASA 5500-X Series, AMP for Networks 7000 Series and 8000 Series appliances, FirePOWER 7000 and 8000 Series appliances, FirePOWER Threat Defense for integrated services routers, Blue Coat X-Series with NGIPS (next generation intrusion prevention system), Sourcefire 3D System appliances, and Virtual Next-Generation Intrusion Prevention System for VMware.
The fixed Firepower System Software versions are 22.214.171.124 and later; 126.96.36.199 and later; and 6.0.1 and later. ®