(CTN News) – Cisco announced on Wednesday that it has released updates for its Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD) products, addressing a total of 27 vulnerabilities.
In its semiannual bundled publication, the company issued 22 security advisories describing critical-, high-, and medium-severity flaws across the three network security products.
One of the most serious of these issues is CVE-2023-20048, a command injection bug in FMC caused by insufficient authorization of configuration commands sent over the product's web service interface.
According to Cisco, an authenticated attacker could exploit the vulnerability by sending crafted HTTP requests, allowing them to run configuration commands on a targeted FTD device.
Seven advisories published on Wednesday cover eight high-severity vulnerabilities in Cisco's ASA, FMC, and FTD software.
Five of these bugs can cause a denial-of-service (DoS) condition, while the remaining three can lead to command injection.
The DoS bugs affect ICMPv6 processing, remote access VPN, internal packet processing, ICMPv6 inspection with the Snort 2 detection engine, and the logging API of the affected products.
Cisco also addressed 18 medium-severity vulnerabilities in ASA, FMC, and FTD this week; these could lead to DoS conditions, arbitrary file downloads, SAML assertion hijacking, cross-site scripting (XSS), policy bypasses, detection engine bypasses, certificate authentication bypasses, and geolocation filter bypasses.
One medium-severity issue that stands out is CVE-2022-20713, a remote, unauthenticated client-side request smuggling vulnerability in the VPN web client services component of ASA and FTD software.
The issue was reported to Cisco on August 10, 2022, but it took the company more than a year to release a patch.
Although proof-of-concept (PoC) exploit code has been made public, the bug does not appear to have been exploited in malicious attacks.
Cisco says it is not aware of any in-the-wild attacks targeting the vulnerabilities addressed by the latest ASA, FMC, and FTD updates.
Additional information is available on Cisco's security advisories page.