At the time of publication, this vulnerability affected Cisco ASA FirePOWER modules if they were running a vulnerable release of Cisco FirePOWER Software and were configured to block all access to the Linux shell using the system lockdown or system lockdown-sensor CLI command.
Note: The attack vector through an HTTPS request is open only if HTTPS management access is enabled on the Cisco ASA that is hosting the ASA FirePOWER module.
For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Determine the ASA FirePOWER Module Lockdown Configuration
To determine whether lockdown mode is enabled on the ASA FirePOWER module, log in to the ASA FirePOWER module CLI with administrative privileges and enter ? at the prompt to list the available commands. If the expert command does not appear in that list, lockdown mode is enabled.
Determine the HTTPS Management Access Configuration
To identify the status of HTTPS management access, use the show running-config http CLI command. The following example shows the output of the show running-config http command on a device that has HTTPS management access enabled on the inside interface:
asa# show running-config http
http server enable
http 0.0.0.0 0.0.0.0 inside
HTTPS management access is disabled if either of the following is true:
- The line that starts with http server enable is missing.
- The output of the show running-config http command does not include an HTTP access control list (ACL) that is associated with an interface.
If the output does include an HTTP ACL, the exact value of the HTTP ACL does not affect the vulnerability status of the device. However, for successful exploitation, the attacker must be able to connect to the HTTPS management server of the device from an IP address that is permitted by the HTTP ACL.
If the line that starts with http server enable does not include a port, as in the example above, the default port 443 is used. The exact port value does not affect the vulnerability status of the device.
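The following script applies the two checks above to the output of show running-config http: the HTTPS management server is considered enabled only if the http server enable line is present and at least one HTTP ACL entry is associated with an interface, and a given source address is considered able to reach the server only if it falls inside one of those ACL networks. It is an added example, not code from the advisory or from Cisco; the sample configurations are constructed, not captured from a real device, and the IPv6 ACL form (http address/prefix interface) is an assumption about the CLI syntax rather than something the advisory states.

```python
import ipaddress
import re

# Constructed samples of "show running-config http" output (not from a real device).
SAMPLE_ENABLED = """\
http server enable
http 0.0.0.0 0.0.0.0 inside
"""

SAMPLE_CUSTOM_PORT = """\
http server enable 8443
http 192.0.2.0 255.255.255.0 management
"""

# Server enabled but no ACL associated with an interface: access is disabled.
SAMPLE_NO_ACL = """\
http server enable
"""

# ACL present but the "http server enable" line is missing: access is disabled.
SAMPLE_DISABLED = """\
http 0.0.0.0 0.0.0.0 inside
"""


def parse_http_config(text):
    """Parse show running-config http output.

    Returns (server_enabled, port, acl) where acl is a list of
    (ip_network, interface) tuples. Other http subcommands
    (e.g. redirect, authentication-certificate) are ignored.
    """
    server_enabled = False
    port = 443  # default when "http server enable" carries no port
    acl = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^http server enable(?:\s+(\d+))?$", line)
        if m:
            server_enabled = True
            if m.group(1):
                port = int(m.group(1))
            continue
        # IPv4 form: http <address> <netmask> <interface>
        m = re.match(r"^http (\S+) (\S+) (\S+)$", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            acl.append((net, m.group(3)))
            continue
        # Assumed IPv6 form: http <address>/<prefix> <interface>
        m = re.match(r"^http (\S+/\d+) (\S+)$", line)
        if m:
            acl.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return server_enabled, port, acl


def https_management_enabled(text):
    """True only if the server is enabled AND an HTTP ACL is bound to an interface."""
    server_enabled, _port, acl = parse_http_config(text)
    return server_enabled and len(acl) > 0


def source_permitted(text, source_ip):
    """Interfaces from which source_ip is permitted to reach the HTTPS server."""
    if not https_management_enabled(text):
        return []
    addr = ipaddress.ip_address(source_ip)
    _enabled, _port, acl = parse_http_config(text)
    return [iface for net, iface in acl
            if addr.version == net.version and addr in net]


if __name__ == "__main__":
    for name, cfg in [("enabled", SAMPLE_ENABLED), ("custom port", SAMPLE_CUSTOM_PORT),
                      ("no acl", SAMPLE_NO_ACL), ("disabled", SAMPLE_DISABLED)]:
        enabled, port, acl = parse_http_config(cfg)
        print(f"{name:12s} https_management={https_management_enabled(cfg)} "
              f"port={port} acl={[(str(n), i) for n, i in acl]}")
    print("198.51.100.5 ->", source_permitted(SAMPLE_CUSTOM_PORT, "198.51.100.5"))
    print("192.0.2.10   ->", source_permitted(SAMPLE_CUSTOM_PORT, "192.0.2.10"))
```

The port is parsed only for reporting; as the advisory notes, neither the port value nor the exact ACL contents change whether the device is vulnerable, but source_permitted shows which source addresses could actually reach the HTTPS management server and therefore attempt exploitation.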
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- ASA Software
- Firepower Management Center (FMC) Software
- Firepower Threat Defense (FTD) Software
- Next-Generation Intrusion Prevention System (NGIPS) Software