Cisco released security advisories to address the vulnerabilities in Cisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software. Several vulnerabilities are caused by cryptographic collision and implementation flaws in Security Assertion Markup Language (SAML) 2.0 Single Sign-On (SSO) for VPN connections. An attacker could exploit the vulnerabilities by sending a specially crafted request, packet or traffic stream to an affected system, by establishing sessions to it, or by enticing a user to open a malicious link.
Cisco products running a vulnerable release of ASA software or FTD software, including:
The above is only a sample list of affected systems and is not considered exhaustive. For detailed information on the affected products, please refer to the "Affected Products" section of the corresponding security advisory on the vendor's website.
Successful exploitation of the vulnerabilities could lead to VPN authentication bypass, cross-site request forgery (CSRF) attacks, cross-site scripting (XSS) attacks, privilege escalation, denial of service, or a system reload on an affected system.
Software updates for affected systems are now available. Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk. For detailed information on the available patches, please refer to the "Fixed Software" section of the corresponding security advisory on the vendor's website.
Users should contact their product support vendors for the fixes and assistance.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-csrf
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-frpwrtd-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-entropy
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-ike-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftds-ldapdos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftdtcp-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ipsec-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-vpn-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asaftd-saml-vpn
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-firepower-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-frpwr-cmd-inj
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-frpwr-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-frpwr-smb-snort
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-ftd-cmd-inject
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-sd-cpu-dos
https://www.us-cert.gov/ncas/current-activity/2019/05/01/Cisco-Releases-Security-Updates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15388
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1694 (to CVE-2019-1697)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1701
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1703 (to CVE-2019-1706)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1709
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1713 (to CVE-2019-1715)