Determine Patch Version to resolve FMC vulnerability

subrun.jamil
Level 1

Hello,

Currently I am running FMC 4000 with 6.4.0.4 (Build 34). I am planning to patch FMC so that I can remove both of the vulnerabilities below:

1. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191112-asa-ftd-lua-rce, where the fix is in Cisco_Firepower_Mgmt_Center_Hotfix_AA-6.4.0.7-3

2. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth, where the fix is in Cisco_Firepower_Mgmt_Center_Hotfix_T-6.4.0.5-1.sh.REL.tar (for releases 6.4.0.4 and earlier)

If I patch to 6.4.0.7-3, does it resolve the 2nd vulnerability (CVE-2019-16028) as well?

9 Replies

Marvin Rhoads
Hall of Fame

I believe if you upgrade to 6.4.0.7 (build 53) and then apply hotfix AA it will address both vulnerabilities.

Build 53 incorporated the earlier 6.4.0.7 hotfix U (which addressed CVE-2019-16028). Then AA additionally covers the issue reported in CVE-2019-15992.

If you have any doubt, you can confirm by opening a TAC case.

Hello Marvin,

As per the attached image, I do not see any hotfix numbered 6.4.0.7-3, but I see 6.4.0.8 (Cisco_Firepower_Mgmt_Center_Hotfix_AA-6.4.0.8-4.sh.REL.tar) when I follow the link for 6.4.0.7-3. Why is that? Can you advise?

That's correct. Once Cisco published patch 6.4.0.7-53 it removed the earlier hotfix for the earlier 6.4.0.7 build.

So patching to 6.4.0.7-53 and then adding hotfix AA will bring your system to the latest (as of today) publicly available releases in the 6.4 release train. Doing that will address the vulnerabilities you cited in your original post.

Which means it will actually land on 6.4.0.8, not stay at 6.4.0.7, right Marvin?

I thought it would stay at 6.4.0.7 after the hotfix, but it does not.

Even though they confusingly named the hotfix "Cisco_Firepower_Mgmt_Center_Hotfix_AA-6.4.0.8-4.sh.REL.tar", I believe the GUI will continue to say you are running 6.4.0.7.

Once it's applied, the CLI should report the actual hotfix(es) applied. (From the FMC CLI, switch to expert mode and then use the command "rpm -qa".)


Appreciate your reply here Marvin. Sorry for the nagging questions.

So, to check vulnerabilities against the final version we will land on after patching with 6.4.0.8-4, which version should I verify against for the existing known issues? Is it 6.4.0.7 or 6.4.0.8?

The GUI will show 6.4.0.7 and the CLI command I mentioned will show the hotfix ...AA_6.4.0.8 if you patch it to current levels in the 6.4 train.
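A small shell check, added here and not part of the thread, that reads a saved "rpm -qa" listing taken from FMC expert mode and reports whether both the 6.4.0.7-53 patch and Hotfix AA are present, so the remediation can be verified from the CLI rather than from the GUI version string. The RPM package names it matches are assumptions modelled on the file names quoted in the thread, and the sample listing is constructed, not real FMC output.

```shell
#!/bin/sh
# Added example: verify the FMC patch level discussed in the thread from an
# "rpm -qa" listing. Package-name patterns are assumptions; adjust them to
# whatever "rpm -qa" actually prints on your FMC.

# Constructed sample of an "rpm -qa" listing after patching (not real output).
SAMPLE_RPM_LIST='kernel-3.10.0-1.x86_64
Cisco_Firepower_Mgmt_Center_Patch-6.4.0.7-53
Cisco_Firepower_Mgmt_Center_Hotfix_AA-6.4.0.8-4
openssl-1.0.2k-19'

# fmc_patch_status <rpm-list-text>
# Prints one status line per requirement; returns 0 only when both the
# 6.4.0.7 build 53 patch and Hotfix AA (6.4.0.8-4) are installed.
fmc_patch_status() {
    list=$1
    rc=0
    if printf '%s\n' "$list" | grep -q 'Mgmt_Center_Patch-6\.4\.0\.7-53'; then
        echo "OK   patch 6.4.0.7-53 present"
    else
        echo "MISS patch 6.4.0.7-53 not found"
        rc=1
    fi
    if printf '%s\n' "$list" | grep -q 'Mgmt_Center_Hotfix_AA-6\.4\.0\.8-4'; then
        echo "OK   Hotfix AA 6.4.0.8-4 present (covers CVE-2019-15992 and CVE-2019-16028 per the thread)"
    else
        echo "MISS Hotfix AA 6.4.0.8-4 not found"
        rc=1
    fi
    return $rc
}

# installed_hotfixes <rpm-list-text>
# Lists only the Management Center hotfix packages, sorted, for a quick audit.
installed_hotfixes() {
    printf '%s\n' "$1" | grep 'Mgmt_Center_Hotfix_' | sort
}

# Usage on a real system: fmc_patch_status "$(rpm -qa)"
fmc_patch_status "$SAMPLE_RPM_LIST"
```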
