04-30-2024 04:44 AM
Hello everybody,
the customer has FMCv 7.2.5.1 running and I need to upgrade it because
the devices need to be upgraded too.
The Cisco Software Checker shows me the rel. 7.2.6 in this release train
as the successor but the download page does not offer 7.2.6 but 7.2.7.
Rel. 7.2.7 is still not in the Software Checker.
My question: Is rel. 7.2.7 fixed regarding the new vulnerabilities
CVE-2024-20353 and CVE-2024-20359 ?
Thanks a lot!
Bye
R.
04-30-2024 05:00 AM
@swscco001 as a guess, 7.2.6 had a problem and was removed from download, possibly this continuous boot loop after upgrading to 7.2.6 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi63113
7.2.7 resolved that issue https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/720/threat-defense-release-notes-72.html#Cisco_Reference.dita_6a2396fc-79e6-49ca-a9ac-b1ad28f974eb
7.2.7 would likely contain the bug fixes for the new vulnerabilities you refer to.
It's likely that documentation has not caught up yet; if you require official confirmation, log a call with TAC.
04-30-2024 04:56 AM
I just saw the same for the Firepower 1120 device. Only rel. 7.2.7 can be downloaded,
but it is still not in the Software Checker.
05-01-2024 04:47 AM
See, I assume that 7.2.6 was released due to CSCwj10955, but then introduced CSCwi63113, and the recommended version for the FTDs (well, at least for the 21xx and 41xx) is still 7.2.5. What level would you suggest upgrading the FMC (an FMC2600) to, to be prepared for the near future, say the next half year or so?
05-01-2024 08:18 AM - edited 05-01-2024 08:33 AM
Cisco is reportedly dropping a 7.2.5.2 patch for 7.2.5 on May 6th, which according to them is essentially just 7.2.5.1 but with the added fixes for the three "ArcaneDoor" vulnerabilities. If you can stand to wait until then, that would be your play, otherwise your next best move would probably be to install version 7.2.7. At your own risk, of course, considering it isn't the suggested release at this moment in time.
7.2.6 is buggy and was likely removed from download because of complaints about it. Our FMC's search feature stopped working after we upgraded to 7.2.6 and we're also at risk for the SNMP boot loop bug detailed here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi63113. We're going to revert our FTDs back to the previously installed version 7.2.4 and then upgrade to 7.2.5 and patch it up to 7.2.5.2 once it's available.
EDIT:
Here's the article mentioning the plans to release the 7.2.5.2 patch (read the Background section): https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221947-protect-against-cscwi63113-and-cscwi6862.html
05-01-2024 11:14 PM
Hi Matthew,
as I found rel. 7.2.7 in the Software Checker without any vulnerabilities indicated, I assume
that this is the release we can upgrade our customers' installed base to in order to
fix the "ArcaneDoor" vulnerabilities without running into a boot loop. Correct me
if I am wrong.
Thanks a lot!