CVE-2017-12245

Missing Release of Resource after Effective Lifetime

Published: Oct 05, 2017 | Modified: Oct 09, 2019

CVSS 3.x: 8.6 HIGH (Source: NVD)
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVSS 2.x: 5.0 MEDIUM
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

A vulnerability in SSL traffic decryption for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause depletion of system memory, aka a Firepower Detection Engine SSL Decryption Memory Consumption Denial of Service vulnerability. If this memory leak persists over time, a denial of service (DoS) condition could develop because traffic can cease to be forwarded through the device. The vulnerability is due to an error in how the Firepower Detection Snort Engine handles SSL traffic decryption and notifications to and from the Adaptive Security Appliance (ASA) handler. An attacker could exploit this vulnerability by sending a steady stream of malicious Secure Sockets Layer (SSL) traffic through the device. An exploit could allow the attacker to cause a DoS condition when the device runs low on system memory. This vulnerability affects Cisco Firepower Threat Defense (FTD) Software Releases 6.0.1 and later, running on any of the following Cisco products: Adaptive Security Appliance (ASA) 5500-X Series Next-Generation Firewalls, Firepower 2100 Series Security Appliances, Firepower 4100 Series Security Appliances, Firepower 9300 Series Security Appliances. Cisco Bug IDs: CSCve02069.

Weakness

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Affected Software

Name                          Vendor   Start Version         End Version
Firepower_management_center   Cisco    6.0.1 (including)     6.0.1 (including)
Firepower_management_center   Cisco    6.0.1.3 (including)   6.0.1.3 (including)
Firepower_management_center   Cisco    6.1.0 (including)     6.1.0 (including)
Firepower_management_center   Cisco    6.1.0.3 (including)   6.1.0.3 (including)
Firepower_management_center   Cisco    6.1.0.6 (including)   6.1.0.6 (including)
Firepower_management_center   Cisco    6.2.0 (including)     6.2.0 (including)
Firepower_management_center   Cisco    6.2.0.2 (including)   6.2.0.2 (including)
Firepower_management_center   Cisco    6.2.1 (including)     6.2.1 (including)
Firepower_management_center   Cisco    6.2.2 (including)     6.2.2 (including)

Potential Mitigations

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
  • Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
  • When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.
  • Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).