A vulnerability in TCP processing in Cisco FirePOWER system software could allow an unauthenticated, remote attacker to download files that would normally be blocked.

The vulnerability is due to out-of-order TCP segments (retransmissions outside the current window whose data has already been acknowledged) not being properly processed before the stream is passed to HTTP inspection; for GZIP-compressed streams this causes GZIP decompression to fail.

This results in an incorrect SHA-256 hash being calculated and potential malware not being detected.
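The following Python script is an added illustration of the failure mode the advisory describes; it is not code from Cisco or from the FirePOWER software. It models a simplified inspection pipeline: TCP segments arrive, are reassembled, the GZIP stream is decompressed, and the decompressed body is hashed with SHA-256. A naive reassembler that keeps an already-acknowledged retransmission corrupts the GZIP stream, so decompression fails and no trustworthy hash can be produced; a window-aware reassembler drops the stale segment and recovers the correct hash. The inspector also fails closed when decompression fails rather than hashing partial output. The sample file, sequence numbers, segment size and arrival order are all constructed for the demonstration.

```python
import gzip
import hashlib
import zlib

# Constructed sample "download" (not a real file): 2048 incompressible bytes so
# that gzip output spans several TCP-sized segments.
SAMPLE_FILE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
COMPRESSED = gzip.compress(SAMPLE_FILE, mtime=0)
TRUE_HASH = hashlib.sha256(SAMPLE_FILE).hexdigest()
START_SEQ = 1000  # constructed initial sequence number
SEGMENT_SIZE = 400  # constructed segment payload size


def split_into_segments(data, size=SEGMENT_SIZE, start_seq=START_SEQ):
    """Cut a byte stream into (seq, payload) TCP-style segments."""
    return [(start_seq + off, data[off:off + size]) for off in range(0, len(data), size)]


def constructed_arrival(segments):
    """Constructed arrival order: segment 0 is retransmitted after it has already
    been delivered (a stale, fully acknowledged copy), and segments 2 and 3 are
    swapped (genuine out-of-order delivery)."""
    s = list(segments)
    assert len(s) >= 5, "sample stream too short for the demonstration"
    return [s[0], s[1], s[0], s[3], s[2]] + s[4:]


def reassemble_naive(segments):
    """Appends every segment in arrival order, ignoring sequence numbers.
    Models an inspector that does not discard already-acknowledged retransmissions."""
    return b"".join(payload for _, payload in segments)


def reassemble_window_aware(segments, start_seq=START_SEQ):
    """Tracks the next expected sequence number. Segments entirely below it are
    already-acknowledged retransmissions and are dropped; partial overlaps are
    trimmed; segments ahead of the expected position are buffered until the gap
    is filled. This is the handling the advisory says was missing."""
    expected = start_seq
    pending = {}  # seq -> payload, for segments that arrived early
    out = bytearray()
    for seq, payload in segments:
        if seq + len(payload) <= expected:
            continue  # stale: every byte already acknowledged and delivered
        if seq < expected:
            payload = payload[expected - seq:]  # trim the already-delivered prefix
            seq = expected
        pending[seq] = payload
        while expected in pending:  # flush everything that is now contiguous
            chunk = pending.pop(expected)
            out += chunk
            expected += len(chunk)
    return bytes(out)


def inspect_gzip_stream(stream):
    """Decompress the reassembled HTTP body and hash the result.
    Returns (ok, sha256_hex). On decompression failure returns (False, None):
    the inspector must not report a hash computed over garbage, because that
    hash will never match the known-bad file the hash lookup is meant to catch."""
    try:
        body = gzip.decompress(stream)
    except (OSError, EOFError, zlib.error, ValueError):
        return False, None
    return True, hashlib.sha256(body).hexdigest()


def run_demo():
    """Run both reassemblers over the constructed arrival order."""
    arrival = constructed_arrival(split_into_segments(COMPRESSED))
    naive_ok, naive_hash = inspect_gzip_stream(reassemble_naive(arrival))
    aware_ok, aware_hash = inspect_gzip_stream(reassemble_window_aware(arrival))
    return {
        "naive_ok": naive_ok, "naive_hash": naive_hash,
        "aware_ok": aware_ok, "aware_hash": aware_hash,
        "expected_hash": TRUE_HASH,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The key defensive point is in `inspect_gzip_stream`: when decompression fails, the pipeline must treat the file as uninspected (and the policy should decide what to do with uninspected content) instead of emitting a hash that silently misses the malware lookup.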

An attacker could exploit this vulnerability by tricking a user into downloading a file containing malware via HTTP from a specifically prepared server.

An exploit could allow the attacker to bypass the malware protection provided by the FirePOWER system software.

Workarounds that address this vulnerability are not available.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-fpwr

Security Impact Rating: Medium

CVE: CVE-2016-9209