BugZero | Cisco BugID CSCvf75135 - Configure "sysopt connection permit-vpn" using Fle...

Cisco - Defect ID: CSCvf75135

Configure "sysopt connection permit-vpn" using FlexConfig to prevent unintended clear-text traffic

Cisco - Defect ID: CSCvf75135

Configure "sysopt connection permit-vpn" using FlexConfig to prevent unintended clear-text traffic

Last updated on 7/19/2023

Overall: 6.16.1

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 5.15.1

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 6.16.1

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 5.15.1

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

Clear-text traffic, that matches the access-control rule intended to permit RA or S2S VPN traffic only, is permitted when it should not be allowed.

Conditions

By default, to ensure that all traffic is subject to access-control, Firepower Threat Defense devices do not permit the flow of decrypted Remote Access or Site-to-site VPN traffic. A pre-filter or access-control rule must be added to permit VPN traffic. Although the pre-filter or access-control rule is added intending to allow VPN traffic only, if clear-text traffic happens to match the rule criteria, it is erroneously permitted.

Workaround

Execute the "sysopt connection permit-vpn command" on the Firepower Threat Defense device using FlexConfig. This command allows all decrypted VPN traffic, and only decrypted VPN traffic, to bypass access-control. Use the Remote Access VPN Group Policy filter to identify VPN traffic you want screened. Without filters and rules defined, clear-text traffic has no chance of bypassing. Following are the steps to configure "sysopt connection permit-vpn": 1. Create a text object variable, for example: $vpnSysVar a single entry with value "sysopt" 2. Create another FlexConfig object with CLI "connection permit-vpn" 3. Insert the text object variable in flexconfig object at the start of CLI as "$vpnSysVar connection permit-vpn" 4. Apply the FlexConfig object as 'append' and select to 'deploy always' in the FlexConfig Policy assigned to the device. 5. Deploy the configuration to provision "sysopt connection permit-vpn" command on the device.

Further Problem Description

None

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 5.8: https://tools.cisco.com/security/center/cvssCalculator.x?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCvf75135

Configure "sysopt connection permit-vpn" using FlexConfig to prevent unintended clear-text traffic

Cisco - Defect ID: CSCvf75135

Configure "sysopt connection permit-vpn" using FlexConfig to prevent unintended clear-text traffic

Last updated on 7/19/2023

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

PSIRT Evaluation

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?