...
Clear-text traffic that matches an access-control rule intended to permit only RA or S2S VPN traffic is permitted when it should not be.
By default, to ensure that all traffic is subject to access control, Firepower Threat Defense devices do not permit the flow of decrypted Remote Access or Site-to-Site VPN traffic. A pre-filter or access-control rule must be added to permit VPN traffic. Although such a rule is added with the intention of allowing only VPN traffic, clear-text traffic that happens to match the rule criteria is also erroneously permitted.
Provision the "sysopt connection permit-vpn" command on the Firepower Threat Defense device using FlexConfig. This command allows all decrypted VPN traffic, and only decrypted VPN traffic, to bypass access control. Use the Remote Access VPN Group Policy filter to identify the VPN traffic you want screened. Because no pre-filter or access-control rule is needed to admit the VPN traffic, clear-text traffic has no rule it can match and therefore no way to bypass access control. The steps to configure "sysopt connection permit-vpn" are:
1. Create a text object variable (for example, $vpnSysVar) with a single entry whose value is "sysopt".
2. Create a FlexConfig object whose CLI text is "connection permit-vpn".
3. Insert the text object variable at the start of the CLI text in the FlexConfig object, so that it reads "$vpnSysVar connection permit-vpn".
4. In the FlexConfig Policy assigned to the device, apply the FlexConfig object as 'append' and select 'deploy always'.
5. Deploy the configuration to provision the "sysopt connection permit-vpn" command on the device.
None
The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 5.8: https://tools.cisco.com/security/center/cvssCalculator.x?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html