...
Snort3 crash on FTD running 7.2.1, after processing a client hello packet like below:

Decoded Packet - (Type - 1)
Packet (Length: 635)
Layer ETH:
    Destination: 00:50:56:aa:aa:aa
        Address: 00:50:56:bb:bb:bb
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 00:50:56:aa:aa:aa
        Address: 00:50:56:bb:bb:bb
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Layer IP:
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 621
    Identification: 0xf95d (63837)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0xb26f [validation disabled]
    Header checksum status: Unverified
    Source: 10.1.1.1
    Destination: 153.1.19.1
Layer TCP:
    Source Port: 58501
    Destination Port: 443
    Stream index: 0
    TCP Segment Len: 581
    Sequence number: 1 (relative sequence number)
    Next sequence number: 582 (relative sequence number)
    Acknowledgment number: 1 (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        TCP Flags: ·······AP···
    Window size value: 1023
    Calculated window size: 1023
    Window size scaling factor: -1 (unknown)
    Checksum: 0x0000 [unverified]
    Checksum Status: Unverified
    Urgent pointer: 0
    SEQ/ACK analysis
        Bytes in flight: 581
        Bytes sent since last PSH flag: 581
    Timestamps
        Time since first frame in this TCP stream: 0.000000000 seconds
        Time since previous frame in this TCP stream: 0.000000000 seconds
    TCP payload (581 bytes)
Layer SSL:
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 576
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 572
            Version: TLS 1.2 (0x0303)
            Random: 83dbe35e73d64d277f427f03ecc367a5628f7fb3b6c5e82a...
                GMT Unix Time: Feb 7, 2040 11:11:26.000000000 UTC
                Random Bytes: 73d64d277f427f03ecc367a5628f7fb3b6c5e82a2204b8e0...
            Session ID Length: 32
            Session ID: b6c4764449a6fe5da8ad2520ac657e21d821ee9a0fddf740...
            Cipher Suites Length: 44
            Cipher Suites (22 suites)
                Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
                Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 455
            Extension: server_name (len=27)
                Type: server_name (0)
                Length: 27
                Server Name Indication extension
                    Server Name list length: 25
                    Server Name Type: host_name (0)
                    Server Name length: 22
                    Server Name: az667904.vo.msecnd.net
            Extension: supported_versions (len=9)
                Type: supported_versions (43)
                Length: 9
                Supported Versions length: 8
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
                Supported Version: TLS 1.1 (0x0302)
                Supported Version: TLS 1.0 (0x0301)
            Extension: signature_algorithms (len=26)
                Type: signature_algorithms (13)
                Length: 26
                Signature Hash Algorithms Length: 24
                Signature Hash Algorithms (12 algorithms)
                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (4)
                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (5)
                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (6)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_sha1 (0x0203)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: SHA1 DSA (0x0202)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
            Extension: SessionTicket TLS (len=0)
                Type: SessionTicket TLS (35)
                Length: 0
                Data (0 bytes)
            Extension: supported_groups (len=8)
                Type: supported_groups (10)
                Length: 8
                Supported Groups List Length: 6
                Supported Groups (3 groups)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: secp384r1 (0x0018)
            Extension: key_share (len=71)
                Type: key_share (51)
                Length: 71
                Key Share extension
                    Client Key Share Length: 69
                    Key Share Entry: Group: secp256r1, Key Exchange length: 65
                        Group: secp256r1 (23)
                        Key Exchange Length: 65
                        Key Exchange: 0454d6edd468e28c8190e508d09eea67e882bf3bad46b149...
            Extension: post_handshake_auth (len=0)
                Type: post_handshake_auth (49)
                Length: 0
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: psk_key_exchange_modes (len=2)
                Type: psk_key_exchange_modes (45)
                Length: 2
                PSK Key Exchange Modes Length: 1
                PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
            Extension: pre_shared_key (len=267)
                Type: pre_shared_key (41)
                Length: 267
                Pre-Shared Key extension
                    Identities Length: 214
                    PSK Identity (length: 208)
                        Identity Length: 208
                        Identity: 29db241ec9d9c8a74012673e9c2d166758ebdfdfd9e06211...
                        Obfuscated Ticket Age: 1117342541
                    PSK Binders length: 49
                    PSK Binders
SSL inspection needs to be enabled along with Snort3 as the IPS engine.
None known at this point.
NA