CVE-2019-12674
02.10.2019, 19:15
Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. These vulnerabilities are due to insufficient protections on the underlying filesystem. An attacker could exploit these vulnerabilities by modifying critical files on the underlying filesystem. A successful exploit could allow the attacker to execute commands with root privileges within the host namespace. This could allow the attacker to impact other running FTD instances.
| Vendor | Product | Version |
|---|---|---|
| cisco | firepower_threat_defense | 𝑥 < 6.4.0.2 |
| cisco | firepower_9300_firmware | - |
| cisco | firepower_4115_firmware | - |
| cisco | firepower_4125_firmware | - |
| cisco | firepower_4145_firmware | - |
| cisco | firepower_4110_firmware | - |
| cisco | firepower_4120_firmware | - |
| cisco | firepower_4140_firmware | - |
| cisco | firepower_4150_firmware | - |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-216 - DEPRECATED: Containment Errors (Container Errors)This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.
- CWE-116 - Improper Encoding or Escaping of OutputThe software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.