T.Ve

**Name of the Vulnerable Software and Affected Versions** Cisco Secure Firewall Adaptive Security Appliance (ASA) Software (affected versions not specified) **Description** A flaw exists in the proprietary SSH stack with SSH key-based authentication in Cisco Secure Firewall ASA Software. This issue could allow a remote attacker to log in to a Cisco Secure Firewall ASA device and execute commands as a specific user without the user's private SSH key. The vulnerability stems from inadequate validation of user input during the SSH authentication process. An attacker can exploit this by providing crafted input during SSH authentication. To successfully exploit this, the attacker must have a valid username and the corresponding public key. Exploitation does not grant root access. The AAA configuration command auto-enable is not impacted. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software (affected versions not specified) Description: A flaw exists in the Remote Access SSL VPN service that may allow a remote attacker with VPN access to trigger an unexpected device reload, leading to a denial of service (DoS) condition. The issue stems from insufficient error checking during the parsing of an HTTP header field value. An attacker can exploit this by sending a specially crafted HTTP request to the affected service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software (affected versions not specified) Description: A vulnerability in the Remote Access SSL VPN service could allow an authenticated, remote attacker to create or delete arbitrary files on the underlying operating system. Manipulation of critical system files could lead to a denial of service (DoS) condition, potentially dropping existing sessions and preventing new ones. An exploited device requires a manual reboot to recover. The issue is due to insufficient input validation when processing HTTP requests. An attacker could exploit this by sending crafted HTTP requests to an affected device. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software (affected versions not specified) Description: A vulnerability exists in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software that may allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. The issue is due to insufficient input validation of commands supplied by the user. An attacker could exploit this by authenticating to a device and submitting crafted input for specific commands, potentially allowing them to execute commands on the underlying operating system as root. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software (affected versions not specified) Description: A flaw in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software may allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. The issue stems from insufficient input validation of user-supplied commands. An attacker could exploit this by authenticating to a device and submitting crafted input for specific commands, potentially gaining root-level access to the underlying operating system. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.