Cisco Security Advisory, 5 July 2024
Cisco Adaptive Security Appliance and Firepower Threat Defense Software Inactive-to-Active ACL Bypass Vulnerability

😨 **Vulnerability description:** A vulnerability in the activation of access control lists (ACLs) in Cisco ASA and FTD Software could allow an unauthenticated, remote attacker to bypass the protection offered by a configured ACL on an affected device. The vulnerability is due to a logic error that occurs when an ACL changes from inactive to active in the running configuration of an affected device. An attacker could exploit it by sending traffic through the affected device that the configured ACL should deny; for example, traffic that is normally blocked, such as traffic from known malicious IP addresses, could bypass the ACL rules and reach the protected network. The reverse is also true: traffic that should be permitted could be denied by the configured ACL, so that legitimate users cannot reach network resources. A successful exploit could allow the attacker to bypass the ACL protections configured on the affected device and access the trusted networks that the device may be protecting. The vulnerability affects both IPv4 and IPv6 traffic, as well as dual-stack configurations in which both IPv4 and IPv6 ACLs are configured.

🤔 **Impact:** The vulnerability could allow an attacker to bypass the ACL protections configured on an affected device and gain access to trusted networks, such as internal networks or critical servers. An attacker could use that access to steal sensitive data, install malware, or launch denial-of-service attacks.

💡 **Solution:** Cisco has released software updates that address this vulnerability. A workaround that addresses it is also available. Users are advised to update their devices promptly.

✅ **Mitigations:** Until the device has been updated, users can take the following steps to reduce exposure to this vulnerability:

* Restrict access to the affected device.
* Monitor network traffic to detect any suspicious activity.
* Back up important data regularly.

🚀 **Summary:** The ACL activation vulnerability in Cisco ASA and FTD Software is a serious security issue that could allow an attacker to bypass network security protections. Users are advised to update their devices promptly to fix the vulnerability and to apply the necessary mitigations to reduce risk.

A vulnerability in the activation of an access control list (ACL) on Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the protection that is offered by a configured ACL on an affected device.

This vulnerability is due to a logic error that occurs when an ACL changes from inactive to active in the running configuration of an affected device. An attacker could exploit this vulnerability by sending traffic through the affected device that should be denied by the configured ACL. The reverse condition is also true—traffic that should be permitted could be denied by the configured ACL. A successful exploit could allow the attacker to bypass configured ACL protections on the affected device, allowing the attacker to access trusted networks that the device might be protecting.

Note: This vulnerability applies to both IPv4 and IPv6 traffic as well as dual-stack ACL configurations in which both IPv4 and IPv6 ACLs are configured on an interface.
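As an added defender-side check, not part of Cisco's advisory or of any Cisco tooling, the script below inventories an ASA-style running configuration for access-list entries currently marked inactive and reports which interfaces their ACLs are bound to, so an operator knows where an inactive-to-active transition would take effect and can review those ACLs after patching. It assumes the `access-list ... inactive` and `access-group` command syntax; the configuration sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of an ASA-style running configuration (not taken from any real device).
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.11 eq 25 inactive
access-list OUTSIDE_IN extended deny ip any any
access-list DMZ_IN extended permit ip 192.0.2.0 255.255.255.0 any
access-list MGMT_IN extended permit tcp 2001:db8::/32 any eq 22 inactive
access-group OUTSIDE_IN in interface outside
access-group MGMT_IN in interface management
"""

# One ACE: name, action, the rest of the rule, and an optional trailing "inactive" keyword.
# Remark lines and "access-list NAME line N ..." forms are deliberately not matched.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended|standard)\s+(permit|deny)\s+(.*?)(\s+inactive)?\s*$"
)
# Binding of an ACL to an interface and direction (assumed access-group syntax).
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)\s*$")


def audit_inactive_aces(config):
    """Return {acl_name: {"inactive": [rule, ...], "interfaces": ["iface/dir", ...]}}
    for every ACL that contains at least one inactive entry."""
    inactive = defaultdict(list)
    bindings = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, rule, flag = m.groups()
            if flag:  # only entries that are currently inactive are of interest
                inactive[name].append(f"{action} {rule}")
            continue
        g = GROUP_RE.match(line)
        if g:
            name, direction, iface = g.groups()
            bindings[name].append(f"{iface}/{direction}")
    # An ACL with inactive entries but no binding cannot affect traffic until it is applied.
    return {name: {"inactive": rules, "interfaces": bindings.get(name, [])}
            for name, rules in inactive.items()}


if __name__ == "__main__":
    for acl, info in audit_inactive_aces(SAMPLE_CONFIG).items():
        bound = ", ".join(info["interfaces"]) or "not bound to any interface"
        print(f"{acl}: {len(info['inactive'])} inactive ACE(s); applied on {bound}")
        for rule in info["inactive"]:
            print(f"    {rule}")
```

Run it against the output of `show running-config` saved to a file; ACLs that appear in the report are the ones whose activation should be reviewed.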

Cisco has released software updates that address this vulnerability. There is a workaround that addresses this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ogsnsg-aclbyp-3XB8q6jX

This advisory is part of the May 2024 release of the Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: May 2024 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.


Security Impact Rating: Medium
CVE: CVE-2024-20293
