CVE-2019-15992
📋 TL;DR
This vulnerability allows authenticated remote attackers to execute arbitrary code with root privileges on Cisco ASA and FTD devices by exploiting insufficient restrictions in the Lua interpreter. Attackers can trigger a heap overflow through specially crafted Lua scripts. Only authenticated users can exploit this vulnerability.
💻 Affected Systems
- Cisco Adaptive Security Appliance (ASA) Software
- Cisco Firepower Threat Defense (FTD) Software
📦 What is this software?
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
Secure Firewall Management Center by Cisco
Secure Firewall Management Center by Cisco
Secure Firewall Management Center by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of affected network security devices, allowing attackers to establish persistent access, pivot to internal networks, intercept traffic, and disable security controls.
Likely Case
Attackers with valid credentials gain root access to affected devices, enabling them to modify configurations, create backdoors, and potentially access protected network segments.
If Mitigated
With proper access controls and network segmentation, impact is limited to the affected device itself, though root compromise still represents significant risk.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of Lua scripting. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple fixed versions depending on specific ASA/FTD release - see Cisco advisory for exact mapping
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191112-asa-ftd-lua-rce
Restart Required: Yes
Instructions:
1. Check current ASA/FTD version. 2. Consult Cisco advisory for appropriate fixed version. 3. Download and apply the update from Cisco. 4. Reboot the device as required. 5. Verify the update was successful.
🔧 Temporary Workarounds
Disable Lua Scripting
allDisable the Lua interpreter feature if not required for your deployment
no call-home profile <profile-name> lua <script-name>
no call-home
no lua
Restrict Access Controls
allImplement strict access controls and limit authenticated access to trusted sources only
access-list <name> permit ip <trusted-networks> any
aaa authentication ssh console <method>
aaa authorization exec default local
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices from critical assets
- Enforce strong authentication mechanisms and regularly rotate credentials
🔍 How to Verify
Check if Vulnerable:
Check ASA/FTD version against affected versions listed in Cisco advisory CVE-2019-15992Check Version:
show version | include VersionVerify Fix Applied:
Verify device is running a fixed version from the Cisco advisory and that Lua scripting is either disabled or properly restricted📡 Detection & Monitoring
Log Indicators:
- Unusual Lua script execution
- Authentication attempts followed by Lua-related commands
- System log entries indicating heap corruption or memory issues
Network Indicators:
- Unexpected outbound connections from ASA/FTD devices
- Traffic patterns inconsistent with normal device operation
SIEM Query:
source="asa" OR source="ftd" AND (lua OR heap OR memory) AND (error OR crash OR overflow)