Summary

• A vulnerability in a policy-based Cisco Application Visibility and Control (AVC) implementation of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to evade the antivirus scanner and download a malicious file onto an endpoint.

  The vulnerability is due to improper handling of a crafted range request header. An attacker could exploit this vulnerability by sending an HTTP request with a crafted range request header through the affected device. A successful exploit could allow the attacker to evade the antivirus scanner and download malware onto the endpoint without detection by Cisco Secure Web Appliance.

  Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-swa-range-bypass-2BsEHYSu

Affected Products

• Vulnerable Products

  At the time of publication, this vulnerability affected Cisco Secure Web Appliance, both virtual and hardware versions, when the Range Request Forward feature was enabled. Range Request Forward is disabled by default.

  Determine Whether Range Request Forward Is Enabled

  To determine whether the Range Request Forward feature is enabled on Cisco Secure Web Appliance, use the rangerequestdownload command as an administrator in the CLI. If the rangerequestdownload command returns Range requests are currently Enabled, then the Range Request Forward feature is enabled, as shown in the following example:

  cisco-wsa> rangerequestdownload
  
  Range requests are currently Enabled.
  Are you sure you want to change the setting? [N]>

  For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

  Products Confirmed Not Vulnerable

  Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

• There are no workarounds that address this vulnerability. However, administrators can mitigate this vulnerability by disabling the Range Request Forward feature.

  Range Request Forward is disabled by default. If Range Request Forward is enabled, administrators can disable it using the steps shown in the following example:

  cisco-wsa> rangerequestdownload
  
  Range requests are currently Enabled.
  Are you sure you want to change the setting? [N]>
  cisco-wsa> Y
  cisco-wsa> commit

  While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment

Fixed Software

• When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

  Fixed Releases

  At the time of publication, the release information in the following table was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

  The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability that is described in this advisory and which release included the fix for this vulnerability.

  Cisco AsyncOS for Secure Web Appliance Software Release	First Fixed Release
  14.0 and earlier	Migrate to a fixed release.
  14.5	Migrate to a fixed release.
  15.0	15.0.1-004
  15.1	Migrate to a fixed release.
  15.2	15.2.1-011

  In most cases, the software can be upgraded over the network by using the System Upgrade options in the web interface of the appliance. To upgrade a device by using the web interface, do the following:

  1. Choose System Administration > System Upgrade.
  2. Click Upgrade Options.
  3. Choose Download and Install.
  4. Choose the release to upgrade to.
  5. In the Upgrade Preparation area, choose the appropriate options.
  6. Click Proceed to begin the upgrade. A progress bar displays the status of the upgrade.

  After the upgrade is complete, the device reboots.

  The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

• This vulnerability was found during the resolution of a Cisco TAC support case.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-swa-range-bypass-2BsEHYSu

Revision History

• Version	Description	Section	Status	Date
  1.0	Initial public release.	-	Final	2025-FEB-05

  Show Less