Field Notice: FN - 70318 - Firepower Software - Expired Certificate Authority for Clam AntiVirus Might Reduce Efficacy of Local Malware Analysis - Software Upgrade Recommended
Available Languages
Notice
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
06-Dec-18 |
Initial Release |
1.1 |
18-Apr-19 |
Updated the Workaround/Solution Section |
Products Affected
| Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|---|
NON-IOS |
Firepower Management Center Software |
6.0 |
6.0.0.0, 6.0.0.1, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4 |
|
NON-IOS |
Firepower Management Center Software |
6.1 |
6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7 |
|
NON-IOS |
Firepower Management Center Software |
6.2 |
6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.1, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7 |
Defect Information
| Defect ID | Headline |
|---|---|
| CSCvm81052 | local malware detection updates not downloading to FMC due to invalid certificate chain |
Problem Description
An expired certificate for Clam AntiVirus (ClamAV) might cause updates from the updates.vrt.sourcefire.com server to fail, which reduces the security efficacy of the Network Advanced Malware Protection (AMP) feature.
Background
Cisco Firepower software uses a Certificate Authority (CA) to validate ClamAV signature updates for Local Malware Detection and File Pre-Classification from the updates.vrt.sourcefire.com server. The certificate for ClamAV expired on 2018-08-29 and might affect the security efficacy of the Network AMP feature. A revised ClamAV certificate must be installed on Firepower security platforms that run Firepower Software Version 6.0.0 or later.
Problem Symptom
ClamAV updates for both Local Malware Detection and File Pre-Classification for the Network AMP feature of the Firepower solution will fail to update, which reduces the security efficacy of the appliance.
Workaround/Solution
Apply the Firepower Software Hotfix 6.2.0.999 in order to resolve the CA certificate issue for affected platforms.
In order to resolve the issue without an upgrade to the Firepower software, complete these steps to manually import the updated ClamAV certificate and enable signature updates. Do not use this workaround when you use CC Mode. Instead, upgrade to Firepower Software Version 6.2.3.9 or later.
- Enter sudo su - in order to elevate to root.
- Enter mv /etc/sf/keys/sandbox/cacert.pem /etc/sf/keys/sandbox/cacert.pem.bak in order to back up the current certificate.
- Create a new certificate file.
- Enter vim /etc/sf/keys/sandbox/cacert.pem.
- Press the i key in order to enter editing mode.
- Copy and paste this updated certificate into the file.
-----BEGIN CERTIFICATE----- MIIF1DCCA7ygAwIBAgIQNz8Ipy2X8LBL1d0P+acMfzANBgkqhkiG9w0BAQsFADBq MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKc291cmNlZmly ZTETMBEGCgmSJomT8ixkARkWA3ZydDEiMCAGA1UEAxMZVlJUIENlcnRpZmljYXRl IEF1dGhvcml0eTAeFw0xMjA4MjkxODU3MDBaFw0yMjA2MDIxNTM0MjFaMGoxEzAR BgoJkiaJk/IsZAEZFgNjb20xGjAYBgoJkiaJk/IsZAEZFgpzb3VyY2VmaXJlMRMw EQYKCZImiZPyLGQBGRYDdnJ0MSIwIAYDVQQDExlWUlQgQ2VydGlmaWNhdGUgQXV0 aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtYbRWazawM1b nWFG/lqu5dtTLqa2aPKp8spOjwbfEAW6iqdSijUZb9+DhNEZkmDrHHP8l/QaU57v O30plDaoVTDk/v6Gu7h1yluvnLMBPzIu9OQKkRIHQI3EoZDXIY6wS0CJvUk5Xb+D lF8FQjqWc9p16YrUre14gikVAjrkB0ZmODX+SdUYfzfTmCWCrz42DIw02El+saiG 4BEll1lKhGEPhFX/eUmWiZ9DzOUhg0hipKP5BqFHC4rg+OOKlTWe6J4kAdk809mv lK0Dktxm90jYwB8oYYOnMO97Hul65HtlI23J3yasOI1ejUH+6yJdfMkMIQpiH7l6 ltzS5tLyoAe0uZ+hHDbH4YkcIA/X9Yh0GFGfQuLT6ZK3Awp/qTGBCT6ZYYJilUAM 3vL+MtpGNh6juSatrkSAmiJzoMGxp5TM6W5bMNI+QYFRU43o4QFziTPiFkgKwuDI 2gjhQV6oBJPrjcavb9enrSy6ZfqSMXkyJLlNRwf1hsaZNtCure3UDRxu1c0QR6eE myfkJ/TiP/5hzz4qe4LjKMLzVxrCRghddsCVWx/PCWPQ9APeqeJpDzUwIvs1N2/c Cbd9sbNevVaeCVlFbpt0QWU71upR0QKLZ2axqnC/1aPgO6oQ7WF4J5mBqKrx/VPr zfrpu6AKj99UgHpsM7g3UafRjYEBHBECAwEAAaN2MHQwCwYDVR0PBAQDAgGGMA8G A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCzb5T33BDtz/9mIAc/QXuQlJDmYMBAG CSsGAQQBgjcVAQQDAgECMCMGCSsGAQQBgjcVAgQWBBSbuBN5wvG3LX3mc2ofysni jpxnAjANBgkqhkiG9w0BAQsFAAOCAgEAGmQ9nC1V5qY/Xu8RnITtsgyiJFQnz1k6 VPFdlLzfsuN1mX4eUgseBQj8yN5YmhuE2t8CE2xk7RWC+rYZZBsGhAx7q0ttP8Ja MRXhQCCL89fnlYDIuopzdtJkoSqEk5IF4277Cba7NGxeytsdUG+KglAslDmVjHIk dIRAlVC/E0WRaYVl0Y2qVISBsEA5DIiiuGqbNMUYQAY1oK3+FKH6tyTyXAQ22HQ/ Yr0iXnG9GiPLPfVjJfGwrgYpDfoL4mc328riiCLLvLHoS8gP0SBdWLezMAS6tXXm HYwpTkk1wKrFm4Xfp05Lggy87o9TllO9IelMZD39mhm/45lRMwV1iOuoZnvVD3+V 5DEbvMTFUueFOAsdi7A/RvGUWxWqIuxn1XXgJd3pXhKt8JfE5ebPqloAalnuyslS DSjRGCD28+pBhjPx7vuCaKI3OknNp+7XcYSWFcbY7q7rt1eO7EZlenNMxNzWqvLF fpWQNA6f5fk/c8XCNqMLKhAB1QH9mQ3DN8FL910Z6cCiXYtcdY4GSfoqvni+PuhD KhcX8T+/A73PjuMmdqmvwuq2xFkv8xmbx3gKHfWBi1NoThZViv5PCZtXVAvP09oq hUL94KF32lg3kDzXWLYSTYH5+NW8LmEgjPVUsqEzaTAvnyzZaAjDoNrkC1WZ68XZ rX5zPl5t6sc= -----END CERTIFICATE-----
- Press the ESC key in order to exit editing mode.
- Enter :wq in order to save the file and exit.
- Enter vim /etc/sf/keys/sandbox/cacert.pem.
- Enter pmtool restartbyid CloudAgent in order to restart the service to use the updated ClamAV certificate.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)
This Document Applies to These Products
Unleash the Power of TAC's Virtual Assistance