There are no workarounds that mitigate this vulnerability. Disabling the FTP service will reduce the exposure to this vulnerability because it could prevent replacing the SLBL database file with a malicious one.
To disable the FTP service via the GUI, navigate to Network > IP Interfaces. For each interface, click the interface name and uncheck the FTP check box in the services area of the Edit window.
Alternatively, the CLI can be used. To disable the FTP service via the CLI, run the interfaceconfig command and choose EDIT to modify the interface configuration. When prompted, type N to disable the FTP service, then commit the changes using the commit command. The following example shows how to disable the FTP service on Cisco ESA:
ciscoesa> interfaceconfig
Currently configured interfaces:
1. Management (192.168.42.42/24 on Management: ciscoesa)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> edit
Enter the number of the interface you wish to edit.
[]> 1
IP interface name (Ex: "InternalNet"):
[Management]>
Would you like to configure an IPv4 address for this interface (y/n)? [Y]>
IPv4 Address (Ex: 192.168.1.2 ):
[192.168.42.42]>
Netmask (Ex: "24", "255.255.255.0" or "0xffffff00"):
[24]>
Would you like to configure an IPv6 address for this interface (y/n)? [N]>
Ethernet interface:
1. Data 1
2. Data 2
3. Management
[3]>
Hostname:
[ciscoesa]>
Do you want to enable Telnet on this interface? [N]>
Do you want to enable SSH on this interface? [Y]>
Which port do you want to use for SSH?
[22]>
Do you want to enable FTP on this interface? [Y]> (Enter N here; the service is disabled once the change has been committed.)
Which port do you want to use for FTP?
[21]>
Do you want to enable Cluster Communication Service on this interface? [N]>
Do you want to enable HTTP on this interface? [Y]>
Which port do you want to use for HTTP?
[80]>
Do you want to enable HTTPS on this interface? [Y]>
Which port do you want to use for HTTPS?
[443]>
Do you want to enable Spam Quarantine HTTP on this interface? [Y]>
Which port do you want to use for Spam Quarantine HTTP?
[82]>
Do you want to enable Spam Quarantine HTTPS on this interface? [Y]>
Which port do you want to use for Spam Quarantine HTTPS?
[83]>
Do you want to enable RSA Enterprise Manager Integration on this interface? [N]>
The "Demo" certificate is currently configured. You may use "Demo", but this will not be secure. To assure privacy, run "certconfig" first.
Both HTTP and HTTPS are enabled for this interface, should HTTP requests redirect to the secure service? [Y]>
Both Spam Quarantine HTTP and Spam Quarantine HTTPS are enabled for this interface, should Spam Quarantine HTTP requests redirect to the secure service? [Y]>
Do you want Management as the default interface for your Spam Quarantine? [N]>
Currently configured interfaces:
1. Management (192.168.42.42/24 on Management: ironport.example.com)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]>
ciscoesa> commit
Please enter some comments describing your changes:
[]> disabled FTP
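A saved copy of the interfaceconfig session can be checked to confirm that N was actually entered at the FTP prompt. The following is an added example, not part of the original advisory or any Cisco tooling: the sample sessions are constructed, the function names are hypothetical, and it assumes that pressing Enter at a prompt keeps the bracketed default.

```python
import re

ENABLE_RE = re.compile(r"^Do you want to enable (.+?) on this interface\? "
                       r"\[([YN])\]>\s*([YN]?)\s*$", re.I)
WHICH_RE = re.compile(r"^Which port do you want to use for (.+?)\?\s*$")
PORT_RE = re.compile(r"^\[(\d+)\]>\s*(\d*)\s*$")

# Constructed sample sessions, trimmed to the service prompts.
SESSION_ENTER_ONLY = """\
Do you want to enable Telnet on this interface? [N]>
Do you want to enable SSH on this interface? [Y]>
Which port do you want to use for SSH?
[22]>
Do you want to enable FTP on this interface? [Y]>
Which port do you want to use for FTP?
[21]>
"""
SESSION_FTP_OFF = """\
Do you want to enable Telnet on this interface? [N]>
Do you want to enable SSH on this interface? [Y]>
Which port do you want to use for SSH?
[22]>
Do you want to enable FTP on this interface? [Y]> N
"""


def audit_session(transcript):
    """Map each service prompt to its resulting state and port."""
    services, pending = {}, None
    for line in map(str.strip, transcript.splitlines()):
        if m := ENABLE_RE.match(line):
            # Assumption: an empty answer keeps the bracketed default.
            choice = (m[3] or m[2]).upper()
            services[m[1]] = {"enabled": choice == "Y", "port": None}
            pending = None
        elif m := WHICH_RE.match(line):
            pending = m[1]  # the next "[port]>" line belongs to this service
        elif pending in services and (m := PORT_RE.match(line)):
            services[pending]["port"] = int(m[2] or m[1])
            pending = None
    return services


def still_enabled(services, watch=("FTP",)):
    """Return the watched services that remain enabled after the session."""
    return [s for s in watch if services.get(s, {}).get("enabled")]


if __name__ == "__main__":
    for name, text in [("enter-only", SESSION_ENTER_ONLY), ("ftp-off", SESSION_FTP_OFF)]:
        print(name, still_enabled(audit_session(text)))
```

A session in which Enter was pressed at the FTP prompt is reported as still exposing FTP, even if the change was later committed.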
In addition to disabling the FTP service, disabling the SLBL service will reduce the exposure to this vulnerability because it could prevent the content of a malicious SLBL database file from being executed.
SLBL can be disabled only through the GUI. Navigate to Monitor > Spam Quarantine and click the Edit Setting button under the End-User Safelist/Blocklist (Spam Quarantine) area. In the Edit window, uncheck the Enable End User Safelist/Blocklist Feature check box and click Submit.