Cisco has disclosed a critical security flaw affecting its Cisco Security Manager software, along with two other high-severity vulnerabilities in the product.
Cisco has flagged that the three security vulnerabilities are fixed in version 4.22 of Cisco Security Manager, which was released last week.
Cisco Security Manager lets administrators manage security policies on Cisco security devices and provision Cisco firewalls, VPN devices, Adaptive Security Appliance (ASA) devices, Firepower devices, and many other Cisco switches and routers.
The most serious issue addressed in release 4.22 is a path-traversal vulnerability, tracked as CVE-2020-27130, which could allow a remote attacker without credentials to download files from an affected device.
The issue, with a severity rating of 9.1 out of 10, affects Cisco Security Manager releases 4.21 and earlier.
"The vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An attacker could exploit this vulnerability by sending a crafted request to the affected device," Cisco explains in the advisory.
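To illustrate the class of bug Cisco describes, the snippet below is an added example, not Cisco's code or anything from the advisory: a hypothetical file-download handler with the flawed "join and trust" pattern beside a hardened version that decodes, normalises and confines the requested path to a base directory. The base directory and all request strings are constructed for the illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical export directory for the illustration; not a real CSM path.
BASE_DIR = "/srv/csm/exports"


def vulnerable_resolve(requested: str) -> str:
    """The flawed pattern: glue the request onto the base directory and
    trust the result. '../' sequences walk straight out of BASE_DIR."""
    return posixpath.join(BASE_DIR, requested)


def hardened_resolve(requested: str) -> Optional[str]:
    """Decode, normalise, then require the result to stay under BASE_DIR.
    Returns the safe path, or None when the request would escape it."""
    # Decode twice so double-encoded sequences (%252e%252e) do not slip past.
    decoded = unquote(unquote(requested))
    # Embedded NULs can truncate the path in lower layers; refuse them.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators too: the target host is Windows.
    decoded = decoded.replace("\\", "/")
    # normpath is purely lexical: it collapses '.' and '..' without touching disk.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    if not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


def flag_traversal(requests):
    """Defender-side check: return the request paths the hardened resolver
    refuses, e.g. for alerting on download-endpoint access logs."""
    return [r for r in requests if hardened_resolve(r) is None]


# Constructed sample requests, including encoded and Windows-style variants.
SAMPLE_REQUESTS = [
    "report-2020-11.csv",
    "sub/policy.xml",
    "../../etc/passwd",
    "..%2f..%2fwindows%2fwin.ini",
    "%252e%252e%252fconfig.properties",
    "..\\..\\boot.ini",
    "/etc/shadow",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r}: naive={vulnerable_resolve(req)!r} safe={hardened_resolve(req)!r}")
```

The lexical check is the minimum; a real handler should additionally resolve symlinks on the final path and serve only from a directory that contains nothing sensitive.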
The company appears to have published the advisory after Florian Hauser of security firm Code White, who reported the bugs to Cisco, published proof of concept (PoC) exploits for 12 vulnerabilities affecting Cisco Security Manager.
Hauser, who uses the Twitter handle @frycos, said in a tweet that he reported 12 flaws affecting the web interface of Cisco Security Manager 120 days ago, on July 13.
"Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payloads are processed in the context of NT AUTHORITY\SYSTEM," he wrote.
Among them are multiple vulnerabilities in the Cisco Security Manager's Java deserialization function, which could allow remote attackers without credentials to execute commands of their choice on the affected device.
Cisco has not fixed these Java deserialization vulnerabilities in release 4.22 and plans to address them in the next release, 4.23. Cisco says there are no workarounds and has not listed any mitigations to use until the fix arrives.
These issues affect releases 4.21 and earlier and have a severity rating of 8.1 out of 10. Cisco assigned the bugs the identifier CVE-2020-27131; they stem from insecure deserialization of user-supplied content.
"An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host," Cisco explains.
A third flaw affecting Cisco Security Manager releases 4.21 and earlier, tracked as CVE-2020-27125, can allow an attacker to view insufficiently protected static credentials in the affected software. An attacker who can view the software's source code could read the credentials.
This issue, with a severity rating of 7.1, is fixed in release 4.22.
Cisco's Product Security Incident Response Team (PSIRT) said it is aware of public announcements about these vulnerabilities, but it was not aware of any malicious use of them.