Home & Office

Cisco reveals this critical bug in Cisco Security Manager after exploits are posted – patch now

Cisco discloses severe flaws in Cisco Security Manager after proof-of-concept exploits are published.
Written by Liam Tung, Contributing Writer

Cisco has disclosed a critical security flaw affecting its Cisco Security Manager software, along with two other high-severity vulnerabilities in the product. 

Cisco has flagged that the three security vulnerabilities are fixed in version 4.22 of Cisco Security Manager, which was released last week. 

Cisco Security Manager helps admins manage security policies on Cisco security devices and provision Cisco's firewall, VPN, Adaptive Security Appliance (ASA) devices, Firepower devices, and many other switches and routers. 

SEE: IoT: Major threats and security tips for devices (free PDF) (TechRepublic)

The most serious issue addressed in release 4.22 is a path-traversal vulnerability, tracked as CVE-2020-27130, which could allow a remote attacker without credentials to download files from an affected device. 

The issue, with a severity rating of 9.1 out of 10, affects Cisco Security Manager releases 4.21 and earlier. 

"The vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An attacker could exploit this vulnerability by sending a crafted request to the affected device," Cisco explains in the advisory

The company appears to have published the advisory after Florian Hauser of security firm Code White, who reported the bugs to Cisco, published proof of concept (PoC) exploits for 12 vulnerabilities affecting Cisco Security Manager. 

Hauser, who uses the Twitter handle @frycos, said in a tweet that he reported 12 flaws affecting the web interface of Cisco Security Manager 120 days ago, on July 13. 

He says he decided to release the PoCs because Cisco didn't mention the vulnerabilities in 4.22 release notes and had not published advisories.  

"Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payloads are processed in the context of NT AUTHORITY\SYSTEM," he wrote. 

Among them are multiple vulnerabilities in the Cisco Security Manager's Java deserialization function, which could allow remote attackers without credentials to execute commands of their choice on the affected device. 

Unfortunately, Cisco hasn't fixed these Java deserialization vulnerabilities in the 4.22 release but plans to fix them in the next 4.23 release. Cisco also says there are no workarounds and has not listed any mitigations that could be used until a fix arrives. 

SEE: Ransomware victims aren't reporting attacks to police. That's causing a big problem

These issues affect releases 4.21 and earlier and have a severity rating of 8.1 out of 10. Cisco issued the identifier CVE-2020-27131 to the bugs, which are due to insecure deserialization of user-supplied content.

"An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host," Cisco explains. 

A third flaw affecting Cisco Security Manager releases 4.21 and earlier, tracked as CVE-2020-27125, can allow an attacker to view insufficiently protected static credentials on the affected software. The credentials are viewable to an attacker looking at source code. 

This issue, with a severity rating of 7.1, is fixed in release 4.22.

Cisco's Product Security Incident Response Team (PSIRT) said it is aware of public announcements about these vulnerabilities. However, it was not aware of any malicious use of them.

More on Cisco and network security

  • Windows 10: Using Cisco's Webex Meetings for remote work? Patch now, warns Cisco  
  • Cisco security warning: Patch Webex Teams for Windows and surveillance camera now  
  • Update now: Cisco warns over 25 high-impact flaws in its IOS and IOS XE software  
  • Patch now: Cisco warns Jabber IM client for Windows has a critical flaw  
  • Cisco bug warning: Critical static password flaw in network appliances needs patching  
  • Cisco alert: Four high-severity flaws in routers, switches and AnyConnect VPN for Windows  
  • Patch now: Cisco warns of nasty bug in its data center software  
  • Cisco's warning: Critical flaw in IOS routers allows 'complete system compromise'  
  • Cisco warns: These Nexus switches have been hit by a serious security flaw  
  • Cisco: Critical Java flaw strikes 'call center in a box', patch urgently  
  • Cisco: These 12 high-severity bugs in ASA and Firepower security software need patching  
  • Cisco critical bug: Static password in Smart Software Manager – patch now, says Cisco  
  • Seriously? Cisco put Huawei X.509 certificates and keys into its own switches
  • How to improve cybersecurity for your business: 6 tips TechRepublic
  • New cybersecurity tool lets companies Google their systems for hackers CNET
  • Editorial standards