Cisco fixes exploitable RCEs in Cisco Security Manager

Pierluigi Paganini December 07, 2020

Cisco released security updates to fix multiple pre-authentication RCE flaws with public exploits affecting Cisco Security Manager.

Cisco has released security updates to address multiple pre-authentication remote code execution vulnerabilities with public exploits affecting Cisco Security Manager (CSM). CSM provides a comprehensive management solution for Cisco devices, including intrusion prevention systems and firewalls (e.g. Cisco ASA appliances, Cisco Catalyst 6000 Series Switches).

The Cisco Product Security Incident Response Team confirmed that it is aware of the public availability of proof-of-concept exploits since November. The good news is that the company is not aware of any ongoing attacks exploiting these flaws.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of public announcements about these vulnerabilities,” reads the advisory.

“Cisco PSIRT is not aware of malicious use of the vulnerabilities that are described in this advisory.”

The vulnerabilities were reported by Code White security researcher Florian Hauser in August, and the IT giant disclosed them on November 16.

The researcher also published proof-of-concept exploits for all 12 of the vulnerabilities in the Cisco Security Manager because Cisco PSIRT stopped replying to his requests.

These flaws impact CSM releases 4.22 and earlier.

The IT firm addressed two of the 12 vulnerabilities, tracked as CVE-2020-27125 and CVE-2020-27130.

“A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information on an affected system.” reads the description for CVE-2020-27125.

“The vulnerability is due to insufficient protection of static credentials in the affected software. An attacker could exploit this vulnerability by viewing source code. A successful exploit could allow the attacker to view static credentials, which the attacker could use to carry out further attacks.”

The company has yet to fix the remaining security flaws, collectively tracked as CVE-2020-27131.

“Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.” reads the advisory published by Cisco.

“These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host.”

A remote, unauthenticated attacker could exploit the flaws to execute arbitrary commands on impacted devices.
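A defender-side check for the pattern the advisory describes (a serialized Java object sent to a listener), added here as an example that is not part of the article or of Cisco's advisory: it flags the Java serialization stream header in raw, base64 or hex form and extracts the top-level class name for triage. The function names and the sample payloads are constructed for illustration.

```python
import base64
import binascii
import re
import struct

# java.io.ObjectStreamConstants: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
B64_RE = re.compile(rb"rO0AB[A-Za-z0-9+/]*={0,2}")  # base64 of the magic starts "rO0AB"
HEX_RE = re.compile(rb"(?i)aced0005(?:[0-9a-f]{2})*")

def top_level_class(stream: bytes):
    """Class name of the first object in a stream that starts with the magic, or None."""
    body = stream[len(STREAM_MAGIC):]
    if len(body) < 4 or body[0] != TC_OBJECT or body[1] != TC_CLASSDESC:
        return None
    (n,) = struct.unpack(">H", body[2:4])  # class name is length-prefixed (2 bytes, big-endian)
    name = body[4:4 + n]
    return name.decode("utf-8", "replace") if len(name) == n else None

def find_serialized_java(payload: bytes):
    """Return (encoding, offset_in_payload, class_name) for each stream header found."""
    found = []
    off = payload.find(STREAM_MAGIC)
    if off != -1:
        found.append(("raw", off, top_level_class(payload[off:])))
    m = B64_RE.search(payload)
    if m:
        text = m.group(0)
        try:  # trim to a multiple of 4 so a cut-off capture still decodes
            decoded = base64.b64decode(text[: len(text) - len(text) % 4])
            found.append(("base64", m.start(), top_level_class(decoded)))
        except binascii.Error:
            pass
    m = HEX_RE.search(payload)
    if m:
        decoded = bytes.fromhex(m.group(0).decode("ascii"))
        found.append(("hex", m.start(), top_level_class(decoded)))
    return found

# Constructed sample: a truncated stream whose top-level object is java.util.HashMap.
NAME = b"java.util.HashMap"
SAMPLE = STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(NAME)) + NAME + b"\x00" * 8
PAYLOADS = {  # constructed payloads, not captured traffic
    "raw": b"\x00\x00\x00\x21" + SAMPLE,
    "base64": b"data=" + base64.b64encode(SAMPLE),
    "hex": SAMPLE.hex().encode("ascii"),
    "benign": b"GET /index.html HTTP/1.1",
}
```

A hit only shows that a serialized Java object is present; whether that is expected on a given listener is a judgement for the analyst reviewing the traffic.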

Cisco has addressed the flaws with the release of CSM Release 4.22 Service Pack 1.

In mid-November, Cisco published multiple security advisories related to critical vulnerabilities affecting the Cisco Security Manager (CSM), including the recently released version 4.22.


Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)
