Cisco has released security updates to address multiple pre-authentication remote code execution vulnerabilities with public exploits affecting Cisco Security Manager (CSM). CSM provides a comprehensive management solution for Cisco devices, including intrusion prevention systems and firewalls (such as Cisco ASA appliances and Cisco Catalyst 6000 Series Switches).
The Cisco Product Security Incident Response Team confirmed that it has been aware of the public availability of proof-of-concept exploits since November. The good news is that the company is not aware of any ongoing attacks exploiting these flaws.
“The Cisco Product Security Incident Response Team (PSIRT) is aware of public announcements about these vulnerabilities,” reads the advisory.
“Cisco PSIRT is not aware of malicious use of the vulnerabilities that are described in this advisory.”
The vulnerabilities were reported by Code White security researcher Florian Hauser in August, and the IT giant disclosed them on November 16.
The researcher also published proof-of-concept exploits for all 12 vulnerabilities in Cisco Security Manager because Cisco PSIRT stopped replying to his requests.
These flaws impact CSM releases 4.22 and earlier.
“A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information on an affected system,” reads the description for CVE-2020-27125.
“The vulnerability is due to insufficient protection of static credentials in the affected software. An attacker could exploit this vulnerability by viewing source code. A successful exploit could allow the attacker to view static credentials, which the attacker could use to carry out further attacks.”
The company has yet to fix the remaining security flaws, collectively tracked as CVE-2020-27131.
“Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device,” reads the advisory published by Cisco.
“These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host.”
A remote, unauthenticated attacker could exploit the flaws to execute arbitrary commands on impacted devices.
Cisco has addressed the flaws with the release of CSM Release 4.22 Service Pack 1.
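The advisory attributes the deserialization flaws to a serialized Java object arriving at a listener. The following Python triage script is an added example, not code from Cisco or the researcher: it flags Java serialization stream headers (raw or base64-wrapped) in captured bytes and extracts the top-level class name. The allow-list entry, the `/listener` path and both sample payloads are constructed assumptions.

```python
import base64
import re
import struct

HEADER = b"\xac\xed\x00\x05"          # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72  # type codes that open a new object
B64_HEADER = re.compile(rb"rO0AB[A-Za-z0-9+/]*")  # base64 of HEADER starts "rO0AB"

# Hypothetical allow-list of classes a listener legitimately receives.
EXPECTED_CLASSES = {"com.example.mgmt.StatusRequest"}

def top_level_class(buf: bytes, i: int):
    """Class name of the object that follows a header ending at index i, or None."""
    if len(buf) < i + 4 or buf[i] != TC_OBJECT or buf[i + 1] != TC_CLASSDESC:
        return None                       # block data, array, or truncated
    (length,) = struct.unpack_from(">H", buf, i + 2)
    name = buf[i + 4 : i + 4 + length]
    return name.decode("utf-8", "replace") if len(name) == length else None

def triage(payload: bytes):
    """Return [(encoding, offset, class_name, expected)] for each stream header."""
    findings = []
    pos = payload.find(HEADER)
    while pos != -1:                      # raw binary streams
        cls = top_level_class(payload, pos + len(HEADER))
        findings.append(("raw", pos, cls, cls in EXPECTED_CLASSES))
        pos = payload.find(HEADER, pos + 1)
    for m in B64_HEADER.finditer(payload):   # base64-wrapped streams
        run = m.group()
        decoded = base64.b64decode(run[: len(run) - len(run) % 4])
        cls = top_level_class(decoded, len(HEADER))
        findings.append(("base64", m.start(), cls, cls in EXPECTED_CLASSES))
    return findings

def constructed_stream(class_name: str) -> bytes:
    """Build a minimal, constructed stream prefix (zeroed serialVersionUID)."""
    name = class_name.encode()
    return HEADER + b"sr" + struct.pack(">H", len(name)) + name + bytes(8)

# Constructed samples: a length-prefixed binary frame and an HTTP body.
SAMPLE_RAW = b"\x00\x00\x00\x2a" + constructed_stream("java.util.HashMap")
SAMPLE_HTTP = (b"POST /listener HTTP/1.1\r\n\r\ndata="
               + base64.b64encode(constructed_stream("java.util.HashMap")))

if __name__ == "__main__":
    for sample in (SAMPLE_RAW, SAMPLE_HTTP):
        for finding in triage(sample):
            print(finding)
```

A finding whose class is not on the allow-list, or whose class cannot be read at all, is the one to escalate: a listener reachable without authentication has no reason to receive arbitrary object graphs.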
(SecurityAffairs – hacking, Cisco)