A day after proof-of-concept (PoC) exploit code was published for a critical flaw in Cisco Security Manager, Cisco has hurried out a patch.
Cisco Security Manager is an end-to-end security management application for enterprise administrators, which gives them the ability to enforce various security policies, troubleshoot security events and manage a wide range of devices. The application has a vulnerability that could allow remote, unauthenticated attackers to access sensitive data on affected systems. The flaw (CVE-2020-27130) has a CVSS score of 9.1 out of 10, making it critical.
“An attacker could exploit this vulnerability by sending a crafted request to the affected device,” according to Cisco, in a Tuesday analysis. “A successful exploit could allow the attacker to download arbitrary files from the affected device.”
According to Cisco, the flaw stems from the improper validation of directory traversal character sequences within requests to an affected device. A path-traversal attack aims to access files and directories that are stored outside the web root folder. If an attacker manipulates variables referencing files (with “dot-dot-slash (../)” sequences), it is possible to access arbitrary files and directories stored on file system, such as application source code, or configuration and critical system files.
PoC exploits for the flaw – as well as 11 other issues in Cisco Security Manager – were published online Monday by security researcher Florian Hauser. Hauser said in a Monday tweet that he had previously reported the flaws 120 days ago – however, Cisco “became unresponsive and the published release 4.22 still doesn’t mention any of the vulnerabilities.”
— frycos (@frycos) November 16, 2020
In a follow-up tweet on Tuesday, Hauser said: “Just had a good call with Cisco! The missing vulnerability fixes were indeed implemented as well but need some further testing. SP1 will be released in the next few weeks. We found a good mode of collaboration now.”
The flaw affects Cisco Security Manager releases 4.21 and earlier; the issue is fixed in Cisco Security Manager Release 4.22.
Other Security Manager Bugs
Cisco on Tuesday also disclosed two high-severity vulnerabilities in Cisco Security Manager. One of these (CVE-2020-27125) stems from insufficient protection of static credentials in the affected software. This flaw could allow a remote, unauthenticated attacker to access sensitive information on an affected system, according to Cisco.
“An attacker could exploit this vulnerability by viewing source code,” according to Cisco. “A successful exploit could allow the attacker to view static credentials, which the attacker could use to carry out further attacks.”
The other flaw exists in the Java deserialization function that is used by Cisco Security Manager, and could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.
That flaw (CVE-2020-27131) stems from insecure deserialization of user-supplied content by the affected software, according to Cisco.
“An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system,” said Cisco’s advisory. “A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host.”
Cisco has recently dealt with various flaws across its product line. Last week, the networking giant warned of a high-severity flaw in Cisco’s IOS XR software that could allow unauthenticated, remote attackers to cripple Cisco Aggregation Services Routers (ASR). Cisco also recently disclosed a zero-day vulnerability in the Windows, macOS and Linux versions of its AnyConnect Secure Mobility Client Software.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.