In-the-wild attacks inevitable within weeks, if not days, one security pro warns

Exploitation of Cisco Security Manager RCE flaws 'imminent'

UPDATED A plethora of pre-authentication security vulnerabilities have been discovered in Cisco Security Manager’s web interface, most of which lead directly to remote code execution (RCE).

Cisco Security Manager is used by enterprises to manage and monitor Cisco security and network devices.

Security researcher Florian Hauser of threat intel and penetration testing firm Code White found a dozen flaws in total, including a critical path traversal vulnerability, a high-risk static credential bug, and multiple high severity Java deserialization flaws.

‘Multiple attack vectors’

Cisco fixed the first two vulnerabilities in Security Manager version 4.22, which is now available to install. The networking tech giant said it will apply fixes for the Java deserialization flaws in 4.23, but offered no workarounds in the meantime.

Rody Quinlan, security response manager at cybersecurity firm Tenable, said the “vulnerabilities are relatively easy to exploit” and present “multiple attack vectors that a threat actor could potentially exploit to take control of affected systems”.


Given the potentially grave implications and the fact that Hauser has now dropped proofs-of-concept four months after creating them, Quinlan warned: “It is imperative organizations patch as soon as updates are released as it’s inevitable that we will see in-the-wild attacks in the coming weeks, if not days.”

Quinlan said the path traversal vulnerability “could allow an attacker to arbitrarily download and upload files to a vulnerable device by sending a specially crafted directory traversal request”, while the static credential vulnerability allowed attackers “to view the source code of a file and harvest credentials, which could be leveraged in further attacks”.

The Java deserialization vulnerabilities, meanwhile, “require an attacker to send a malicious serialized Java object as part of a specially crafted request resulting in arbitrary code execution with NT Authority\SYSTEM privileges”.
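Quinlan's description of a "specially crafted directory traversal request" points at something defenders can hunt for in web server access logs before a patch lands. The Python below is an added example written for this article, not code from Cisco, Code White or Tenable: it normalizes each requested path (repeated percent-decoding to catch double encoding, backslashes treated as separators) and flags requests whose `..` segments would climb above the web root. The log lines, addresses and paths are constructed, and nothing here assumes Cisco Security Manager's actual URL layout.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log (Common Log Format). The hosts, paths and
# addresses are made up for this example and do not describe any real product.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Nov/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [17/Nov/2020:10:01:05 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [17/Nov/2020:10:01:07 +0000] "GET /static/%2e%2e/%2e%2e/conf/app.properties HTTP/1.1" 200 512
10.0.0.9 - - [17/Nov/2020:10:01:09 +0000] "GET /static/%252e%252e/%252e%252e/conf/app.properties HTTP/1.1" 404 0
10.0.0.9 - - [17/Nov/2020:10:01:11 +0000] "POST /upload/..\\..\\..\\webapps/x.jsp HTTP/1.1" 200 16
10.0.0.7 - - [17/Nov/2020:10:01:13 +0000] "GET /docs/guide/../intro.html HTTP/1.1" 200 777
"""

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_target(target: str, max_decode_rounds: int = 3) -> str:
    """Return the request path in a canonical form for comparison.

    Percent-decoding is repeated until it stops changing the string (bounded
    by max_decode_rounds) so that double-encoded sequences like %252e are
    reduced the same way a lenient server would reduce them. Backslashes are
    treated as path separators and runs of slashes are collapsed.
    """
    path = urlsplit(target).path
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return re.sub(r"/+", "/", path)


def escapes_root(path: str) -> bool:
    """True when a '..' segment would step above the web root.

    A simple depth counter is enough: benign paths such as /docs/guide/../x
    never go negative, while /static/../../etc/passwd does.
    """
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def find_traversal_requests(log_text: str) -> list:
    """Scan log lines and return a list of findings for suspicious requests.

    Each finding records the line number, method, raw target, normalized path
    and the reasons it was flagged: 'escapes_root' when the decoded path climbs
    above the root, 'encoded_dotdot' when '..' only appears after decoding
    (a sign the sender was trying to slip past naive string checks).
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        path = normalize_target(target)
        reasons = []
        if escapes_root(path):
            reasons.append("escapes_root")
        if ".." in path and ".." not in target:
            reasons.append("encoded_dotdot")
        if reasons:
            findings.append({
                "line": lineno,
                "method": match.group("method"),
                "target": target,
                "normalized": path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_traversal_requests(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['method']} {finding['target']}"
              f" -> {finding['normalized']} [{', '.join(finding['reasons'])}]")
```

Run against the embedded sample, the scanner flags lines 2 to 5 (plain, single-encoded, double-encoded and backslash variants) and leaves the benign `/docs/guide/../intro.html` request alone, because its `..` never leaves the root. Feeding real access logs through `find_traversal_requests` gives a quick triage list while an appliance waits for its vendor update.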

November patch

Hauser said he first alerted Cisco to the flaws on July 13, and was told that patches had been applied to version 4.22 of Security Manager on November 10.

However, he publicly disclosed his research on November 16 because Cisco PSIRT had been “unresponsive” and apparently published release 4.22 without mentioning “any of the vulnerabilities”.

But then, on the same day, Cisco did acknowledge the vulnerabilities and Hauser’s contribution in three advisories, for CVE-2020-27125, CVE-2020-27130, and CVE-2020-27131.

And yesterday (November 17) Hauser tweeted a more positive update: “Just had a good call with Cisco! The missing vulnerability fixes were indeed implemented as well but need some further testing.”

He added: “SP1 will be released in the next few weeks. We found a good mode of collaboration now.”

The 12 flaws “are tracked and addressed through four Cisco bug IDs,” a Cisco spokesperson told The Daily Swig.

“Cisco has released free software updates that address the vulnerabilities described in the CSM path traversal vulnerability advisory and the CSM static credential vulnerability advisory.

“Cisco will release free software updates as soon as possible that address the vulnerabilities described in the CSM Java deserialization vulnerabilities advisory. We ask our customers to please review the advisories for complete detail.

“Cisco PSIRT is not aware of malicious use of the vulnerabilities.”

The Daily Swig has contacted Florian Hauser for further comment and will update the article if we receive a response.
