Cisco has disclosed a critical security flaw and two other high-severity vulnerabilities in its Cisco Security Manager software.
Two of the three are fixed in version 4.22 of Cisco Security Manager, which was released last week; the Java deserialization issue described below is scheduled for a later release.
Cisco Security Manager helps admins manage security policies on Cisco security devices and provision Cisco’s firewall, VPN, Adaptive Security Appliance (ASA) devices, Firepower devices, and many other switches and routers.
The most severe issue patched in release 4.22 is a path-traversal vulnerability tracked as CVE-2020-27130. It could let an unauthenticated remote attacker download arbitrary files from an affected device.
The flaw, which carries a severity rating of 9.1 out of 10, affects Cisco Security Manager releases 4.21 and earlier.
According to Cisco's advisory, the vulnerability is due to improper validation of directory-traversal character sequences within requests to an affected device. An attacker could exploit it by sending a specially crafted request to the device.
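The bug class the advisory describes is a file-download handler that decodes and joins a client-supplied path without checking where the result ends up. The following is an added example, not Cisco Security Manager's code and not the researcher's PoC: a naive resolver with that flaw beside a hardened one that decodes until stable, rejects separator and terminator bytes, normalises the path and then checks containment. The DOWNLOAD_ROOT directory and the request strings are hypothetical.

```python
# Added example; this is not Cisco Security Manager's code. It shows the class of
# bug the advisory describes (trusting directory-traversal sequences in a request)
# beside a hardened resolver. DOWNLOAD_ROOT and the request strings are hypothetical.
import posixpath
from urllib.parse import unquote

DOWNLOAD_ROOT = "/opt/app/downloads"  # hypothetical directory the handler serves files from


def resolve_vulnerable(requested: str) -> str:
    """Naive join: the client-supplied path is decoded and joined as-is,
    so '../' segments walk out of DOWNLOAD_ROOT."""
    return posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, unquote(requested)))


def resolve_hardened(requested: str):
    """Decode, normalise, then confirm the result is still inside DOWNLOAD_ROOT.
    Returns the absolute path to serve, or None if the request must be rejected."""
    # Decode until stable so a double-encoded "%252e%252e" cannot slip through;
    # the cap keeps a crafted string from making us loop.
    decoded = requested
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Reject NUL bytes and backslashes outright: on the Windows host this software
    # runs on they act as a terminator and a separator, not as filename characters.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Treat the request as relative (a leading '/' would otherwise replace the root
    # in posixpath.join), then collapse '.' and '..' segments lexically.
    candidate = posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, decoded.lstrip("/")))
    # Containment check on the normalised path: it must sit strictly below the root.
    root = DOWNLOAD_ROOT.rstrip("/") + "/"
    if not candidate.startswith(root):
        return None
    return candidate


def check_requests(requests):
    """Run both resolvers over a batch of request paths; returns (request, vulnerable, hardened)."""
    return [(r, resolve_vulnerable(r), resolve_hardened(r)) for r in requests]


if __name__ == "__main__":
    # Constructed request paths, not captured traffic.
    for req, vuln, hard in check_requests([
        "reports/q3.csv",
        "../../../etc/passwd",
        "%2e%2e%2f%2e%2e%2fsecret",
        "%252e%252e%252f%252e%252e%252fsecret",
    ]):
        print(f"{req!r:45} vulnerable -> {vuln!r:35} hardened -> {hard!r}")
```

The containment check is purely lexical, which is what you want for input validation; if the served directory can contain symlinks, add a second check on `os.path.realpath(candidate)` against the real root before opening the file.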
Cisco published the advisory after Florian Hauser of the security firm Code White, who had reported the bugs to Cisco, released proof-of-concept (PoC) exploits for 12 vulnerabilities affecting Cisco Security Manager.
Hauser, known as @frycos on Twitter, tweeted that he had reported 12 flaws affecting the web interface of Cisco Security Manager 120 days earlier, on July 13.
He stated that he released the PoCs because Cisco had said nothing about the vulnerabilities in the 4.22 release notes and had not published advisories.
He said that he had submitted several pre-authentication vulnerabilities to Cisco on July 13. Among them are multiple vulnerabilities in Cisco Security Manager's Java deserialization function, which could allow unauthenticated remote attackers to execute arbitrary commands on the affected device.
Cisco did not fix these Java deserialization vulnerabilities in the 4.22 release but plans to fix them in the next release, 4.23. The company also stated that there are no workarounds and has not listed any mitigations that could be applied until a fix arrives.
These issues affect releases 4.21 and earlier and carry a severity rating of 8.1 out of 10. The bugs, tracked collectively as CVE-2020-27131, are due to insecure deserialization of user-supplied content.
An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows host.
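With no vendor workaround available, the practical interim step is to watch the listener for the payload shape the advisory describes. Every Java object stream starts with the four-byte header 0xACED0005 (STREAM_MAGIC followed by STREAM_VERSION), which base64-encodes to a string beginning "rO0AB", so a serialized object is easy to recognise whether it arrives raw or encoded. The following is an added example in Python, not Cisco's code and not the researcher's PoC: a small triage function that identifies such payloads in captured request bodies and pulls out the class names they carry. The request bodies are constructed samples; the listener, endpoint and class names are illustrative.

```python
# Added example, not Cisco Security Manager code: detect Java serialized objects
# in captured request bodies and list the classes they reference. The sample
# bodies below are constructed, not real captures. The header bytes are the
# real Java serialization stream header; the class names are illustrative.
import base64
import binascii
import re
import struct

JAVA_STREAM_HEADER = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xACED, STREAM_VERSION 5
JAVA_STREAM_B64_PREFIX = b"rO0AB"          # the same four bytes after base64 encoding
TC_CLASSDESC = 0x72                        # type code that precedes a class name
_IDENT = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$.]*$")  # plausible Java class name


def decode_java_stream(body: bytes):
    """Return the raw object stream if body is a raw or base64 Java serialized object, else None."""
    if body.startswith(JAVA_STREAM_HEADER):
        return body
    text = body.strip()
    if text.startswith(JAVA_STREAM_B64_PREFIX):
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            return None
        if raw.startswith(JAVA_STREAM_HEADER):
            return raw
    return None


def class_names(stream: bytes):
    """Best-effort list of class names: scan for TC_CLASSDESC followed by a
    2-byte big-endian length and an identifier. Good enough for triage, not a
    full parser (a class name inside block data could produce a false hit)."""
    names = []
    i = 0
    while i < len(stream) - 3:
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            name = stream[i + 3:i + 3 + length]
            if 0 < length <= 255 and len(name) == length and _IDENT.match(name):
                names.append(name.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def triage(body: bytes):
    """Classify one captured request body for a listener that should never receive Java objects."""
    stream = decode_java_stream(body)
    if stream is None:
        return {"java_object": False, "classes": []}
    return {"java_object": True, "classes": class_names(stream)}


def _sample_stream(class_name: str) -> bytes:
    """Constructed sample: header, TC_OBJECT ('s'), TC_CLASSDESC ('r'), length-prefixed name."""
    name = class_name.encode("ascii")
    return JAVA_STREAM_HEADER + b"\x73\x72" + struct.pack(">H", len(name)) + name + b"\x00" * 12


# Constructed request bodies, not real captures.
SAMPLES = {
    "raw": _sample_stream("java.util.PriorityQueue"),
    "base64": base64.b64encode(_sample_stream("java.util.HashMap")),
    "benign_form": b"username=admin&action=list",
    "benign_rO0": b"rO0AB is just text here, not base64",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:12} -> {triage(body)}")
```

Any hit on a listener that has no business accepting serialized objects is worth an alert on its own; the class list is there to tell a deliberate probe from a misrouted legitimate client. The durable fix on the application side is a deserialization allowlist such as Java's ObjectInputFilter (JEP 290), which is the vendor's to apply.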
A third flaw, tracked as CVE-2020-27125 and affecting Cisco Security Manager releases 4.21 and earlier, allows an attacker to view insufficiently protected static credentials in the affected software; the credentials can be recovered by inspecting the source code. This issue has a severity rating of 7.1 and is fixed in release 4.22.
Cisco's Product Security Incident Response Team (PSIRT) stated that it is aware of public announcements about these vulnerabilities but is not aware of any malicious use of them.