Cisco released several patches for high and critical vulnerabilities affecting several products like its Firepower network security devices, Identity Services Engine (ISE)) network access control platform, and Adaptive Security Appliance (ASA). The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging administrators to deploy the available patches because “a cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.”
The exploitation of vulnerabilities in network security appliances has become a common occurrence in recent years because these devices are sometimes by nature connected to the internet because they are perimeter devices and provide attackers with a privileged position on the network from where they can move laterally.
Most serious Cisco flaw allows command injection
The most serious flaw is in the Management Center Software of Cisco Firepower and allows an authenticated attacker to send unauthorized configuration commands to Firepower Threat Defense (FTD) devices that are managed through the software. The attacker can authenticate on the web interface and exploit the vulnerability by sending a specially crafted HTTP request to the target device. While Cisco doesn’t specify in its advisory what the attacker can achieve through these configuration commands, it rated the flaw as critical.
The flaw only exists in the Management Center Software, so standalone FTD devices that are managed through the Cisco Firepower Device Manager (FDM) are not affected. The Cisco Adaptive Security Appliance (ASA) software, which is the predecessor to Cisco Firepower is not affected, either.
Two other command injection vulnerabilities were also patched in the Cisco Firepower Management Center, but these can lead to command execution on the underlying operating system, not the managed devices. Exploiting these flaws requires the attacker to have valid credentials too, but they don’t need to be for the administrator account. The two vulnerabilities are rated with high severity.
A fourth code injection flaw was found and patched in both the Cisco Firepower Management Center software and the Firepower Threat Defense software. The issue is in an inter-device communication mechanism and allows an authenticated attacker to execute commands on the device as root. The limitation is that the attacker needs to have administrator role on an FTD device to target the Management Center device, or to have administrator privileges on the Management Center to execute root commands on an associated FTD device.