Expert publicly discloses PoC code for critical RCE issues in Cisco Security Manager

Pierluigi Paganini November 17, 2020

Cisco released multiple advisories related to security issues in Cisco Security Manager (CSM) that affect the recently released 4.22 version.

Cisco published multiple security advisories related to critical vulnerabilities affecting the Cisco Security Manager (CSM), including the recently released version 4.22.

Cisco Security Manager provides a comprehensive management solution for CISCO devices, including intrusion prevention systems and firewall.

On December 16th, the researcher Florian Hauser (aka @frycos) from security firm Code White publicly released the proof-of-concept (PoC) exploit code for 12 security flaws in the web interface of CSM.

According to a tweet published by the researcher, he reported the flaws to the vendor 120 days ago, on July 13.

The vulnerabilities in the web interface of the Cisco Security Manager could be exploited by an unauthenticated attacker to achieve remote code execution (RCE).

Hauser decided to publicly disclose the vulnerability because Cisco PSIRT did not address the flaw with the recent release 4.22.

“Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn’t state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.” explained the expert.

The vulnerabilities could be triggered to upload and download arbitrary files in the context of the highest-privilege user account “NT AUTHORITY\SYSTEM,” giving the attacker access to all files in a specific directory.

Cisco published a security advisory for Java Deserialization Vulnerabilities in Cisco Security Manager that could have allowed an unauthenticated, remote attacker with system privileges to execute arbitrary commands on an affected device.

“Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.” reads the advisory published by Cisco.

“These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host.”

These flaws affect CSM releases 4.22 and earlier, the IT giant has not released software updates to address them.

Cisco plans to fix the flaws with the release of Cisco Security Manager Release 4.23.

The Product Security Incident Response Team (PSIRT) is aware of public announcements about these flaws, but it is not aware of attacks in the wild that exploited them.

A Cisco spokesman told TheHackerNews website that Cisco has released free software updates to address the flaws in the CSM path traversal vulnerability advisory and the CSM static credential vulnerability advisory.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco Security Manager)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment