Admins who use Cisco Systems' Secure Firewall Management Center (FMC) Software for network login authentication are being warned to patch quickly: a major vulnerability could allow a remote attacker to breach security.
At risk are deployments configured for RADIUS authentication for the web-based management interface, SSH management, or both, Cisco said in its alert. This vulnerability affects only releases 7.0.7 and 7.7.0 of the firewall management software.
The vulnerability is due to improper handling of user input during the authentication phase, Cisco said. An attacker could exploit it by sending crafted input when entering credentials that will be authenticated at the configured RADIUS server. A successful exploit could allow the attacker to execute commands at a high privilege level.
In its warning, Cisco said the flaw could allow an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device.
No workarounds available
Because a RADIUS server centralizes authentication, authorization, and accounting, this vulnerability has a CVSS score of 10.
The only mitigation, Cisco says, is for admins to use another type of authentication, such as local user accounts, external LDAP authentication, or SAML single sign-on (SSO).
Robert Beggs, head of Canadian incident response firm Digital Defence, noted that, in general, use of RADIUS for authentication by admins has been decreasing. In fact, he said, configuring Secure FMC for RADIUS or SSH management is uncommon.
“However,” he added, “if [Cisco Secure FMC] users have configured RADIUS, it may be hard to mitigate the vulnerability because the RADIUS functionality is likely required for a specific purpose on the network.”
Cisco users should first determine if they have a vulnerable release by manual inspection, or by using the Cisco tool, he said in an email. If possible, they should immediately disable the RADIUS functionality. He said, “the most important step is to update to a current release of the software that is not vulnerable to this specific attack.”
Not the first major vuln in FMC
Cisco Secure FMC (formerly Firepower Management Center) manages critical Cisco network security solutions. It provides complete and unified management over firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. It oversees a number of Cisco products. However, the vendor has confirmed that this vulnerability does not affect Cisco Secure Firewall Adaptive Security Appliance (ASA) Software or Cisco Secure Firewall Threat Defense (FTD) Software.
Secure FMC also integrates with VMware’s vSphere platform, and the VMware ESXi and Microsoft Hyper-V hypervisors, and, depending on the version, can act as a management centre for cloud platforms including Amazon AWS, Google GCP, Microsoft Azure, Oracle OCI and on-premises private clouds.
This is not the first vulnerability to affect Cisco Secure FMC release 7.0.7, Beggs pointed out. There were previous reports of other high-severity issues, including some causing denial of service, with CVSS scores ranging from 7.7 to 8.6. When those vulnerabilities were identified, Cisco recommended that users upgrade to newer versions, he said, which fixed those vulnerabilities.