In response to the multiple Cisco Security Manager vulnerabilities reported by security researcher Florian Hauser, the networking device manufacturer has published three advisories. The vulnerabilities, if exploited, allow remote code execution (RCE), thus giving the attacker complete control of the victim’s system.
Hauser, a security researcher at Code White, had originally found 12 vulnerabilities affecting the web interface of Cisco Security Manager nearly four months earlier. Following standard responsible-disclosure practice, Hauser shared his findings with Cisco so that they could be fixed. However, after 120 days Cisco had still not replied or acknowledged the fixes in its latest update, v4.22, so he decided to tweet about it and publish proof-of-concept (PoC) code for the vulnerabilities.
[Embedded tweet] — frycos (@frycos) November 16, 2020
Cisco acknowledged the report and contacted Hauser on November 17, stating that it had indeed fixed the reported issues, and in response released three advisories for the three CVEs, which between them cover multiple vulnerabilities.
The Cisco Security Manager Vulnerabilities
According to the analysis shared by cybersecurity service provider Tenable, the three CVEs fixed by Cisco are described as follows:
- CVE-2020-27125 (CVSSv3 score – 7.4): This is a static credential vulnerability in Cisco Security Manager. If exploited successfully, an unauthenticated remote attacker could easily obtain static credentials by viewing the source code of a specific file. This would allow the attacker to “carry out further attacks.”
- CVE-2020-27130 (CVSSv3 score – 9.1): This is a critical path traversal vulnerability in Cisco Security Manager. If exploited successfully, an unauthenticated remote attacker could send a specially crafted request containing directory traversal character sequences (e.g. “../../”) to a vulnerable device. This would allow the attacker to download and upload arbitrary files on the device.
- CVE-2020-27131 (CVSSv3 score – 8.1): This advisory covers multiple vulnerabilities in the Java deserialization function of Cisco Security Manager. A remote attacker could exploit them by generating malicious serialized Java objects with a tool such as ysoserial.net and sending them as part of a specially crafted request to the vulnerable device. Successful exploitation would grant the attacker arbitrary code execution on the device as NT AUTHORITY\SYSTEM.
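The two bug classes behind CVE-2020-27130 and CVE-2020-27131 (path traversal and unfiltered Java deserialization) have standard server-side mitigations, shown here in one added example that is not Cisco's code, the advisories' content, or Hauser's PoC. The web root path, the `SessionToken` DTO and the sample request parameters are all hypothetical and constructed for the demonstration; the code assumes Java 11 or later and uses only the standard library.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public class WebAppHardening {

    // ---- 1. Path traversal (the CVE-2020-27130 bug class) ----

    // Hypothetical web root: every file a request may read or write must stay under it.
    static final Path WEB_ROOT = Paths.get("/opt/app/webroot").toAbsolutePath().normalize();

    // Decode the parameter exactly once (the container does not decode it again),
    // collapse "../" with normalize(), then check containment against the root.
    static Path resolveUnderRoot(String requestedName) throws IOException {
        String decoded = URLDecoder.decode(requestedName, StandardCharsets.UTF_8);
        if (decoded.indexOf('\0') >= 0) {
            throw new IOException("rejected: NUL byte in path");
        }
        // Treat back-slashes as separators too, so "..\..\" is caught on any host OS.
        Path candidate = WEB_ROOT.resolve(decoded.replace('\\', '/')).normalize();
        if (!candidate.startsWith(WEB_ROOT)) {
            throw new IOException("rejected: path escapes web root: " + decoded);
        }
        return candidate;
    }

    // ---- 2. Java deserialization (the CVE-2020-27131 bug class) ----

    // Hypothetical DTO: the only application class allowed on the wire.
    static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionToken(String user) { this.user = user; }
    }

    // Allow-list filter (JEP 290): any other class is rejected before it is instantiated,
    // so a gadget chain never gets to run. Depth/reference checks arrive with a null class.
    static final ObjectInputFilter ALLOW_LIST = info -> {
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            return info.depth() > 5 || info.references() > 100
                    ? ObjectInputFilter.Status.REJECTED
                    : ObjectInputFilter.Status.UNDECIDED;
        }
        if (clazz == SessionToken.class || clazz == String.class) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    };

    static SessionToken deserializeToken(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(ALLOW_LIST); // must be set before the first readObject()
            return (SessionToken) in.readObject();
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters, not captured traffic.
        for (String name : List.of("reports/summary.txt", "..%2F..%2Fwindows%2Fwin.ini", "../../etc/passwd")) {
            try {
                System.out.println("ALLOW " + name + " -> " + resolveUnderRoot(name));
            } catch (IOException e) {
                System.out.println("DENY  " + name + " -> " + e.getMessage());
            }
        }

        // The allowed DTO round-trips; an arbitrary JDK collection (standing in for an
        // attacker-supplied object graph) is rejected by the filter.
        System.out.println("token user = " + deserializeToken(serialize(new SessionToken("alice"))).user);
        try {
            deserializeToken(serialize(new java.util.ArrayList<>(List.of("x"))));
        } catch (InvalidClassException e) {
            System.out.println("DENY  ArrayList -> " + e.getMessage());
        }
    }
}
```

Only the first file name is resolved; the two traversal attempts are refused because the normalized path no longer starts with the web root. For the deserialization half, the filter is the control that matters: once it is installed, `readObject()` fails with `InvalidClassException` on any class outside the allow-list, which is exactly the point at which a ysoserial-style payload would otherwise begin executing.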
Rody Quinlan, Security Response Manager at Tenable, said, “These vulnerabilities are relatively easy to exploit and the researcher who discovered them, Florian Hauser, has already publicly shared proofs-of-concept (PoCs). Almost all the vulnerabilities directly give RCE, which presents multiple attack vectors that a threat actor could potentially exploit to take control of affected systems. Given the impact that exploiting these vulnerabilities could have, and the fact that PoCs are available, it is imperative organizations patch as soon as updates are released as it’s inevitable that we will see in-the-wild attacks in the coming weeks, if not days.”
Cisco has already released patches for CVE-2020-27125 and CVE-2020-27130, and a patch for CVE-2020-27131 will be made available soon. The company’s Security Response Team has not yet found any evidence of these vulnerabilities being exploited in the wild, but it has cautioned users to keep their systems updated with the latest patches.