Cisco Patches Critical Flaw Following PoC Exploit Code Release!


A critical path-traversal flaw (CVE-2020-27130) in Cisco Security Manager exposes sensitive information to remote, unauthenticated attackers.

A day after proof-of-concept (PoC) exploit code was published for a critical flaw in Cisco Security Manager, Cisco has pushed out a patch.

Cisco Security Manager is an end-to-end security management application for enterprise administrators, giving them the ability to enforce security policies, troubleshoot security events & manage a wide range of devices. The application has a vulnerability that could allow remote, unauthenticated attackers to access sensitive data on affected systems.

Score

The flaw (CVE-2020-27130) has a CVSS score of 9.1 out of 10, making it critical.

“An attacker could exploit this vulnerability by sending a crafted request to the affected device,” according to Cisco, in a Tuesday analysis. “A successful exploit could allow the attacker to download arbitrary files from the affected device.”

According to Cisco, the flaw stems from improper validation of directory-traversal character sequences within requests to an affected device. A path-traversal attack aims to access files & directories that are stored outside the web root folder.

By manipulating variables that reference files with “dot-dot-slash (../)” sequences, an attacker can reach arbitrary files & directories on the file system, such as application source code, configuration files & critical system files, with whatever privileges the web application process holds.
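The mechanism above, as an added example that is not code from the page or from Cisco: a naive file handler that glues the requested path onto a web root, beside a hardened resolver that decodes, normalises and refuses anything that leaves the root, plus a small log-hunting helper that applies the same check to recorded requests. The web root, the log lines and the request paths are all constructed for the demo; nothing here reflects Cisco Security Manager's real layout or the published PoC.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed web root for the demo. Nothing on the page names the product's
# real directory layout, so this path is an assumption.
WEB_ROOT = "/srv/app/webroot"


def resolve_vulnerable(web_root: str, requested: str) -> str:
    """Naive file handler: glue the client-supplied path onto the web root.

    Dot-dot-slash sequences are honoured by the path normalisation, so the
    returned path can land anywhere on the file system. This illustrates the
    bug class described for CVE-2020-27130; it is not the product's code.
    """
    return posixpath.normpath(posixpath.join(web_root, requested.lstrip("/")))


def resolve_hardened(web_root: str, requested: str) -> Optional[str]:
    """Decode, normalise and then refuse any path that leaves web_root.

    Returns the absolute path to serve, or None if the request must be
    rejected. The check runs on the normalised string, so encoded,
    double-encoded and backslash variants of ../ are all caught.
    """
    # Decode twice so that %252e%252e%252f (double-encoded ../) is seen.
    decoded = unquote(unquote(requested))
    # Embedded NULs truncate paths in many native file APIs; reject outright.
    if "\x00" in decoded:
        return None
    # The advisory's target runs on Windows, where backslash is a separator.
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    # Prefix test with a trailing slash: "/srv/app/webroot2" must not pass.
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    # In real code, also apply os.path.realpath() here so symlinks inside the
    # web root cannot point back out of it; this demo stays filesystem-free.
    return candidate


# Constructed access-log lines (not real CSM logs) for the detection helper.
SAMPLE_LOG: List[str] = [
    '10.0.0.5 - - [17/Nov/2020:10:01:02 +0000] "GET /css/site.css HTTP/1.1" 200',
    '10.0.0.9 - - [17/Nov/2020:10:01:07 +0000] "GET /files/../../../../windows/win.ini HTTP/1.1" 200',
    '10.0.0.9 - - [17/Nov/2020:10:01:09 +0000] "GET /%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_requests(lines: List[str]) -> List[str]:
    """Return the log lines whose request path would escape WEB_ROOT.

    Useful for hunting exploitation attempts after the fact: the same
    normalisation the hardened handler uses is applied to each logged path.
    """
    flagged = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1).split("?", 1)[0]  # drop the query string
        if resolve_hardened(WEB_ROOT, path) is None:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print(resolve_vulnerable(WEB_ROOT, "../../../etc/passwd"))  # /etc/passwd
    print(resolve_hardened(WEB_ROOT, "../../../etc/passwd"))    # None
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The prefix comparison is done after normalisation rather than by looking for the literal string "../", because a blacklist misses encoded, double-encoded and backslash forms; the single decode-normalise-compare step handles all of them with one rule.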

Flaw

PoC exploits for the flaw – as well as 11 other issues in Cisco Security Manager – were published online Monday by security researcher Florian Hauser. Hauser said in a Monday tweet that he had reported the flaws 120 days earlier, but that Cisco “became unresponsive & the published release 4.22 still doesn’t mention any of the vulnerabilities.”

Since Cisco PSIRT became unresponsive & the published release 4.22 still doesn’t mention any of the vulnerabilities, here are 12 PoCs in 1 gist:https://t.co/h31QO5rmde https://t.co/xyFxyp7cJr

— frycos (@frycos) November 16, 2020

Tweet

In a follow-up tweet on Tuesday, Hauser observed: “Just had a good call with Cisco! The missing vulnerability fixes were indeed implemented as well but need some further testing. SP1 will be released in the next few weeks. We found a good mode of collaboration now.”

The flaw affects Cisco Security Manager releases 4.21 & earlier; the issue is fixed in Cisco Security Manager Release 4.22.

Security Manager Bugs

Cisco on Tuesday also disclosed 2 high-severity vulnerabilities in Cisco Security Manager. One of these (CVE-2020-27125) stems from insufficient protection of static credentials in the affected software. This flaw could allow a remote, unauthenticated attacker to access sensitive information on an affected system, according to Cisco.

“An attacker could exploit this vulnerability by viewing source code,” according to Cisco. “A successful exploit could allow the attacker to view static credentials, which the attacker could use to carry out further attacks.”

The other flaw exists in the Java deserialization function that is used by Cisco Security Manager, & could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.

Insecure

That flaw (CVE-2020-27131) stems from insecure deserialization of user-supplied content by the affected software, according to Cisco.

“An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system,” Cisco’s advisory states.

“A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host.”
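The failure mode Cisco describes, as an added example that is neither Cisco's code nor the published PoC: a listener that deserialises whatever a client sends, a "gadget" object whose serialized form makes the loader call a function of the attacker's choosing, and the same listener with an allow-list that refuses to resolve anything but the expected type. The example is written in Python's pickle format rather than Java serialization to keep it runnable here; the gadget's target is a recording sink named record_command (an assumption for the demo) instead of os.system or subprocess, so nothing is actually spawned, but the control flow is the one a Java gadget chain exploits inside readObject().

```python
import io
import pickle
from typing import Any, List, Optional

# Record of what the gadget was able to run. In a real chain the target would
# be something like os.system or subprocess.Popen; a recording sink is used here
# so the demo is deterministic and spawns nothing.
EXECUTED_COMMANDS: List[str] = []


def record_command(cmd: str) -> str:
    """Stand-in for a command-execution sink; constructed for this example."""
    EXECUTED_COMMANDS.append(cmd)
    return f"executed: {cmd}"


class Gadget:
    """Attacker-controlled object whose serialized form reduces to a call.

    Unpickling it invokes record_command(cmd) before any application logic
    sees the object, the same shape as a Java gadget chain firing during
    deserialization.
    """

    def __init__(self, cmd: str):
        self.cmd = cmd

    def __reduce__(self):
        return (record_command, (self.cmd,))


class Greeting:
    """The only type the listener legitimately expects to receive."""

    def __init__(self, text: str):
        self.text = text


def build_malicious_payload(cmd: str = "whoami") -> bytes:
    """What the attacker sends to the listener."""
    return pickle.dumps(Gadget(cmd))


def build_benign_payload(text: str) -> bytes:
    """What a legitimate client sends."""
    return pickle.dumps(Greeting(text))


def listener_vulnerable(payload: bytes) -> Any:
    """Deserialises whatever the client sent. Gadgets execute inside loads()."""
    return pickle.loads(payload)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: only named (module, class) pairs may be resolved."""

    ALLOWED = {(Greeting.__module__, "Greeting")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def listener_hardened(payload: bytes) -> Any:
    """Same listener with the allow-list applied; the gadget never resolves."""
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def hardened_accepts(payload: bytes) -> Optional[Any]:
    """The loaded object, or None if the hardened listener rejected it."""
    try:
        return listener_hardened(payload)
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    print(listener_vulnerable(build_malicious_payload()))        # executed: whoami
    print(hardened_accepts(build_malicious_payload()))           # None
    print(hardened_accepts(build_benign_payload("hello")).text)  # hello
```

The allow-list lives in find_class because that is the single point where the deserializer turns a name in the byte stream into executable code; the Java equivalent is an ObjectInputFilter or a resolveClass override that rejects every class not on the expected list. Filtering at that point stops the gadget before its constructor or reduce target runs, which a check on the resulting object after loading cannot do.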

Severity

Cisco has recently dealt with various flaws across its product line. Last week, the networking giant warned of a high-severity flaw in Cisco’s IOS XR software that could allow unauthenticated, remote attackers to cripple Cisco Aggregation Services Routers (ASR).

Cisco also recently disclosed a zero-day vulnerability in the Windows, macOS and Linux versions of its AnyConnect Secure Mobility Client Software.
