A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.
The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device.
Recent assessments:
wvu-r7 at January 23, 2020 3:26am UTC reported:
We had post-auth RCE in Cisco Firepower Management Console submitted as a module in PR #7803. This new vuln nets you admin access to the device ONLY if LDAP authentication is enabled. I donโt know how common that configuration is.
While the potential for a shell is nice, admin access to a management center for network security solutions is likely more useful. I also donโt know if the admin interface is typically exposed on the WAN side, but Iโve seen worse. Iโd expect to see this exposed on a corporate LAN, though. And if you can turn external access into internal access, it makes little difference.
I donโt think thereโs any cause for panic with this, like Citrix last week, but Iโd keep my eye on this one. Cisco hasnโt seen any PoCs, but itโs only a matter of time.
Assessed Attacker Value: 0
Assessed Attacker Value: 0Assessed Attacker Value: 0