Cisco fixes Security Manager authentication vulnerabilities


Cisco has released security updates that address multiple vulnerabilities in Cisco Security Manager for which public proof-of-concept exploits already exist. Successful exploitation of these vulnerabilities can lead to remote code execution.

Cisco Security Manager helps administrators manage security policies across a range of Cisco security and network devices, and also provides summary reports and security incident troubleshooting functions.

The product can be used with a variety of Cisco security devices, including but not limited to Cisco ASA appliances, Cisco Catalyst 6000 series switches, Integrated Services Routers (ISR), and Firewall Services Modules.

Proof-of-concept exploits available since November

The advisory said: “The Cisco Product Security Incident Response Team (PSIRT) is aware of the announcement regarding these vulnerabilities.”

These vulnerabilities only affect Cisco Security Manager 4.22 and earlier versions. Code White security researcher Florian Hauser reported them in August, and Cisco disclosed them on November 16.

After Cisco PSIRT stopped responding, Hauser published proof-of-concept exploits for all 12 Cisco Security Manager vulnerabilities he had reported.

Fortunately, Cisco says that it has so far found no ongoing attacks using the vulnerabilities patched today.

Cisco added: “So far, Cisco PSIRT has not found any malicious use of the vulnerabilities described in this advisory.”

Security updates available

At the time of the November disclosure, Cisco had fixed two of the 12 vulnerabilities (CVE-2020-27125 and CVE-2020-27130) but had not provided security updates for the remaining ones, which are tracked collectively as CVE-2020-27131.

Hauser found the vulnerabilities in the Java deserialization functionality of Cisco Security Manager. They are caused by “the affected software unsafely deserializing user-provided content.”

Cisco released the patch for CVE-2020-27131 in Service Pack 4.22SP1. Download the patch now to fix the vulnerability!

—— frycos (@frycos) December 7, 2020

Successful exploitation allows unauthenticated remote attackers to execute arbitrary commands on vulnerable devices.

Cisco explained: “These vulnerabilities allow an attacker to send malicious serialized Java objects to specific listeners on the affected system.”

“A successful exploit could allow the attacker to execute arbitrary commands on the device with NT AUTHORITY\SYSTEM privileges on the Windows target host.”
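The flaw class Cisco describes, a listener that deserializes caller-supplied Java objects, and the standard mitigation, an allow-list deserialization filter, shown as an added example that is not Cisco's code or part of the original article; the message type, class names and allow-list are assumptions chosen for illustration.

```java
import java.io.*;
import java.util.HashMap;

// Added illustration of the flaw class above: a listener that deserializes
// caller-supplied bytes. Not Cisco's code; the message type and allow-list
// are assumptions for this example. Requires Java 9+ (ObjectInputFilter).
public final class DeserializationFilterDemo {
    // The only message type the example listener legitimately expects.
    public static final class StatusReport implements Serializable {
        public final String deviceId;
        public final int severity;
        public StatusReport(String deviceId, int severity) {
            this.deviceId = deviceId; this.severity = severity;
        }
    }
    // Vulnerable pattern: every class on the classpath is a candidate, and its
    // deserialization logic runs before the cast below is ever reached.
    static StatusReport readUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (StatusReport) in.readObject();
        }
    }
    // Hardened pattern: an allow-list filter (JEP 290) rejects every class other
    // than the expected type, and bounds graph depth and stream size, so an
    // unexpected object is refused before it is instantiated.
    static StatusReport readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            StatusReport.class.getName() + ";java.lang.String;!*;maxdepth=3;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return (StatusReport) in.readObject();
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new StatusReport("asa-01", 2));   // constructed sample
        byte[] unexpected = serialize(new HashMap<String, String>()); // stand-in for any other class
        System.out.println("accepted: " + readFiltered(expected).deviceId);
        try {
            readFiltered(unexpected);                                 // rejected by "!*"
        } catch (InvalidClassException e) {
            System.out.println("rejected before instantiation: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`; the same filter can be applied process-wide through the `jdk.serialFilter` system property when the deserializing code cannot be changed.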

Cisco has fixed these vulnerabilities in Cisco Security Manager 4.22 Service Pack 1.

Since there are no workarounds for these vulnerabilities, administrators are advised to apply the security updates as soon as possible.

In November last year, Cisco also disclosed an AnyConnect VPN zero-day vulnerability with a public exploit that affects non-default configurations.