Cisco patches serious flaws in Firepower and Identity Services Engine

Cisco released several patches for high and critical vulnerabilities affecting several products like its Firepower network security devices, Identity Services Engine (ISE)) network access control platform, and Adaptive Security Appliance (ASA). The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging administrators to deploy the available patches because “a cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.”

The exploitation of vulnerabilities in network security appliances has become a common occurrence in recent years because these devices are sometimes by nature connected to the internet because they are perimeter devices and provide attackers with a privileged position on the network from where they can move laterally.

Most serious Cisco flaw allows command injection

The most serious flaw is in the Management Center Software of Cisco Firepower and allows an authenticated attacker to send unauthorized configuration commands to Firepower Threat Defense (FTD) devices that are managed through the software. The attacker can authenticate on the web interface and exploit the vulnerability by sending a specially crafted HTTP request to the target device. While Cisco doesn’t specify in its advisory what the attacker can achieve through these configuration commands, it rated the flaw as critical.

The flaw only exists in the Management Center Software, so standalone FTD devices that are managed through the Cisco Firepower Device Manager (FDM) are not affected. The Cisco Adaptive Security Appliance (ASA) software, which is the predecessor to Cisco Firepower is not affected, either.

Two other command injection vulnerabilities were also patched in the Cisco Firepower Management Center, but these can lead to command execution on the underlying operating system, not the managed devices. Exploiting these flaws requires the attacker to have valid credentials too, but they don’t need to be for the administrator account. The two vulnerabilities are rated with high severity.

A fourth code injection flaw was found and patched in both the Cisco Firepower Management Center software and the Firepower Threat Defense software. The issue is in an inter-device communication mechanism and allows an authenticated attacker to execute commands on the device as root. The limitation is that the attacker needs to have administrator role on an FTD device to target the Management Center device, or to have administrator privileges on the Management Center to execute root commands on an associated FTD device.

Two high-severity command injection issues were also patched in the Cisco Identity Services Engine (ISE) and could allow an authenticated local attacker to execute commands as root on the underlying operating system. ISE also received patches for two flaws that can allow attackers to upload arbitrary files to the device or disable the Cisco Discovery Protocol (CDP) processing.

Other Cisco vulnerabilities could lead to denial of service

Additional high-risk vulnerabilities that could lead to denial-of-service (DoS) conditions were fixed in the Cisco Adaptive Security Appliance software, the Firepower Threat Defense software, the Firepower Management Center software, the software in Cisco Firepower 2100 Series firewalls. These were located in the following functionalities: the ICMPv6 message processing, the remote access VPN, firewall inspection rules, the Log API, and ICMPv6 inspection with Snort 2 detection.