Security researchers discovered a critical flaw in the web interface of the Cisco Firepower management center (FMC). Cisco Firepower management center is a platform for managing Cisco network security solutions such as firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. A successful exploit of this vulnerability could allow the attacker to gain administrative access to the management interface and it is recommended to apply the latest software update.
Technical detail and additional information
What is the threat?
The authentication bypass vulnerability in the web-based management interface is known as CVE- 2019-16028. This is due to incorrect handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An unauthenticated, remote attacker can exploit this, by sending crafted HTTP requests to an affected device, in order to bypass authentication and execute arbitrary commands to gain administrative access to the Firepower Management Center. The root of this flaw is the how the FMC handles Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server which allows malicious actors to bypass authentication. This flaw only effects the Firepower Management Center that are configured to allow users to gain access through an external LDAP server. The hackers essentially are creating their own HTTP requests, and which bypass all authentication to give them administrative rights to the web-based interface.
Why is this noteworthy?
The CVE has a critical score of 9.8 out of 10, making this an extremely high threat to affected customers. Cisco officially released as advisory addressing this flaw on January 22, 2020 at that time there were no known cases of this vulnerability being exploited in the wild but since the flaw is now public that may change.
What is the exposure or risk?
This vulnerability could ultimately give the malicious actors access to a critical network devices such as firewalls, application controllers, intrusion prevention and URL filtering, if exploited correctly. The FMC software which is versions 6.1.0, 6.2.0, 6.2.1 and 6.2.2 are impacted The FMC is only vulnerable if it uses an external LDAP server to authenticate users of its web-based management interface. Cisco advises customers to check these using the product’s administrative interface.
What are the recommendations?
SKOUT recommends updating the Cisco FMC software since this bug was patched in the latest version. Versions 6.1.0, 6.2.0, 6.2.1 and 6.2.2 should update to a 6.2.3 or higher release. We also recommend checking to see if the configuration on their FMC interface are impacted to prevent any malicious attacks. If a software update cannot be applied, Cisco has advised all users to disable authentication from an external LDAP server on the FMC.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.