Cisco Management Tool Vulnerable to Authentication Bypass Flaw

Background:

Described as “the administrative nerve centre for managing critical Cisco network security solutions”, Cisco’s Firepower Management Center (FMC) has recently been issued a software update due to a critically rated authentication bypass vulnerability, which grants a remote attacker administrative access.

Cisco have released a security advisory to address the flaw, tracked as CVE-2019-16028, advising users to apply the latest patches provided as there are no workarounds. Currently, there no reports of public exploitation regarding CVE-2019-16028.

Advisory available here: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth

Vulnerability Details:

For Cisco FMC products to be vulnerable, they must be configured to authenticate users of the web-based management interface through an external LDAP server. By sending crafted HTTP requests to the target device, an attacker can exploit the improper handling of LDAP authentication responses to gain administrative access to the web-based management interface.

To determine whether external authentication using an LDAP server is configured on the device, administrators can navigate to System > Users > External Authentication and look for an External Authentication Object that uses LDAP as the authentication method. The External Authentication Object must be enabled for the FMC to be affected.

Recommendations:

Cisco have stated there are no workarounds, however, users who cannot immediately apply a software fix should consider disabling LDAP authentication for FMC access and select another authentication method until a software fix can be applied.

A list of FMC releases and respective patches has been provided in the Cisco security advisory. To upgrade to a release that includes a fix for this vulnerability or to install a hotfix patch, administrators are advised to visit https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide.html

Links:

threatpost.com/cisco-critical-network-security-tool-flaw/152131/

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth

www.secpod.com/blog/cisco-fmc-critical-updates-january-2020/