Cisco Security Manager – Remote Code Execution

Recently, multiple critical and easy-to-exploit remote code execution (RCE) vulnerabilities were found in Cisco Security Manager. These vulnerabilities allow an unauthenticated remote attacker with network access via HTTP to achieve total compromise and takeover of vulnerable servers. The vulnerabilities affect version 4.21 and earlier. Cisco Security Manager version 4.22 patches these vulnerabilities.

Cisco did not mention these vulnerabilities in the release notes for version 4.22 and also did not publish any additional advisories on how to mitigate them if updating was not possible. Florian Hauser, a security researcher from Code White, initially reported the bugs to Cisco on July 13th. Since Cisco did not acknowledge any of these vulnerabilities, he published proof-of-concept (PoC) exploits for 12 vulnerabilities affecting Cisco Security Manager on November 16th.

Figure 1 Tweet from @frycos, Florian Hauser’s Twitter handle


In this article, we will focus on the RCE vulnerabilities and how BIG-IP Advanced WAF protects our customers against these exploits.

Remote Code Execution using SecretService.jsp

A malicious request exploiting this vulnerability is shown in Figure 2.

Figure 2 Exploit request


Remote Code Execution using AuthTokenServlet

A malicious request exploiting this vulnerability is shown in Figure 3.

Figure 3 Exploit request


Remote Code Execution using ClientServicesServlet

A malicious request exploiting this vulnerability is shown in Figure 4.

Figure 4 Exploit request


Remote Code Execution using CTMServlet

A malicious request exploiting this vulnerability is shown in Figure 5.

Figure 5 Exploit request


Remote Code Execution using SecretServiceServlet

A malicious request exploiting this vulnerability is shown in Figure 6.

Figure 6 Exploit request


Mitigation with BIG-IP Advanced WAF

Advanced WAF customers under any supported BIG-IP version are already protected against these exploits.

An exploitation attempt will trigger a violation caused by the “Bad unescape” evasion technique and will also be detected by many existing signatures for Java code injection and Java serialized objects.
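As an added illustration of the two detection mechanisms mentioned above (this is example code, not the BIG-IP Advanced WAF engine or code from the original article), the following Python checks constructed sample requests for a malformed percent-encoding (the "bad unescape" condition) and for the magic header of a Java serialized object in hex or base64 form; the "/placeholder" path prefix and the sample bodies are made up.

```python
import base64
import re
import urllib.parse

# Magic header of a Java serialized object stream (bytes AC ED 00 05),
# as it appears when hex-encoded and when base64-encoded.
JAVA_SERIAL_HEX = "aced0005"
JAVA_SERIAL_B64 = "rO0AB"

# A percent sign not followed by two hex digits: the "bad unescape"
# condition (an escape sequence that cannot be decoded).
BAD_PCT_ENCODING = re.compile(r"%(?![0-9A-Fa-f]{2})")


def check_request(path: str, body: str) -> list[str]:
    """Return the names of the violations found in one request (simplified)."""
    findings = []
    if BAD_PCT_ENCODING.search(path) or BAD_PCT_ENCODING.search(body):
        findings.append("bad_unescape")
    # Decode valid escapes first so an encoded serialized object is still seen.
    decoded = urllib.parse.unquote(path) + "\n" + urllib.parse.unquote(body)
    if JAVA_SERIAL_B64 in decoded or JAVA_SERIAL_HEX in decoded.lower():
        findings.append("java_serialized_object")
    return findings


# Constructed sample payload: a base64 stream carrying only the serialization
# header plus filler bytes (no real object, no gadget chain).
CONSTRUCTED_SERIAL = base64.b64encode(b"\xac\xed\x00\x05sr\x00\x0bconstructed").decode()

# Constructed sample requests; the "/placeholder" prefix is an assumption.
SAMPLE_REQUESTS = [
    ("/placeholder/SecretService.jsp", "id=42"),
    ("/placeholder/SecretService.jsp", "data=" + CONSTRUCTED_SERIAL),
    ("/placeholder/AuthTokenServlet", "token=%ZZ%u0041"),
    ("/placeholder/CTMServlet", "payload=ACED0005" + "ff" * 8),
]


def scan(requests):
    """Return (path, violations) for each constructed (path, body) pair."""
    return [(path, check_request(path, body)) for path, body in requests]


if __name__ == "__main__":
    for path, violations in scan(SAMPLE_REQUESTS):
        print(f"{path}: {violations or 'no violation'}")
```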


Figure 7 Bad unescape evasion technique detected


Figure 8 Various Java code injection and Java serialized object signatures are triggered by the exploit request

Published Nov 19, 2020
Version 1.0