Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Cisco Security Manager – Remote Code Execution

Harsh_Chawla
F5 Employee
F5 Employee

on ‎19-Nov-2020 13:19

Recently, multiple critical and easy-to-exploit remote code execution (RCE) vulnerabilities were found in Cisco Security Manager. These vulnerabilities allow an unauthenticated remote attacker with network access via HTTP to achieve total compromise and takeover of vulnerable servers. The vulnerabilities affect version 4.21 and earlier. Cisco Security Manager version 4.22 patches these vulnerabilities.

Cisco did not mention these vulnerabilities in the release notes for version 4.22 and also did not publish any additional advisories on how to mitigate these if updating the version was not possible. Florian Hauser, a security researcher from Code White initially reported the bugs to Cisco on July 13th. Since Cisco did not acknowledge any of these vulnerabilities, he published proof of concept (PoC) exploits for 12 vulnerabilities affecting Cisco Security Manager on November 16th.

0151T000003q0sHQAQ.jpg

Figure 1 Tweet from @frycos, Florian Hauser’s Twitter handle

 

In this article, we will focus on the RCE vulnerabilities and how Big IP Advanced WAF protects our customers against these exploits.

Remote Code Execution using SecretService.jsp

A malicious request exploiting this vulnerability is shown in Figure 2.

0151T000003q0sMQAQ.jpg

Figure 2 Exploit request

 

Remote Code Execution using AuthTokenServlet

A malicious request exploiting this vulnerability is shown in Figure 3.0EM1T000002JKgL.pngFigure 3 Exploit request

 

Remote Code Execution using ClientServicesServlet

A malicious request exploiting this vulnerability is shown in Figure 4.

0EM1T000002JKgM.png

Figure 4 Exploit request

 

Remote Code Execution using CTMServlet

A malicious request exploiting this vulnerability is shown in Figure 5.0EM1T000002JKgN.png

Figure 5 Exploit request

 

Remote Code Execution using SecretServiceServlet

A malicious request exploiting this vulnerability is shown in Figure 6.

0EM1T000002JKgO.pngFigure 6 Exploit request

 

Mitigation with BIG-IP Advanced WAF

Advanced WAF customers under any supported BIG-IP version are already protected against this exploit.

An exploitation attempt will trigger a violation caused by “Bad unescape” evasion technique and will also be detected by many existing signatures for Java code injection and Java serialized object.

0EM1T000002JKgP.png
Figure 7 Bad unescape evasion technique detected

 

0EM1T000002JKgQ.png

0EM1T000002JKgR.png

0EM1T000002JKgS.png

0EM1T000002JKgT.png

0EM1T000002JKgU.png

0EM1T000002JKgV.png

0EM1T000002JKgW.png

0EM1T000002JKgX.png

0EM1T000002JKgY.png

0EM1T000002JKgZ.png

0EM1T000002JKga.png

Figure 8 Various Java code injection and Java serialized object signatures are triggered by the exploit request

Labels:
0 Kudos
Version history
Last update:
‎19-Nov-2020 13:19
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC