Cisco Firepower Management Center Lightweight Directory Access Protocol Authentication Bypass Vulnerability

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.

The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device.

Recent assessments:

wvu-r7 at January 23, 2020 3:26am UTC reported:

We had post-auth RCE in Cisco Firepower Management Console submitted as a module in PR #7803. This new vuln nets you admin access to the device ONLY if LDAP authentication is enabled. I don’t know how common that configuration is.

While the potential for a shell is nice, admin access to a management center for network security solutions is likely more useful. I also don’t know if the admin interface is typically exposed on the WAN side, but I’ve seen worse. I’d expect to see this exposed on a corporate LAN, though. And if you can turn external access into internal access, it makes little difference.

I don’t think there’s any cause for panic with this, like Citrix last week, but I’d keep my eye on this one. Cisco hasn’t seen any PoCs, but it’s only a matter of time.

Assessed Attacker Value: 0
Assessed Attacker Value: 0Assessed Attacker Value: 0