Cisco has patched a critical bug that could give attackers unauthorised access to Firepower Management Centre (FMC), the device that controls all of its security products.
Cisco’s FMC is an administrative controller for the company’s network security products, giving administrators access to firewalls, application controllers, intrusion prevention, URL filtering, and malware protection systems. According to the company’s advisory, issued on 22 January, the vulnerability could allow a remote attacker to execute administrative commands on the device after bypassing authentication.
The problem lies in how the FMC handles authentication responses from Lightweight Directory Access Protocol (LDAP) servers. LDAP is a popular protocol that applications use to access directories (known as directory system agents). The directories hold information about users, including their access credentials.
The FMC is only vulnerable if it uses an external LDAP server to authenticate users of its web-based management interface. Cisco advises customers to check these using the product’s administrative interface. Go to the System menu, then Users, and finally External Authentication. Look for an External Authentication Object that is enabled and lists LDAP as its authentication method.
The bug, CVE-2019-16028, has a CVSS score of 9.8. Cisco has patched it in maintenance releases for versions 6.4 and 6.5, which are both available now. It will also introduce maintenance releases for versions 6.2.3 and 6.3.0 in February and May respectively. Until then, customers can use hot fixes for those products. Those using earlier versions should migrate to a fixed release, the company said.
This was the one critical bug in a collection of 28 advisories that Cisco released last week. It also announced patches for several bugs with high severity, including some in its collaboration products.
One of these, a bug in its Webex Meetings Suite and Meetings Online websites, enables attackers using an iOS or Android device to join a password-protected meeting without authenticating. The vulnerability exposes unintended meeting information in the mobile app that enables the attacker to access a known meeting ID or URL from their web browser, which then launches the mobile Webex application.
Another vulnerability in the video endpoint API of its Cisco TelePresence software fails to properly validate user-supplied input. An attacker could exploit it to read and write arbitrary files to the system, but they would need an In-Room Control or administrator account to do so.
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast.