Cisco this week released advisories for three serious vulnerabilities in Security Manager that already have proof-of-concept (PoC) exploit code available online.
Tracked as CVE-2020-27130 and featuring a CVSS score of 9.1, the first of the bugs is a critical-severity issue that could be abused to download arbitrary files from the affected device.
Exploitable by a remote, unauthenticated attacker, the weakness exists because directory traversal character sequences within requests to a vulnerable device are not properly validated.
“An attacker could exploit this vulnerability by sending a crafted request to the affected device,” Cisco explains in its advisory.
Cisco says that there are no workarounds available for this vulnerability but that Cisco Security Manager 4.22 addresses is.
The software release also patches CVE-2020-27125, a high-severity flaw (CVSS score of 7.4) that could result in the leakage of sensitive data.
“The vulnerability is due to insufficient protection of static credentials in the affected software. An attacker could exploit this vulnerability by viewing source code. A successful exploit could allow the attacker to view static credentials, which the attacker could use to carry out further attacks,” the company notes.
No workarounds are available for this vulnerability either and Cisco also notes that both issues have been publicly disclosed, although they do not appear to be exploited in malicious attacks.
Security researcher Florian Hauser was credited for both flaws, as well as for CVE-2020-27131 (CVSS score of 8.1), a bug that could lead to the remote execution of arbitrary commands, without authentication, but which hasn’t been addressed yet.
The issue, which Cisco refers to as a collection of vulnerabilities, exists because user-supplied content is insecurely deserialized.
“An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITYSYSTEM on the Windows target host,” Cisco’s advisory reads.
The company notes that no workaround exists for this bug either and plans on patching it with the release of Security Manager 4.23.
Last week, Hauser revealed on Twitter that he reported the vulnerabilities to Cisco in July, along with 9 other issues in Security Manager. He published PoC code for these issues after Cisco released version 4.22 of the affected software without mentioning the flaws.
“Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn’t state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITYSYSTEM,” the researcher notes on GitHub.
Last week, Cisco released patches for a high-severity vulnerability in IOS XR software for ASR 9000 series routers (CVE-2020-26070, CVSS score of 8.6). The bug exists because resources are not properly allocated during the processing of network traffic in software switching mode.
The issue affects ASR 9000 routers running IOS XR releases earlier than 6.7.2 or 7.1.2. No workarounds exist for this flaw, but information on it hasn’t been publicly disclosed before Cisco’s advisory, the company says.