Network Security, Cyber Security

Cisco Firepower Management Center is on fire!

Network Security, Cyber Security

Foreword:


The FMC (Firepower Management Center) has a critical vulnerability in the web-based management interface that allows unauthenticated remote attacker to bypass authentication and get admin privileges that allows the attacker to run arbitrary code.

The vulnerability is due to bad handling of LDAP responses when the latter is being used for External Authentication. The bad actor can run the exploit by creating a crafted HTTP requests effectively bypassing authentication and getting administrative privileged access to the Web GUI. To break this down – anybody with HTTPS access to the management IP of your current FMC and some skills would be able to get in and change config or stop the Firepower Sensors, effectively compromising your security controls and leaving you exposed.

Who is affected:


Currently all unpatched FMC versions that use LDAP for external authentication are affected.

External authentication via LDAP is very common for Firepower clients due to the fact that Firepower is preferred choice for mid and large organization that tend to use central AAA to run its network (better security and scalability).

If you are running FMC and have LDAP enabled (how to check if you are using LDAP is mentioned inside the listed Cisco Advisory link), it is strongly recommended to patch the FMC as soon as possible.

How can we mitigate the risk before we patch?


Stop LDAP if possible, make sure you have a working local account before that.

Limit the HTTPS access to the management IP address of the FMC to only secure internal networks/addresses.