Cisco: Firewall Manager RCE Flaw Is a Zero-Day, Patch Incoming

In a Thursday security advisory update, Cisco revealed that a remote code execution (RCE) vulnerability in the Adaptive Security Device Manager (ASDM) Launcher, disclosed last month, is a zero-day that has yet to receive a security update. Cisco ASDM is a firewall appliance manager that provides a web interface for managing Cisco Adaptive Security Appliance (ASA) firewalls and AnyConnect Secure Mobility clients.

“At the time of publication, Cisco planned to fix the vulnerability in Cisco ASDM,” the company says in the updated advisory. “Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.”

The zero-day bug, tracked as CVE-2021-1585, is caused by improper signature verification of code exchanged between the ASDM and the Launcher. An attacker could exploit this vulnerability by leveraging a man-in-the-middle position on the network to intercept the traffic between the Launcher and the ASDM and then inject arbitrary code, as Cisco explains in the updated advisory.

In a previous revision, the company also changed the list of affected ASDM software versions, from releases ‘9.16.1 and earlier’ (as listed in the first advisory) to ‘7.16(1.150) and earlier.’

How Does a MiTM Attack Exploit the RCE Bug?


“A successful exploit may require the threat actor to perform a social engineering attack to convince the user to initiate a connection from the Launcher to the ASDM.” The company also stated that its Product Security Incident Response Team (PSIRT) is not yet aware of proof-of-concept exploits for this zero-day or of threat actors exploiting it in the wild.

Not the First Rodeo!

In related news, three months ago Cisco fixed a six-month-old zero-day vulnerability (CVE-2020-3556) in the Cisco AnyConnect Secure Mobility Client VPN software, for which proof-of-concept exploit code was publicly available.

While Cisco PSIRT stated that proof-of-concept exploit code was publicly available when the flaw was disclosed, it also said there was no evidence of in-the-wild exploitation. Cisco disclosed the zero-day in November 2020 without security updates addressing the underlying flaw, but it did provide mitigation measures to reduce the attack surface.

Before Cisco addressed CVE-2020-3556 in May, no active exploitation had been reported, likely because default VPN configurations were not vulnerable to the attack and the bug could only be exploited by authenticated local attackers.

Last month, however, threat actors quickly pounced on a Cisco ASA flaw (partially patched in October 2020 and fully addressed in April 2021) shortly after Positive Technologies’ Offensive Team published a PoC exploit.
