On January 22, 2020, the Cisco Product Security Incident Response Team (PSIRT) disclosed a vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC). The vulnerability could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. The security advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth
Determining if you are impacted:
A few highlights to determine if you may be impacted by this vulnerability:
- Cisco FMC Software is affected if it is configured to authenticate users of the web-based management interface through an external LDAP server
- To determine whether external authentication using an LDAP server is configured on the device, administrators can navigate to System > Users > External Authentication and look for an External Authentication Object that uses LDAP as the authentication method. The External Authentication Object must be enabled for the FMC to be affected.
NOTE: LDAP is used for a variety of functions within the Firepower Management Center (FMC), such as FMC Web Management Portal Authentication, Remote Access VPN Authorization, command line interface authorization, and others. This vulnerability impacts only the FMC Web Management Portal if it is configured to authenticate users of the web management portal through an external LDAP server. No other features that rely on external LDAP authentication are affected by this vulnerability.
Fixed Software:
Cisco has released free software updates that address the vulnerability described in the security advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth
Remember, there are several ways to stay connected and receive the latest security vulnerability information from Cisco: