Summary: If you use Windows domain authentication in Firepower Management Console, you could be affected by this vulnerability.
Cisco announced on January 22nd that a vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. Most of the information below comes from the Cisco official advisory.
Advisory ID: cisco-sa-20200122-fmc-auth
The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device. There are no workarounds for the vulnerability.
This vulnerability affects Cisco FMC Software if it is configured to authenticate users of the web-based management interface through an external LDAP server.
Products Confirmed Not Vulnerable:
Cisco has confirmed that this vulnerability does not affect Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software.
Verification of Vulnerability
To determine whether external authentication using an LDAP server is configured on the device, administrators can navigate to System > Users > External Authentication and look for an External Authentication Object that uses LDAP as the authentication method. The External Authentication Object must be enabled for the FMC to be affected.
How to Fix this Vulnerability
Customers may install a fix either by upgrading to a fixed release or by installing a hotfix patch.
Contact us for help determining if you are affected or remediating the issue. PEI is a Cisco Select Certified partner and can help you migrate to a fixed release or install any necessary hotfix patches.
Customers who are running the following Cisco FMC Software releases can remediate by doing the following:
- Releases earlier than 6.1.0: Migrate to a 6.2.3 release and apply available hotfixes.
- 6.1.0: Apply the hotfix listed in the preceding table or migrate to a 6.2.3 release and apply available hotfix.
- 6.2.0 through 6.2.2: Migrate to a 6.2.3 release and apply available hotfix.
- 6.2.3 or 6.3.0: Apply available hotfixes; maintenance releases will be available later this year.
- 6.4.0: Apply available hotfixes or upgrade to Release 22.214.171.124.
- 6.5.0: Upgrade to 126.96.36.199.
See the table below from Cisco below for more details.
|Cisco FMC Software Release||First Fixed Release||Hotfix Patch|
|Earlier than 6.1.01||Migrate to a fixed release.||Not available.|
|6.1.0||Migrate to a fixed release.||Sourcefire_3D_Defense_Center_S3_Hotfix_ES-188.8.131.52-2.sh|
|6.2.02||Migrate to a fixed release.||Not available.|
|6.2.12||Migrate to a fixed release.||Not available.|
|6.2.22||Migrate to a fixed release.||Not available.|
|6.2.3||184.108.40.206 (February 2020)||Sourcefire_3D_Defense_Center_S3_Hotfix_DO-220.127.116.11-3.sh.REL.tar|
|6.3.0||18.104.22.168 (May 2020)||Cisco_Firepower_Mgmt_Center_Hotfix_AI-22.214.171.124-2.sh.REL.tar|
|6.4.0||126.96.36.199||Cisco_Firepower_Mgmt_Center_Hotfix_U-188.8.131.52-2.sh.REL.tar (for releases 184.108.40.206 and later)|
Cisco_Firepower_Mgmt_Center_Hotfix_T-220.127.116.11-1.sh.REL.tar (for releases 18.104.22.168 and earlier)
1. Cisco FMC Software releases 6.0.1 and earlier have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.
2. Customers who are running a 6.2.0, 6.2.1, or 6.2.2 release should migrate either to a release that integrates the fix or to a release for which a hotfix patch is available. For example, customers could migrate to Release 6.2.3 and then install the hotfix patch, which is Sourcefire_3D_Defense_Center_S3_Hotfix_DO-22.214.171.124-3.sh.REL.tar.
3. Cisco FMC Software Release 126.96.36.199 integrates a fix for this vulnerability; however, it is no longer available for download.
Note to PEI Managed Service Customers: If you are a PEI Managed Services customer who is affected by this announcement, we have already contacted your IT team about this vulnerability and started the process to implement the proper fix. Feel free to contact us or your account manager with any questions.
Alison Walick, PEI