IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Cisco patch notes ‘left out’ details of RCE flaws

The company has since released advisories for three flaws a week after first patching its security management platform

Close up Cisco logo on a UCS C240 M4 server in a data centre

The recently patched Cisco Security Manager (CSM) platform did not initially include details of 12 severe security vulnerabilities that could, if exploited, lead to remote code execution (RCE).

Although these 12 flaws in CSM, an enterprise-class management console that offers insight into the control of Cisco security and network devices, were recently fixed, its developers failed to mention these at all, according to security researcher Florian Hauser

Hauser claims to have reported these 12 bugs to the networking giant in July this year and was under the impression they were due to be fixed when CSM was updated to version 4.22 earlier this month.

The researcher claims, however, that despite patching the vulnerabilities last week, the company didn’t mention them at all in the release notes for CSM and did not issue security advisories for businesses that may be potentially affected.

As a result, Hauser has published the proof-of-concept for all 12 flaws that he submitted via GitHub, including a host of RCE exploits that cyber criminals could use if targeting an unpatched system. 

“120 days ago, I disclosed 12 vulnerabilities to Cisco affecting the web interface of Cisco Security Manager. All unauthenticated, almost all directly giving RCE,” Hauser posted on Twitter on 11 November, following this up overnight with: “Since Cisco PSIRT became unresponsive and the published release 4.22 still doesn't mention any of the vulnerabilities, here are 12 PoCs in 1 gist.”

The CSM 4.22 release notes outlined several improvements to security and functionality, including support for AnyConnect Web Security WSO. The company has subsequently released advisories for three vulnerabilities that were reported in July, crediting Florian Hauser for discovery.

The first, a path traversal vulnerability, tagged CVE-2020-27130 and assigned a CVSS score of 9.1, could allow an unauthenticated remote attacker to gain access to sensitive information, upon successful exploitation. This is due to improper validation of traversal character sequences within requests to affected devices.

The second, a Java deserialisation flaw, is tagged CVE-2020-27131 and assigned a severity score of 8.1, could also allow a remote attacker to execute arbitrary commands on an affected device. The final flaw, a static credential vulnerability tagged CVE-2020-27125 and assigned a severity score of 7.4, could also allow a remote attacker to access sensitive information on a targeted system.

“On November 16, Cisco published three security advisories for the reported vulnerabilities in Cisco Security Manager (CSM)," a Cisco spokesperson told IT Pro. "The 12 issues reported are tracked and addressed through four Cisco bug IDs. Cisco has released free software updates that address the vulnerabilities described in the CSM path traversal vulnerability advisory and the CSM static credential vulnerability advisory.

"Cisco will release free software updates as soon as possible that address the vulnerabilities described in the CSM Java deserialization vulnerabilities advisory. We ask our customers to please review the advisories for complete detail. Cisco PSIRT is not aware of malicious use of the vulnerabilities that are described in the advisories.”

Featured Resources

IT best practices for accelerating the journey to carbon neutrality

Considerations and pragmatic solutions for IT executives driving sustainable IT

Free Download

The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize

Free download

Using application migration and modernisation to supercharge business agility and resiliency

Modernisation can propel your digital transformation to the next generation

Free Download

The strategic CFO

Why finance transformation propels business value

Free Download

Recommended

SOC modernisation and and the role of XDR
Whitepaper

SOC modernisation and and the role of XDR

16 Mar 2023
Analysing the economic benefits of Trend Micro Vision One
Whitepaper

Analysing the economic benefits of Trend Micro Vision One

16 Mar 2023
More than a number: Your risk score explained
Whitepaper

More than a number: Your risk score explained

16 Mar 2023
The IT manager's guide to getting home in time for dinner
Whitepaper

The IT manager's guide to getting home in time for dinner

15 Mar 2023

Most Popular

HMRC lost nearly 50% more devices in 2022
Hardware

HMRC lost nearly 50% more devices in 2022

17 Mar 2023
The big PSTN switch off: What’s happening between now and 2025?
Sponsored

The big PSTN switch off: What’s happening between now and 2025?

13 Mar 2023
Outlook zero day patch causes headaches for Windows admins
Security

Outlook zero day patch causes headaches for Windows admins

15 Mar 2023