Cisco Issues Critical Advisory on Firepower Management Center
Take action: The high CVSS score is weird because the vulnerability requires an authenticated user. It seems the issue is real but Cisco won't tell us all until a sufficient number of FMC software is patched. Limit your FMC access only from trusted networks, then plan for a quick patch.
A security flaw is reported in the web-based management interface of Cisco's Firepower Management Center (FMC) Software, which could potentially be exploited by an attacker with valid user credentials. The flaw arises due to inadequate restrictions on user permissions, which allows for unauthorized command executions on a Firepower Threat Defense (FTD) unit managed by the FMC.
The vulnerability is tracked as CVE-2023-20048 and Cisco has assigned it a severity CVSS score 9.9. It stems from the web service interface not properly verifying user permissions for the execution of configuration commands. If exploited, this flaw could allow a remote attacker to send specially crafted HTTP requests to the interface, thereby executing commands on a connected FTD device without proper authorization.
The security flaw affects any Cisco FMC software running a version below 7.0.6 which was released on 1st of November 2023.
It's peculiar that the severity is so high given that to exploit this flaw, the attacker would need to have legitimate access credentials for the FMC Software. Cisco has acknowledged the issue and has issued updates to rectify this vulnerability. Cisco also claims that there are no alternative solutions or workarounds to mitigate this issue. Given the unexpectedly high severity score and no details about exploitability, it seems that Cisco has not disclosed all methods of exploit. Which makes this flaw even scarier than reported.
It is confirmed that the following Cisco products are not impacted by this vulnerability:
Cisco has made software updates available at no additional cost to address this vulnerability, and customers are encouraged to install these updates. The updates should be obtained through standard channels for customers with valid service contracts. It is critical for customers to adhere to Cisco software licensing agreements when installing these updates. The advisory also includes advice for customers without service contracts on how to obtain software upgrades.
Additionally, Cisco offers the Cisco Software Checker tool, which helps users identify specific vulnerabilities and the software releases that address them.
The advisory is a part of Cisco's November 2023 bundled publication of security advisories that include updates for Cisco ASA, FMC, and FTD software.