Cisco addressed a flaw in the web-based management interface of the Firepower Management Centre (FMC) Software, identified as CVE-2024-20360 (CVSS score 8.8).
The vulnerability is a SQL injection bug; an intruder can use it to acquire any data from the database, run arbitrary commands on the underlying operating system, and elevate privileges to root. The attacker can only exploit this flaw if they have at least Read Only user privileges.
“A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.” reads the advisory. “This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system.”
“A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials,” the advisory adds.
According to Cisco, there isn't a fix for this vulnerability. The IT giant confirmed that neither Firepower Threat Defence (FTD) nor Adaptive Security Appliance (ASA) software is impacted by this security vulnerability. The attacks that are taking advantage of this vulnerability in the wild are unknown to the Cisco Product Security Incident Response Team (PSIRT).
Security patch
Cisco has published free software upgrades to address the vulnerability stated in the advisory. Customers with service contracts that include regular software updates should receive security fixes through their usual update channels. Customers can only install and get support for software versions and feature sets for which they have acquired a licence. Customers agree to abide by the terms and conditions of the Cisco software licence while installing, downloading, accessing, or using such software upgrades.
Furthermore, customers may only download software for which they have a valid licence, either directly from Cisco or through a Cisco authorised reseller or partner. In most cases, this will be a maintenance upgrade for already purchased software. Customers that receive free security software updates are not entitled to a new software licence, additional software feature sets, or significant revision upgrades.
