Cisco Firepower 4100/Firepower 9300 Smart Licensing Manager command injection

Summaryinfo

A vulnerability was found in Cisco Firepower 4100 and Firepower 9300. It has been rated as critical. Affected is an unknown function of the component Smart Licensing Manager. The manipulation leads to command injection. This vulnerability is traded as CVE-2017-12277. It is possible to initiate the attack remotely. There is no exploit available.

Detailsinfo

A vulnerability was found in Cisco Firepower 4100 and Firepower 9300 (Firewall Software) (version unknown). It has been rated as critical. This issue affects an unknown function of the component Smart Licensing Manager. The manipulation with an unknown input leads to a command injection vulnerability. Using CWE to declare the problem leads to CWE-77. The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

A vulnerability in the Smart Licensing Manager service of the Cisco Firepower 4100 Series Next-Generation Firewall (NGFW) and Firepower 9300 Security Appliance could allow an authenticated, remote attacker to inject arbitrary commands that could be executed with root privileges. The vulnerability is due to insufficient input validation of certain Smart Licensing configuration parameters. An authenticated attacker could exploit the vulnerability by configuring a malicious URL within the affected feature. A successful exploit could allow the attacker to execute arbitrary commands with root privileges. This vulnerability affects the following Cisco Firepower Security products running FX-OS code trains 1.1.3, 1.1.4, and 2.0.1 (versions 2.1.1, 2.2.1, and 2.2.2 are not affected): Firepower 4100 Series Next-Generation Firewall and Firepower 9300 Security Appliance. Cisco Bug IDs: CSCvb86863.

The bug was discovered 11/01/2017. The weakness was shared 11/02/2017 with Cisco as cisco-sa-20171101-fpwr as confirmed advisory (Website). It is possible to read the advisory at tools.cisco.com. The identification of this vulnerability is CVE-2017-12277 since 08/03/2017. The attack may be initiated remotely. The successful exploitation requires a simple authentication. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 01/21/2021). The attack technique deployed by this issue is T1202 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $5k-$25k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 101661†). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Firewall Software

Vendor

• Cisco

Name

• Firepower 4100
• Firepower 9300

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion