
A Dozen Cisco Vulnerabilities at Once


Security researchers at Code White discovered a dozen security flaws in Cisco Security Manager, several of which were pre-authentication remote command execution vulnerabilities that gave an attacker complete control of the appliance. Cisco patched the flaws in version 4.22 on November 11. However, per the researcher, "Release notes didn't state anything about the vulnerabilities, security advisories 'were not published.'"

The researcher, Frycos, is on the red team of Code White, a specialist firm that performs penetration testing to locate and report vulnerabilities. Frycos explains the disclosure: "Since Cisco PSIRT became unresponsive and the published release 4.22 still doesn't mention any of the vulnerabilities, here are 12 [proof of concept]s in 1 gist." Publishing proofs of concept once a vendor has missed a coordinated-disclosure deadline is common industry practice; Google Project Zero, for example, discloses 90 days after reporting a bug. At the time of disclosure, Cisco had already exceeded 120 days.

The vulnerabilities fall into two main categories: Java deserialization of untrusted data (CWE-502) and arbitrary file download, where the server returns files of the attacker's choosing. Deserialization flaws occur in applications that reconstruct a byte stream into Java objects. When that stream is attacker-controlled, the attacker chooses which classes on the server's classpath are instantiated, and any of those classes whose deserialization hooks (readObject and similar) perform side effects can be chained together into a "gadget chain" that ends in a sensitive sink such as Runtime.exec. The application never has to call the sink itself; the library code does it on the application's behalf. Common tools like ysoserial exist for generating such payloads against widely used libraries and frameworks.

Deserialization flaws are not unique to Java applications; tools such as ysoserial.net generate equivalent payloads for .NET. Deserialization attacks tend to pass through security tools like web application firewalls because a WAF only sees an opaque (often base64-encoded) byte stream at the network tier: it can recognise that the stream is Java serialization, but it has no knowledge of which classes on the server's classpath are dangerous, and matching on known gadget class names is easily evaded by encoding or by choosing a different chain.
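The two paragraphs above describe the vulnerable pattern, the gadget-chain mechanism and why a WAF cannot judge the stream. The following is an added example written for this article, not code from the InfoQ piece, from Cisco Security Manager or from Code White's proof of concepts. The class names (DeserializationDemo, Greeting, SideEffectOnLoad) are constructed for illustration: SideEffectOnLoad stands in for a gadget and only sets a flag where a real chain would reach Runtime.exec. It shows the unsafe `ObjectInputStream.readObject()` call beside a hardened version that uses the JDK's ObjectInputFilter (Java 9 and later) to allow only the class the application expects, and a `looksLikeJavaSerialization` check that mirrors the most a network-tier device can do: spot the stream magic, not the payload's intent.

```java
import java.io.*;
import java.util.Base64;

/**
 * Added example (not from the article, Cisco, or Code White): the CWE-502
 * pattern and a hardened alternative using the JDK's built-in filter.
 */
public class DeserializationDemo {

    /** A benign class the application legitimately expects to receive. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /**
     * Stand-in for a gadget: a Serializable class already on the classpath
     * whose readObject hook performs a side effect. Real chains (for example
     * those produced by ysoserial) end in sinks such as Runtime.exec; this
     * constructed one only records that it ran, so the demo is safe.
     */
    public static final class SideEffectOnLoad implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true;  // a real gadget would execute attacker-chosen code here
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** VULNERABLE: instantiates whatever classes the byte stream names. */
    static Object deserializeUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** HARDENED: an allow-list filter rejects every class except the expected ones. */
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) {
                    // Called for depth/reference/size checks with no class; leave to defaults.
                    return ObjectInputFilter.Status.UNDECIDED;
                }
                return (c == Greeting.class || c == String.class)
                        ? ObjectInputFilter.Status.ALLOWED
                        : ObjectInputFilter.Status.REJECTED;
            });
            return ois.readObject();  // throws InvalidClassException on a rejected class
        }
    }

    /** All a WAF can see: the stream magic 0xACED0005 ("rO0AB" in base64), not which classes are dangerous. */
    static boolean looksLikeJavaSerialization(byte[] data) {
        return data.length >= 4
                && (data[0] & 0xff) == 0xAC && (data[1] & 0xff) == 0xED
                && data[2] == 0x00 && data[3] == 0x05;
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Greeting("hello"));
        byte[] hostile = serialize(new SideEffectOnLoad());  // constructed sample payload

        System.out.println("magic present: " + looksLikeJavaSerialization(hostile)
                + ", base64 prefix: " + Base64.getEncoder().encodeToString(hostile).substring(0, 5));

        deserializeUnsafe(hostile);
        System.out.println("unsafe path ran gadget: " + SideEffectOnLoad.triggered);

        SideEffectOnLoad.triggered = false;
        try {
            deserializeFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered path rejected: " + e.getMessage());
        }
        System.out.println("filtered path ran gadget: " + SideEffectOnLoad.triggered);
        System.out.println("filtered path accepted benign: " + ((Greeting) deserializeFiltered(benign)).text);
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on a Java 9 or later JDK. The important design point is that the filter is an allow-list keyed on the classes the application actually expects; a deny-list of known gadget classes is the approach that a new chain or a renamed dependency defeats. The magic-byte check shows why the WAF in the paragraph above is blind: both the benign and the hostile stream start with the same four bytes.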

Following the disclosure of these vulnerabilities, Cisco and Code White resumed communication to properly address and document the findings. Frycos followed up after the disclosure, noting, "Just had a good call with Cisco! The missing vulnerability fixes were indeed implemented as well but need some further testing. SP1 will be released in the next few weeks. We found a good mode of collaboration now."

Developers looking to evaluate their own code against similar deserialization issues can leverage the enhancements in NIST Special Publication 800-53 Revision 5, which now include interactive application security testing (IAST) as control enhancement SA-11(9), a technique that identifies security vulnerabilities during normal application runtime usage. IAST weaves sensors into the running application to record how requests reach sensitive functions such as ObjectInputStream deserialization or Runtime.exec. Unlike dependency scanning, which evaluates each library in isolation, the interactive approach observes libraries and custom code working together at runtime, which is exactly where a gadget chain assembled from otherwise benign classes becomes visible.

The exploits for Cisco Security Manager took advantage of the way its web front-end framework accepted serialized data, with the Apache Commons BeanUtils library on the classpath supplying the gadget chain. Commons BeanUtils was itself affected by a vulnerability in 2019 that the Common Weakness Enumeration (CWE) classifies under the same deserialization weakness, CWE-502. In addition to updating dependencies on a regular basis, developers who rely on Java serialization should never deserialize data from untrusted sources without an allow-list filter, and should regularly verify that such data can never be used to execute a server-side payload of an attacker's choosing.
