Cisco Bug: CSCur25513 - Cisco FirePower Management Center Remote Command Execution Vulnerability

Last Modified

Mar 23, 2017

Products (40)

  • Cisco Firepower Management Center
  • Cisco FirePOWER Appliance 8260
  • Cisco FirePOWER Appliance 8120
  • Sourcefire 3D6500 Sensor
  • Sourcefire Defense Center 1000 Chassis
  • Cisco FirePOWER Appliance 8360
  • Cisco FirePOWER Appliance 8350
  • Cisco AMP 8150
  • Cisco FirePOWER Appliance 8130
  • Cisco FirePOWER Appliance 8140

Known Affected Releases

4.10.3.9, 5.2.0, 5.3.0.4, 5.3.1, 5.4.0

Description (partial)

Symptom:
A vulnerability in the web-based GUI of Cisco Firepower Management Center and Cisco Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services could allow an authenticated, remote attacker to perform unauthorized remote command execution on the affected device.

The vulnerability is due to insufficient authorization checking. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected device. Successful exploitation could allow an authenticated attacker to execute system commands with root-level privileges.

Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-fmc

Conditions:
Device configured with default configuration, running an affected version of software.