MSSPs Particularly Vulnerable to Cisco FDM Flaw

Of all those who potentially face a threat from the recently disclosed vulnerability in Cisco Firepower Device Manager (FDM), MSSPs could feel the impact the hardest if adversaries decide to exploit it.

“An MSSP may be operating Cisco Firepower Device Manager (FDM) to manage instances of Cisco Firepower [next-generation firewalls] NGFWs for customers, in which case they’d be susceptible to attacks that aim to exploit the vulnerability,” said Michael Isbitski, technical evangelist at Salt Security.

“For MSSPs taking care of several businesses, the threat of an attack on the tool they use to manage and access their clients’ systems could lead to cybercriminals infiltrating more businesses than if they were to go after them one at a time,” said Heather Paunet, senior vice president at Untangle.

“Additionally, if the MSSP is operating Cisco FDM and Cisco Firepower NGFWs, that potentially puts the MSSP itself, the services they operate and their data and their customer data at risk,” Isbitski explained.

Researchers at Positive Technologies disclosed the flaw last week. Attackers exploiting the flaw could remotely execute arbitrary code to seize control of a device, meaning they could disable traffic filtering, shut down a firewall or access internal systems and enterprise resources located on the same subnet.

“Exploiting the vulnerability would allow attackers to, with minimal authorization rights, gain full access over the device and all its capabilities,” said Nikita Abramov, one of the Positive Technologies researchers who discovered the flaw. “That means they could completely shut it down, which would stop filtering all web traffic for the organization, allowing employees to visit malicious sites and allowing malicious content from the web to enter the organization’s network.”

He explained that “criminals could leverage this flaw in coordinated attacks—for example, they could turn off the Cisco Firepower Device Manager On-Box to allow all malicious content through, then launch phishing emails with malicious links or attachments.”

As a result, cybercriminals might rack up a “greater success rate, since the malicious links and attachments would not be blocked,” Abramov said. “If an organization has multiple Cisco Firepower firewalls installed, exploiting the flaw could allow attackers to shut all of them down since the vulnerable solution locally configures all Cisco Firepower firewalls.”

Additionally, they could “leverage the vulnerability to gain access to internal resources within the enterprise, if they’re located on the same subnet, such as confidential data or other parts of the network, enabling attacks and malware to spread even further,” he explained. “Attackers could even exploit the flaw to limit the ability to access internal resources for employees of victim organizations, demanding a ransom to get the company back up and running.”

While Abramov said Positive Technologies is not aware of any exploitations of the flaw, Isbitski said, “presumably, exploitation requires manipulation of API parameters or variables to perform a type of command injection.”

Successful exploitation of the REST API of Cisco FDM, he said, would provide “access to the underlying operating system of that FDM instance and allows an attacker to execute code arbitrarily.” The blast radius could be larger, though, “if an organization’s network is not segmented appropriately,” he said. “An attacker would likely chain this exploit with others in order to pivot within a vulnerable organization’s network and access other servers, applications, and data.”

Manipulating HTTP requests “is a trivial task for attackers, and the work can be easily scripted or automated,” Isbitski said.
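As an added illustration of the attack class Isbitski describes (constructed example code, not Cisco FDM's code; the diagnostic endpoint, the `host` parameter and the payload are assumptions), the following Python shows a management-API handler that interpolates a hostname parameter into a shell command, beside a hardened version that allowlists the value and passes an argv list without a shell, plus the kind of metacharacter check a network-side detector would apply to the same field:

```python
"""Constructed example of an API parameter reaching a shell (command injection).

This is illustrative code added here, not Cisco FDM's code. The "ping
diagnostic" handler, the parameter name and the payload are assumptions
chosen to show the vulnerable pattern beside the hardened one.
"""
import re
import subprocess
from typing import Optional

# Allowlist for a hostname/IP parameter (assumption: a character-class check
# is sufficient for this demo). Requiring a leading alphanumeric also rejects
# values such as "-c 9999" that would otherwise be parsed as ping options.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Shell metacharacters a WAF/NDR signature would flag inside a hostname field.
_SHELL_METACHARS = re.compile(r"[;&|`$()<>\n]")


def vulnerable_ping(host: str) -> subprocess.CompletedProcess:
    """Vulnerable pattern: untrusted parameter interpolated into a shell string.

    /bin/sh parses ';', '&&', '|' and '$(...)', so an attacker-supplied value
    such as "127.0.0.1; echo INJECTED" runs a second command.
    """
    cmd = f"ping -c 1 -W 1 {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)


def hardened_ping_argv(host: str) -> list:
    """Hardened pattern: allowlist-validate, then build an argv list (no shell).

    Raises ValueError for anything outside the allowlist instead of escaping it.
    """
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname parameter: {host!r}")
    return ["ping", "-c", "1", "-W", "1", host]


def hardened_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the validated argv directly; no shell ever sees the parameter."""
    argv = hardened_ping_argv(host)
    return subprocess.run(argv, capture_output=True, text=True, timeout=30)


def looks_like_injection(value: str) -> Optional[str]:
    """Detection-side check: return the first shell metacharacter found, else None."""
    m = _SHELL_METACHARS.search(value)
    return m.group(0) if m else None


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"  # constructed attacker input
    result = vulnerable_ping(payload)
    print("vulnerable handler stdout:", result.stdout.strip())
    print("detector flags:", looks_like_injection(payload))
    try:
        hardened_ping_argv(payload)
    except ValueError as err:
        print("hardened handler:", err)
    print("argv for a clean value:", hardened_ping_argv("fw1.example.net"))
```

The hardened version deliberately relies on an allowlist and an argv list rather than on quoting: `shlex.quote` would stop the shell from splitting the value, but the binary would still receive whatever the attacker sent, including values that start with `-` and get interpreted as options. That is also why a signature check like `looks_like_injection` is useful for alerting but not as the only control, which is the limitation of signature-based tooling Isbitski raises below.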

Since NGFWs often are “deployed as a security catch-all for attacks against many protocols, applications and services in organizations,” he noted, “when a protection mechanism itself like an NGFW is flawed, it puts into question whether the front-end applications and data are being adequately secured at all.”

Injection flaws are commonplace, ranked number eight (API8:2019) on the 2019 OWASP API Security Top 10. But in this case, what stands out is “that an API itself in Cisco FDM is vulnerable, which is precisely the type of service an organization would be trying to protect with an NGFW,” said Isbitski. “Unfortunately, many traditional security approaches like NGFWs aren’t designed to analyze API traffic, provide context and stop API attacks.”

Instead, they “evaluate API traffic just as they do with any other service riding on a network protocol like HTTP,” he said. “These traditional controls also rely on static signatures, and they can’t be tuned effectively or quickly enough by organizations.”

Security teams typically find it impossible to tailor such controls to an organization’s unique business logic. “Inevitably, attackers circumvent the traditional security controls used in organizations and exploit or abuse APIs,” Isbitski said.

While Cisco has already released a fix for the vulnerability, Paunet said “it is recommended to use an NTA/NDR solution to check for suspicious activity.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.