Author = Daichi Goto

On November 17 (US time), the United States Computer Emergency Readiness Team (US-CERT) announced in “Cisco Releases Security Updates for Security Manager | CISA” that multiple vulnerabilities had been discovered and reported in the Cisco Systems security product “Cisco Security Manager”, and that the company had released a security update for them.

Exploitation of these vulnerabilities could allow a malicious attacker to gain access to sensitive system information. The vulnerabilities fixed in this release are summarized in the following Cisco security advisories.

  • Cisco Security Manager Path Traversal Vulnerability
  • Cisco Security Manager Static Credential Vulnerability

The first is a path traversal vulnerability in the affected device, caused by insufficient validation of character sequences in requests. A malicious attacker could send a specially crafted request to the affected device and download arbitrary files. The severity of this vulnerability is rated “Critical”, and it requires immediate attention.
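As an added illustration of the bug class described above (this is constructed example code, not Cisco's implementation, and the base directory, request paths and function names are assumptions), the following shows a naive file-download path resolver beside a hardened one that decodes, canonicalizes and confines the request path, plus a detection-side check for request logs:

```python
import posixpath
from urllib.parse import unquote

# Constructed base directory for a hypothetical file-download endpoint.
BASE_DIR = "/srv/app/reports"

def _fully_decode(raw: str) -> str:
    """Percent-decode up to three times so double-encoded '%252e%252e'
    is caught, then fold backslashes into forward slashes."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def resolve_naive(user_path: str) -> str:
    """Vulnerable pattern: the request path is joined onto BASE_DIR with no
    check that the result stays inside it. '../' walks out of the tree and
    an absolute path replaces BASE_DIR outright."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))

def resolve_safe(user_path: str):
    """Hardened pattern: decode, reject NUL, collapse '.'/'..', then require
    the canonical result to remain under BASE_DIR. Returns the confined
    path, or None when the request would escape."""
    decoded = _fully_decode(user_path)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded.lstrip("/")))
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate

def looks_like_traversal(request_path: str) -> bool:
    """Detection-side check for proxy or WAF logs: flag any request whose
    decoded path contains a parent-directory segment."""
    return ".." in _fully_decode(request_path).split("/")

if __name__ == "__main__":
    # Constructed request paths, not taken from the advisory.
    for p in ["q1/summary.pdf", "../../../etc/passwd",
              "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "..%5c..%5cconfig"]:
        print(f"{p!r:40} naive={resolve_naive(p)!r:32} safe={resolve_safe(p)!r}")
```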

  • Cisco Security Manager Path Traversal Vulnerability

The second is a vulnerability caused by insufficient protection of static credentials in the affected software. A successful attack could expose credentials that are not normally accessible, and that information could then be used in further attacks. The severity is classified as “High”. Both vulnerabilities affect Cisco Security Manager versions prior to release 4.21 and can be addressed by updating to release 4.22.

  • Cisco Security Manager Static Credential Vulnerability