VYPR
Unrated severity · NVD Advisory · Published Jun 24, 2022 · Updated Nov 1, 2024

Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability

CVE-2022-20828

Description

Authenticated admin can execute arbitrary commands as root on Cisco ASA FirePOWER module via crafted CLI or HTTPS request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER modules. It is caused by improper handling of undefined command parameters, which allows command injection. Affected devices are those running a vulnerable release of Cisco FirePOWER Software with the system lockdown[-sensor] CLI command enabled (i.e., lockdown mode); for the HTTPS attack vector, HTTPS management access must be enabled on the Cisco ASA. For details on affected releases, see the Cisco Security Advisory [1].

Exploitation

An attacker must have administrative access to the Cisco ASA that hosts the ASA FirePOWER module. The attack can be performed via the CLI using a crafted command, or via an HTTPS request to the web-based management interface. For the CLI exploit, the ASA FirePOWER module must be in lockdown mode (expert command not visible). For the HTTPS exploit, HTTPS management access must be enabled, and the attacker must be able to connect from an IP address permitted by the HTTP ACL. The attacker submits a crafted command or request to trigger the injection.

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system of the ASA FirePOWER module as the root user, resulting in full compromise of the module.

Mitigation

Cisco has released fixed software versions; see the Fixed Software section of the advisory [1] for the appropriate upgrade paths. At the time of publication, no workaround was available. Lockdown mode and HTTPS management configuration are conditions for exploitation, not mitigations.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
