CVE-2024-20412: Unauthorized Access to Cisco Firepower Devices via Static Credentials


Cisco has recently published a security advisory regarding a critical vulnerability in its Firepower Threat Defense (FTD) software. This vulnerability, identified as CVE-2024-20412, presents a significant risk to organizations using Cisco’s Firepower 1000, 2100, 3100, and 4200 Series devices. With a CVSS score of 9.3, this vulnerability allows unauthenticated, local attackers to exploit static credentials embedded in the system, potentially leading to unauthorized access and configuration changes.

The core issue lies in the presence of static accounts with hard-coded passwords within the affected Cisco Firepower systems. These accounts enable an attacker with local access to bypass authentication measures and log into the device’s command-line interface (CLI) using static credentials. Once authenticated, the attacker can execute limited commands, retrieve sensitive information, or even cause the device to become unbootable by modifying certain configuration options.

According to the Cisco advisory, “an attacker could exploit this vulnerability by logging in to the CLI of an affected device with these credentials.” In the worst-case scenario, this could lead to a complete disruption of operations, requiring a reimage of the compromised device.

The vulnerability impacts Cisco Firepower devices running FTD Software Release 7.1 through 7.4, with a vulnerability database (VDB) release of 387 or earlier. The affected models include:

  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 3100 Series
  • Firepower 4200 Series

Administrators can determine whether their devices are exposed by running the show local-user command. If the output lists accounts such as csm_processes, report, sftop10user, Sourcefire, and SRU, the device is vulnerable.

Cisco also advises running specific commands to determine whether these static accounts have been used recently. The following command searches the system logs for successful logins by any of those accounts:

zgrep -E "Accepted password for (csm_processes|report|sftop10user|Sourcefire|SRU)" /ngfw/var/log/messages*
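As an added example, not code from Cisco's advisory or this article, the following shell helper applies both checks above to constructed sample data: it looks for the static account names in "show local-user" output and summarises successful logins from rotated (plain or gzip) log files. The "show local-user" output format and the syslog line format it parses are assumptions.

```shell
#!/bin/sh
# Added triage helper (not Cisco's or the article's code). The "show local-user"
# output format and the syslog line format are assumptions, and the sample log
# is constructed. On a device, use the real output and /ngfw/var/log/messages*.

STATIC_ACCOUNTS='csm_processes|report|sftop10user|Sourcefire|SRU'

# Check 1: read "show local-user" output on stdin and print each static
# account found as a whole word, deduplicated. Exit status 0 means found.
static_accounts_present() {
  grep -owE "($STATIC_ACCOUNTS)" | sort -u | grep .
}

# Print the given log files, decompressing rotated .gz files on the fly.
cat_logs() {
  for f in "$@"; do
    case "$f" in
      *.gz) gzip -dc "$f" ;;
      *)    cat "$f" ;;
    esac
  done
}

# Check 2: summarise successful logins by the static accounts as
# "<account> <source-ip> <count>" (failed attempts and other users ignored).
static_account_logins() {
  cat_logs "$@" \
    | sed -nE "s/.*Accepted password for ($STATIC_ACCOUNTS) from ([0-9.]+) .*/\1 \2/p" \
    | sort | uniq -c | sed -E 's/^ *([0-9]+) (.*)$/\2 \1/'
}

# Constructed sample syslog lines (not real device logs), written to a temp
# file so the checks can be exercised without a device.
write_sample_log() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
Sep 12 03:14:07 firepower sshd[1234]: Accepted password for report from 192.0.2.10 port 52211 ssh2
Sep 12 03:15:22 firepower sshd[1240]: Accepted password for admin from 192.0.2.20 port 52300 ssh2
Sep 12 03:16:01 firepower sshd[1251]: Failed password for SRU from 192.0.2.10 port 52400 ssh2
Sep 13 11:02:45 firepower sshd[2201]: Accepted password for report from 192.0.2.10 port 60001 ssh2
Sep 13 11:05:09 firepower sshd[2210]: Accepted password for Sourcefire from 198.51.100.7 port 40022 ssh2
EOF
  echo "$f"
}

# Demonstration on the constructed data:
log=$(write_sample_log)
printf 'admin\nreport\nSRU\n' | static_accounts_present
static_account_logins "$log"
rm -f "$log"
```

On the sample data the login summary reports two successful logins for report from 192.0.2.10 and one for Sourcefire from 198.51.100.7; the admin login and the failed SRU attempt are not counted.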


Cisco has released software updates to address CVE-2024-20412 and strongly advises users to upgrade their FTD software to a fixed release. Where immediate patching is not possible, Cisco has provided a workaround to reduce the risk; it involves restricting local access and managing SSH configurations.

At the time of publication, Cisco’s Product Security Incident Response Team (PSIRT) reported that “there are no public announcements or malicious use of the vulnerability” described in this advisory. However, given the critical nature of the flaw, organizations should prioritize mitigation efforts to safeguard their networks.
