CVE-2024-20412: Unauthorized Access to Cisco Firepower Devices via Static Credentials
Cisco has published a security advisory for a critical vulnerability in its Firepower Threat Defense (FTD) software, tracked as CVE-2024-20412, that affects the Firepower 1000, 2100, 3100, and 4200 Series. Rated with a CVSS base score of 9.3, the flaw lets an unauthenticated attacker with local access to a device log in using static credentials built into the software, which can lead to unauthorized access and configuration changes.
The core issue is the presence of static accounts with hard-coded passwords in the affected FTD releases. Because the passwords are identical on every affected device, knowing them is all an attacker needs: no authentication bypass or memory-corruption primitive is involved, and an attacker with local access simply logs in to the device's command-line interface (CLI) with those credentials. Once logged in, the attacker can run a limited set of commands, retrieve sensitive information, change some configuration options, or render the device unable to boot.
According to the Cisco advisory, “an attacker could exploit this vulnerability by logging in to the CLI of an affected device with these credentials.” In the worst case the device is left unbootable, which means a full reimage and the corresponding outage.
The vulnerability affects Cisco Firepower devices running FTD Software Release 7.1 through 7.4 with a vulnerability database (VDB) release of 387 or earlier. Note that the affected condition is tied to the VDB release, not to the FTD software release alone, so the VDB version is what to check on each device. The affected models are:
- Firepower 1000 Series
- Firepower 2100 Series
- Firepower 3100 Series
- Firepower 4200 Series
Administrators can determine whether a device is exposed by checking for the static accounts with the show local-user command on the FTD CLI. The presence of any of the accounts csm_processes, report, sftop10user, Sourcefire, or SRU in the output indicates the device is vulnerable. Match the names exactly (user names are case-sensitive), and do not dismiss a hit just because the account looks like an internal service account: these names do not correspond to users an administrator created.
Cisco also advises using specific commands to determine if these static accounts have been accessed recently. The following command allows administrators to check for any successful logins:
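The advisory's own command is not reproduced on this page. As an added example (not Cisco's code and not the command from the advisory), the following Python script performs the same two checks offline on text copied off a device: it flags the advisory's static account names in saved show local-user output, decides whether a reported FTD version and VDB release fall in the affected range described above, and pulls accepted and failed SSH logins for those accounts out of an auth-log excerpt. Both sample inputs are constructed; the show local-user column layout and the sshd-style log format are assumptions, so adjust the regexes to what your devices actually print before relying on the result.

```python
"""Offline triage helper for the static-account issue described above.

Added example, not Cisco's code. It operates on text copied off a device:
saved `show local-user` output and an auth-log excerpt. The sample inputs
are constructed and their formats (column layout, sshd-style syslog lines)
are assumptions; adjust the regexes to match real captures.
"""
import re

# Account names the article lists as indicators of an affected device.
STATIC_ACCOUNTS = {"csm_processes", "report", "sftop10user", "Sourcefire", "SRU"}

# Constructed sample: a plausible saved `show local-user` capture (assumed layout).
SAMPLE_SHOW_LOCAL_USER = """\
Local users:
  admin          Administrator
  csm_processes  Basic
  report         Basic
  sftop10user    Basic
  Sourcefire     Basic
  SRU            Basic
"""

# Constructed sample in sshd syslog style (assumed, not a verified FTD log format).
SAMPLE_AUTH_LOG = """\
Oct 24 03:12:07 ftd sshd[2211]: Accepted password for admin from 10.0.0.5 port 51234 ssh2
Oct 24 03:15:42 ftd sshd[2290]: Failed password for SRU from 10.0.0.9 port 40222 ssh2
Oct 24 03:16:01 ftd sshd[2290]: Accepted password for SRU from 10.0.0.9 port 40222 ssh2
Oct 24 03:18:30 ftd sshd[2301]: Failed password for invalid user test from 10.0.0.9 port 40301 ssh2
Oct 24 03:20:15 ftd sshd[2350]: Accepted publickey for Sourcefire from 10.0.0.7 port 45210 ssh2
"""

# One regex for both outcomes; "invalid user" is skipped so the real name is captured.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s\w+\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<src>\S+)"
)


def in_affected_range(ftd_version: str, vdb_release: int) -> bool:
    """FTD 7.1 through 7.4 with VDB 387 or earlier, as the text summarizes it."""
    major, minor = (int(x) for x in ftd_version.split(".")[:2])
    return (7, 1) <= (major, minor) <= (7, 4) and vdb_release <= 387


def find_static_accounts(show_local_user_output: str) -> set[str]:
    """Return the advisory accounts present in saved `show local-user` output.

    Matching is whole-token and case-sensitive (Linux user names are), so a
    legitimate account named `reporter` does not trigger on `report`.
    """
    found: set[str] = set()
    for line in show_local_user_output.splitlines():
        tokens = re.findall(r"[A-Za-z0-9_.-]+", line)
        found.update(t for t in tokens if t in STATIC_ACCOUNTS)
    return found


def find_static_account_logins(auth_log: str) -> list[dict[str, str]]:
    """Return accepted and failed SSH logins attributed to the static accounts.

    Failed attempts are kept on purpose: a burst of them against SRU or
    Sourcefire is worth investigating even when no login succeeded.
    """
    hits = []
    for line in auth_log.splitlines():
        m = LOGIN_RE.match(line)
        if m and m.group("user") in STATIC_ACCOUNTS:
            hits.append(m.groupdict())
    return hits


def triage(ftd_version: str, vdb_release: int,
           show_local_user_output: str, auth_log: str) -> dict:
    """Combine the three checks into one verdict for a single device."""
    logins = find_static_account_logins(auth_log)
    return {
        "in_affected_range": in_affected_range(ftd_version, vdb_release),
        "static_accounts_present": sorted(find_static_accounts(show_local_user_output)),
        "accepted_logins": [h for h in logins if h["result"] == "Accepted"],
        "failed_logins": [h for h in logins if h["result"] == "Failed"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage("7.4.1", 387, SAMPLE_SHOW_LOCAL_USER, SAMPLE_AUTH_LOG), indent=2))
```

On the constructed sample the script reports the device as in range, lists all five accounts, and returns two accepted logins (SRU and Sourcefire) plus one failed attempt against SRU; the "invalid user test" line is ignored because that name is not one of the static accounts. A successful login to any of these accounts from an address you do not recognize should be treated as a compromise of the device, not as a configuration oddity.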