lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKiWCLSte9p0mrhk3UM2LQNHsf1_C6jcjVftq3+7RSp4xuwg9g@mail.gmail.com>
Date: Mon, 16 Nov 2015 21:41:30 +1100
From: Matthew Flanagan <mattimustang@...il.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] CVE-2015-6357: Cisco FireSIGHT Management Center SSL
	Validation Vulnerability

Title: Cisco FireSIGHT Management Center Certificate Validation
Vulnerability

Blog URL:
http://wadofstuff.blogspot.com.au/2015/11/cve-2015-6357-firepwner-exploit-for.html
Vendor: Cisco
Product: FireSIGHT Management Center
Affected Versions: 5.2.x, 5.3.x, 5.4.x
Advisory URL:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fmc
CVE: CVE-2015-6357
CVSS: 5.1


The Cisco FireSIGHT Management Center appliance is used to manage Cisco
FirePOWER Intrusion Prevention Systems (IPS), also known as Sourcefire IPS.
FireSIGHT is responsible for downloading updated IPS signatures and
installing
them on managed IPS devices.

On its own the Cisco FireSIGHT Management Center Certificate Validation
Vulnerability is a medium severity vulnerability with a CVSS of 5.1.
However, this vulnerability is an example of why SSL certificate validation
is so
important. In this exploit I will demonstrate how the vulnerability can be
leveraged
to obtain privileged remote command execution on a Cisco FireSIGHT system.
The
exploit chains the SSL validation vulnerability with the software update
process
on the Cisco FireSIGHT system to trick the target system into downloading a
malicious
update and executing it to obtain a reverse shell with **root** privileges.

Read the full advisory at
http://wadofstuff.blogspot.com.au/2015/11/cve-2015-6357-firepwner-exploit-for.html

Credits:

This security vulnerability was found by Matthew Flanagan.


Disclosure Timeline:

- 2015-08-31 Vulnerability discovered in FireSIGHT 5.4.x and exploit
developed
  by Matthew Flanagan.
- 2015-09-01 Initial contact made with Cisco PSIRT psirt@...co.com.
- 2015-09-01 PSIRT responded asking for more information.
- 2015-09-01 Matthew Flanagan provided PSIRT with full write up and exploit
of vulnerability.
- 2015-09-02 PSIRT raised FireSIGHT defect and incident PSIRT-190974966.
- 2015-09-15 Matthew Flanagan reported to Cisco PSIRT that versions 5.2.0
and 5.3.0 are also
vulnerable.
- 2015-10-16 PSIRT advised me of the CVSS score they assigned to the
vulnerability.
- 2015-11-09 PSIRT assigned CVE ID CVE-2015-6357.
- 2015-11-16 [Cisco FireSIGHT Management Center Certificate Validation
  Vulnerability][3] published.
- 2015-11-16 Matthew Flanagan's findings published.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ