Cisco Secure Firewall Management Center Software SQL Injection Vulnerability

Monitor | CVSS 6.5 | cisco-sa-fmc-sql-inject-2EnmTC8v | Oct 23, 2024
Cisco | Energy
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A SQL injection vulnerability exists in the Cisco Secure Firewall Management Center (FMC) web-based management interface. An authenticated attacker with Security Approver, Intrusion Admin, Access Admin, or Network Admin role could send a crafted HTTP request to exploit insufficient input validation. A successful exploit allows reading database contents and limited read access to the underlying operating system.

What this means
What could happen
An attacker with administrative credentials could extract sensitive firewall configuration data and security policy information from the FMC database, potentially revealing network security policies, threat intelligence, and system details that could inform further attacks on your network infrastructure.
Who's at risk
Energy sector organizations and any entity using Cisco Secure Firewall Management Center for centralized firewall management and security policy administration should prioritize this fix, as the FMC serves as a critical management platform for network security controls.
How it could be exploited
An attacker with valid FMC admin credentials (Security Approver, Intrusion Admin, Access Admin, or Network Admin role) logs into the web-based management interface and submits a specially crafted HTTP request containing a SQL injection payload in an unvalidated input field. The database executes the attacker's SQL commands, exposing database contents and system information.
Prerequisites
  • Valid authenticated account on FMC with one of these roles: Security Approver, Intrusion Admin, Access Admin, or Network Admin
  • Network access to the FMC web-based management interface (typically HTTPS port 443)
  • Remotely exploitable
  • Authentication required, but with elevated privileges common in administrative teams
  • Low complexity attack
  • High CVSS score (6.5) indicates moderate-to-high sensitivity impact
  • Directly impacts confidentiality of security-critical data
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
Product                                          | Affected Versions | Fix Status
Secure Firewall Management Center (FMC) Appliances | All versions      | Fix available
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the FMC web-based management interface to only authorized IT personnel and security teams; use firewall rules to limit access by source IP address
HARDENING: Review and limit FMC user account roles to the minimum necessary; audit which users have Security Approver, Intrusion Admin, Access Admin, or Network Admin roles and remove if not required
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Cisco Secure Firewall Management Center to the patched version released by Cisco (consult Cisco security advisory for specific version numbers and affected version ranges)
Long-term hardening
HARDENING: Monitor FMC access logs and database query logs for suspicious activity or unusual SQL patterns in web requests
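The monitoring item above is easiest to act on with a concrete screen over the web-server access log. The script below is an added example, not code from Cisco or from this advisory service. It assumes the FMC access log is in Apache combined-log format (the log layout, the URL paths and every log line are constructed for illustration, not taken from a real appliance), decodes nested percent-encoding so that encoded parameters are inspected in their final form, scores each query parameter against generic SQL-injection signatures of the kind found in public WAF rule sets, and then counts flagged requests per account and source IP so that a burst from one of the privileged roles named in the advisory stands out.

```python
"""Screen web-access log lines for SQL-injection indicators in request parameters.

Added example for the FMC advisory: log format, paths and lines are constructed
assumptions, and the signatures are generic (not FMC-specific).
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined-log style (assumed format).
SAMPLE_LOG = """\
10.0.0.5 - netadmin [23/Oct/2024:10:01:12 +0000] "GET /ddd/policy/list?page=2&sort=name HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - netadmin [23/Oct/2024:10:01:20 +0000] "GET /ddd/policy/list?page=2&sort=name'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
10.0.0.9 - secapprover [23/Oct/2024:10:02:03 +0000] "GET /ddd/object/search?q=O'Brien HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - secapprover [23/Oct/2024:10:02:41 +0000] "GET /ddd/object/search?q=1%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 20471 "-" "Mozilla/5.0"
10.0.0.9 - secapprover [23/Oct/2024:10:02:42 +0000] "GET /ddd/object/search?q=1%2527%2520OR%25201%253D1 HTTP/1.1" 200 20471 "-" "Mozilla/5.0"
"""

# One combined-log line: client IP, ident, authenticated user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Generic signatures with weights; a request is flagged when the summed weight
# reaches THRESHOLD, so a lone "--" in a legitimate value does not fire by itself.
SQLI_SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I), 3),
    ("stacked-query", re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I), 3),
    ("tautology", re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I), 2),
    ("quote-keyword", re.compile(r"['\"]\s*(or|and|union|select)\b", re.I), 2),
    ("comment-terminator", re.compile(r"(--|#|/\*)"), 1),
]
THRESHOLD = 2


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (%2527 -> %27 -> ') so encoding layers
    cannot hide the decoded SQL from the signatures."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(target: str) -> tuple[int, list[str]]:
    """Score every query parameter of one request target.
    Returns (total weight, list of 'param:signature' hits)."""
    score, hits = 0, []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(value)
        for sig_name, pattern, weight in SQLI_SIGNATURES:
            if pattern.search(decoded):
                score += weight
                hits.append(f"{name}:{sig_name}")
    return score, hits


def scan_log(text: str, threshold: int = THRESHOLD) -> list[dict]:
    """Parse each log line and keep the requests whose score reaches the threshold."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the whole scan
        score, hits = scan_request(m["target"])
        if score >= threshold:
            findings.append({
                "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                "path": urlsplit(m["target"]).path, "score": score, "hits": hits,
            })
    return findings


def suspicious_accounts(findings: list[dict]) -> Counter:
    """Count flagged requests per (user, source IP): these are the accounts to
    cross-check against the role audit and the source-IP restriction."""
    return Counter((f["user"], f["ip"]) for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['user']} {f['path']} score={f['score']} {f['hits']}")
    for (user, ip), n in suspicious_accounts(found).most_common():
        print(f"{n} flagged request(s) from {user}@{ip}")
```

The weighted scoring is the design choice worth keeping when adapting this to real logs: the legitimate `O'Brien` search and a bare comment marker score below the threshold, while a tautology, a `UNION SELECT` or a stacked query scores high enough on its own, and the decoding loop catches the double-encoded variant that a single `unquote` would miss. Feed the output into the role audit from the hardening item above: a flagged account that also holds one of the four named roles is the combination this advisory is about.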
