Back to list
CVE-2015-6357: Cisco FireSIGHT Management Center SSL Validation Vulnerability
Nov 16 2015 10:45AM
Matthew Flanagan (mattimustang gmail com)
Title: Cisco FireSIGHT Management Center Certificate Validation Vulnerability
Blog URL: http://wadofstuff.blogspot.com.au/2015/11/cve-2015-6357-firepwner-exploi
Product: FireSIGHT Management Center
Affected Versions: 5.2.x, 5.3.x, 5.4.x
Advisory URL: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cis
The Cisco FireSIGHT Management Center appliance is used to manage Cisco
FirePOWER Intrusion Prevention Systems (IPS), also known as Sourcefire IPS.
FireSIGHT is responsible for downloading updated IPS signatures and installing
them on managed IPS devices.
On its own the Cisco FireSIGHT Management Center Certificate Validation
Vulnerability is a medium severity vulnerability with a CVSS of 5.1.
However, this vulnerability is an example of why SSL certificate
validation is so
important. In this exploit I will demonstrate how the vulnerability
can be leveraged
to obtain privileged remote command execution on a Cisco FireSIGHT system. The
exploit chains the SSL validation vulnerability with the software update process
on the Cisco FireSIGHT system to trick the target system into
downloading a malicious
update and executing it to obtain a reverse shell with **root** privileges.
Read the full advisory at
This security vulnerability was found by Matthew Flanagan.
- 2015-08-31 Vulnerability discovered in FireSIGHT 5.4.x and exploit developed
by Matthew Flanagan.
- 2015-09-01 Initial contact made with Cisco PSIRT psirt (at) cisco (dot) com. [email concealed]
- 2015-09-01 PSIRT responded asking for more information.
- 2015-09-01 Matthew Flanagan provided PSIRT with full write up and
exploit of vulnerability.
- 2015-09-02 PSIRT raised FireSIGHT defect and incident PSIRT-190974966.
- 2015-09-15 Matthew Flanagan reported to Cisco PSIRT that versions
5.2.0 and 5.3.0 are also
- 2015-10-16 PSIRT advised me of the CVSS score they assigned to the
- 2015-11-09 PSIRT assigned CVE ID CVE-2015-6357.
- 2015-11-16 [Cisco FireSIGHT Management Center Certificate Validation
- 2015-11-16 Matthew Flanagan's findings published.
[ reply ]
Copyright 2010, SecurityFocus