Cisco has disclosed a critical command injection vulnerability in Firepower Threat Defence (FTD) devices.
In its advisory for CVE-2023-20048, the networking vendor said that the bug is rated 9.9 on the Common Vulnerability Scoring System and allows an authenticated remote attacker to execute “certain unauthorised configuration commands” on the target device’s management centre software.
Configuration commands sent through the web service interface are insufficiently authorised, the company explained.
Cisco didn’t reveal which commands can be exploited, but said they’re exploited using “a crafted HTTP request”.
The management centre update is part of a larger security rollup for adaptive security appliance (ASA), Firepower management centre (FMC) and FTD software released today.
That announcement covers a total of 27 vulnerabilities described in 22 advisories.
As well as CVE-2023-20048, there are eight CVEs that carry a high severity rating.
Five are denial-of-service bugs: CVE-2023-20086, in which an IPv6 ICMP message can force a device reload; CVE-2023-20095 in ASA’s and FTD’s VPN software, attacked using crafted HTTPS requests; CVE-2023-20244, a packet inspection bug in the Firepower 2100 series firewalls; CVE-2023-20083, another IPv6 ICMP bug, this time in the FTD when configured with Snort 2; and CVE-2023-20155, a lack of rate limiting in the FMC API exploitable by sending a high rate of HTTP requests.
There are also two code injection vulnerabilities: CVE-2023-20063 in FTD devices running FMC, allowing local attackers to run code as root; and one for and CVE-2023-20220, a pair of command injection vulnerabilities in FMC.