CVE-2022-20949 The management web server of Cisco Firepower Threat Defense could be exploited by an authenticated, remote attacker with high privileges.

The management web server is accessible only by privileged users, such as system administrators, who should not be accessing the configuration of the device. In most cases, this vulnerability can only be exploited by a remote, authenticated attacker, who can send messages to the management web server. Cisco Firepower Management Center (FMC) should be used to manage and configure the devices, and not the device’s management web server. Cisco devices can be configured to block remote access to the management web server by using the following command: Access-Control-Allow-Methods set to ‘GET’, ‘POST’, and ‘HEAD’. Cisco Firepower Threat Defense (FTD) Software 8.0 and later releases can be configured to block access to the management web server by using the following command: Access-Control-Allow-Methods set to ‘GET’, ‘POST’, and ‘HEAD’. Cisco Firepower Threat Defense (FTD) 8.0 and later releases can be configured to block access to the management web server by using the following command: Access-Control-Allow-Methods set to ‘POST’ and ‘GET’. Cisco

System-level mitigations to control access to management ports

The management port must be blocked at the system level, DNS forwarding must be disabled, or reverse mappings must not be enabled if these devices are not managed by Cisco Firepower Management Center (FMC).

Timeline

Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/22/2022 14:49:00 UTC