Unpatched Cisco Security Manager Java Deserialization Vulnerabilities

Multiple vulnerabilities in the Java deserialization functionality of Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.

Tuesday, 17 November 2020, 07:21 GMT

These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit them by sending a malicious serialized Java object to a specific listener on an affected device. A successful exploit could allow the attacker to execute arbitrary commands with NT AUTHORITY\SYSTEM privileges on the Windows host.

Cisco has not released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is aware of public announcements about these vulnerabilities. Cisco PSIRT is not aware of any malicious use of the vulnerabilities described in this advisory.

Details:

Multiple vulnerabilities in the Java deserialization functionality of Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.

These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software.

An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected device. A successful exploit could allow the attacker to execute arbitrary commands with NT AUTHORITY\SYSTEM privileges on the Windows target host. Cisco has not released software updates that address these vulnerabilities.
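As an added example (not Cisco's code and not part of the advisory), the following Python inspects a captured payload for the Java serialization header and heuristically recovers the class names it carries, so a defender watching traffic to a listener like the one described above can alert when a class outside a known allow-list shows up. The class names, the allow-list and the sample stream are constructed for illustration, and the approach assumes the listener's legitimate message types are known.

```python
import re
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = b"\x72"
# Dotted Java class names, including array descriptors such as [Ljava.lang.Object;
CLASS_NAME_RE = re.compile(rb"\[*L?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?")

def is_java_serialized(data: bytes) -> bool:
    """True when the payload starts with the Java serialization header."""
    return data.startswith(STREAM_HEADER)

def extract_class_names(data: bytes) -> list:
    """Heuristically collect class names from TC_CLASSDESC records.
    Every 0x72 byte is a candidate; the length prefix, the name regex and the
    classDescFlags byte (which never sets bits above 0x10) weed out 0x72 bytes
    that belong to serialVersionUIDs or field data.
    """
    names = []
    pos = data.find(TC_CLASSDESC, len(STREAM_HEADER))
    while pos != -1:
        if pos + 3 <= len(data):
            (length,) = struct.unpack(">H", data[pos + 1:pos + 3])
            name = data[pos + 3:pos + 3 + length]
            flags_at = pos + 3 + length + 8          # skip the serialVersionUID
            if (length and len(name) == length and CLASS_NAME_RE.fullmatch(name)
                    and flags_at < len(data) and data[flags_at] < 0x20):
                names.append(name.decode("ascii"))
                pos = flags_at
        pos = data.find(TC_CLASSDESC, pos + 1)
    return names

def unexpected_classes(data: bytes, allowed) -> list:
    """Classes in the stream that the listener is not expected to receive."""
    return [n for n in extract_class_names(data) if n not in allowed]

def class_desc(name: str, uid: int) -> bytes:
    """Build a minimal TC_CLASSDESC record (constructed test data only)."""
    encoded = name.encode("ascii")
    return (TC_CLASSDESC + struct.pack(">H", len(encoded)) + encoded
            + struct.pack(">q", uid) + b"\x02"     # serialVersionUID, SC_SERIALIZABLE
            + b"\x00\x00\x78\x70")                 # no fields, TC_ENDBLOCKDATA, TC_NULL

# Constructed sample: an expected message type (TC_OBJECT 0x73 + descriptor), then
# an object of a class the hypothetical listener was never designed to accept.
SAMPLE_STREAM = (STREAM_HEADER + b"\x73" + class_desc("com.example.Heartbeat", 1)
                 + b"\x73" + class_desc("com.example.NotExpected", 2))
ALLOWED = frozenset({"com.example.Heartbeat"})
```

Because the scan is heuristic rather than a full stream parser, treat a hit as a trigger for analyst review of the capture, not as proof of exploitation.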