Category:   Application (Security)  >   Cisco FireSIGHT
Vendors:   Cisco
Cisco FireSIGHT Management Center SSL Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1034161
SecurityTracker URL:  http://securitytracker.com/id/1034161
CVE Reference:   CVE-2015-6357
Date:  Nov 16 2015
Impact:   Execution of arbitrary code via network, Root access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 5.4.0, 5.4.0.1; possibly also 5.2.0 and 5.3.0
Description:   A vulnerability was reported in Cisco FireSIGHT Management Center. A remote user can execute arbitrary code on the target system in certain cases.

The Management Center does not validate the SSL certificate when downloading software updates via HTTPS. A remote user that can conduct a man-in-the-middle attack can provide a specially crafted update file to execute arbitrary code on the target system. The code will run with root privileges.

The vendor has assigned bug ID CSCuw06444 to this vulnerability.

The vendor was notified on September 1, 2015.

The original advisory is available at:

http://wadofstuff.blogspot.com.au/2015/11/cve-2015-6357-firepwner-exploit-for.html

Matthew Flanagan reported this vulnerability.

Impact:   A remote user that can conduct a man-in-the-middle attack can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.

The vendor's advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fmc

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fmc
Cause:   Authentication error

Message History:   None.