Flawed data can be injected into Cisco's monitoring system
In SSL and SSH connections, digital certificates and host keys are used to verify the authenticity of communication partners, but it is a pretty poor show if these technologies are available and a product does not check the transmitted certificates at all or allows anyone to connect. Now, Cisco has reported such a problem in its Security Monitoring, Analysis, and Response System (CS-MARS) and Adaptive Security Device Manager (ASDM). These products are intended to detect attacks in networks and are able to take action against them automatically. To do so, they collect and correlate data from IPS sensors, firewalls, and switches on the network.
The vendor says that both systems fail to verify the authenticity of these certificates and of public keys when a connection is made. Attackers could then fake a sensor and transmit flawed data to the server, for instance, to provoke the monitoring system to respond or even to suppress a reaction. Depending on the configuration, attackers could even gain access to sensitive data. But to do so, they would first have to replace the original sensor or put it out of action.
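The flaw described above is a client that opens a TLS (or SSH) session to a sensor without checking what the sensor presents. As an added illustration, not code from Cisco or from the advisory, the following Python shows the weak client configuration next to the corrected one, plus a certificate-pinning check a collector could run after the handshake. Everything here is hypothetical: the sensor certificate bytes are a constructed placeholder rather than a real DER certificate, and `connect_to_sensor` and its parameters are assumed names for illustration only.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional

# Weak setting, resembling the flaw the advisory describes: the client accepts
# whatever certificate is presented, so any host answering on the sensor's
# address is trusted as the sensor.
def weak_client_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx

# Corrected setting: the peer must present a certificate that chains to a
# trusted CA (system store, or the collector's own CA bundle) and whose
# subject matches the hostname we dialled.
def strict_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx

# Configuration check a reviewer can apply to any context a collector builds.
def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

# SHA-256 fingerprint of the peer's DER-encoded certificate, the usual value
# operators record when enrolling a sensor.
def cert_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

class PinMismatch(Exception):
    """The presented certificate does not match the enrolled sensor."""

# Second line of defence on top of chain validation: compare the presented
# certificate against the fingerprint recorded when the sensor was enrolled.
def check_pin(der: bytes, expected_hex: str) -> str:
    actual = cert_fingerprint(der)
    if not hmac.compare_digest(actual, expected_hex.lower()):
        raise PinMismatch(f"expected {expected_hex.lower()}, got {actual}")
    return actual

# Hypothetical collector-side connect: chain + hostname validation by the
# context, then the enrolment pin checked against the live certificate.
def connect_to_sensor(host: str, port: int, expected_pin: str,
                      ca_bundle: Optional[str] = None) -> ssl.SSLSocket:
    ctx = strict_client_context(ca_bundle)
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    check_pin(tls.getpeercert(binary_form=True), expected_pin)
    return tls

# Constructed sample: NOT a real certificate, just bytes standing in for the
# DER blob a sensor would present, and the pin recorded at enrolment.
SAMPLE_SENSOR_CERT_DER = b"constructed placeholder sensor certificate (not DER)"
SAMPLE_SENSOR_PIN = cert_fingerprint(SAMPLE_SENSOR_CERT_DER)
ROGUE_CERT_DER = b"constructed placeholder presented by a replaced sensor"

if __name__ == "__main__":
    print("weak context verifies peer:  ", context_verifies_peer(weak_client_context()))
    print("strict context verifies peer:", context_verifies_peer(strict_client_context()))
    print("enrolled sensor pin ok:", check_pin(SAMPLE_SENSOR_CERT_DER, SAMPLE_SENSOR_PIN))
    try:
        check_pin(ROGUE_CERT_DER, SAMPLE_SENSOR_PIN)
    except PinMismatch as e:
        print("rogue sensor rejected:", e)
```

The pin check only adds value once chain validation is already on; with `CERT_NONE` an attacker who has replaced the sensor controls the certificate anyway, and the context check `context_verifies_peer` is the quicker thing to audit across a fleet of collectors.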
Versions of CS-MARS up to and including 4.2.3 are affected, as are ASDM versions up to and including 5.2(2.54). The vendor is providing updates that remedy the problem.
- SSL/TLS Certificate and SSH Public Key Validation Vulnerability, Cisco's security advisory