In a Thursday security advisory update, Cisco disclosed that a remote code execution (RCE) vulnerability discovered last month in the Adaptive Security Device Manager (ADSM) Launcher is a zero-day flaw that is yet to be patched. Cisco ADSM is a firewall appliance manager that controls Cisco Adaptive Security Appliance (ASA) firewalls and AnyConnect Secure Mobility clients via a web interface. As per the updated advisory, "At the time of publication, Cisco planned to fix this vulnerability in Cisco ASDM. Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability." The business also modified the list of compromised ADSM software versions from '9.16.1 and earlier'—as mentioned in the first advisory—to '7.16(1.150) and earlier' in a recent update. Incorrect signature verification for code shared between the ASDM and the Launcher caused the zero-day flaw, which is tracked as CVE-2021-1585. With the rights granted to the ASDM Launcher, successful exploitation could permit an unauthenticated attacker to remotely launch arbitrary code on a target's operating system. As Cisco explained in the updated advisory, "An attacker could exploit this vulnerability by leveraging a man-in-the-middle position on the network to intercept the traffic between the Launcher and the ASDM and then inject arbitrary code." "A successful exploit may require the attacker to perform a social engineering attack to persuade the user to initiate communication from the Launcher to the ASDM." Furthermore, according to the firm, its Product Security Incident Response Team (PSIRT) is not informed of any proof-of-concept attacks for zero-day or threat actors utilizing it in the open. Cisco patched a six-month-old zero-day vulnerability (CVE-2020-3556) in the Cisco AnyConnect Secure Mobility Client VPN sof ..
Support the originator by clicking the read the rest link below.
