Input validation issues open Cisco firewall vulnerability

Standard security practices are the baseline for any product, and even the most junior software developers should be aware of the minimum security requirements for any project. And yet, something as simple as a lack of input validation still plagues the industry.

For example, a firewall vulnerability (CVE-2019-1841) was found in the Software Image Management element of Cisco Digital Network Architecture (DNA) Center versions prior to 1.2.5. This vulnerability stems from an insufficient validation of user-supplied input and could allow an authenticated, remote attacker to send arbitrary HTTP requests to unauthorized internal services.
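The defect class the advisory describes (a request target taken from user input without validation, so that the service can be steered at internal hosts) and the kind of check that closes it, as an added example that is not Cisco's code and is not taken from the advisory. The allowlisted hostnames, the scheme and the port are constructed assumptions for an image-download feature; the `classify_target` function returns a decision and a reason so the result can be logged.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist (assumption): the only hosts an image-download
# feature should ever fetch from, and the only scheme/port it should use.
ALLOWED_HOSTS = {"images.example.com", "mirror.example.com"}
ALLOWED_SCHEME = "https"
ALLOWED_PORTS = {None, 443}


def unvalidated_target(user_url):
    """The defect class described in the text: the request target is taken
    straight from user input, so any reachable internal service can be hit."""
    return user_url


def is_internal_address(host):
    """True when host is an IP literal inside a non-public range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; the hostname allowlist decides
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def classify_target(user_url):
    """Return (allowed, reason). Every check must pass before a fetch is made."""
    parsed = urlparse(user_url)
    if parsed.scheme != ALLOWED_SCHEME:
        return False, "scheme not permitted"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL"  # blocks allowed-host@real-host confusion
    host = parsed.hostname
    if not host:
        return False, "no host"
    if is_internal_address(host):
        return False, "internal address literal"
    try:
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not permitted"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    for url in ("https://images.example.com/fw/image.bin",
                "https://127.0.0.1:8080/admin",
                "https://images.example.com@10.0.0.5/"):
        print(url, classify_target(url))
```

The allowlist is the decisive check; the address-literal test only gives a clearer reason in the log. Because the hostname is resolved later by the HTTP client, the check needs two companions to hold up: the client must not follow redirects to arbitrary hosts, and egress from the management host should be restricted at the network layer so that a name resolving to an internal address still cannot be reached.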

Check your firewall security

With a CVSS v3 score of 8.1, this firewall vulnerability is rated High severity, with high impact in the confidentiality and integrity categories. An attacker could read or change the firewall rules table, and/or discover which internal services are protected on a firewall host.

In an attack, an adversary could use this flaw to bypass Cisco’s high-end next-generation firewalls (NGFW). These threat-focused NGFWs provide advanced threat detection and remediation along with all the functions of a traditional NGFW: network and endpoint event correlation helps detect evasive or suspicious network activity, and unified policies help reduce threat complexity. Even so, an attacker could use Cisco DNA Center to bypass the firewall and modify a table of firewall rules.

Specifically, a bypass vulnerability is a weakness in a firewall’s implementation or configuration that an attacker could exploit to attack the trusted network from either outside or inside the firewall.

The extent to which this Cisco firewall vulnerability can be exploited depends on three things:

  • the overall firewall technology;
  • the firewall’s configuration; and
  • the complexity of the firewall’s implementation.

A proxy server is more vulnerable to such attacks than higher-level firewalls because it is limited to providing content caching and preventing direct connections from the outside.

How to eliminate a firewall vulnerability

To overcome this limitation, the stateful inspection firewall was designed to allow or block traffic based on connection state, port and protocol. It has limitations of its own: this type of firewall doesn’t detect unnecessary open ports, isn’t closed when it’s not in use, and includes open ports that the operating system hides by default.
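A minimal stateful inspection filter, added here to illustrate what "allow or block based on state, port and protocol" means in practice; it is a constructed example, not any vendor's implementation. The inside prefix, the permitted outbound ports and the packets fed through `demo()` are all assumptions: outbound connections on permitted ports create state, replies are admitted only while matching state exists, and unsolicited inbound traffic is dropped regardless of which port is listening inside.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flag letters, e.g. "S", "SA", "A", "R"


class StatefulFirewall:
    """Allow or block based on connection state, port and protocol."""

    def __init__(self, inside_prefix, allowed_outbound):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.allowed_outbound = set(allowed_outbound)  # (proto, dport) pairs
        # State table keyed by (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.table = set()

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def filter(self, pkt):
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and not dst_in:  # outbound
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.table:
                if "R" in pkt.flags:
                    self.table.discard(key)  # reset tears the state down
                return "ALLOW"
            new_tcp = pkt.proto != "tcp" or pkt.flags == "S"
            if (pkt.proto, pkt.dport) in self.allowed_outbound and new_tcp:
                self.table.add(key)  # new connection on a permitted port
                return "ALLOW"
            return "DROP"
        if dst_in and not src_in:  # inbound
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table:
                if "R" in pkt.flags:
                    self.table.discard(key)
                return "ALLOW"  # reply to a connection the inside opened
            return "DROP"  # unsolicited inbound, whatever is listening
        return "DROP"  # neither side is inside, or both are


def demo():
    """Run constructed packets through the filter and return the decisions."""
    fw = StatefulFirewall("10.0.0.0/24", {("tcp", 443), ("udp", 53)})
    packets = [
        Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443, "S"),   # outbound HTTPS
        Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000, "SA"),  # its reply
        Packet("tcp", "198.51.100.7", 55555, "10.0.0.5", 22, "S"),    # unsolicited SSH
        Packet("tcp", "10.0.0.5", 40001, "203.0.113.10", 23, "S"),    # outbound telnet
        Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000, "R"),   # reset from peer
        Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000, "A"),   # after teardown
        Packet("udp", "10.0.0.5", 50000, "203.0.113.53", 53),         # outbound DNS
        Packet("udp", "203.0.113.53", 53, "10.0.0.5", 50000),         # DNS reply
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

A real stateful firewall also ages entries out on a timer and tracks TCP sequence numbers, which this example omits; the point it makes is that the decision on an inbound packet depends on state the firewall recorded earlier, not only on the port.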

Higher up in the firewall evolution is a unified threat management firewall. This type of firewall includes stateful inspection and allows the administrator to set up loose coupling with intrusion prevention, antivirus software and other services.

Next-generation firewalls do more than simple packet filtering and stateful inspection. They block advanced malware and application-layer attacks, and automate security operations to save time in an enterprise network. If your budget allows, consider a move to a next-generation firewall to help avoid security failures.

The Cisco DNA Center vulnerability does not cause a denial of service: the product keeps running while the attacker gains access to internal services. Cisco DNA Center version 1.2.10 includes the fix and is available.