300-710 outline - Securing Networks with Cisco Firepower Updated: 2023

Cisco has disclosed a critical command injection vulnerability in Firepower Threat Defence (FTD) devices.

In its advisory for CVE-2023-20048, the networking vendor said that the bug is rated 9.9 on the Common Vulnerability Scoring System and allows an authenticated remote attacker to execute “certain unauthorised configuration commands” on the target device’s management centre software.

Configuration commands sent through the web service interface are insufficiently authorised, the company explained.

Cisco didn’t reveal which commands can be exploited, but said they’re exploited using “a crafted HTTP request”.

The management centre update is part of a larger security rollup for adaptive security appliance (ASA), Firepower management centre (FMC) and FTD software released today.

That announcement covers a total of 27 vulnerabilities described in 22 advisories.

As well as CVE-2023-20048, there are eight CVEs that carry a high severity rating.

Five are denial-of-service bugs: CVE-2023-20086, in which an IPv6 ICMP message can force a device reload; CVE-2023-20095 in ASA’s and FTD’s VPN software, attacked using crafted HTTPS requests; CVE-2023-20244, a packet inspection bug in the Firepower 2100 series firewalls; CVE-2023-20083, another IPv6 ICMP bug, this time in the FTD when configured with Snort 2; and CVE-2023-20155, a lack of rate limiting in the FMC API exploitable by sending a high rate of HTTP requests. 

There are also two code injection vulnerabilities: CVE-2023-20063 in FTD devices running FMC, allowing local attackers to run code as root; and one for and CVE-2023-20220, a pair of command injection vulnerabilities in FMC.

Maintaining independence and editorial freedom is essential to our mission of empowering investor success. We provide a platform for our authors to report on investments fairly, accurately, and from the investor’s point of view. We also respect individual opinions––they represent the unvarnished thinking of our people and exacting analysis of our research processes. Our authors can publish views that we may or may not agree with, but they show their work, distinguish facts from opinions, and make sure their analysis is clear and in no way misleading or deceptive.

To further protect the integrity of our editorial content, we keep a strict separation between our sales teams and authors to remove any pressure or influence on our analyses and research.

Read our editorial policy to learn more about our process.

Shares of Cisco Systems Inc. fell more than 11% in extended trading today as the company warned it will likely miss analysts’ expectations in its fiscal second quarter by a wide margin.

The company expects this to have a knock-on effect, and its forecast for the current fiscal year also came in low.

The disappointing guidance came in the wake of a solid earnings beat. The company reported first quarter earnings before certain costs such as stock compensation of $1.11 per share, with revenue up 8% from a year earlier to $14.67 billion. The results were better-than-expected, with analysts looking for earnings of just $1.03 per share on sales of $14.61 billion.

All told, Cisco reported a net income of $3.64 billion for the quarter, up from $2.67 billion a year earlier.

Cisco said its problem is that it has experienced a notable slowdown in new product orders during the quarter. This is because many of its clients are currently busy installing and implementing products that were delivered recently, over the prior three quarters, Cisco Chief Executive Chuck Robbins (pictured) said in a conference call with analysts.

During the COVID-19 pandemic, the company had been stuck with a backlog of unfulfilled orders caused by component shortages. But its supply chain constraints eased rapidly about a year ago as China exited its lockdown strategy, leading to a glut of product deliveries over the last four quarters. Now, customers have their hands full implementing all of those products.

“Our customers and our sales organizations have been very clear with us over the last 90 days that this is the issue,” Robbins said, though he also admitted that sales cycles are still longer than is usually the case.

According to Robbins, “customers are now taking time to onboard and deploy these heightened product deliveries,” hence the slowdown in new orders. He said it’s mainly larger enterprises, service providers and cloud customers that are facing these challenges, adding that the issue was “most pronounced in October.” On average, Cisco’s biggest customers are waiting to implement one to two quarters’ worth of shipped products, he added.

Cisco had a good quarter, but is now suffering from its post pandemic high, when it was finally able to deliver pandemic orders it could not fulfill due to supply chain challenges. Now that it has fulfilled those orders, the demand has weakened as enterprises are implementing and the channel reducing inventories. The good news is all product lines are growing, which has not been too often the case, and Cisco delivered approximately 1B more in profit on roughly 1B more in revenue, which means Chuck Robbins and team have kept costs constant and EPS per share are up a quarter. Let’s see if this trends continues.

Because of these customer issues, Cisco could only offer a much lower forecast than Wall Street analysts had been anticipating. Officials said they’re looking for earnings of between 82 and 84 cents in the second quarter, with revenue of $12.6 billion to $12.8 billion, implying a 7% decline from one year earlier. That compares very badly with the Street’s forecast of 99 cents pre share in earnings and $14.19 billion in sales.

For the full year, Cisco is reducing its revenue forecast while bumping up its view on earnings. The company now sees full-year earnings of between $3.87 and $3.93 on revenue of $53.8 billion to $55 billion. Previously, it had forecast a range of $3.19 to $3.32 in earnings and $57.0 billion to $58.2 billion in revenue. In any case, the new forecast is not great, as Wall Street is hoping for earnings of $4.05 per share on sales of $57.7 billion.

The after-hours stock decline masks the fact that Cisco delivered strong quarterly results, thanks to it finally being able to deliver pandemic-era orders that could not be fulfilled earlier, said Holger Mueller of Constellation Research Inc. “But now those orders have been shipped, it is faced with weakening demand as enterprise implement those products and the channel reduces inventories,” he explained.

Charles King of Pund-IT Inc. said Cisco has been caught on one of those “damned if you do, damned if you don’t situations”, because it did a great job in recovering from the pandemic-related supply chain chaos and has gotten back its manufacturing mojo. However, he said many of its customers have been slower off the mark. “Many are still struggling to deploy and configure the new kit they ordered months ago, so you can’t really blame them for slowing or stopping orders to deal with the backlog,” King said. “But investors appear to be blaming Cisco anyway, for failing to live up to analysts’ consensus. That may be short-sighted, but no one ever said that life, let alone the markets, are fair.”

In the longer term, Cisco’s prospects do look better. During the quarter, it announced that it intends to buy the data analytics and cybersecurity software giant Splunk Inc. in a bumper $28 billion deal, which would be its largest-ever acquisition. The move catapults Cisco, which is best known for its networking gear as well as other data center equipment, to the leading ranks of cybersecurity providers.

Robbins said at the time the deal was announced that the combination of Cisco’s and Splunk’s data would have real value for enterprises, allowing them to “move from threat detection and response to threat prediction and prevention.” He said it will enable Cisco to become one of the world’s largest software companies.

Besides its cybersecurity ambitions, Cisco has a lot of hope for artificial intelligence in the longer term. During the conference call, Robbins told analysts that his company believes it can win more than $1 billion worth of orders in fiscal 2025 for AI infrastructure from cloud providers alone. He said cloud providers are looking to move to “more of a standard, broad-based technology like Ethernet, where they can have multiple sources” to support AI networking workloads.

Mueller said it’s also notable that Cisco is running a tight ship in terms of its business expenditures. “Investors can be pleased that all of Cisco’s product lines grew during the previous quarter, which has not been the case too often,” he added. “That allowed Cisco to deliver approximately $1 billion in profit on almost $15 billion in revenue. That shows Cisco has kept its cost base constant, resulting in increased earnings per share. Cisco needs to continue this trend.”

The after-hours stock decline means that Cisco’s shares are now up just 12% in the year-to-date, trailing the wider S&P 500 index, which is up 17% for the year.

Photo: Fortune GLOBAL FORUM/Flickr

Cisco Live 2023 promises a re-imagined IT experience complete with new innovations in networking, security and collaboration, to name a few, as the tech giant continues its journey toward building top tech platforms for MSPs and end customers.

Bookmark this page for the latest news and exclusive interviews with top executives and channel partners.

Partners Applaud Cisco’s Sustainability Focus With Data Center, Webex Control Hub Updates
‘Everyone has a sustainability goal, but it’s very hard to actually measure and track and figure out what my improvements actually did in terms of environmental impact. Cisco has done a pretty good job of turning that into a dashboard through Control Hub,’ says Joe Berger, area vice president of digital experiences at Cisco Gold partner World Wide Technology.

Cisco Channel Chief Tuszik On Networking Cloud, FSO, And How Generative AI Can Help Partners Grow Their Businesses
“When you look at the Cisco Live announcements; if it’s Networking Cloud, the security piece, what we’re doing with Webex or FSO, they all are offers, rather, solutions that we bring into the market that are ready to be delivered in a managed-as-a-service motion,” Cisco Channel leader Oliver Tuszik told CRN.

Cisco Injects Generative AI Into Security, Collaboration Portfolios For ‘Reimagined’ Customer Experiences
‘We were going to be investing very heavily in this notion of AI just being part of the fabric of everything … One of the big challenges we have in our industry is shortage of skill and talent, and we can make sure that every single person can become this very sophisticated user when they start using our products,’ Cisco’s EVP of Security and Collaboration Jeetu Patel tells CRN.

Cisco Webex Go With AT&T Addresses Cloud Calling For Mobility-Minded Partners
The tech giant has teamed with AT&T to help more businesses move to the cloud for their calling needs, while unlocking new mobility opportunities for partners, the company announced at Cisco Live 2023.

Cisco Live 2023: Cisco ELT’s 5 Big Statements
CEO Chuck Robbins, alongside the tech giant’s executive leadership team, talk about Cisco’s AI, networking and security launches, as well as the biggest trends happening in the IT industry on-stage at Cisco Live 2023.

Cisco Security Cloud Platform Now Includes SSE, Multi-Cloud Feature, Firewall Updates
‘When you have 70 players on average that are part of the security stack, that’s 70 different policy engines and 70 different cracks in the system. The efficacy of companies is going down when they buy point solutions and so what our customers are telling us is [they] need an integrated platform,’ Cisco’s Jeetu Patel tells CRN.

Cisco Builds On Security Platform Strategy, Unveils Unified Networking Platform
Following in the footsteps of its Security Cloud platform, the tech giant debuts its Cisco Networking Cloud strategy at Cisco Live 2023 to the delight of channel partners.

Cisco Accelerates Platform Push With New Full Stack Observability Platform
‘Cisco is using the term full stack observability and they mean it. Full stack creates a platform, which means, essentially, an ecosystem of observability and monitoring, and very few players have anything close to that,’ Cisco Gold partner NTT tells CRN.

On Monday, Cisco reported that a critical zero-day vulnerability in devices running IOS XE software was being exploited by an unknown threat actor who was using it to backdoor vulnerable networks. Company researchers described the infections as a "cluster of activity."

On Tuesday, researchers from security firm VulnCheck said that at last count, that cluster comprised more than 10,000 switches, routers, and other Cisco devices. All of them, VulnCheck said, have been infected by an implant that allows the threat actor to remotely execute commands that run at the deepest regions of hacked devices, specifically the system or iOS levels.

"Cisco buried the lede by not mentioning thousands of Internet-facing IOS XE systems have been implanted," VulnCheck CTO Jacob Baines wrote. "VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts. This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks."

In an email, a VulnCheck representative said the company has "fingerprinted approximately 10,000 implanted systems, but we’ve only scanned approximately half of the devices listed on Shodan/Censys." The number is likely to grow as the scan continues.

Although Cisco has yet to release a software patch, the company is urging customers to protect their devices. That means implementing a stop-gap measure to keep vulnerable devices from being exploited and running a host of scans to detect if devices have been backdoored.

"Cisco is committed to transparency," a company representative wrote in an email Tuesday. "When critical security issues arise, we handle them as a matter of top priority, so our customers understand the issues and know how to address them."We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory."

The previously unknown vulnerability, which is tracked as CVE-2023-20198, carries the maximum severity rating of 10. It resides in the Web User Interface of Cisco IOS XE software when exposed to the Internet or untrusted networks. Any switch, router, or wireless LAN controller running IOS XE that has the HTTP or HTTPS Server feature enabled and exposed to the Internet is vulnerable. On Monday, the Shodan search engine showed that as many as 80,000 Internet-connected devices could be affected.

“Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity,” members of Cisco’s Talos security team wrote Monday. “This is a critical vulnerability, and we strongly recommend affected entities immediately implement the steps outlined in Cisco’s PSIRT advisory.”

Cisco said that the unknown threat actor has been exploiting the zero-day since at least September 18. After using the vulnerability to become an authorized user, the attacker creates a local user account. In most cases, the threat actor has gone on to deploy an implant that allows it to execute malicious commands at the system or iOS level, once the web server is restarted. The implant is unable to survive a reboot, but the local user accounts will remain active.

Monday’s advisory went on to say that after gaining access to a vulnerable device, the threat actor exploits a medium vulnerability, CVE-2021-1435, which Cisco patched two years ago. The Talos team members said that they have seen devices fully patched against the earlier vulnerability getting the implant installed “through an as yet undetermined mechanism.”

The implant is saved in the file path “/usr/binos/conf/nginx-conf/cisco_service.conf.” It contains two variable strings composed of hexadecimal characters. The advisory continued:

The implant is based on the Lua programming language and consists of 29 lines of code that facilitates the arbitrary command execution. The attacker must create an HTTP POST request to the device, which delivers the following three functions (Figure 1):

1. The first function is dictated by the “menu” parameter, which must exist and must be non-empty. This returns a string of numbers surrounded by forward-slashes, which we suspect might represent the implant’s version or installation date.
2. The second function is dictated by the “logon_hash” parameter, which must be set to “1”. This returns an 18-character hexadecimal string that is hardcoded into the implant.
3. The third function is also dictated by the “logon_hash” parameter, which checks to see if the parameter matches a 40-character hexadecimal string that is hardcoded into the implant. A second parameter used here is “common_type”, which must be non-empty, and whose value determines whether the code is executed at the system level or IOS level. If the code is executed at the system level, this parameter must be set to “subsystem”, and if it is executed at the IOS level, the parameter must be “iox”. The IOX commands are executed at privilege level 15.

In most instances we have observed of this implant being installed, both the 18-character hexadecimal string in the second function and the 40-character hexadecimal string in the third function are unique, although in some cases, these strings were the same across different devices. This suggests there is a way for the actor to compute the value used in the third function from the value returned by the second function, acting as a form of authentication required for the arbitrary command execution provided in the third function.

The Talos team members strongly urge administrators of any affected gear to immediately search their networks for signs of compromise. The most effective means is by searching for unexplained or newly created users on devices. One means of identifying if an implant has been installed is by running the following command against the device, where the "DEVICEIP” portion is a placeholder for the IP address of the device to check:

curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

Admin accounts may have the names cisco_tac_admin or cisco_support. IP addresses Cisco has seen so far exploiting the zero-day are 5.149.249[.]74 and 154.53.56[.]231.
Additional guidance from Cisco:

1. Check the system logs for the presence of any of the following log messages where “user” could be “cisco_tac_admin”, “cisco_support” or any configured, local user that is unknown to the network administrator:

%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line

%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

Note: The %SYS-5-CONFIG_P message will be present for each instance that a user has accessed the web UI. The indicator to look for is new or unknown usernames present in the message.

2. Check the system logs for the following message where filename is an unknown filename that does not correlate with an expected file installation action:

%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename It should go without saying but the HTTP and HTTPS server feature should never be enabled on internet-facing systems as is consistent with long-established best practices. Cisco reiterated the guidance in Monday’s advisory.

VulnCheck has released a scanner of its own here.

It should go without saying, but the HTTP and HTTPS server feature should never be enabled on Internet-facing systems as is consistent with long-established best practices. Cisco reiterated the guidance in Monday’s advisory.

This vulnerability is relatively easy to exploit and is presently giving hackers the ability to take all kinds of malicious actions against as many as 10,000 infected networks. Anyone administering Cisco gear that had the Web UI exposed should assume their devices are compromised and carefully read the advisory and the above-mentioned PSIRT advisory and follow all recommendations as soon as possible.

October 17, 2023, 2:50 pm Eastern. This article has been updated with new information about how many systems are infected.

CRN is providing full coverage of Cisco Partner Summit 2022. Bookmark this page for the latest news, videos and exclusive videos from the show.

Anaiis Cisco, assistant professor of moving image production in film and media studies, received her master’s in cinema from San Francisco State University in the spring of 2019. Cisco focuses on the experiences of underrepresented racial, ethnic, queer and gendered identities. Her short film, Breathless (2017), inspired by the murder of Eric Garner, has won numerous awards and has screened at various film festivals. Cisco’s most recent short narrative, GYRL (2018), is a portrait of a preteen African American girl struggling with an abusive father. Currently in the early stages of distribution her thesis film, Drip Like Coffee, explores Black womanhood, desire and space, while rendering the Black female body as fluid.

Cisco teaches digital video production courses at Smith, where she develops films that explore the emotional and internal journeys of Black characters, confronting intimate moments of violence and trauma in diverse story worlds.

Selected Works

Breathless (2017), short film.

“Precarity, Black Life, and Filmmaking: A Conversation with Filmmaker Anaiis Cisco.” Asian Diasporic Visual Cultures and the Americas, 2018.

Stocks: Real-time U.S. stock quotes reflect trades reported through Nasdaq only; comprehensive quotes and volume reflect trading in all markets and are delayed at least 15 minutes. International stock quotes are delayed as per exchange requirements. Fundamental company data and analyst estimates provided by FactSet. Copyright 2019© FactSet Research Systems Inc. All rights reserved. Source: FactSet

Indexes: Index quotes may be real-time or delayed as per exchange requirements; refer to time stamps for information on any delays. Source: FactSet

Markets Diary: Data on U.S. Overview page represent trading in all U.S. markets and updates until 8 p.m. See Closing Diaries table for 4 p.m. closing data. Sources: FactSet, Dow Jones

Stock Movers: Gainers, decliners and most actives market activity tables are a combination of NYSE, Nasdaq, NYSE American and NYSE Arca listings. Sources: FactSet, Dow Jones

ETF Movers: Includes ETFs & ETNs with volume of at least 50,000. Sources: FactSet, Dow Jones

Bonds: Bond quotes are updated in real-time. Sources: FactSet, Tullett Prebon

Currencies: Currency quotes are updated in real-time. Sources: FactSet, Tullett Prebon

Commodities & Futures: Futures prices are delayed at least 10 minutes as per exchange requirements. Change value during the period between open outcry settle and the commencement of the next day's trading is calculated as the difference between the last trade and the prior day's settle. Change value during other periods is calculated as the difference between the last trade and the most recent settle. Source: FactSet

Data are provided 'as is' for informational purposes only and are not intended for trading purposes. FactSet (a) does not make any express or implied warranties of any kind regarding the data, including, without limitation, any warranty of merchantability or fitness for a particular purpose or use; and (b) shall not be liable for any errors, incompleteness, interruption or delay, action taken in reliance on any data, or for any damages resulting therefrom. Data may be intentionally delayed pursuant to provider requirements.

Mutual Funds & ETFs: All of the mutual fund and ETF information contained in this display, with the exception of the current price and price history, was supplied by Lipper, A Refinitiv Company, subject to the following: Copyright 2019© Refinitiv. All rights reserved. Any copying, republication or redistribution of Lipper content, including by caching, framing or similar means, is expressly prohibited without the prior written consent of Lipper. Lipper shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Cryptocurrencies: Cryptocurrency quotes are updated in real-time. Sources: CoinDesk (Bitcoin), Kraken (all other cryptocurrencies)

Calendars and Economy: 'Actual' numbers are added to the table after economic reports are released. Source: Kantar Media