CVE-2023-20155
📋 TL;DR
This vulnerability in Cisco Firepower Management Center allows unauthenticated attackers to cause denial of service by overwhelming a logging API, potentially crashing the device. It also enables authenticated non-admin users to access restricted log files. All FMC deployments with vulnerable software versions are affected.
💻 Affected Systems
- Cisco Firepower Management Center (FMC)
📦 What is this software?
Secure Firewall Management Center by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Complete system outage with device reload, extended downtime, and potential data loss from interrupted management operations.
Likely Case
Temporary service disruption with high CPU utilization, degraded performance, and possible brief outages.
If Mitigated
Minimal impact with proper rate-limiting controls and network segmentation in place.
🎯 Exploit Status
A simple HTTP flood against the logging API endpoint is enough to trigger the condition; no authentication is required for the DoS portion.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.5.1, 7.4.1, or 7.6.0 and later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-logview-dos-AYJdeX55
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Cisco Software Center.
2. Back up the FMC configuration.
3. Apply the patch via the FMC web interface.
4. Reboot the device after installation.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the FMC management interface to trusted IP addresses only
Configure ACLs on upstream firewall to allow only trusted management IPs to FMC
Rate Limiting Proxy
Implement rate limiting for HTTP requests to FMC API endpoints
Configure WAF or reverse proxy to limit requests to /api/fmc_platform/v1/logs/* endpoints
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FMC from untrusted networks
- Deploy web application firewall with rate limiting rules for FMC API endpoints
🔍 How to Verify
Check if Vulnerable:
Check FMC version via web interface: System > Updates > Version Information
Check Version:
From the FMC CLI run show version (for example: ssh admin@fmc-host 'show version'), or read the version from the web interface path above
Verify Fix Applied:
Confirm the running version is 7.2.5.1, 7.4.1, 7.6.0 or later for its release train (a 7.2.x release below 7.2.5.1 or a 7.4.0 release is still vulnerable), then confirm from a trusted management host that a controlled burst of requests to the logging API no longer drives CPU utilization to saturation
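Because the fixed releases sit in different release trains, a plain string comparison against "7.6.0" would wrongly mark 7.2.5.1 and 7.4.1 as vulnerable. As an added example (not Cisco's tooling), the following Python script applies the rule above to a version string or to show version output. It assumes, from the releases listed on this page, that a release is fixed when it is at or above the first fixed release of its own major.minor train (7.2.5.1 for 7.2, 7.4.1 for 7.4, 7.6.0 for 7.6 and any newer train); trains with no fixed release listed here, such as 7.3.x, are reported as unknown so that you consult the vendor advisory rather than assume. The sample show version output is constructed, not captured from a device.

```python
"""Check an FMC version against the fixed releases listed on this page.

Added example, not Cisco's code. FIRST_FIXED is built from the page's list
(7.2.5.1, 7.4.1, 7.6.0); the per-train interpretation is an assumption.
"""
import re

# Assumption: first fixed release per major.minor train, taken from the page.
FIRST_FIXED = {
    (7, 2): (7, 2, 5, 1),
    (7, 4): (7, 4, 1),
    (7, 6): (7, 6, 0),
}
NEWEST_TRAIN = max(FIRST_FIXED)  # "7.6.0 and later": newer trains count as fixed


def parse_version(text):
    """Extract a dotted version from a bare string or `show version` output.

    Prefers 'Version X.Y.Z' so a build number or model code is not mistaken
    for the release; falls back to the first dotted number in the text.
    """
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)", text) or re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _padded(version, length):
    """Right-pad with zeros so 7.2.5 compares as 7.2.5.0 against 7.2.5.1."""
    return version + (0,) * (length - len(version))


def assess(text):
    """Return 'fixed', 'vulnerable' or 'unknown' for the version found in `text`."""
    version = parse_version(text)
    train = version[:2]
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        # Newer than every listed train: covered by "7.6.0 and later".
        # Older or in-between trains (e.g. 7.3.x) have no fix listed on this
        # page, so report unknown and check the vendor advisory.
        return "fixed" if train > NEWEST_TRAIN else "unknown"
    length = max(len(version), len(fixed))
    return "fixed" if _padded(version, length) >= _padded(fixed, length) else "vulnerable"


# Constructed sample resembling FMC `show version` output (not a real capture).
SAMPLE_SHOW_VERSION = """-------------------[ fmc ]--------------------
Model : Cisco Secure Firewall Management Center for VMware (66) Version 7.2.5 (Build 208)
"""

if __name__ == "__main__":
    for candidate in ("7.2.5.1", "7.4.0", "7.3.1", "7.7.0", SAMPLE_SHOW_VERSION):
        print(parse_version(candidate), assess(candidate))
```

Feed it the text you actually get back from the device; if your output does not contain the word "Version" before the number, check that the fallback regex is not picking up an unrelated dotted number first.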
📡 Detection & Monitoring
Log Indicators:
- High frequency of requests to /api/fmc_platform/v1/logs/* endpoints
- CPU utilization spikes to 100%
- Unexpected process restarts or system reloads
Network Indicators:
- Bursts of HTTP POST/GET requests to FMC logging API from single source
- Abnormal request patterns to /api/fmc_platform/v1/logs/*
SIEM Query:
source="fmc" AND ((uri_path="/api/fmc_platform/v1/logs/*" AND request_count>1000) OR (process="fmc" AND cpu_usage>95))
Note: request_count is an aggregate (requests per source IP over a fixed time window, produced by a stats or bucketing step), not a per-event field; adjust field names to match your log source, and parenthesize the OR so the source filter applies to both branches.
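The log and network indicators above reduce to one rule: too many requests to the logging API from a single source within a short window. As an added example (not Cisco's code, and not FMC's actual log format), this Python script runs that rule over constructed access-log lines laid out in a generic combined-log shape. The regex, the threshold of more than 50 requests in a sliding 10-second window, and the sample IPs and paths are assumptions to tune against your own FMC httpd or audit logs. Requests to other API paths are deliberately ignored so that a busy but legitimate configuration-API client does not trip the alert.

```python
"""Flag burst traffic to the FMC logging API in web access logs.

Added example, not Cisco's code. The log lines are constructed in a generic
combined-log shape; adapt LINE_RE to whatever your FMC httpd/audit log emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_API_PREFIX = "/api/fmc_platform/v1/logs/"  # endpoint family named on this page
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bursts(lines, threshold=50, window=timedelta(seconds=10)):
    """Return {src_ip: alert} for sources exceeding `threshold` logging-API
    requests within any sliding `window`. Lines must be in time order per IP.
    """
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(LOG_API_PREFIX):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop timestamps that aged out
            q.popleft()
        if len(q) > threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = {
                "count": len(q),
                "window_start": q[0],
                "triggered_at": rec["ts"],
            }
    return alerts


def make_sample():
    """Constructed traffic (not real captures): one source floods the logging
    API with 120 requests in 6 s, an admin makes three calls, and a third
    source hammers a different API path that must not raise an alert."""
    base = datetime(2023, 11, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, path, method="GET", status=200):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512'

    flood = [line("203.0.113.10", base + timedelta(milliseconds=50 * i),
                  LOG_API_PREFIX + "system") for i in range(120)]
    admin = [line("192.0.2.5", base + timedelta(seconds=i), LOG_API_PREFIX + "audit")
             for i in range(3)]
    other = [line("198.51.100.7", base + timedelta(milliseconds=50 * i),
                  "/api/fmc_config/v1/domain/") for i in range(120)]
    return flood + admin + other + ["not an access log line"]


if __name__ == "__main__":
    for ip, alert in find_bursts(make_sample()).items():
        print(f"{ip}: {alert['count']} logging-API requests since {alert['window_start']}")
```

Pair the alert with the CPU indicator above: a burst that also coincides with a CPU spike on the FMC is a much stronger signal than either alone, and a burst that does not should still prompt a look at where the source sits relative to your management ACLs.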