CVE-2024-20387
📋 TL;DR
This stored XSS vulnerability in Cisco FMC's web management interface allows authenticated attackers to inject malicious scripts that execute when other users view affected pages. It affects organizations using Cisco Firepower Management Center software with authenticated user access. Attackers could steal session cookies, redirect users, or perform actions on their behalf.
💻 Affected Systems
- Cisco Firepower Management Center (FMC)
📦 What is this software?
Secure Firewall Management Center by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains administrative privileges, modifies firewall rules, exfiltrates sensitive network data, or deploys ransomware across managed devices.
Likely Case
Attacker steals session cookies to impersonate administrators, accesses sensitive configuration data, or modifies limited device settings.
If Mitigated
Malicious scripts are blocked by CSP headers or browser XSS filters, limiting impact to minor UI manipulation.
🎯 Exploit Status
Exploitation requires authenticated access and user interaction (clicking a malicious link).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.1.2 or 7.6.0.1
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-infodisc-RL4mJFer
Restart Required: Yes
Instructions:
1. Back up the FMC configuration.
2. Download the appropriate patch from the Cisco Software Center.
3. Apply the patch via the FMC web interface or CLI.
4. Reboot the FMC appliance.
5. Verify the version update.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input sanitization for user-controllable fields in custom configurations.
🧯 If You Can't Patch
- Restrict FMC web interface access to trusted IP addresses only using firewall rules.
- Implement Content Security Policy (CSP) headers to restrict script execution sources.
🔍 How to Verify
Check if Vulnerable:
Check FMC version via web interface (System > Updates) or CLI command 'show version'.
Check Version:
show version | include Version
Verify Fix Applied:
Verify version is 7.4.1.2 or higher, or 7.6.0.1 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to FMC web interface with script tags
- Multiple failed login attempts followed by successful authentication
Network Indicators:
- HTTP requests containing JavaScript payloads to FMC management interface
- Unexpected outbound connections from FMC to external domains
SIEM Query:
source="fmc_logs" AND (http_method="POST" AND (uri="*" AND content="*<script>*"))
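The log indicator and SIEM query above, turned into a small detector run over constructed sample lines, as an added example (not from the advisory or from Cisco). The log layout and the `/example/...` paths are assumptions, not the real FMC log format; the detector also decodes URL-encoded, double-encoded and entity-encoded bodies that a literal `*<script>*` match would miss.

```python
import html
import re
from urllib.parse import unquote

# Constructed access-log lines in a simplified '<src> <method> <uri> "<body>" <status>'
# layout. This is NOT the real FMC log format; the layout and paths are assumptions
# made so the example runs offline. Only a bare <script> marker is used as input.
SAMPLE_LOGS = [
    '10.0.0.5 POST /example/save "name=branch-office" 200',       # benign
    '10.0.0.7 POST /example/save "name=%3Cscript%3E" 200',        # URL-encoded
    '10.0.0.9 POST /example/save "desc=%253Cscript%253E" 200',    # double-encoded
    '10.0.0.3 POST /example/save "desc=&lt;script&gt;" 200',      # HTML entities
    '10.0.0.3 POST /example/save "desc=< SCRIPT >" 200',          # case/whitespace
    '10.0.0.8 GET /example/view "q=<script>" 200',                # not a POST: ignored
]

LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<uri>\S+) "(?P<body>[^"]*)" (?P<status>\d+)$')
SCRIPT_RE = re.compile(r'<\s*script\b', re.IGNORECASE)


def normalize(body: str, rounds: int = 3) -> str:
    """Undo percent-encoding (repeatedly, to catch double encoding) and then HTML
    entity encoding, so the detector sees roughly what a browser would render."""
    for _ in range(rounds):
        decoded = unquote(body)
        if decoded == body:
            break
        body = decoded
    return html.unescape(body)


def is_suspicious(method: str, body: str) -> bool:
    """True for POST bodies that contain an opening <script> tag after decoding.
    Only POSTs are considered, matching the stored-XSS indicator in the SIEM query."""
    return method == "POST" and SCRIPT_RE.search(normalize(body)) is not None


def scan(lines):
    """Return (src, uri, decoded_body) for every line matching the indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than stop the whole scan
        if is_suspicious(m["method"], m["body"]):
            hits.append((m["src"], m["uri"], normalize(m["body"])))
    return hits


if __name__ == "__main__":
    for src, uri, body in scan(SAMPLE_LOGS):
        print(f"ALERT src={src} uri={uri} body={body!r}")
```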