CVE-2024-20472
📋 TL;DR
An authenticated SQL injection vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) allows a user holding administrator credentials to execute arbitrary SQL queries against the underlying database. This could lead to unauthorized data access or system modification. Only deployments running vulnerable FMC software are affected, and exploitation requires an administrator account.
💻 Affected Systems
- Cisco Secure Firewall Management Center (FMC)
📦 What is this software?
Secure Firewall Management Center by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Administrator could exfiltrate all configuration data, modify firewall rules to allow unauthorized traffic, or compromise the entire management system.
Likely Case
Administrator with malicious intent could extract sensitive configuration data or modify limited system settings.
If Mitigated
With proper access controls and monitoring, impact is limited to actions taken by authorized administrators, whose misuse of privileges would be detected.
🎯 Exploit Status
Exploitation requires administrator credentials. SQL injection is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.1 and later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-sql-inj-LOYAFcfq
Restart Required: Yes
Instructions:
1. Back up the FMC configuration.
2. Download and install FMC version 7.4.1 or later from the Cisco Software Center.
3. Reboot the FMC appliance after installation.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit administrator accounts to only trusted personnel and implement multi-factor authentication.
Network Segmentation
Restrict access to the FMC management interface to only authorized management networks.
🧯 If You Can't Patch
- Implement strict monitoring of administrator account activity and of SQL query patterns in FMC logs
- Apply network controls to limit FMC interface access to only the administrative workstations that need it
🔍 How to Verify
Check if Vulnerable:
Check FMC version via web interface: System > Updates > Version Information
Check Version:
ssh admin@fmc-hostname show version
Verify Fix Applied:
Verify version is 7.4.1 or later in System > Updates > Version Information
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in FMC logs
- Multiple failed authentication attempts followed by successful admin login
- Configuration changes from unexpected administrator accounts
Network Indicators:
- Unusual database connection patterns from FMC
- Unexpected outbound data transfers from FMC management interface
SIEM Query:
source="fmc_logs" AND (sql_query OR database_query) AND admin_user=*
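The version check from "How to Verify" and the log triage from "Detection & Monitoring", as an added Python example that is not part of the original page or of any Cisco tooling. The `show version` text and the audit log line format (`user=… src=… query="…"`) are assumptions constructed for the example; the fixed-version threshold 7.4.1 comes from the advisory above.

```python
import re

# Fixed version stated in the vendor advisory for CVE-2024-20472.
FIXED_VERSION = (7, 4, 1)

# Heuristic SQL-injection indicators that should not appear in ordinary
# FMC administrative queries (tautologies, UNION, comments, stacked queries).
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),      # ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),      # UNION SELECT
    re.compile(r"(--|#|/\*)"),                               # comment terminators
    re.compile(r";\s*(drop|update|insert|delete)\b", re.I),  # stacked statements
]

# Assumed log layout; a real FMC audit record will differ.
LOG_RE = re.compile(r'user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+query="(?P<query>[^"]*)"')

def parse_version(text):
    """Pull the dotted version after the word 'Version' out of show-version output."""
    m = re.search(r"Version[:\s]*v?(\d+(?:\.\d+)+)", text, re.I)
    if not m:
        raise ValueError("no version string found")
    return tuple(int(p) for p in m.group(1).split("."))

def is_fixed(text):
    """True when the reported version is 7.4.1 or later (numeric, not string, compare)."""
    v = parse_version(text)
    padded = v + (0,) * max(0, len(FIXED_VERSION) - len(v))   # 7.4 -> 7.4.0
    return padded >= FIXED_VERSION

def suspicious_queries(lines):
    """Return (user, src, query) for log lines whose query matches an SQLi heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        q = m.group("query")
        if any(p.search(q) for p in SQLI_PATTERNS):
            hits.append((m.group("user"), m.group("src"), q))
    return hits

# Constructed sample log lines: one benign query, two that should be flagged.
SAMPLE_LOGS = [
    '2024-05-01T10:00:00Z user=admin src=10.0.0.5 query="SELECT name FROM devices WHERE id=\'12\'"',
    '2024-05-01T10:01:12Z user=admin src=10.0.0.5 query="SELECT name FROM devices WHERE id=\'12\' OR \'1\'=\'1\'"',
    '2024-05-01T10:02:30Z user=auditor src=10.0.0.9 query="SELECT count(*) FROM policies UNION SELECT password FROM users"',
]

if __name__ == "__main__":
    print("fixed:", is_fixed("Model: Secure Firewall Management Center\nVersion: 7.4.1"))
    for user, src, q in suspicious_queries(SAMPLE_LOGS):
        print(f"FLAG user={user} src={src} query={q}")
```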