Zero-day vulnerability in Cisco Security Manager; No patch available

Cybersecurity specialists report the detection of two critical vulnerabilities in Cisco Security Manager, the tool that lets system administrators apply security policies, troubleshoot problems and detect unusual events on their systems. According to the report, successful exploitation of these flaws would enable multiple risk scenarios.

Below are brief descriptions of the reported flaws, together with their respective identifiers and the scores assigned by the Common Vulnerability Scoring System (CVSS); note that the manufacturer has not yet addressed these flaws.

CVE-2021-34798: A NULL pointer dereference in the affected application would allow remote threat actors to cause a denial of service (DoS) by sending specially crafted HTTP requests to an affected web server.

This is a medium-severity flaw and received a CVSS score of 6.5/10.

CVE-2021-40438: This flaw stems from insufficient validation of user-supplied input in the Apache HTTP Server's mod_proxy module, which would allow malicious hackers to send specially crafted HTTP requests that make the server issue requests to arbitrary systems.

This is a high-severity flaw and received a CVSS score of 8.8/10, because successful exploitation would allow access to sensitive records stored on the affected systems.
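A flaw of this kind turns the web server into a request proxy for whoever can reach it, so one defensive signal is the proxy connecting to backends it was never configured for. The script below is an added example, not code from the article or from Cisco or Apache: it scans constructed connection-log lines in a hypothetical "client method path -> host:port" format and flags outbound connections whose destination is not in the configured upstream set, with internal or loopback addresses called out separately. The upstream names and the log format are assumptions for the example.

```python
"""Egress allowlist check for a reverse proxy (added example, not from the article).

Assumptions: ALLOWED_UPSTREAMS lists the backends your proxy rules actually
point to, and each log line has the constructed form
    "<client_ip> <METHOD> <path> -> <dest_host>:<dest_port>"
Any destination outside the allowlist is reported; destinations inside
private, loopback or link-local ranges get a more specific reason.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical backends the proxy is configured to forward to.
ALLOWED_UPSTREAMS = {
    ("app-backend.internal", 8080),
    ("api-backend.internal", 8443),
}

# Address ranges a public-facing proxy should not be reaching on a user's behalf.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7")
]

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) -> (?P<host>[^\s:]+|\[[^\]]+\]):(?P<port>\d+)$"
)


@dataclass
class Finding:
    client: str
    path: str
    dest: Tuple[str, int]
    reason: str


def classify_destination(host: str, port: int) -> Optional[str]:
    """Return None for an allowed upstream, otherwise a short reason string."""
    if (host, port) in ALLOWED_UPSTREAMS:
        return None
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # Hostname rather than a literal address: simply not a configured backend.
        return "unconfigured upstream"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal address not in upstream set"
    return "unconfigured upstream"


def scan_proxy_log(lines: List[str]) -> List[Finding]:
    """Parse each constructed log line and collect every off-allowlist connection."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real deployment would count these too
        host, port = m.group("host"), int(m.group("port"))
        reason = classify_destination(host, port)
        if reason is not None:
            findings.append(Finding(m.group("client"), m.group("path"), (host, port), reason))
    return findings


# Constructed sample log: two normal forwards, then three suspicious ones.
SAMPLE_LOG = [
    "203.0.113.5 GET /app/login -> app-backend.internal:8080",
    "203.0.113.5 GET /api/v1/users -> api-backend.internal:8443",
    "198.51.100.7 GET /app/ -> 169.254.169.254:80",
    "198.51.100.7 GET /app/ -> 10.0.0.15:6379",
    "198.51.100.9 GET /app/ -> unknown-host.example:80",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.client} {f.path} -> {f.dest[0]}:{f.dest[1]}  [{f.reason}]")
```

In practice the allowlist would be generated from the proxy configuration rather than typed by hand, and the check would run on a connection-level log (or on the firewall's egress log for the proxy host) so that it sees where the server actually connected, not just what the client asked for.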

As noted above, both vulnerabilities can be exploited by unauthenticated threat actors sending specially crafted requests; the good news is that no cases of active exploitation have been identified so far.

Still, since no security patches are available, Cisco Security Manager users are advised to watch for any updates announced by the manufacturer in order to mitigate the risk of exploitation.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.