Today, Cisco released a security advisory for its Firepower Management Center and FireSIGHT System Software for a session fixation vulnerability. The vulnerability is rated as a medium risk with no workarounds or software updates at this time. The vulnerability could allow an unauthenticated, remote attacker to hijack a valid user session.
According to Cisco:
The vulnerability exists because the affected application does not assign a new session identifier to a user session when a user authenticates to the application. An attacker could exploit this vulnerability by using a hijacked session identifier to connect to the application through the web-based management interface. A successful exploit could allow the attacker to hijack an authenticated user’s browser session.
If you use this Cisco software, please follow the Advisory ID cisco-sa-20160907-fsmc for future software releases or workarounds for remediation of this vulnerability.
As of this writing, Cisco offers no software patch or workaround.