CyberSecurity Asean security alert on Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution

This alert was originally published at www.cisecurity.org and can be viewed there.
 
OVERVIEW:
Multiple vulnerabilities have been discovered in Cisco products, including Apache Struts running on Cisco products, Cisco SD-WAN Solution, Cisco Integrated Management Controller, Cisco Umbrella API, Cisco RV110W, RV130W, and RV215W Routers, Cisco Webex Meetings Suite (WBS31), Cisco Webex Meetings Suite (WBS32), Cisco Webex Meetings Suite (WBS33), Cisco Webex Meetings, Cisco Webex Meetings Server, Cisco Meeting Server, Cisco Umbrella ERC, Cisco Prime Access Registrar, Cisco Prime Access Registrar Jumpstart, Cisco Prime Collaboration Assurance, Cisco Packaged Contact Center Enterprise, Cisco Data Center Network Manager, Cisco Tetration Analytics, Cisco Network Services Orchestrator, Cisco Enterprise NFV Infrastructure, Cisco Email Security Appliance, Cisco Cloud Services Platform 2100, and Cisco Secure Access Control Server.
Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:

  • Apache Struts running on the following products: Cisco SocialMiner, Cisco Prime Service Catalog, Cisco Identity Services Engine (ISE), Cisco Emergency Responder, Cisco Finesse, Cisco Hosted Collaboration Solution for Contact Center, Cisco MediaSense, Cisco Unified Communications Manager, Cisco Unified Communications Manager IM & Presence Service (formerly CUPS), Cisco Unified Contact Center Enterprise, Cisco Unified Contact Center Enterprise - Live Data server, Cisco Unified Contact Center Express, Cisco Unified Intelligence Center, Cisco Unified Intelligent Contact Management Enterprise, Cisco Unified SIP Proxy Software, Cisco Unified Survivable Remote Site Telephony Manager, Cisco Unity Connection, Cisco Virtualized Voice Browser, Cisco Video Distribution Suite for Internet Streaming (VDS-IS)
  • Cisco SD-WAN Solution running on the following products: vEdge 100 Series Routers, vEdge 1000 Series Routers, vEdge 2000 Series Routers, vEdge 5000 Series Routers, vManage Network Management System, vEdge Cloud Router Platform, vSmart Controller Software, vBond Orchestrator Software
  • Cisco Integrated Management Controller running on the following products: Cisco UCS C-Series, Cisco UCS E-Series, 5000 Series Enterprise Network Compute System (ENCS)
  • Cisco Umbrella API
  • Cisco RV110W, RV130W, and RV215W Routers
  • Cisco Webex Meetings
  • Cisco Webex Meetings Suite (WBS31, WBS32, WBS33)
  • Cisco Webex Meetings Server
  • Cisco Meeting Server
  • Cisco Umbrella ERC
  • Cisco Prime Access Registrar
  • Cisco Prime Access Registrar Jumpstart
  • Cisco Prime Collaboration Assurance
  • Cisco Packaged Contact Center Enterprise
  • Cisco Data Center Network Manager
  • Cisco Tetration Analytics
  • Cisco Network Services Orchestrator
  • Cisco Enterprise NFV Infrastructure
  • Cisco Email Security Appliance
  • Cisco Cloud Services Platform 2100
  • Cisco Secure Access Control Server

RISK:
Government:

  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM

Businesses:

  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM

Home Users: LOW
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Cisco products, including Apache Struts running on various Cisco products, Cisco SD-WAN Solution, Cisco Integrated Management Controller, Cisco Umbrella API, Cisco RV110W, RV130W, and RV215W Routers, Cisco Webex Meetings Suite (WBS31), Cisco Webex Meetings Suite (WBS32), Cisco Webex Meetings Suite (WBS33), Cisco Webex Meetings, Cisco Webex Meetings Server, Cisco Meeting Server, Cisco Umbrella ERC, Cisco Prime Access Registrar, Cisco Prime Access Registrar Jumpstart, Cisco Prime Collaboration Assurance, Cisco Packaged Contact Center Enterprise, Cisco Data Center Network Manager, Cisco Tetration Analytics, Cisco Network Services Orchestrator, Cisco Enterprise NFV Infrastructure, Cisco Email Security Appliance, Cisco Cloud Services Platform 2100, and Cisco Secure Access Control Server. Details of these vulnerabilities are as follows:

  • A vulnerability in Apache Struts could allow an unauthenticated remote attacker to execute arbitrary code on a targeted system. (CVE-2018-11776)
  • A vulnerability in the Cisco Umbrella API could allow an authenticated remote attacker to view and modify data across their organization and other organizations. (CVE-2018-0435)
  • A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated remote attacker to cause a denial of service condition or to execute arbitrary code. (CVE-2018-0423)
  • A vulnerability in the folder permissions of Cisco Webex Meetings client for Windows could allow an authenticated local attacker to modify locally stored files and execute code on a targeted device with the privilege level of the user. (CVE-2018-0422)
  • A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an authenticated remote attacker to view and modify data for an organization other than their own organization. (CVE-2018-0436)
  • A vulnerability in the Cisco Umbrella Enterprise Roaming Client (ERC) could allow an authenticated local attacker to elevate privileges to Administrator. To exploit the vulnerability the attacker must authenticate with valid local user credentials. (CVE-2018-0437, CVE-2018-0438)
  • A vulnerability in the Zero Touch Provisioning feature of the Cisco SD-WAN Solution could allow an unauthenticated remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. (CVE-2018-0434)
  • A vulnerability in the command-line interface (CLI) in the Cisco SD-WAN Solution could allow an authenticated local attacker to inject arbitrary commands that are executed with root privileges. (CVE-2018-0433)
  • A vulnerability in the error reporting feature of the Cisco SD-WAN Solution could allow an authenticated remote attacker to gain elevated privileges on an affected device. (CVE-2018-0432)
  • A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated remote attacker to gain access to sensitive information. (CVE-2018-0426)
  • A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an authenticated remote attacker to execute arbitrary commands. (CVE-2018-0424)
  • A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated remote attacker to gain access to sensitive information. (CVE-2018-0425)
  • A vulnerability in TCP connection management in Cisco Prime Access Registrar could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition when the application unexpectedly restarts. (CVE-2018-0421)
  • A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated remote attacker to inject and execute arbitrary commands with root privileges on an affected device. (CVE-2018-0430, CVE-2018-0431)
  • A vulnerability in the web interface of Cisco Data Center Network Manager could allow an authenticated application administrator to execute commands on the underlying operating system with root-level privileges. (CVE-2018-0440)
  • A vulnerability in the Cisco Webex Player for Webex Recording Format (WRF) files could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition. (CVE-2018-0457)
  • A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. (CVE-2018-0452)
  • A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an authenticated remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. (CVE-2018-0451)
  • Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise could allow an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface or conduct a cross-site request forgery (CSRF) attack. (CVE-2018-0444, CVE-2018-0445)
  • A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. (CVE-2018-0458)
  • A vulnerability in the Cisco Network Plug and Play server component of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated remote attacker to gain unauthorized access to configuration data that is stored on an affected NSO system. (CVE-2018-0463)
  • A vulnerability in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated remote attacker to read any file on an affected system. (CVE-2018-0460)
  • A vulnerability in the user management functionality of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated remote attacker to perform a denial of service (DoS) attack against an affected system. (CVE-2018-0462)
  • A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated remote attacker to cause an affected system to reboot or shut down. (CVE-2018-0459)
  • A vulnerability in the web-based management interface of Cisco Meeting Server could allow an unauthenticated remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. (CVE-2018-0439)
  • A vulnerability in the anti-spam protection mechanisms of Cisco AsyncOS Software for the Cisco Email Security Appliance (ESA) could allow an unauthenticated remote attacker to bypass certain content filters on an affected device. (CVE-2018-0447)
  • A vulnerability in the web-based management interface of Cisco Data Center Network Manager could allow an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the management interface on an affected device. (CVE-2018-0450)
  • A vulnerability in the web-based management interface of Cisco Cloud Services Platform 2100 could allow an authenticated remote attacker to perform command injection. (CVE-2018-0454)
  • A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated remote attacker to gain read access to certain information in an affected system. (CVE-2018-0414)

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
RECOMMENDATIONS:
We recommend the following actions be taken:

  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply patches provided by Cisco immediately after appropriate testing.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

REFERENCES:

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-api
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-overflow
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-priv
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-file-read
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-validation
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-injection
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-escalation
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-traversal
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-injection
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-disclosure
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cpar-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cimc-injection
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cdcnm-escalation
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-pcce
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-pca-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nso-infodis
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-infodis
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-dos1
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-meeting-csrf
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-esa-url-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-dcnm-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-csp2100-injection
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-acsxxe

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
 
