Multiple Critical Vulnerabilities in Cisco Products Could Allow for Remote Code Execution

ITS Advisory Number: 2018-098
Date(s) Issued: Friday, October 5, 2018
Subject: Multiple Critical Vulnerabilities in Cisco Products Could Allow for Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Cisco products, including Cisco Prime, Cisco Webex, Cisco Digital Network Architecture Center, Cisco Expressway Series, Cisco TelePresence, Cisco Small Business 300 Series Managed Switches, Cisco Adaptive Security Appliance, Cisco Cloud Services Platform, Cisco Firepower, Cisco Hosted Collaboration Mediation Fulfillment, Cisco HyperFlex, Cisco Integrated Management Controller, Cisco UCS Director, Cisco Industrial Network Director, Cisco IOS XR, Cisco Identity Services Engine, Cisco Remote PHY, Cisco Unity, and Cisco SD-WAN.

 

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

 

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 
  • Cisco Adaptive Security Appliance

  • Cisco Cloud Services Platform

  • Cisco Digital Network Architecture Center

  • Cisco Expressway Series

  • Cisco Firepower

  • Cisco Hosted Collaboration Mediation Fulfillment

  • Cisco HyperFlex

  • Cisco Identity Services Engine

  • Cisco Industrial Network Director

  • Cisco Integrated Management Controller

  • Cisco IOS XR

  • Cisco Prime Infrastructure

  • Cisco Remote PHY

  • Cisco SD-WAN

  • Cisco Small Business 300 Series Managed Switches

  • Cisco TelePresence

  • Cisco UCS Director

  • Cisco Unity

  • Cisco Webex

RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: Medium
BUSINESS
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in Cisco products including Apache Struts running on various Cisco products, Cisco SD-WAN Solution, Cisco Integrated Management Controller, Cisco Umbrella API, Cisco RV110W, RV130W, and RV215W Routers, Cisco Webex Meetings Suite (WBS31), Cisco Webex Meetings Suite (WBS32), Cisco Webex Meetings Suite (WBS33), Cisco Webex Meetings, Cisco Webex Meetings Server, Cisco Meeting Server, Cisco Umbrella ERC, Cisco Prime Access Registrar, Cisco Prime Access Registrar Jumpstart, Cisco Prime Collaboration Assurance, Cisco Packaged Contact Center Enterprise, Cisco Data Center Network Manager, Cisco Tetration Analytics, Cisco Network Services Orchestrator, Cisco Enterprise NFV Infrastructure, Cisco Email Security Appliance, Cisco Cloud Services Platform 2100, Cisco Secure Access Control Server.

Details of the most severe of these vulnerabilities are as follows: 

  • A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. (CVE-2018-15379)

  • A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated remote attacker to bypass authentication and have direct unauthorized access to critical management functions. (CVE-2018-15386)

  • A vulnerability in the identity management service of Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated remote attacker to bypass authentication and take complete control of identity management functions. (CVE-2018-0448)

  • A vulnerability in the install function of Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated remote attacker to access the administrative web interface using a default hard-coded username and password that are used during install. (CVE-2018-15389)

  • Multiple vulnerabilities in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. (CVE-2018-15408, CVE-2018-15409, CVE-2018-15410, CVE-2018-15411, CVE-2018-15412, CVE-2018-15413, CVE-2018-15415, CVE-2018-15416, CVE-2018-15417, CVE-2018-15418, CVE-2018-15419, CVE-2018-15420, CVE-2018-15431)

A full list of all vulnerabilities can be found at the link in the references section below. 

 

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

 

Actions: 
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.

  • After appropriate testing, immediately apply patches provided by Cisco.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Monitor intrusion detection systems for any signs of anomalous activity.

  • Unless required, limit external network access to affected products.