Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2020-012
Date(s) Issued: 
Friday, January 24, 2020
Subject: 
Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for arbitrary code execution with administrative privileges on the affected system. An attacker could gain administrative access to the web-based management interface of the affected device.

Systems Affected: 
  • Cisco Firepower Management Center (FMC)

  • Cisco TelePresence Integrator C Series

  • Cisco TelePresence MX Series

  • Cisco TelePresence SX Series

  • Cisco TelePresence System EX Series

  • Cisco Webex Board

  • Cisco Webex DX Series

  • Cisco Webex Room Series

  • Cisco IOS XE SD-WAN Software releases 16.11 and earlier

  • Cisco SD-WAN Solution vManage Software Release 18.4.1

  • Cisco Smart Software Manager On-Prem releases earlier than 7-201910

  • Cisco IOS XR Software later than 6.6.1

  • Cisco IOS XR Software later than 6.6.1 and are configured for BGP on a device with the L2VPN EVPN address family

  • Cisco IOS XR Software releases earlier than 6.6.3, 7.0.2, 7.1.1, or 7.2.1 and they configured with both the IS-IS routing protocol and SNMP versions 1, 2c, or 3. 

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
Low
Description: 

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for arbitrary code execution with administrative privileges on the affected system. Details of these vulnerabilities are as follows:

  • A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. (CVE-2019-16028)

  • A vulnerability in the video endpoint API (xAPI) of Cisco TelePresence Collaboration Endpoint (CE) Software, Cisco TelePresence Codec (TC) Software, and Cisco RoomOS Software could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. (CVE-2020-3143)

  • A vulnerability in Cisco IOS XE SD-WAN Software could allow an unauthenticated, local attacker to gain unauthorized access to an affected device. (CVE-2019-1950)

  • A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. (CVE-2020-3115)

  • A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. (CVE-2019-16029)

  • A vulnerability in the implementation of Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. (CVE-2019-16018)

  • Multiple vulnerabilities in the implementation of Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. (CVE-2019-16019, CVE-2019-16020, CVE-2019-16021, CVE-2019-16022, CVE-2019-16023)

  • A vulnerability in the implementation of the Intermediate System-to-Intermediate System (IS-IS) routing protocol functionality in Cisco IOS XR Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the IS-IS process. (CVE-2019-16027)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution with root privileges on the affected system. An attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • After appropriate testing, immediately install the update provided by Cisco.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

References: 

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...

CISA:
https://www.us-cert.gov/ncas/current-activity/2020/01/23/cisco-releases-...

Security Week:
https://www.securityweek.com/cisco-patches-critical-vulnerability-networ...

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16020
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16028
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16029
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1950
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3143