Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution

ITS Advisory Number: 2018-064 - UPDATED
Date(s) Issued: Friday, June 8, 2018
Date Updated: Tuesday, June 26, 2018
Subject: Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Cisco products including Cisco AnyConnect Secure Mobility Client, Cisco AnyConnect Network Access Manager, Cisco FireSIGHT System Software, Cisco Unity Connection, Cisco Identity Services Engine, Cisco Unified Communications Manager Software, Cisco Unified Computing System Software, Cisco UCS Director Software, Cisco Integrated Management Controller Supervisor Software, Cisco Wide Area Application Services, Cisco WebEx, Cisco Unified IP Phone Software, Cisco Adaptive Security Appliance Software, Cisco Firepower Threat Defense Software, Cisco IOS XE Software, Cisco Prime Collaboration Provisioning, Cisco Meeting Server, Cisco IP Phone 6800, 7800, and 8800 Series Phones, Cisco Voice Operating System, and Cisco Network Services Orchestrator.

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights. 

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

June 26, 2018 - UPDATED THREAT INTELLIGENCE:

There are reports of CVE-2018-0296 being exploited in the wild following the release of proof-of-concept code. See the updated references for more information.

Systems Affected: 
  • Cisco Prime Collaboration Provisioning

  • Cisco devices running IOS XE Software Release Fuji 16.7.1 or Fuji 16.8.1 when configured to use AAA for login authentication

  • Cisco AsyncOS versions for WSA on both virtual and hardware appliances running any release of the 10.5.1, 10.5.2, or 11.0.0 WSA Software

  • Cisco Network Services Orchestrator versions 4.1 through 4.1.6.0, 4.2 through 4.2.4.0, 4.3 through 4.3.3.0, and 4.4 through 4.4.2.0

  • Cisco IP Phone 6800, 7800, and 8800 Series Phones with Multiplatform Firmware if they are running a Multiplatform Firmware release prior to Release 11.1(2)

  • Cisco Prime Collaboration Assurance

  • Cisco Voice Operating System (VOS)-based products: Emergency Responder, Finesse, Hosted Collaboration Mediation Fulfillment, MediaSense, Prime License Manager, SocialMiner, Unified Communications Manager, Unified Communications Manager IM and Presence Service, Unified Communication Manager Session Management Edition, Unified Contact Center Express, Unified Intelligence Center, Unity Connection, and Virtualized Voice Browser

  • Cisco Meeting Server 2000 Platforms running a CMS Software release prior to Release 2.2.13 or Release 2.3.4.

  • Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance, ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance, Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, and FTD Virtual

  • Cisco Unified IP Phone software

  • Cisco WebEx

  • Cisco Wide Area Application Services with default configuration

  • Cisco UCS Director Software

  • Cisco Integrated Management Controller Supervisor Software

  • Cisco Unified Computing System Software

  • Cisco Unified Communications Manager Software

  • Cisco Identity Services Engine

  • Cisco Unity Connection

  • Cisco FireSIGHT System Software

  • Cisco AnyConnect Network Access Manager

  • Cisco AnyConnect Secure Mobility Client for iOS, Mac OS X, Android, Windows and Linux

RISK:

GOVERNMENT:
  • Large and medium government entities: High

  • Small government entities: Medium

BUSINESS:
  • Large and medium business entities: High

  • Small business entities: Medium

Home Users: Low

Description: 

Multiple vulnerabilities have been discovered in Cisco AnyConnect Secure Mobility Client, Cisco AnyConnect Network Access Manager, Cisco FireSIGHT System Software, Cisco Unity Connection, Cisco Identity Services Engine, Cisco Unified Communications Manager Software, Cisco Unified Computing System Software, Cisco UCS Director Software, Cisco Integrated Management Controller Supervisor Software, Cisco Wide Area Application Services, Cisco WebEx, Cisco Unified IP Phone Software, Cisco Adaptive Security Appliance Software, Cisco Firepower Threat Defense Software, Cisco IOS XE Software, Cisco Prime Collaboration Provisioning, Cisco Meeting Server, Cisco IP Phone 6800, 7800, and 8800 Series Phones, Cisco Voice Operating System, and Cisco Network Services Orchestrator. The most severe of these vulnerabilities could allow for remote code execution. Details of these vulnerabilities are as follows: 

  • A remote method invocation vulnerability exists in Cisco Prime Collaboration Provisioning due to an open port in the Network Interface and Configuration Engine (CVE-2018-0321).

  • A remote code execution vulnerability exists in the parsing of login authentication due to incorrect memory operations when a device running Cisco IOS XE Software is configured to use AAA for login authentication (CVE-2018-0315).

  • A security bypass vulnerability exists in traffic-monitoring functions in Cisco Web Security Appliance due to a change in the underlying operating system software (CVE-2018-0353).

  • An SQL injection vulnerability exists in the web framework code of Cisco Prime Collaboration Provisioning due to a lack of proper validation on user-supplied input in SQL queries (CVE-2018-0320).

  • An unauthorized password reset vulnerability exists in the password reset function of Cisco Prime Collaboration Provisioning due to insufficient validation of a password reset request (CVE-2018-0318).

  • An unauthorized password recovery vulnerability exists in the password recovery function of Cisco Prime Collaboration Provisioning due to insufficient validation of a password recovery request (CVE-2018-0319).

  • An access control bypass vulnerability exists in the web interface of Cisco Prime Collaboration Provisioning due to insufficient web portal access control checks (CVE-2018-0317).

  • An access control vulnerability exists in the web management interface of Cisco Prime Collaboration Provisioning due to a failure to enforce access restrictions on the Help Desk and User Provisioning roles that are assigned to authenticated users (CVE-2018-0322).

  • An arbitrary command execution vulnerability exists in the CLI parser of Cisco Network Services Orchestrator due to insufficient input validation (CVE-2018-0274).

  • A denial of service vulnerability exists in the Session Initiation Protocol call-handling functionality of Cisco IP Phone 6800, 7800, and 8800 Series Phones with Multiplatform Firmware due to the firmware of an affected phone incorrectly handling errors that could occur when an incoming phone call is not answered (CVE-2018-0316).

  • A denial of service vulnerability exists in multiple Cisco products due to a certain system log file not having a maximum size restriction (CVE-2017-6779).

  • An information disclosure vulnerability exists in Cisco Meeting Server due to incorrect default configuration of the device (CVE-2018-0263).

  • A denial of service vulnerability exists in the web interface of the Cisco Adaptive Security Appliance due to the lack of proper input validation of the HTTP URL (CVE-2018-0296).

  • A denial of service vulnerability exists in the Session Initiation Protocol ingress packet processing of Cisco Unified IP Phone software due to a lack of flow-control mechanisms in the software (CVE-2018-0332).

  • A cross-site scripting vulnerability exists in the web framework of Cisco WebEx due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods (CVE-2018-0356, CVE-2018-0357).

  • A static SNMP credentials vulnerability exists in the default configuration of the Simple Network Management Protocol feature of Cisco Wide Area Application Services Software due to a hard-coded, read-only community string in the configuration file for the SNMP daemon (CVE-2018-0329).

  • A privilege escalation vulnerability exists in the Disk Check Tool for Cisco Wide Area Application Services due to insufficient validation of script files executed in the context of the Disk Check Tool (CVE-2018-0352).

  • A cross-site scripting vulnerability exists in the web-based management interface of Cisco Integrated Management Controller Supervisor Software and Cisco UCS Director Software due to insufficient validation of user-supplied input by the web-based management interface of the affected software (CVE-2018-0149).

  • A role-based access vulnerability exists in the role-based access-checking mechanisms of Cisco Unified Computing System Software due to the affected software lacking proper input and validation checks for certain file systems (CVE-2018-0338).

  • A cross-site scripting vulnerability exists in the web framework of the Cisco Unified Communications Manager Software due to insufficient validation of certain parameters passed to the web server (CVE-2018-0340).

  • A privilege escalation vulnerability exists in the batch provisioning feature of Cisco Prime Collaboration Provisioning due to insufficient authorization enforcement on batch processing (CVE-2018-0336).

  • A cross-site scripting vulnerability exists in the web-based management interface of Cisco Identity Services Engine due to insufficient input validation of some parameters passed to the web-based management interface (CVE-2018-0339).

  • A cross-frame scripting vulnerability exists in the web UI of Cisco Unified Communications Manager due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software (CVE-2018-0355).

  • A cross-site scripting vulnerability exists in the web framework of Cisco Unity Connection due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods (CVE-2018-0354).

  • A vulnerability in which cleartext passwords are written to a world-readable file exists in the web portal authentication process of Cisco Prime Collaboration Provisioning due to improper logging of authentication data (CVE-2018-0335).

  • A VPN policy bypass vulnerability exists in the VPN configuration management of Cisco FireSIGHT System Software due to incorrect management of the configured interface names and VPN parameters when dynamic CLI configuration changes are performed (CVE-2018-0333).

  • A client certificate bypass vulnerability exists in the certificate management subsystem of Cisco AnyConnect Network Access Manager and of Cisco AnyConnect Secure Mobility Client for iOS, Mac OS X, Android, Windows and Linux due to improper use of Simple Certificate Enrollment Protocol and improper server certificate validation (CVE-2018-0334). 

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Actions: 
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.

  • After appropriate testing, immediately apply patches provided by Cisco.

  • Monitor intrusion detection systems for any signs of anomalous activity.

  • Unless required, limit external network access to affected products.

References: 

Cisco:

https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&limit=100#~Vulnerabilities

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-rmi

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-aaa

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-wsa

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-sql

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-password-reset

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-password-recovery

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-bypass

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-access

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-nso

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-multiplatform-sip

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-diskdos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cms-id

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ip-phone-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss1

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-waas-snmp

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-waas-priv-escalation

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ucsdimcs

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ucs-access

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ucm-xss

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-escalation

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ise-xss

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cuc-xss

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cpcp-id

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-FireSIGHT-vpn-bypass

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-AnyConnect-cert-bypass

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6779

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0149

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0263

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0274

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0296

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0315

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0316

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0317

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0318

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0319

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0320

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0321

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0322

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0329

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0332

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0333

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0334

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0335

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0336

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0338

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0339

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0340

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0352

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0353

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0354

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0355

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0356

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0357

June 26, 2018 – UPDATED REFERENCES:
Help Net Security:
https://www.helpnetsecurity.com/2018/06/26/cisco-asa-firepower-flaw/