Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution

ITS Advisory Number: 2018-067
Date(s) Issued: Thursday, June 21, 2018
Subject: Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Cisco products including Cisco FXOS Software, Cisco NX-OS Software, Cisco UCS Manager Software, Cisco Nexus 4000 Series Switch, Cisco Nexus 3000 and 9000 Series, Cisco UCS Fabric Interconnect Software, Cisco Firepower 4100 Series Next-Generation Firewall, Cisco Firepower 9300 Security Appliance, Cisco TelePresence Video Communication Server Expressway, Cisco Unified Communications Manager IM & Presence Service, Cisco Unified Communications Domain Manager, NVIDIA TX1 Boot ROM, Cisco Meeting Server, Cisco Firepower Management Center, Cisco 5000 Series Enterprise Network Compute System, Cisco UCS E-Series Servers, and Cisco AnyConnect Secure Mobility Client for Windows Desktop.

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured with fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 
  • Cisco NX-OS running on the following products: Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 3600 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, and Nexus 9500 R-Series Line Cards and Fabric Modules

  • Cisco FXOS running on the following products: Firepower 4100 Series Next-Generation Firewalls, Firepower 9300 Security Appliance, MDS 9000 Series Multilayer Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, UCS 6100 Series Fabric Interconnects, UCS 6200 Series Fabric Interconnects, UCS 6300 Series Fabric Interconnects

  • UCS Manager Software

  • Cisco Nexus 4000 Series Switch

  • Cisco Nexus 3000 and 9000 Series Switch

  • UCS Fabric Interconnect Software

  • Cisco Firepower 4100 Series Next-Generation Firewall

  • Cisco Firepower 9300 Security Appliance

  • Cisco TelePresence Video Communication Server Expressway

  • Cisco Unified Communications Manager IM & Presence Service

  • Cisco Unified Communications Domain Manager

  • NVIDIA TX1 Boot ROM processors used in Cisco WebEx Room 55, Cisco WebEx Room 70 Single/Dual, Cisco WebEx Room Kit, Cisco WebEx Room Kit Plus, and RoomOS

  • Cisco Meeting Server

  • Cisco Firepower Management Center

  • Cisco 5000 Series Enterprise Network Compute System

  • Cisco UCS E-Series Servers

  • Cisco AnyConnect Secure Mobility Client for Windows Desktop

RISK:
GOVERNMENT
  Large and medium government entities: High
  Small government entities: Medium
BUSINESS
  Large and medium business entities: High
  Small business entities: Medium
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in Cisco products including Cisco FXOS Software, Cisco NX-OS Software, Cisco UCS Manager Software, Cisco Nexus 4000 Series Switch, Cisco Nexus 3000 and 9000 Series, Cisco UCS Fabric Interconnect Software, Cisco Firepower 4100 Series Next-Generation Firewall, Cisco Firepower 9300 Security Appliance, Cisco TelePresence Video Communication Server Expressway, Cisco Unified Communications Manager IM & Presence Service, Cisco Unified Communications Domain Manager, NVIDIA TX1 Boot ROM, Cisco Meeting Server, Cisco Firepower Management Center, Cisco 5000 Series Enterprise Network Compute System, Cisco UCS E-Series Servers, and Cisco AnyConnect Secure Mobility Client for Windows Desktop. Details of these vulnerabilities are as follows: 

  • A buffer overflow vulnerability exists in the NX-API feature of Cisco NX-OS Software due to incorrect input validation in the authentication module of the NX-API subsystem. The NX-API feature is disabled by default. (CVE-2018-0301)

  • A buffer overflow vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software, which could allow for denial of service or arbitrary code execution. (CVE-2018-0308)

  • A buffer overflow vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software, which could allow for unauthorized reading of memory contents, denial of service, or arbitrary code execution as root. (CVE-2018-0304)

  • A buffer overflow vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software, which could allow for arbitrary code execution. (CVE-2018-0314)

  • A buffer overflow vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software, which could allow for denial of service or arbitrary code execution. (CVE-2018-0312)

  • A command-injection vulnerability exists in the CLI of Cisco NX-OS Software due to insufficient input validation of command arguments. (CVE-2018-0307)

  • A denial of service vulnerability exists in the Simple Network Management Protocol (SNMP) input packet processor of Cisco NX-OS Software due to improper validation of SNMP protocol data units (PDUs) in SNMP packets. (CVE-2018-0291)

  • An elevated privilege vulnerability exists in the role-based access control (RBAC) for Cisco NX-OS Software due to incorrect RBAC privilege assignment for certain CLI commands. (CVE-2018-0293)

  • A vulnerability exists in the Internet Group Management Protocol (IGMP) Snooping feature of Cisco NX-OS Software due to a buffer overflow condition in the IGMP Snooping subsystem that could allow an unauthenticated, adjacent attacker to execute arbitrary code and gain full control of an affected system. (CVE-2018-0292)

  • A denial of service vulnerability exists in the Border Gateway Protocol (BGP) implementation of Cisco NX-OS Software due to incomplete input validation of the BGP update messages. (CVE-2018-0295)

  • A vulnerability exists in the write-erase feature of Cisco FXOS Software and Cisco NX-OS Software due to improper deletion of sensitive files when certain CLI commands are used to clear the device configuration and reload a device, which could allow the creation of an unauthorized administrator account. (CVE-2018-0294)

  • A privilege escalation vulnerability exists in the NX-API management application programming interface (API) of devices running, or based on, Cisco NX-OS Software due to a failure to properly validate certain parameters included within an NX-API request. (CVE-2018-0330)

  • A denial of service vulnerability exists in the Cisco Discovery Protocol (formerly known as CDP) subsystem of devices running, or based on, Cisco NX-OS Software due to failure to properly validate certain fields within a Cisco Discovery Protocol message prior to processing it. (CVE-2018-0331)

  • A denial of service vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software due to insufficient validation of Cisco Fabric Services packets when the software processes packet data. (CVE-2018-0311)

  • A vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software due to insufficient validation of header values in Cisco Fabric Services packets that could allow an unauthenticated, remote attacker to obtain sensitive information from memory or cause a denial of service (DoS) condition. (CVE-2018-0310)

  • A command execution vulnerability exists in the CLI parser of Cisco NX-OS Software due to insufficient input validation of command arguments. (CVE-2018-0306)

  • An arbitrary command execution vulnerability exists in the NX-API feature of Cisco NX-OS Software due to incorrect input validation of user-supplied data to the NX-API subsystem. (CVE-2018-0313)

  • A denial of service vulnerability exists in the Simple Network Management Protocol (SNMP) feature of the Cisco Nexus 4000 Series Switch due to incomplete validation of an SNMP poll request for a specific MIB. (CVE-2018-0299)

  • A denial of service vulnerability exists in the implementation of a specific CLI command and the associated Simple Network Management Protocol (SNMP) MIB for Cisco Nexus 3000 and 9000 Series Switches due to the incorrect implementation of the CLI command, resulting in a failure to free all allocated memory upon completion. (CVE-2018-0309)

  • A denial of service vulnerability exists in the web UI of Cisco FXOS and Cisco UCS Fabric Interconnect Software due to incorrect input validation in the web UI. (CVE-2018-0298)

  • An arbitrary code execution vulnerability exists in the CLI parser of Cisco FXOS Software and Cisco UCS Fabric Interconnect Software due to incorrect input validation in the CLI parser subsystem. (CVE-2018-0302)

  • An arbitrary code execution vulnerability exists in the Cisco Discovery Protocol component of Cisco FXOS Software and Cisco NX-OS Software because of insufficiently validated Cisco Discovery Protocol packet headers. (CVE-2018-0303)

  • A denial of service vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software due to insufficient validation of Cisco Fabric Services packets. (CVE-2018-0305)

  • A path traversal vulnerability exists in the process of uploading new application images to the Cisco Firepower 4100 Series Next-Generation Firewall (NGFW) and Firepower 9300 Security Appliance due to insufficient validation during the application image upload process. (CVE-2018-0300)

  • A denial of service vulnerability exists in the file descriptor handling of Cisco TelePresence Video Communication Server (VCS) Expressway due to exhaustion of file descriptors while processing a high volume of traffic. (CVE-2018-0358)

  • A cross-site request forgery (CSRF) vulnerability exists in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) due to insufficient CSRF protections for the web-based management interface of an affected device. (CVE-2018-0363)

  • A cross-site request forgery (CSRF) vulnerability exists in the web-based management interface of Cisco Unified Communications Domain Manager due to insufficient CSRF protections for the web-based management interface of an affected device. (CVE-2018-0364)

  • An arbitrary code execution vulnerability exists in the role-based access-checking mechanisms of Cisco NX-OS Software because the affected software lacks proper input and validation checks for certain file systems. (CVE-2018-0337)

  • A buffer overflow vulnerability exists in NVIDIA TX1 BootROM when Recovery Mode (RCM) is active. Cisco WebEx Room 55, Cisco WebEx Room 70 Single/Dual, Cisco WebEx Room Kit, Cisco WebEx Room Kit Plus, and RoomOS all use the vulnerable NVIDIA TX1 processor. (CVE-2018-6242)

  • A denial of service vulnerability exists in the Web Admin Interface of Cisco Meeting Server due to insufficient validation of incoming HTTP requests. (CVE-2018-0371)

  • A cross-site request forgery (CSRF) vulnerability exists in the web-based management interface of Cisco Firepower Management Center due to insufficient CSRF protections for the web-based management interface of the affected device. (CVE-2018-0365)

  • An authentication bypass vulnerability exists in BIOS authentication management of Cisco 5000 Series Enterprise Network Compute System and Cisco Unified Computing (UCS) E-Series Servers due to improper security restrictions that are imposed by the affected system. (CVE-2018-0362)

  • A session fixation vulnerability exists in the session identification management functionality of the web-based management interface for Cisco Meeting Server because the affected application does not assign a new session identifier to a user session when a user authenticates to the application. (CVE-2018-0359)

  • A denial of service vulnerability exists in the vpnva-6.sys (32-bit Windows) and vpnva64-6.sys (64-bit Windows) drivers of Cisco AnyConnect Secure Mobility Client for Windows Desktop due to improper validation of user-supplied data. (CVE-2018-0373)

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Addendum:

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  • Firepower 2100 Series

  • Firepower 4100 Series Next-Generation Firewall

  • Firepower 9300 Security Appliance

  • MDS 9000 Series Multilayer Switches

  • Nexus 1000V Series Switches

  • Nexus 1100 Series Cloud Services Platforms

  • Nexus 2000 Series Switches

  • Nexus 3000 Series Switches

  • Nexus 3500 Platform Switches

  • Nexus 3600 Platform Switches

  • Nexus 4000 Series Switch

  • Nexus 5500 Platform Switches

  • Nexus 5600 Platform Switches

  • Nexus 6000 Series Switches

  • Nexus 7000 Series Switches

  • Nexus 7700 Series Switches

  • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode

  • Nexus 9000 Series Switches in standalone NX-OS mode

  • Nexus 9500 R-Series Line Cards and Fabric Modules

  • UCS 6100 Series Fabric Interconnects

  • UCS 6200 Series Fabric Interconnects

  • UCS 6300 Series Fabric Interconnects 

Actions: 
  • Verify that no unauthorized system modifications have occurred on the system before applying patches.

  • After appropriate testing, immediately apply available and future updates provided by Cisco to vulnerable systems.

  • Monitor intrusion detection systems for any signs of anomalous activity.

  • Unless required, limit external network access to affected products.
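To support the prioritisation steps above, here is an added example, not part of this ITS advisory or of any Cisco tooling, that scans an NX-OS running-config excerpt for the optional subsystems in which the NX-OS vulnerabilities listed above live and maps each one it finds reachable to the CVEs to review. The subsystem-to-CVE mapping is compiled from the descriptions in this advisory; the config-line patterns (feature nxapi, feature bgp, snmp-server, no cdp enable, no ip igmp snooping) are assumed common NX-OS conventions, and the sample config is constructed. It reports exposure of a subsystem, not patch status, so it narrows review rather than replacing it.

```python
import re

# NX-OS vulnerabilities from this advisory grouped by the subsystem they
# live in (mapping compiled from the advisory descriptions above).
SUBSYSTEM_CVES = {
    "nxapi": ["CVE-2018-0301", "CVE-2018-0313", "CVE-2018-0330"],
    "bgp": ["CVE-2018-0295"],
    "snmp": ["CVE-2018-0291"],
    "cdp": ["CVE-2018-0303", "CVE-2018-0331"],
    "igmp-snooping": ["CVE-2018-0292"],
}

# Assumed NX-OS config conventions: NX-API and BGP are opt-in via a
# "feature" line; SNMP is reachable once a community or v3 user exists.
OPT_IN = {
    "nxapi": re.compile(r"^feature nxapi$", re.M),
    "bgp": re.compile(r"^feature bgp$", re.M),
    "snmp": re.compile(r"^snmp-server (community|user) ", re.M),
}

# CDP and IGMP snooping are assumed on by default and only appear in the
# config when disabled globally. "^" plus re.M matches only unindented
# lines, so a per-interface "no cdp enable" is deliberately not counted.
DEFAULT_ON = {
    "cdp": re.compile(r"^no cdp enable$", re.M),
    "igmp-snooping": re.compile(r"^no ip igmp snooping$", re.M),
}


def exposed_subsystems(running_config: str) -> set[str]:
    """Return the advisory-relevant subsystems this config leaves reachable."""
    exposed = {name for name, pat in OPT_IN.items() if pat.search(running_config)}
    exposed |= {name for name, pat in DEFAULT_ON.items() if not pat.search(running_config)}
    return exposed


def triage(running_config: str) -> dict[str, list[str]]:
    """Map each exposed subsystem to the CVEs from this advisory to review."""
    return {s: SUBSYSTEM_CVES[s] for s in sorted(exposed_subsystems(running_config))}


# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname nx-edge-01
feature nxapi
feature interface-vlan
no cdp enable
snmp-server community public group network-operator
interface Ethernet1/1
  description uplink
"""

if __name__ == "__main__":
    for subsystem, cves in triage(SAMPLE_CONFIG).items():
        print(f"{subsystem:14s} exposed -> review {', '.join(cves)}")
```

On the sample, NX-API and SNMP are flagged because they are configured, IGMP snooping because it was never disabled, while BGP (not enabled) and CDP (globally disabled) drop out.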

References: 

Cisco:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-bo

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxnxos-fab-ace

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxnxos-ace

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-fabric-execution

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-cli-execution

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-injection

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxossnmp

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosrbac

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosigmp

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosbgp

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosadmin

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-nxapi

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-cdp  

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-fabric-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-fabric-services-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-execution

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-api-execution

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-n4k-snmp-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-n3k-n9k-clisnmp

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxos-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxos-ace

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxnxos-dos  

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-fabric-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-firepwr-pt

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-vcse-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-ucmim-ps-csrf

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-ucdm-csrf

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-rbaccess

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nvidia-tx1-rom

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-meeting-server-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-firepower-csrf

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-encs-ucs-bios-auth-bypass

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-cms-sf

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-anyconnect-dos

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0291

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0292

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0293

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0294

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0295

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0298

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0299

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0300

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0301

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0302

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0303

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0304

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0305

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0306

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0307

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0308

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0309

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0310

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0311

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0312

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0313

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0314

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0330

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0331

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0337

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0358

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0359

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0362

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0363

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0364

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0365

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0371

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0373

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6242