Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution

ITS Advisory Number: 2018-077
Date(s) Issued: Thursday, July 19, 2018
Subject: Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Cisco products including Cisco SD-WAN Solution, Cisco Policy Suite, Cisco Finesse, Cisco Cloud Services Platform 2100, Cisco Unified Communications Manager IM and Presence Service, Cisco Unified Contact Center Express (Unified CCX), Cisco Webex, Cisco Webex Teams, Cisco Webex Network Recording Player for Advanced Recording Format and Webex Recording Format files, and Cisco Nexus 9000 Series Fabric Switches.

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 
  • Cisco SD-WAN Solution running on the following products: vBond Orchestrator Software, vEdge 100 Series Routers, vEdge 1000 Series Routers, vEdge 2000 Series Routers, vEdge 5000 Series Routers, vEdge Cloud Router Platform, vManage Network Management Software, vSmart Controller Software
  • Cisco Policy Suite
  • Cisco Finesse
  • Cisco Cloud Services Platform 2100
  • Cisco Unified Communications Manager IM and Presence Service
  • Cisco Unified Contact Center Express (Unified CCX)
  • Cisco Webex
  • Cisco Webex Teams for macOS
  • Cisco Webex Meetings Suite (WBS31) - Webex Network Recording Player and Webex Player versions prior to WBS31.23
  • Cisco Webex Meetings Suite (WBS32) - Webex Network Recording Player and Webex Player versions prior to WBS32.15
  • Cisco Webex Meetings Suite (WBS33) - Webex Network Recording Player and Webex Player versions prior to WBS33.2
  • Cisco Webex Meetings Online - Webex Network Recording Player and Webex Player versions prior to 1.3.35
  • Cisco Webex Meetings Server - Webex Network Recording Player versions prior to 3.0MR1
  • Cisco Nexus 9000 Series Fabric Switches
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: Medium
BUSINESS
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in Cisco products including Cisco SD-WAN Solution, Cisco Policy Suite, Cisco Finesse, Cisco Cloud Services Platform 2100, Cisco Unified Communications Manager IM and Presence Service, Cisco Unified Contact Center Express (Unified CCX), Cisco Webex, Cisco Webex Teams, Cisco Webex Network Recording Player for Advanced Recording Format and Webex Recording Format files, and Cisco Nexus 9000 Series Fabric Switches. Details of these vulnerabilities are as follows:

  • A vulnerability in the Policy Builder interface of Cisco Policy Suite could allow an unauthenticated, remote attacker to access the Policy Builder interface. (CVE-2018-0376)
  • A vulnerability in the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite could allow an unauthenticated, remote attacker to directly connect to the OSGi interface. (CVE-2018-0377)
  • A vulnerability in the Policy Builder database of Cisco Policy Suite could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database. (CVE-2018-0374)
  • A vulnerability in the Cluster Manager of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system using the root account, which has default, static user credentials. (CVE-2018-0375)
  • Multiple vulnerabilities exist in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious .arf or .wrf file via email or URL and convincing the user to launch the file in the Webex recording players. Exploitation of these vulnerabilities could allow arbitrary code execution on the system of a targeted user. There is no risk when a .arf player that is stored on a Webex site is played in the Webex Network Recording Player. (CVE-2018-0379)
  • A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to overwrite arbitrary files on the underlying operating system of an affected device. (CVE-2018-0349)
  • A vulnerability in the Zero Touch Provisioning service of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. (CVE-2018-0346)
  • A vulnerability in the configuration and management database of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to execute arbitrary commands with the privileges of the vmanage user in the configuration management system of the affected software. (CVE-2018-0345)
  • A vulnerability in the command-line tcpdump utility in the Cisco SD-WAN Solution could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. (CVE-2018-0351)
  • A vulnerability in the CLI of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. (CVE-2018-0348)
  • A vulnerability in the VPN subsystem configuration in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. (CVE-2018-0350)
  • A vulnerability in the Zero Touch Provisioning (ZTP) subsystem of the Cisco SD-WAN Solution could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. (CVE-2018-0347)
  • A vulnerability in the DHCPv6 feature of the Cisco Nexus 9000 Series Fabric Switches in Application-Centric Infrastructure (ACI) Mode could allow an unauthenticated, remote attacker to cause the device to run low on system memory, which could result in a Denial of Service (DoS) condition on an affected system. (CVE-2018-0372)
  • A vulnerability in Cisco Webex Teams could allow an unauthenticated, remote attacker to execute arbitrary code on the user's device, possibly with elevated privileges. (CVE-2018-0387)
  • Multiple vulnerabilities exist in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious .arf or .wrf file via email or URL and convincing the user to launch the file in the Webex recording players. Exploitation of these vulnerabilities could cause an affected player to crash, resulting in a denial of service (DoS) condition. (CVE-2018-0380)
  • A vulnerability in the web framework of Cisco Webex could allow an unauthenticated, remote attacker to conduct a Document Object Model-based (DOM-based) cross-site scripting (XSS) attack against the user of the web interface of an affected system. (CVE-2018-0390)
  • A vulnerability in the web framework of the Cisco Unified Communications Manager IM and Presence Service software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. (CVE-2018-0396)
  • Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface, conduct a cross-site request forgery (CSRF) attack, or retrieve a cleartext password. (CVE-2018-0400, CVE-2018-0401, CVE-2018-0402, CVE-2018-0403)
  • A vulnerability in the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to execute arbitrary code with vmanage user privileges or cause a denial of service (DoS) condition on an affected system. (CVE-2018-0343)
  • A vulnerability in the vManage dashboard for the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. (CVE-2018-0344)
  • A vulnerability in the configuration and monitoring service of the Cisco SD-WAN Solution could allow an authenticated, local attacker to execute arbitrary code with root privileges or cause a denial of service (DoS) condition on an affected device. (CVE-2018-0342)
  • A vulnerability in the CLI of Cisco Policy Suite could allow an authenticated, local attacker to access files owned by another user. (CVE-2018-0392)
  • A vulnerability in the Policy Builder interface of Cisco Policy Suite could allow an authenticated, remote attacker to make policy changes in the Policy Builder interface. (CVE-2018-0393)
  • Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack or retrieve a cleartext password from an affected system. (CVE-2018-0398, CVE-2018-0399)
  • A vulnerability in the web upload function of Cisco Cloud Services Platform 2100 could allow an authenticated, remote attacker to obtain restricted shell access on an affected system. (CVE-2018-0394)

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Actions: 
  • Verify that no unauthorized system modifications have occurred on the system before applying patches.
  • After appropriate testing, immediately apply patches provided by Cisco.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.
References: 

Cisco:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-pspb-unauth-access

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ps-osgi-unauth-access

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-policy-unauth-access

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-policy-cm-default-psswrd

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-rce

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-fo

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cx

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-coinj

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cmdnjct

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cmdinj

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-ci

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-20180718-nexus-9000-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-teams-rce

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-DOM-xss

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ucmim-ps-xss

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-uccx

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-code-ex

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-cmd-inject

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-bo

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-policy-suite-data

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-policy-suite-change

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-finesse

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-csp2100-injection

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0342

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0343

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0344

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0345

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0346

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0347

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0348

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0349

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0350

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0351

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0372

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0374

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0375

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0376

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0377

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0379

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0380

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0387

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0390

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0392

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0393

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0394

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0396

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0398

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0399

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0400

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0401

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0402

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0403