Vulnerability in Cisco Products Could Allow Remote Code Execution

ITS Advisory Number: 2015-155
Date(s) Issued: Tuesday, December 15, 2015
Subject: Vulnerability in Cisco Products Could Allow Remote Code Execution
Overview: 

A vulnerability has been discovered affecting Cisco products. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by submitting crafted input to an application on a targeted system that uses the Apache Commons Collections (ACC) library. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, obtain sensitive information, bypass security restrictions, or cause denial-of-service conditions.

Systems Affected: 

Please note there is an active investigation to determine other products that are vulnerable. Please refer to the Cisco advisory for up-to-date information: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

The following Cisco products are affected. Note: the CSCuxxxxx value after each product is the Cisco defect (bug) ID.

Cable Modems

  • Digital Life RMS 1.8.1.1 Cisco Broadband Access Center Telco Wireless 3.8.1 CSCux34660 

Collaboration and Social Media

  • Cisco SocialMiner CSCux34833 
  • Cisco WebEx Meetings Server versions 1.x CSCux34612 
  • Cisco WebEx Meetings Server versions 2.x CSCux34612 

Endpoint Clients and Client Software

  • Cisco NAC Agent for Windows CSCux35102 

Network Application, Service, and Acceleration

  • Cisco InTracer CSCux35041 
  • Cisco Network Admission Control (NAC) CSCux35101 
  • Cisco Visual Quality Experience Server CSCux34725 
  • Cisco Visual Quality Experience Tools Server CSCux34725 

Network and Content Security Devices

  • Cisco ASA CX and Cisco Prime Security Manager CSCux34742 
  • Cisco ASA Content Security and Control (CSC) Security Services Module CSCux34736 
  • Cisco Clean Access Manager CSCux34981 
  • Cisco Email Security Appliance (ESA) CSCux35048 
  • Cisco NAC Appliance (Clean Access Server) CSCux34982 
  • Cisco NAC Guest Server CSCux34984 
  • Cisco NAC Server CSCux34983 
  • Cisco Secure Access Control System (ACS) CSCux34781 

Network Management and Provisioning

  • Cisco Access Registrar Appliance CSCux34652 
  • Cisco Cloupia Unified Infrastructure Controller CSCux35070 
  • Cisco Configuration Professional CSCux35040 
  • Cisco Digital Media Manager CSCux34692 
  • Cisco Insight Reporter CSCux34694 
  • Cisco Prime Access Registrar Appliance CSCux34652 
  • Cisco Prime Access Registrar CSCux34955 
  • Cisco Prime Collaboration Provisioning CSCux34669 
  • Cisco Prime Home CSCux34668 
  • Cisco Prime LAN Management Solution (LMS - Solaris) CSCux34647 
  • Cisco Prime Network Services Controller CSCux34672 
  • Cisco Prime Optical for SPs CSCux34656 
  • Cisco Prime Performance Manager CSCux34953 
  • Cisco Prime Provisioning for SPs CSCux34664 
  • Cisco Prime Provisioning CSCux35084 
  • Cisco Prime Service Catalog Virtual Appliance CSCux34715 
  • Cisco Security Manager CSCux34671 
  • Data Center Analytics Framework (DCAF) CSCux34575 

Routing and Switching - Enterprise and Service Provider

  • Cisco Broadband Access Center Telco Wireless CSCux34645 

Unified Computing

  • Cisco Unified Computing System (Management software) CSCux35113 

Voice and Unified Communications Devices

  • Cisco Computer Telephony Integration Object Server (CTIOS) CSCux34589 
  • Cisco Emergency Responder CSCux34852 
  • Cisco Hosted Collaboration Mediation Fulfillment CSCux34859 
  • Cisco IM and Presence Service (CUPS) CSCux34855 
  • Cisco IP Interoperability and Collaboration System (IPICS) CSCux34720 
  • Cisco Management Heartbeat Server CSCux35009 
  • Cisco MediaSense CSCux34874 11.0, 10.5 (March 2016), 11.5 (June 2016)
  • Cisco MeetingPlace CSCux35147 
  • Cisco Unified Attendant Console Advanced CSCux34827 
  • Cisco Unified Attendant Console Business Edition CSCux34827 
  • Cisco Unified Attendant Console Department Edition CSCux34827 
  • Cisco Unified Attendant Console Enterprise Edition CSCux34827 
  • Cisco Unified Attendant Console Premium Edition CSCux34827 
  • Cisco Unified Communications Manager (UCM) CSCux34835 
  • Cisco Unified Communications Manager Session Management Edition (SME) CSCux34835 
  • Cisco Unified Contact Center Enterprise CSCux34589 
  • Cisco Unified Intelligence Center CSCux34844 
  • Cisco Unified Intelligent Contact Management Enterprise CSCux34589 
  • Cisco Unified Sip Proxy CSCux34567 

Video, Streaming, TelePresence, and Transcoding Devices

  • Cisco Digital Transport Adapter Control System (DTACS) CSCux34796 
  • Cisco Media Experience Engines (MXE) CSCux34968 
  • Cisco Show and Share CSCux34708 
  • Cisco TelePresence Exchange System (CTX) CSCux34690 
  • Cisco Videoscape Conductor CSCux34792 
  • Cisco Videoscape Control Suite CSCux34974 
  • Explorer Controller (EC) system CSCux34795 

Cisco Hosted Services

  • Business Video Services Automation Software (BV) CSCux34572 
  • Cisco Cloud Email Security CSCux34593 
  • Cisco Cloud Web Security CSCux35002 
  • Cisco Registered Envelope Service (CRES) CSCux34591 
  • Cisco Unified Services Delivery Platform (CUSDP) CSCux34779 
  • Communication/Collaboration Sizing Tool, Virtual Machine Placement Tool, Cisco Unified Communications Upgrade Readiness Assessment CSCux34881 
  • DCAF UCS Collector CSCux34924 
  • Network Change and Configuration Management CSCux34580 
  • Partner Supporting Service (PSS) 1.x CSCux34739 
  • SI component of Partner Supporting Service CSCux34738 
  • Serial Number Assessment Service (SNAS) CSCux34991 
  • Smart Net Total Care (SNTC) CSCux34987 
  • Smart Net Total Care CSCux34730 


RISK

GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High

BUSINESS
  • Large and medium business entities: High
  • Small business entities: High

Home Users: High
Description: 

A remote code execution vulnerability exists in several Cisco products due to insecure Java deserialization involving the Apache Commons Collections (ACC) library. An attacker may exploit this vulnerability by submitting specially crafted input to an application on a targeted Cisco system that uses the ACC library. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, obtain sensitive information, bypass security restrictions, or cause denial-of-service conditions.
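Added example (not code from this advisory, Cisco, or the ACC project): the application-side mitigation for the class of issue described above is a look-ahead ObjectInputStream that refuses to resolve any class not on an explicit allowlist, so library classes such as those in Apache Commons Collections are never instantiated from untrusted input. The allowlist contents and the sample objects are assumptions for the demo.

```java
import java.io.*;
import java.util.*;

// Added example: an ObjectInputStream whose resolveClass() rejects any class
// not on an explicit allowlist. The check happens before an instance of the
// class is created, which is where deserialization gadget chains would
// otherwise fire. The allowlist below is an illustrative assumption.
public class AllowlistObjectInputStream extends ObjectInputStream {
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.ArrayList"   // the only class this demo expects to read
    ));

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Fail closed: never fall back to Class.forName() on an untrusted name.
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Demo: a benign ArrayList of Strings round-trips; an unlisted class
    // (HashMap, constructed here as a stand-in) is rejected before instantiation.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<>(Arrays.asList("alpha", "beta")));
        }
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println("accepted: " + in.readObject());
        }
        buf.reset();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new HashMap<String, String>());
        }
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 8u121 and later the same policy can be expressed with the built-in ObjectInputFilter (JEP 290) instead of overriding resolveClass().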

Actions: 
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Once a patch is released by Cisco, update immediately after appropriate testing.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.