Cisco released multiple security advisories on Wednesday for vulnerabilities discovered in their products. Among these advisories was a HIGH alert (CRITICAL is the highest, followed by HIGH) for their Webex product, a commonly used virtual meeting platform as well as three CRITICAL alerts – one for Cisco Prime Infrastructure and two with in their Digital Network Architecture Center.
The CVE’s are as follows:
HIGH
Webex contains multiple vulnerabilities in its video recording architecture that could allow an attacker to “execute arbitrary code” or in more layman’s terms the attacker could infect the victim with malware. Essentially, WebEx improperly validates the file types of recordings (.arf and .wrf files). Because of this attackers could package malware up as one of those files in an email, convince the victim to open the file, which then WebEx validates due to the file type. Once that occurs the malware successfully executes and infects the system. Thus allowing any number of malicious actions to occur, including remote access for the hacker.
Mitigation: Cisco has released a software update (patch) for Webex that fixes this vulnerability.
Please visit the linked advisory for more information on affected versions and the software patch.
CVE-2018-15379 – Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability
CRITICAL
A vulnerability in the web server for Cisco Prime Infrastructure (PI) “has unrestricted directory permissions”. This vulnerability could allow an attacker to upload malware that could execute commands at the “prime” privilege level. It is important to note that the “prime” privilege has fewer permissions than “administrative” or “root” privileges.
Attackers exploit an incorrect permission setting by “uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI.” Success exploitation could allow the attacker wide access to the impacted system and perhaps the network.
Mitigation: Cisco has released a software update (patch) for Webex that fixes this vulnerability.
Please visit the linked advisory for more information on affected versions and the software patch.
CVE-2018-15386 – Digital Network Architecture Center Unauthenticated Access Vulnerability
CRITICAL
The Cisco Digital Network Architecture has a critical vulnerability that could allow an attacker to directly exploit the system and gain unauthenticated, direct access to the system and “could allow an attacker to retrieve and modify critical system files”. Once the attacker has access it is feasible that they could gain persistence on the network and exploit additional systems; resulting in a substantial data breach.
Mitigation: Cisco has released a software update (patch) for Webex that fixes this vulnerability.
Please visit the linked advisory for more information on affected versions and the software patch.
CVE-2018-0448 – Digital Network Architecture Center Authentication Bypass Vulnerability
CRITICAL
The Cisco Digital Network Architecture (DNA) has a critical vulnerability in its identity management service that, “could allow an unauthenticated, remote attacker to bypass authentication and take complete control of identity management functions”. By having control of these functions, the attacker could create additional accounts, change passwords, and change permissions of various users.
The exploitation occurs by attackers “sending a valid identity management request to affected system”. Depending on where this software resides on the network (i.e. internal or external facing), the attacker could either exploit this directly or will need to already have access to the network. In a large majority of instances, this latter scenario would be the case. Thus, this vulnerability enables broader exploitation, network pivoting, privilege escalation, and gaining persistence.
Mitigation: Cisco has released a software update (patch) for Webex that fixes this vulnerability.
Please visit the linked advisory for more information on affected versions and the software patch.
Recommendations
Clearly these are serious vulnerabilities. It should be noted that these are not the only vulnerabilities disclosed and patched, there were many others. However, these appear to be the most critical. We recommend that you review the full disclosure here and apply patches for the software that impacts you directly.
If you employ the DNA or Prime Infrastructure products, we recommend applying an emergency patch in accordance with your patching policy. We don’t recommend waiting a significant amount of time for your next patching cycle to come around if it can be avoided. The sooner the better.
For the WebEx vulnerability, it may be sufficient to follow your normal patching protocol. However if you are regularly recording and saving WebEx sessions, it may warrant patching in an emergency cycle. We also recommend that you inform your staff of this vulnerability and to be vigilant in email usage and not to click on any links or attachments that end in “.arf” or “.wrf” and, more generally, to be cautious in opening attachments and clicking links in general.
About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.
