CIS Logo
tagline: Confidence in the Connected World

Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2019-010

DATE(S) ISSUED:

01/25/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for arbitrary code execution on the affected system as the logged on user. Depending on the privileges associated with the user or application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users or applications that have been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

**February 1 - Updated Threat Intelligence:
Attackers are actively exploiting vulnerabilities (CVE-2019-1652 and CVE-2019-1653) in Cisco small business routers RV320 and RV325 to take control of affected systems.

SYSTEMS AFFECTED:

  • Cisco SD-WAN Solution prior to Release 18.4.0
  • Cisco 1540 Aironet Series Outdoor Access Points prior to 8.8.100.0
  • Cisco 1800i Aironet Access Points prior to 8.8.100.0
  • Cisco 1810 Aironet Access Points prior to 8.8.100.0
  • Cisco 1815i Aironet Access Points prior to 8.8.100.0
  • Cisco 1815m Aironet Access Points prior to 8.8.100.0
  • Cisco 1815w Aironet Access Points prior to 8.8.100.0
  • Cisco 4800 Aironet Access Points prior to 8.8.100.0
  • Meraki MR30H Access Point prior to MR 25.13
  • Meraki MR33 Access Point prior to MR 25.13
  • Meraki MR74 Access Point prior to MR 25.13
  • Meraki MR42E Access Point prior to MR 26.1
  • Meraki MR53E Access Point prior to MR 26.1
  • Cisco Webex Teams prior to version 3.0.10260
  • Cisco Webex Business Suite WBS32 sites — All Webex Network Recording Player and Webex Player versions prior to Version WBS32.15.33
  • Cisco Webex Business Suite WBS33 sites — All Webex Network Recording Player and Webex Player versions prior to Version WBS33.6.1 or WBS 33.7.0
  • Cisco Webex Meetings Online — All Webex Network Recording Player and Webex Player versions prior to Version 1.3.40
  • Cisco Webex Meetings Server — All Webex Network Recording Player versions prior to Version 2.8MR3 SecurityPatch1 or 3.0MR2 SecurityPatch2
  • Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running Firmware Releases 1.4.2.15 through 1.4.2.19
  • Cisco Identity Services Engine prior to 2.2.0 patch 10, prior to 2.2.1 patch 1, prior to 2.3 patch 5, and prior to 2.4 patch 2
  • Connected Grid Network Management System, if running a software release prior to IoT-FND Release 3.0, prior to 4.1.2, prior to 4.3.0
  • Cisco Firepower Threat Defense Software Release 6.3.0 only when running on Firepower 4100 or Firepower 9300 Series Platforms.
  • Cisco Unified Intelligence Center
  • Cisco AMP Threat Grid Cloud prior to 3.5.68 and Cisco AMP Threat Grid Appliance software prior to 2.5
  • Cisco Enterprise NFV Infrastructure Software (NFVIS)
  • Cisco SocialMiner
  • Cisco Firepower Management Center
  • Cisco Prime Infrastructure
  • Cisco Connected Mobile Experiences (CMX) software

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for arbitrary code execution on the affected system as the logged on user. Details of these vulnerabilities are as follows:

  • A vulnerability in the vContainer of the Cisco SD-WAN Solution could allow an authenticated remote attacker to cause a denial of service (DoS) condition and execute arbitrary code as the root user. (CVE-2019-1651)
  • A vulnerability in Texas instruments chips in the affected Cisco Aironet and Meraki Access Points could allow an attacker to inject malicious Bluetooth frames to cause denial of service or remote code execution on the affected devices. (CVE-2018-16986)
  • A vulnerability in the Cisco Webex Teams client formerly Cisco Spark could allow an attacker to execute arbitrary commands on a targeted system. (CVE-2019-1636)
  • Multiple vulnerabilities in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. (CVE-2019-1637, CVE-2019-1638, CVE-2019-1639, CVE-2019-1640, CVE-2019-1641)
  • A vulnerability in the Cisco SD-WAN Solution could allow an authenticated adjacent attacker to bypass authentication and have direct unauthorized access to other vSmart containers. (CVE-2019-1647)
  • A vulnerability in the user group configuration of the Cisco SD-WAN Solution could allow an authenticated local attacker to gain elevated privileges on an affected device. (CVE-2019-1648)
  • A vulnerability in the Cisco SD-WAN Solution could allow an authenticated remote attacker to overwrite arbitrary files on the underlying operating system of an affected device. (CVE-2019-1650)
  • Multiple vulnerabilities in the local CLI of the Cisco SD-WAN Solution could allow an authenticated local attacker to escalate privileges and modify device configuration files. (CVE-2019-1646)
  • A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated remote attacker with administrative privileges on an affected device to execute arbitrary commands. (CVE-2019-1652)
  • A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated remote attacker to retrieve sensitive information. (CVE-2019-1653)
  • A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated remote attacker to gain additional privileges on an affected device. (CVE-2018-15459)
  • A vulnerability in the UDP protocol implementation for Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated remote attacker to exhaust system resources resulting in a denial of service (DoS) condition. (CVE-2019-1644)
  • A vulnerability in the data acquisition (DAQ) component of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated remote attacker to bypass configured access control policies or cause a denial of service (DoS) condition. (CVE-2019-1669)
  • A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. (CVE-2019-1658)
  • A vulnerability in Cisco AMP Threat Grid could allow an authenticated remote attacker to access sensitive information. (CVE-2019-1657)
  • A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated local attacker to access the shell of the underlying Linux operating system on the affected device. (CVE-2019-1656)
  • Multiple vulnerabilities in the chat feed feature of Cisco SocialMiner could allow an unauthenticated remote attacker to perform cross-site scripting (XSS) attacks against a user of the web-based user interface of an affected system. (CVE-2019-1668)
  • A vulnerability in the web-based management interface of Cisco Webex Meetings Server could allow an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected software. (CVE-2019-1655)
  • Multiple vulnerabilities in the logging component of Cisco Identity Services Engine could allow an unauthenticated remote attacker to conduct cross-site scripting attacks. (CVE-2018-15455, CVE-2018-0187)
  • A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) software could allow an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. (CVE-2019-1642)
  • A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. (CVE-2019-1643)
  • A vulnerability in the Cisco Connected Mobile Experiences (CMX) software could allow an unauthenticated adjacent attacker to access sensitive data on an affected device. (CVE-2019-1645)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution on the affected system as the logged on user. Depending on the privileges associated with the user or application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users or applications that have been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMENDATIONS:

We recommend the following actions be taken:

  • Install the update provided by Cisco immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-bo https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-teams https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-rce https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-unaccess https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-sol-escal https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-file-write https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-escal https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-ise-privilege https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-iot-fnd-dos https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-firepowertds-bypass https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-uic-csrf https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-threat-grid https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-nfvis-shell-access https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-miner-chat-xss https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-meetings-xss https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-isel-xss https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-ise-info-disclosure https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-frpwr-mc-xss https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-cpi-xss https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-cmx-info-discl
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0187 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15455 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15459 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16986 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1636 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1637 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1638 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1639 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1640 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1641 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1642 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1643 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1644 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1645 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1646 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1647 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1648 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1650 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1651 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1655 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1656 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1657 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1658 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1668 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1669

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Protect Your Systems from Cyber Threats Like This

CIS Controls That Help Avoid This Issue Arrow CIS Control 3: Continuous Vulnerability Assessment and Remediation Arrow CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches CIS Benchmark and Other Tools for Related Technology Arrow Cisco

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0

Pencil White paper 20 Feb 2019
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0

Pencil Blog post 19 Feb 2019