Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution
MS-ISAC ADVISORY NUMBER:2020-017
Multiple vulnerabilities have been discovered in Cisco Devices, the most severe of which could allow for arbitrary code execution. Cisco is a vender for IT, networking and cybersecurity solutions. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
An undisclosed reliable exploit for CVE-2020-3119 has been crafted by Armis, Inc. There are currently no reports of these vulnerabilities being exploited in the wild.
- Cisco WSA releases 12.0.1-268 and 11.8.0-382
- Cisco devices running Cisco IOS XR Software releases earlier than 6.6.3, 7.0.2, 7.1.1, or 7.2.1 and if they are configured with both the IS-IS routing protocol and SNMP versions 1, 2c, or 3
- Cisco DNA Center Software releases earlier than 18.104.22.168 and 22.214.171.124
- Cisco ISE Software releases earlier than Release 2.7.0
- Cisco products with Cisco Discovery Protocol enabled both globally and on at least one interface and if they are running a vulnerable release of Cisco FXOS, IOS XR (32-bit or 64-bit), or NX-OS Software
- Cisco Video Surveillance 8000 Series IP Cameras with the Cisco Discovery Protocol enabled and running a firmware version earlier than 1.0.7
- Cisco IP phones with Cisco Discovery Protocol enabled and running a vulnerable firmware release
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
Multiple vulnerabilities have been discovered in Cisco Products, the most severe of which could result in arbitrary code execution. These vulnerabilities can be exploited when maliciously crafted packets are sent to the vulnerable device. Details of the vulnerabilities are as follows:
- Insufficient validation of user input in the API Framework of Cisco AsyncOS for Cisco Web Security Appliance (WSA) and Cisco Content Security Management Appliance (SMA) (CVE-2020-3117)
- Improper handling of a Simple Network Management Protocol (SNMP) request for specific Object Identifiers (OIDs) by the IS-IS process in Cisco IOS XR Software (CVE-2019-16027)
- Insufficient validation of user-supplied input in the web-based management interface of Cisco Digital Network Architecture (DNA) (CVE-2019-15253)
- Insufficient input validation by the web-based management interface of Cisco Identity Services Engine (ISE) Software (CVE-2020-3149)
- Insufficient check when for Cisco FXOS, Cisco IOS XR, or Cisco NX-OS processes Cisco Discovery Protocol messages. (CVE-2020-3120)
- Improper validation of string input from certain fields in Cisco Discovery Protocol messages for Cisco IOS XR Software (CVE-2020-3118)
- Improper checks when the Cisco Video Surveillance 8000 Series IP Cameras process Cisco Discovery Protocol messages (CVE-2020-3110)
- Improper input validation for certain fields in Cisco Discovery Protocol for the Cisco NX-OS Software (CVE-2020-3119)
- Improper checks when Cisco IP Phones process Cisco Discovery Protocol messages (CVE-2020-3111)
Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
We recommend the following actions be taken:
- Apply appropriate patches or appropriate mitigations provided by Cisco to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
- Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
- Apply the Principle of Least Privilege to all systems and services.