
Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2018-069

DATE(S) ISSUED:

06/21/2018

OVERVIEW:

Multiple vulnerabilities have been discovered in Cisco products including Cisco FXOS Software, Cisco NX-OS Software, Cisco UCS Manager Software, Cisco Nexus 4000 Series Switch, Cisco Nexus 3000 and 9000 Series, Cisco UCS Fabric Interconnect Software, Cisco Firepower 4100 Series Next-Generation Firewall, Cisco Firepower 9300 Security Appliance, Cisco TelePresence Video Communication Server Expressway, Cisco Unified Communications Manager IM & Presence Service, Cisco Unified Communications Domain Manager, NVIDIA TX1 Boot ROM, Cisco Meeting Server, Cisco Firepower Management Center, Cisco 5000 Series Enterprise Network Compute System, Cisco UCS E-Series Servers, and Cisco AnyConnect Secure Mobility Client for Windows Desktop.

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • UCS Manager Software
  • Cisco Nexus 4000 Series Switch
  • Cisco Nexus 3000 and 9000 Series Switch
  • UCS Fabric Interconnect Software
  • Cisco Firepower 4100 Series Next-Generation Firewall
  • Cisco Firepower 9300 Security Appliance
  • Cisco TelePresence Video Communication Server Expressway
  • Cisco Unified Communications Manager IM & Presence Service
  • Cisco Unified Communications Domain Manager
  • NVIDIA TX1 Boot ROM processors used in Cisco WebEx Room 55, Cisco WebEx Room 70 Single/Dual, Cisco WebEx Room Kit, Cisco WebEx Room Kit Plus, and RoomOS
  • Cisco Meeting Server
  • Cisco Firepower Management Center
  • Cisco 5000 Series Enterprise Network Compute System
  • Cisco UCS E-Series Servers
  • Cisco AnyConnect Secure Mobility Client for Windows Desktop
  • Cisco NX-OS running on the following products: Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 3600 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, and Nexus 9500 R-Series Line Cards and Fabric Modules
  • Cisco FXOS running on the following products: Firepower 4100 Series Next-Generation Firewalls, Firepower 9300 Security Appliance, MDS 9000 Series Multilayer Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, UCS 6100 Series Fabric Interconnects, UCS 6200 Series Fabric Interconnects, UCS 6300 Series Fabric Interconnects

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
  • LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Cisco products including Cisco FXOS Software, Cisco NX-OS Software, Cisco UCS Manager Software, Cisco Nexus 4000 Series Switch, Cisco Nexus 3000 and 9000 Series, Cisco UCS Fabric Interconnect Software, Cisco Firepower 4100 Series Next-Generation Firewall, Cisco Firepower 9300 Security Appliance, Cisco TelePresence Video Communication Server Expressway, Cisco Unified Communications Manager IM & Presence Service, Cisco Unified Communications Domain Manager, NVIDIA TX1 Boot ROM, Cisco Meeting Server, Cisco Firepower Management Center, Cisco 5000 Series Enterprise Network Compute System, Cisco UCS E-Series Servers, and Cisco AnyConnect Secure Mobility Client for Windows Desktop. Details of these vulnerabilities are as follows:

  • A buffer overflow vulnerability exists in the NX-API feature of Cisco NX-OS Software due to incorrect input validation in the authentication module of the NX-API subsystem. The NX-API feature is disabled by default. (CVE-2018-0301)
  • A buffer overflow vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software, which could allow for denial of service or arbitrary code execution. (CVE-2018-0308)
  • A buffer overflow vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software, which could allow for unauthorized reading of memory content, denial of service, or arbitrary code execution as root. (CVE-2018-0304)
  • A buffer overflow vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software, which could allow for arbitrary code execution. (CVE-2018-0314)
  • A buffer overflow vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software, which could allow for denial of service or arbitrary code execution. (CVE-2018-0312)
  • A command-injection vulnerability exists in the CLI of Cisco NX-OS Software due to insufficient input validation of command arguments. (CVE-2018-0307)
  • A denial of service vulnerability exists in the Simple Network Management Protocol (SNMP) input packet processor of Cisco NX-OS Software due to improper validation of SNMP protocol data units (PDUs) in SNMP packets. (CVE-2018-0291)
  • An elevated privilege vulnerability exists in the role-based access control (RBAC) for Cisco NX-OS Software due to incorrect RBAC privilege assignment for certain CLI commands. (CVE-2018-0293)
  • A vulnerability exists in the Internet Group Management Protocol (IGMP) Snooping feature of Cisco NX-OS Software due to a buffer overflow condition in the IGMP Snooping subsystem that could allow an unauthenticated, adjacent attacker to execute arbitrary code and gain full control of an affected system. (CVE-2018-0292)
  • A denial of service vulnerability exists in the Border Gateway Protocol (BGP) implementation of Cisco NX-OS Software due to incomplete input validation of the BGP update messages. (CVE-2018-0295)
  • A vulnerability exists in the write-erase feature of Cisco FXOS Software and Cisco NX-OS Software due to improper deletion of sensitive files when certain CLI commands are used to clear the device configuration and reload a device, allowing the creation of an unauthorized administrator account. (CVE-2018-0294)
  • A privilege escalation vulnerability exists in the NX-API management application programming interface (API) in devices running, or based on, Cisco NX-OS Software due to a failure to properly validate certain parameters included within an NX-API request. (CVE-2018-0330)
  • A denial of service vulnerability exists in the Cisco Discovery Protocol (formerly known as CDP) subsystem of devices running, or based on, Cisco NX-OS Software due to failure to properly validate certain fields within a Cisco Discovery Protocol message prior to processing it. (CVE-2018-0331)
  • A denial of service vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software due to insufficient validation of Cisco Fabric Services packets when the software processes packet data. (CVE-2018-0311)
  • A vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software due to insufficient validation of header values in Cisco Fabric Services packets that could allow an unauthenticated, remote attacker to obtain sensitive information from memory or cause a denial of service (DoS) condition. (CVE-2018-0310)
  • A command execution vulnerability exists in the CLI parser of Cisco NX-OS Software due to insufficient input validation of command arguments. (CVE-2018-0306)
  • An arbitrary command execution vulnerability exists in the NX-API feature of Cisco NX-OS Software due to incorrect input validation of user-supplied data to the NX-API subsystem. (CVE-2018-0313)
  • A denial of service vulnerability exists in the Simple Network Management Protocol (SNMP) feature of the Cisco Nexus 4000 Series Switch due to incomplete validation of an SNMP poll request for a specific MIB. (CVE-2018-0299)
  • A denial of service vulnerability exists in the implementation of a specific CLI command and the associated Simple Network Management Protocol (SNMP) MIB for Cisco Nexus 3000 and 9000 Series Switches due to the incorrect implementation of the CLI command, resulting in a failure to free all allocated memory upon completion. (CVE-2018-0309)
  • A denial of service vulnerability exists in the web UI of Cisco FXOS and Cisco UCS Fabric Interconnect Software due to incorrect input validation in the web UI. (CVE-2018-0298)
  • An arbitrary code execution vulnerability exists in the CLI parser of Cisco FXOS Software and Cisco UCS Fabric Interconnect Software due to incorrect input validation in the CLI parser subsystem. (CVE-2018-0302)
  • An arbitrary code execution vulnerability exists in the Cisco Discovery Protocol component of Cisco FXOS Software and Cisco NX-OS Software because of insufficiently validated Cisco Discovery Protocol packet headers. (CVE-2018-0303)
  • A denial of service vulnerability exists in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software due to insufficient validation of Cisco Fabric Services packets. (CVE-2018-0305)
  • A path traversal vulnerability exists in the process of uploading new application images to the Cisco Firepower 4100 Series Next-Generation Firewall (NGFW) and Firepower 9300 Security Appliance due to insufficient validation during the application image upload process. (CVE-2018-0300)
  • A denial of service vulnerability exists in the file descriptor handling of Cisco TelePresence Video Communication Server (VCS) Expressway due to exhaustion of file descriptors while processing a high volume of traffic. (CVE-2018-0358)
  • A cross-site request forgery (CSRF) vulnerability exists in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) due to insufficient CSRF protections for the web-based management interface of an affected device. (CVE-2018-0363)
  • A cross-site request forgery (CSRF) vulnerability exists in the web-based management interface of Cisco Unified Communications Domain Manager due to insufficient CSRF protections for the web-based management interface of an affected device. (CVE-2018-0364)
  • An arbitrary code execution vulnerability exists in the role-based access-checking mechanisms of Cisco NX-OS Software because the affected software lacks proper input and validation checks for certain file systems. (CVE-2018-0337)
  • A buffer overflow vulnerability exists in NVIDIA TX1 BootROM when Recovery Mode (RCM) is active. Cisco WebEx Room 55, Cisco WebEx Room 70 Single/Dual, Cisco WebEx Room Kit, Cisco WebEx Room Kit Plus, and RoomOS all use the vulnerable NVIDIA TX1 processor. (CVE-2018-6242)
  • A denial of service vulnerability exists in the Web Admin Interface of Cisco Meeting Server due to insufficient validation of incoming HTTP requests. (CVE-2018-0371)
  • A cross-site request forgery (CSRF) vulnerability exists in the web-based management interface of Cisco Firepower Management Center due to insufficient CSRF protections for the web-based management interface of the affected device. (CVE-2018-0365)
  • An authentication bypass vulnerability exists in BIOS authentication management of Cisco 5000 Series Enterprise Network Compute System and Cisco Unified Computing (UCS) E-Series Servers due to improper security restrictions that are imposed by the affected system. (CVE-2018-0362)
  • A session fixation vulnerability exists in the session identification management functionality of the web-based management interface for Cisco Meeting Server because the affected application does not assign a new session identifier to a user session when a user authenticates to the application. (CVE-2018-0359)
  • A denial of service vulnerability exists in the vpnva-6.sys for 32-bit Windows and vpnva64-6.sys for 64-bit Windows of Cisco AnyConnect Secure Mobility Client for Windows Desktop due to improper validation of user-supplied data. (CVE-2018-0373)

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply patches provided by Cisco immediately after appropriate testing.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.
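
To help prioritize patching and access restrictions, the following added example (not part of the original advisory and not Cisco tooling) scans saved NX-OS running configurations for optional features that the Technical Summary ties to specific CVEs. The config-line patterns, hostnames and sample configs are constructed assumptions for triage; confirm actual exposure against the Cisco advisory for each CVE.

```python
import re

# Feature -> CVEs whose description in this advisory names that feature.
# The config-line patterns are triage assumptions, not Cisco's own checks.
FEATURE_CVES = {
    "nxapi": {
        "pattern": re.compile(r"^feature nxapi\b"),
        "cves": ["CVE-2018-0301", "CVE-2018-0313", "CVE-2018-0330"],
    },
    "bgp": {
        "pattern": re.compile(r"^feature bgp\b"),
        "cves": ["CVE-2018-0295"],
    },
    "snmp": {
        "pattern": re.compile(r"^snmp-server (community|user|host)\b"),
        "cves": ["CVE-2018-0291"],
    },
}


def enabled_features(running_config):
    """Return the set of tracked features that a running-config enables."""
    found = set()
    for raw in running_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and comments
        # Patterns are anchored, so "no feature nxapi" never matches.
        for name, entry in FEATURE_CVES.items():
            if entry["pattern"].match(line):
                found.add(name)
    return found


def triage(inventory):
    """Return (host, feature, cves) rows, features with the most CVEs first."""
    rows = []
    for host, cfg in inventory.items():
        for feat in enabled_features(cfg):
            rows.append((host, feat, FEATURE_CVES[feat]["cves"]))
    rows.sort(key=lambda r: (-len(r[2]), r[0], r[1]))
    return rows


# Constructed sample inventory (hypothetical hostnames and configs).
SAMPLE_INVENTORY = {
    "nexus-core-01": (
        "hostname nexus-core-01\n"
        "feature nxapi\n"
        "feature bgp\n"
        "snmp-server community EXAMPLE-RO group network-operator\n"
    ),
    "nexus-access-07": (
        "hostname nexus-access-07\n"
        "no feature nxapi\n"
        "feature interface-vlan\n"
    ),
}

if __name__ == "__main__":
    for host, feat, cves in triage(SAMPLE_INVENTORY):
        print(f"{host}: {feat} enabled -> review {', '.join(cves)}")
```

A device that appears in no row is not thereby unaffected: most of the listed vulnerabilities do not depend on these three features, so patch status still has to be checked per product.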

REFERENCES:

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-bo
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxnxos-fab-ace
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxnxos-ace
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-fabric-execution
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-cli-execution
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-injection
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxossnmp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosrbac
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosigmp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosbgp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosadmin
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-nxapi
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-cdp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-fabric-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-fabric-services-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-execution
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-api-execution
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-n4k-snmp-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-n3k-n9k-clisnmp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxos-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxos-ace
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxnxos-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-fabric-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-firepwr-pt
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-vcse-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-ucmim-ps-csrf
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-ucdm-csrf
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-rbaccess
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nvidia-tx1-rom
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-meeting-server-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-firepower-csrf
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-encs-ucs-bios-auth-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-cms-sf
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-anyconnect-dos

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0299
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0303
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0312
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0314
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0330
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0359
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6242


CIS CONTROLS THAT HELP AVOID THIS ISSUE:

  • CIS Control 3: Continuous Vulnerability Assessment and Remediation
  • CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches