
Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2018-082

DATE(S) ISSUED:

07/19/2018

OVERVIEW:

Multiple vulnerabilities have been discovered in Cisco products including Cisco SD-WAN Solution, Cisco Policy Suite, Cisco Finesse, Cisco Cloud Services Platform 2100, Cisco Unified Communications Manager IM and Presence Service, Cisco Unified Contact Center Express (Unified CCX), Cisco Webex, Cisco Webex Teams, Cisco Webex Network Recording Player for Advanced Recording Format and Webex Recording Format files, and Cisco Nexus 9000 Series Fabric Switches.

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Cisco SD-WAN Solution running on vBond Orchestrator Software
  • Cisco SD-WAN Solution running on vEdge 100 Series Routers
  • Cisco SD-WAN Solution running on vEdge 1000 Series Routers
  • Cisco SD-WAN Solution running on vEdge 2000 Series Routers
  • Cisco SD-WAN Solution running on vEdge 5000 Series Routers
  • Cisco SD-WAN Solution running on vEdge Cloud Router Platform
  • Cisco SD-WAN Solution running on vManage Network Management Software
  • Cisco SD-WAN Solution running on vSmart Controller Software
  • Cisco Policy Suite
  • Cisco Finesse
  • Cisco Cloud Services Platform 2100
  • Cisco Unified Communications Manager IM & Presence Service
  • Cisco Unified Contact Center Express (Unified CCX)
  • Cisco WebEx
  • Cisco Webex Teams for MacOS
  • Cisco Webex Meetings Suite (WBS31) - Webex Network Recording Player and Webex Player versions prior to WBS31.23
  • Cisco Webex Meetings Suite (WBS32) - Webex Network Recording Player and Webex Player versions prior to WBS32.15
  • Cisco Webex Meetings Suite (WBS33) - Webex Network Recording Player and Webex Player versions prior to WBS33.2
  • Cisco Webex Meetings Online - Webex Network Recording Player and WebEx Player versions prior to 1.3.35
  • Cisco Webex Meetings Server - Webex Network Recording Player versions prior to 3.0MR1
  • Cisco Nexus 9000 Series Fabric Switches

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Cisco products including Cisco SD-WAN Solution, Cisco Policy Suite, Cisco Finesse, Cisco Cloud Services Platform 2100, Cisco Unified Communications Manager IM and Presence Service, Cisco Unified Contact Center Express (Unified CCX), Cisco Webex, Cisco Webex Teams, Cisco WebEx Network Recording Player for Advanced Recording Format and Webex Recording Format files, and Cisco Nexus 9000 Series Fabric Switches. Details of these vulnerabilities are as follows:

  • A vulnerability in the Policy Builder interface of Cisco Policy Suite could allow an unauthenticated, remote attacker to access the Policy Builder interface. (CVE-2018-0376)
  • A vulnerability in the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite could allow an unauthenticated, remote attacker to directly connect to the OSGi interface. (CVE-2018-0377)
  • A vulnerability in the Policy Builder database of Cisco Policy Suite could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database. (CVE-2018-0374)
  • A vulnerability in the Cluster Manager of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system using the root account, which has default, static user credentials. (CVE-2018-0375)
  • Multiple vulnerabilities exist in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious .arf or .wrf file via email or URL and convincing the user to launch the file in the Webex recording players. Exploitation of these vulnerabilities could allow arbitrary code execution on the system of a targeted user. There is no risk when a .arf player that is stored on a Webex site is played in the Webex Network Recording Player. (CVE-2018-0379)
  • A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to overwrite arbitrary files on the underlying operating system of an affected device. (CVE-2018-0349)
  • A vulnerability in the Zero Touch Provisioning service of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. (CVE-2018-0346)
  • A vulnerability in the configuration and management database of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to execute arbitrary commands with the privileges of the vmanage user in the configuration management system of the affected software. (CVE-2018-0345)
  • A vulnerability in the command-line tcpdump utility in the Cisco SD-WAN Solution could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. (CVE-2018-0351)
  • A vulnerability in the CLI of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. (CVE-2018-0348)
  • A vulnerability in the VPN subsystem configuration in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. (CVE-2018-0350)
  • A vulnerability in the Zero Touch Provisioning (ZTP) subsystem of the Cisco SD-WAN Solution could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. (CVE-2018-0347)
  • A vulnerability in the DHCPv6 feature of the Cisco Nexus 9000 Series Fabric Switches in Application-Centric Infrastructure (ACI) Mode could allow an unauthenticated, remote attacker to cause the device to run low on system memory, which could result in a Denial of Service (DoS) condition on an affected system. (CVE-2018-0372)
  • A vulnerability in Cisco Webex Teams could allow an unauthenticated, remote attacker to execute arbitrary code on the user’s device, possibly with elevated privileges. (CVE-2018-0387)
  • Multiple vulnerabilities exist in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious .arf or .wrf file via email or URL and convincing the user to launch the file in the Webex recording players. Exploitation of these vulnerabilities could cause an affected player to crash, resulting in a denial of service (DoS) condition. (CVE-2018-0380)
  • A vulnerability in the web framework of Cisco Webex could allow an unauthenticated, remote attacker to conduct a Document Object Model-based (DOM-based) cross-site scripting (XSS) attack against the user of the web interface of an affected system. (CVE-2018-0390)
  • A vulnerability in the web framework of the Cisco Unified Communications Manager IM and Presence Service software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. (CVE-2018-0396)
  • Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface, conduct a cross-site request forgery (CSRF) attack, or retrieve a cleartext password. (CVE-2018-0400, CVE-2018-0401, CVE-2018-0402, CVE-2018-0403)
  • A vulnerability in the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to execute arbitrary code with vmanage user privileges or cause a denial of service (DoS) condition on an affected system. (CVE-2018-0343)
  • A vulnerability in the vManage dashboard for the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. (CVE-2018-0344)
  • A vulnerability in the configuration and monitoring service of the Cisco SD-WAN Solution could allow an authenticated, local attacker to execute arbitrary code with root privileges or cause a denial of service (DoS) condition on an affected device. (CVE-2018-0342)
  • A vulnerability in the CLI of Cisco Policy Suite could allow an authenticated, local attacker to access files owned by another user. (CVE-2018-0392)
  • A vulnerability in the Policy Builder interface of Cisco Policy Suite could allow an authenticated, remote attacker to make policy changes in the Policy Builder interface. (CVE-2018-0393)
  • Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack or retrieve a cleartext password from an affected system. (CVE-2018-0398, CVE-2018-0399)
  • A vulnerability in the web upload function of Cisco Cloud Services Platform 2100 could allow an authenticated, remote attacker to obtain restricted shell access on an affected system. (CVE-2018-0394)

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Verify that no unauthorized system modifications have occurred on the system before applying patches.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Apply patches provided by Cisco immediately after appropriate testing.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.

REFERENCES:

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-pspb-unauth-access
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ps-osgi-unauth-access
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-policy-unauth-access
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-policy-cm-default-psswrd
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-rce
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-fo
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cx
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-coinj
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cmdnjct
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cmdinj
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-ci
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-20180718-nexus-9000-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-teams-rce
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-DOM-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ucmim-ps-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-uccx
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-code-ex
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-cmd-inject
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-bo
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-policy-suite-data
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-policy-suite-change
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-finesse
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-csp2100-injection

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0344
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0347
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0349
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0350
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0403
