
Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2018-098

DATE(S) ISSUED:

09/05/2018

OVERVIEW:

Multiple vulnerabilities have been discovered in Cisco products, including Apache Struts running on Cisco products, Cisco SD-WAN Solution, Cisco Integrated Management Controller, Cisco Umbrella API, Cisco RV110W, RV130W, and RV215W Routers, Cisco Webex Meetings Suite (WBS31), Cisco Webex Meetings Suite (WBS32), Cisco Webex Meetings Suite (WBS33), Cisco Webex Meetings, Cisco Webex Meetings Server, Cisco Meeting Server, Cisco Umbrella ERC, Cisco Prime Access Registrar, Cisco Prime Access Registrar Jumpstart, Cisco Prime Collaboration Assurance, Cisco Packaged Contact Center Enterprise, Cisco Data Center Network Manager, Cisco Tetration Analytics, Cisco Network Services Orchestrator, Cisco Enterprise NFV Infrastructure, Cisco Email Security Appliance, Cisco Cloud Services Platform 2100, and Cisco Secure Access Control Server.

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Apache Struts running on the following products: Cisco SocialMiner, Cisco Prime Service Catalog, Cisco Identity Services Engine (ISE), Cisco Emergency Responder, Cisco Finesse, Cisco Hosted Collaboration Solution for Contact Center, Cisco MediaSense, Cisco Unified Communications Manager, Cisco Unified Communications Manager IM & Presence Service (formerly CUPS), Cisco Unified Contact Center Enterprise, Cisco Unified Contact Center Enterprise - Live Data server, Cisco Unified Contact Center Express, Cisco Unified Intelligence Center, Cisco Unified Intelligent Contact Management Enterprise, Cisco Unified SIP Proxy Software, Cisco Unified Survivable Remote Site Telephony Manager, Cisco Unity Connection, Cisco Virtualized Voice Browser, Cisco Video Distribution Suite for Internet Streaming (VDS-IS)
  • Cisco SD-WAN Solution running on the following products: vEdge 100 Series Routers, vEdge 1000 Series Routers, vEdge 2000 Series Routers, vEdge 5000 Series Routers, vManage Network Management System, vEdge Cloud Router Platform, vSmart Controller Software, vBond Orchestrator Software
  • Cisco Integrated Management Controller running on the following products: Cisco UCS C-Series, Cisco UCS E-Series, 5000 Series Enterprise Network Compute System (ENCS)
  • Cisco Umbrella API
  • Cisco RV110W, RV130W, and RV215W Routers
  • Cisco Webex Meetings
  • Cisco Webex Meetings Suite (WBS31, WBS32, WBS33)
  • Cisco Webex Meetings Server
  • Cisco Meeting Server
  • Cisco Umbrella ERC
  • Cisco Prime Access Registrar
  • Cisco Prime Access Registrar Jumpstart
  • Cisco Prime Collaboration Assurance
  • Cisco Packaged Contact Center Enterprise
  • Cisco Data Center Network Manager
  • Cisco Tetration Analytics
  • Cisco Network Services Orchestrator
  • Cisco Enterprise NFV Infrastructure
  • Cisco Email Security Appliance
  • Cisco Cloud Services Platform 2100
  • Cisco Secure Access Control Server

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
  • LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Cisco products, including Apache Struts running on various Cisco products, Cisco SD-WAN Solution, Cisco Integrated Management Controller, Cisco Umbrella API, Cisco RV110W, RV130W, and RV215W Routers, Cisco Webex Meetings Suite (WBS31), Cisco Webex Meetings Suite (WBS32), Cisco Webex Meetings Suite (WBS33), Cisco Webex Meetings, Cisco Webex Meetings Server, Cisco Meeting Server, Cisco Umbrella ERC, Cisco Prime Access Registrar, Cisco Prime Access Registrar Jumpstart, Cisco Prime Collaboration Assurance, Cisco Packaged Contact Center Enterprise, Cisco Data Center Network Manager, Cisco Tetration Analytics, Cisco Network Services Orchestrator, Cisco Enterprise NFV Infrastructure, Cisco Email Security Appliance, Cisco Cloud Services Platform 2100, and Cisco Secure Access Control Server. Details of these vulnerabilities are as follows:

  • A vulnerability in Apache Struts could allow an unauthenticated remote attacker to execute arbitrary code on a targeted system. (CVE-2018-11776)
  • A vulnerability in the Cisco Umbrella API could allow an authenticated remote attacker to view and modify data across their organization and other organizations. (CVE-2018-0435)
  • A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated remote attacker to cause a denial of service condition or to execute arbitrary code. (CVE-2018-0423)
  • A vulnerability in the folder permissions of Cisco Webex Meetings client for Windows could allow an authenticated local attacker to modify locally stored files and execute code on a targeted device with the privilege level of the user. (CVE-2018-0422)
  • A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an authenticated remote attacker to view and modify data for an organization other than their own organization. (CVE-2018-0436)
  • A vulnerability in the Cisco Umbrella Enterprise Roaming Client (ERC) could allow an authenticated local attacker to elevate privileges to Administrator. To exploit the vulnerability the attacker must authenticate with valid local user credentials. (CVE-2018-0437, CVE-2018-0438)
  • A vulnerability in the Zero Touch Provisioning feature of the Cisco SD-WAN Solution could allow an unauthenticated remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. (CVE-2018-0434)
  • A vulnerability in the command-line interface (CLI) in the Cisco SD-WAN Solution could allow an authenticated local attacker to inject arbitrary commands that are executed with root privileges. (CVE-2018-0433)
  • A vulnerability in the error reporting feature of the Cisco SD-WAN Solution could allow an authenticated remote attacker to gain elevated privileges on an affected device. (CVE-2018-0432)
  • A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated remote attacker to gain access to sensitive information. (CVE-2018-0426)
  • A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an authenticated remote attacker to execute arbitrary commands. (CVE-2018-0424)
  • A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated remote attacker to gain access to sensitive information. (CVE-2018-0425)
  • A vulnerability in TCP connection management in Cisco Prime Access Registrar could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition when the application unexpectedly restarts. (CVE-2018-0421)
  • A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated remote attacker to inject and execute arbitrary commands with root privileges on an affected device. (CVE-2018-0430, CVE-2018-0431)
  • A vulnerability in the web interface of Cisco Data Center Network Manager could allow an authenticated application administrator to execute commands on the underlying operating system with root-level privileges. (CVE-2018-0440)
  • A vulnerability in the Cisco Webex Player for Webex Recording Format (WRF) files could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition. (CVE-2018-0457)
  • A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. (CVE-2018-0452)
  • A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an authenticated remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. (CVE-2018-0451)
  • Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise could allow an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface or conduct a cross-site request forgery (CSRF) attack. (CVE-2018-0444, CVE-2018-0445)
  • A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. (CVE-2018-0458)
  • A vulnerability in the Cisco Network Plug and Play server component of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated remote attacker to gain unauthorized access to configuration data that is stored on an affected NSO system. (CVE-2018-0463)
  • A vulnerability in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated remote attacker to read any file on an affected system. (CVE-2018-0460)
  • A vulnerability in the user management functionality of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated remote attacker to perform a denial of service (DoS) attack against an affected system. (CVE-2018-0462)
  • A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated remote attacker to cause an affected system to reboot or shut down. (CVE-2018-0459)
  • A vulnerability in the web-based management interface of Cisco Meeting Server could allow an unauthenticated remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. (CVE-2018-0439)
  • A vulnerability in the anti-spam protection mechanisms of Cisco AsyncOS Software for the Cisco Email Security Appliance (ESA) could allow an unauthenticated remote attacker to bypass certain content filters on an affected device. (CVE-2018-0447)
  • A vulnerability in the web-based management interface of Cisco Data Center Network Manager could allow an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the management interface on an affected device. (CVE-2018-0450)
  • A vulnerability in the web-based management interface of Cisco Cloud Services Platform 2100 could allow an authenticated remote attacker to perform command injection. (CVE-2018-0454)
  • A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated remote attacker to gain read access to certain information in an affected system. (CVE-2018-0414)

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply patches provided by Cisco immediately after appropriate testing.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

REFERENCES:

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-api
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-overflow
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-priv
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-file-read
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-validation
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-injection
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-escalation
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-traversal
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-injection
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-disclosure
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cpar-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cimc-injection
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cdcnm-escalation
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-pcce
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-pca-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nso-infodis
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-infodis
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-dos1
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-meeting-csrf
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-esa-url-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-dcnm-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-csp2100-injection
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-acsxxe
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
