
Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2018-109

DATE(S) ISSUED:

10/04/2018

OVERVIEW:

Multiple vulnerabilities have been discovered in Cisco products, including Cisco Prime, Cisco Webex, Cisco Digital Network Architecture Center, Cisco Expressway Series, Cisco TelePresence, Cisco Small Business 300 Series Managed Switches, Cisco Adaptive Security Appliance, Cisco Cloud Services Platform, Cisco Firepower, Cisco Hosted Collaboration Mediation Fulfillment, Cisco HyperFlex, Cisco Integrated Management Controller, Cisco UCS Director, Cisco Industrial Network Director, Cisco IOS XR, Cisco Identity Services Engine, Cisco Remote PHY, Cisco Unity, and Cisco SD-WAN.

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Cisco Expressway Series
  • Cisco TelePresence
  • Cisco Small Business 300 Series Managed Switches
  • Cisco Cloud Services Platform
  • Cisco Firepower
  • Cisco Hosted Collaboration Mediation Fulfillment
  • Cisco HyperFlex
  • Cisco Integrated Management Controller
  • Cisco UCS Director
  • Cisco Industrial Network Director
  • Cisco IOS XR
  • Cisco Identity Services Engine
  • Cisco Remote PHY
  • Cisco Prime Infrastructure
  • Cisco Unity
  • Cisco WebEx
  • Cisco Adaptive Security Appliance
  • Cisco SD-WAN
  • Cisco Digital Network Architecture Center

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Cisco products including Apache Struts running on various Cisco products, Cisco SD-WAN Solution, Cisco Integrated Management Controller, Cisco Umbrella API, Cisco RV110W, RV130W, and RV215W Routers, Cisco Webex Meetings Suite (WBS31), Cisco Webex Meetings Suite (WBS32), Cisco Webex Meetings Suite (WBS33), Cisco Webex Meetings, Cisco Webex Meetings Server, Cisco Meeting Server, Cisco Umbrella ERC, Cisco Prime Access Registrar, Cisco Prime Access Registrar Jumpstart, Cisco Prime Collaboration Assurance, Cisco Packaged Contact Center Enterprise, Cisco Data Center Network Manager, Cisco Tetration Analytics, Cisco Network Services Orchestrator, Cisco Enterprise NFV Infrastructure, Cisco Email Security Appliance, Cisco Cloud Services Platform 2100, Cisco Secure Access Control Server.
Details of the most severe of these vulnerabilities are as follows:

  • A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. (CVE-2018-15379)
  • A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated remote attacker to bypass authentication and have direct unauthorized access to critical management functions. (CVE-2018-15386)
  • A vulnerability in the identity management service of Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated remote attacker to bypass authentication and take complete control of identity management functions. (CVE-2018-0448)
  • A vulnerability in the install function of Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated remote attacker to access the administrative web interface using a default hard-coded username and password that are used during install. (CVE-2018-15389)
  • Multiple vulnerabilities in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. (CVE-2018-15408, CVE-2018-15409, CVE-2018-15410, CVE-2018-15411, CVE-2018-15412, CVE-2018-15413, CVE-2018-15415, CVE-2018-15416, CVE-2018-15417, CVE-2018-15418, CVE-2018-15419, CVE-2018-15420, CVE-2018-15431)

A full list of all vulnerabilities can be found at the link below:
https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&last_published=2018+Oct&sort=-day_sir&limit=50#~Vulnerabilities

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply patches provided by Cisco immediately after appropriate testing.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

CIS Controls That Help Avoid This Issue:

  • CIS Control 3: Continuous Vulnerability Assessment and Remediation
  • CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches