Cisco Patches Remote Code Execution and DoS Flaws in Multiple Products

Cisco has issued three patches to address serious security flaws across a handful of products
Cisco has issued three patches to address serious security flaws across a handful of products

The first patch addresses an issue in multiple Cisco products that include a flawed implementation of the Apache Struts 2 component. The Apache software is affected by a remote command execution vulnerability.

The vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests consisting of Object-Graph Navigation Language (OGNL) expressions to an affected system. That in turn could allow the attacker to execute arbitrary code on the targeted system.

Successful exploitation on the Cisco Identity Services Engine (ISE), Cisco Unified SIP Proxy, and Cisco Business Edition 3000 could result in an arbitrary command executed on the affected system. There is no authentication needed to execute the attack on Cisco ISE and Cisco Unified SIP Proxy. To exploit this vulnerability on Cisco Business Edition 3000, the attacker must provide valid credentials or persuade a user with valid credentials to execute a malicious URL.

Successful exploitation on the Cisco MXE 3500 Series could allow the attacker to redirect the user to a different and possibly malicious website, however arbitrary command execution is not possible on this product.

The patch addresses all affected products except Cisco Business Edition 3000; Cisco said that those customers should “contact their Cisco representative for available options.”

The Cisco ISE meanwhile contains an authenticated arbitrary command execution vulnerability and a support information download authentication bypass vulnerability – both now patchable. Successful exploitation of the first may allow an authenticated remote attacker to execute arbitrary code on the underlying operating system. The second one could allow an attacker to obtain sensitive information, including administrative credentials.

And finally, the company has issued a patch for Cisco IOS XR software releases 3.3.0 to 4.2.0, which contain a vulnerability when handling fragmented packets that could result in a denial-of-service condition of some Cisco CRS Route Processor cards. Successful exploitation of the vulnerability could cause the route processor on an affected device to stop transmitting packets from the route processor CPU to the fabric. As a result, the affected RP-A, RP-B, PRP, or DRP-A will experience a DoS issue, failing to transmit all of its route processor-based protocols (for example, Intermediate System-to-Intermediate System, Border Gateway Protocol, ICMP).

Customers that are running version 4.2.1 or later of Cisco IOS XR Software, or that have previously installed the Software Maintenance Upgrades (SMU) for Cisco bug ID CSCtz62593, are not affected by the vulnerability.

What’s Hot on Infosecurity Magazine?