Oct 06 2018

Cisco Serves Up 39 Patches During First Days of October

The San Jose-based networking giant kicked off the new month with a slew of repair suggestions covering all types of products, from ASA Software right through to various installments of Webex Center. According to the company's advisories, three fixes are rated as absolutely critical, while another ten are believed to be highly important; the remaining 26 get a medium rating. All fixes were published between Wednesday and Friday last week (October 3 through October 5).

The critical patches are supposed to fix vulnerabilities in Cisco's Digital Network Architecture (DNA) and Prime Infrastructure management software products. Severity ratings, based on CVSS Scores, range from 7.3 to 9.8. Below is a short overview based on Cisco's own summaries; detailed reports and further security tips are available from Cisco's advisory and alerts repository.

No. 1 in our collection for today is a Cisco Digital Network Architecture Center Authentication Bypass Vulnerability, tracked as CVE-2018-0448. Info about this bug was first released last Wednesday, and it affects all releases of Cisco's DNA Center Software that are older than version 1.1.4. More specifically, we're talking about a vulnerability in the identity management service of Cisco DNA Center that could allow remote attackers to bypass authentication and take complete control of identity management functions. The root cause of this flaw is insufficient security restrictions for those functions. Potential adversaries could exploit it by sending a valid identity management request to an affected system, which would then enable them to view and manipulate profiles of existing users or create new ones. The vulnerability was detected during internal security tests and has been fixed in Cisco DNA Center Software v1.1.4 and later. Updates are available via the usual channels.

The second critical bug, dubbed CVE-2018-15386, is an unauthenticated access vulnerability that works in the same way as the one described above. The flaw is found in DNA Center Software v1.1 only and hinges on an insecure default configuration of the affected systems that enables attackers to bypass authentication functions and directly connect to the exposed services. They could thus retrieve and modify critical system files. The bug was fixed in DNA Center Software v1.2 and later.

Both of the above vulnerabilities have received a severity rating of 9.8 on NIST's Common Vulnerability Scoring System, indicating that admins need to apply the available patches and updates immediately – if they haven't already done that.

The third and final critical bug is CVE-2018-15379, an arbitrary file upload and command execution vulnerability. Cisco's engineers describe it as follows: "A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges." In this case, the root cause appears to be "an incorrect permission setting for important system directories" that could be exploited by uploading a malicious file via TFTP, which is accessible through the web interface. If successful, the attacker could then run all types of commands on the targeted application. As such, this flaw has received a 7.3 CVSS Score, which would normally place it in the "highly important" range (as opposed to "critical"); however, since Cisco PI Software has the TFTP server enabled by default, the potential impact could be considerably higher. Cisco says the bug is found in Cisco PI Software v3.2 through 3.4 releases that were issued "prior to the first fixed release" that matches the specific product (3.3.1 Update 02 for users of version 3.2 and 3.3, and 3.4.1 for users of version 3.4). Cisco PI Software v3.2 FIPS remains unaffected, as TFTP is turned off in that particular edition. Instead of updating their software package, admins could also use a workaround to close the loophole and mitigate risks by simply turning off TFTP and using protocols like SCP or SFTP to perform the required functions, e.g. image transfers.
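For admins triaging an inventory against the three critical advisories, the version rules summarised above can be encoded as follows. This is an added example, not code from Cisco or from the original article; the product keys, the inventory record layout and the `fips` / `tftp_enabled` fields are assumptions, and "v1.1 only" is read here as the whole 1.1.x release train.

```python
import re

def parse_version(text):
    """'3.3.1 Update 02' -> ((3, 3, 1), 2); '1.1' -> ((1, 1, 0), 0)."""
    m = re.fullmatch(r"v?\.?\s*(\d+(?:\.\d+)*)(?:\s+update\s+(\d+))?",
                     text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))            # pad so 3.4 compares as 3.4.0
    return tuple(nums), int(m.group(2) or 0)

# First fixed Prime Infrastructure release per train, as given in the article.
PI_FIXED = {(3, 2): ((3, 3, 1), 2), (3, 3): ((3, 3, 1), 2), (3, 4): ((3, 4, 1), 0)}

def affected_cves(product, version, fips=False, tftp_enabled=True):
    """Return [(cve, note)] for one device; product names are hypothetical keys."""
    ver = parse_version(version)
    findings = []
    if product == "dna-center":
        if ver < ((1, 1, 4), 0):
            findings.append(("CVE-2018-0448", "upgrade to 1.1.4 or later"))
        # Assumption: "v1.1 only" covers every 1.1.x release; fixed in 1.2.
        if ((1, 1, 0), 0) <= ver < ((1, 2, 0), 0):
            findings.append(("CVE-2018-15386", "upgrade to 1.2 or later"))
    elif product == "prime-infrastructure":
        fixed = PI_FIXED.get(ver[0][:2])     # only trains 3.2 to 3.4 are listed
        if fixed and ver < fixed and not fips:   # FIPS edition ships with TFTP off
            note = ("install first fixed release" if tftp_enabled
                    else "unpatched, TFTP workaround applied")
            findings.append(("CVE-2018-15379", note))
    else:
        raise ValueError(f"unknown product: {product!r}")
    return findings

INVENTORY = [  # constructed sample records, not real hosts
    {"host": "dnac-01", "product": "dna-center", "version": "1.1.3"},
    {"host": "dnac-02", "product": "dna-center", "version": "1.2"},
    {"host": "pi-01", "product": "prime-infrastructure", "version": "3.3.1 Update 01"},
    {"host": "pi-02", "product": "prime-infrastructure", "version": "3.2", "fips": True},
    {"host": "pi-03", "product": "prime-infrastructure", "version": "3.4", "tftp_enabled": False},
]

def triage(inventory):
    return {r["host"]: affected_cves(r["product"], r["version"], r.get("fips", False),
                                     r.get("tftp_enabled", True)) for r in inventory}

if __name__ == "__main__":
    for host, found in triage(INVENTORY).items():
        print(host, found or "no findings")
```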

