Cisco Accidentally Released Dirty CoW Exploit Code in Software

Cisco Systems revealed in a security bulletin Wednesday that it “inadvertently” shipped in-house exploit code, used in its internal security validation scripts, as part of its TelePresence Video Communication Server and Expressway Series software. The code exploits the Dirty CoW vulnerability (CVE-2016-5195), a well-known privilege escalation vulnerability in the Linux kernel that came to light in 2016.

Cisco used the code internally in validation scripts run against shipping software images to confirm that its software is protected against known exploits. A failure in the final QA validation step of the build, however, meant the code was not removed from the images before release.

“The presence of the sample, dormant exploit code does not represent nor allow an exploitable vulnerability on the product, nor does it present a risk to the product itself as all of the required patches for this vulnerability have been integrated into all shipping software images,” Cisco wrote in its advisory.

The blunder was discovered during internal security testing.

“A failure in the final QA validation step of the automated software build system for the Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software inadvertently allowed a set of sample, dormant exploit code used internally by Cisco in validation scripts to be included in shipping software images,” the company said in an advisory. “This includes an exploit for the Dirty CoW vulnerability (CVE-2016-5195). The purpose of this QA validation step is to make sure the Cisco product contains the required fixes for this vulnerability.”

Cisco said that it is not aware of “malicious use of the issue” and that the issue does not open the impacted software (Cisco Expressway Series and Cisco TelePresence Video Communication Server image versions X8.9 through X8.11.3) to any sort of attack. “The impacted software images will be removed and will be replaced by fixed images,” the company said. It did not specify when.

Dirty CoW was patched in 2016 after it was discovered being used in public exploits. The vulnerability was found in the copy-on-write (CoW) feature of the Linux kernel and could be used by an attacker with local access to obtain root privileges on a Linux or Android device.

Cisco Patches Critical Bug in Small Business Switches

Cisco on Wednesday also disclosed 15 flaws in various products, including three critical vulnerabilities. One of these critical bugs (CVE-2018-15439) was identified in the software used in Cisco’s Small Business Switches, which are typically deployed in small office network environments. The flaw could enable an unauthenticated remote attacker to bypass user authentication by using a backdoored default account.

Cisco said it has not yet released software updates that address this vulnerability, but the glitch can be mitigated with a simple workaround. The company said that it is not aware of any exploits of this particular vulnerability in the wild.

The Cisco Small Business Switch vulnerability exists because, when no account on the system has the top-level access privilege (level 15), the affected software automatically enables a default privileged user account that has those privileges, without notifying the system administrators.

“The default configuration on the devices listed as vulnerable includes a default, privileged user account that is used for the initial login and cannot be removed from the system,” the company said in the advisory. “An administrator may disable this account by configuring other user accounts with access privilege set to level 15. However, if all user-configured privilege level 15 accounts are removed from the device configuration, an affected software release re-enables the default privileged user account without notifying administrators of the system.”

Under these circumstances, an attacker could exploit the bug by using the default account to log in to an affected device and execute commands with full admin rights, Cisco said in its advisory.

The unauthorized privilege access vulnerability, CVE-2018-15439, has a CVSS severity score of 9.8 (out of 10). Cisco did not respond to a request for comment from Threatpost.

Below are the impacted families of Small Business product switches:

Cisco Small Business 200 Series Smart Switches
Cisco Small Business 300 Series Managed Switches
Cisco Small Business 500 Series Stackable Managed Switches
Cisco 250 Series Smart Switches
Cisco 350 Series Managed Switches
Cisco 350X Series Stackable Managed Switches
Cisco 550X Series Stackable Managed Switches

Cisco said it will update its advisory once a patched version of the software becomes available.

In the meantime, there is a simple workaround for CVE-2018-15439: users can add one account with its access privilege set to the top level (level 15) in the device configuration, which automatically disables the default privileged account.

“The workaround consists of adding at least one user account with access privilege set to level 15 in the device configuration,” said the company. “By adding this user account, the default privileged account will be disabled.”
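The account behaviour described above (the built-in privileged account being silently re-enabled when the last level-15 account disappears, and the workaround of keeping at least one level-15 account) lends itself to a small model. The following is an added example written for this article, not Cisco’s code: a constructed account store reproducing the advisory’s behaviour, a hardened variant that refuses to leave the device in that state and logs the change, and an audit check for the workaround. Account names, the store layout and the audit messages are assumptions.

```python
# Constructed model of the behaviour Cisco describes for CVE-2018-15439;
# not Cisco's code. Account names and the store layout are assumptions.

PRIV_ADMIN = 15  # highest privilege level on the affected switches


class VulnerableAccountStore:
    """Built-in privileged account is disabled while a user-configured
    level-15 account exists, and silently re-enabled when the last one goes."""

    def __init__(self):
        self.users = {}                  # name -> privilege level
        self.default_account_enabled = True
        self.audit_log = []

    def has_admin_user(self):
        return PRIV_ADMIN in self.users.values()

    def add_user(self, name, level):
        self.users[name] = level
        if self.has_admin_user():
            self.default_account_enabled = False   # the documented workaround

    def remove_user(self, name):
        self.users.pop(name, None)
        if not self.has_admin_user():
            self.default_account_enabled = True    # no log entry: this is the flaw
        return True


class HardenedAccountStore(VulnerableAccountStore):
    """Same store, but refuses to delete the last level-15 account and
    records an audit event whenever the built-in account changes state."""

    def add_user(self, name, level):
        was_enabled = self.default_account_enabled
        super().add_user(name, level)
        if was_enabled and not self.default_account_enabled:
            self.audit_log.append("default privileged account disabled")

    def remove_user(self, name):
        admins = [n for n, lvl in self.users.items() if lvl == PRIV_ADMIN]
        if admins == [name]:
            self.audit_log.append(f"refused to remove last level-15 user {name}")
            return False
        return super().remove_user(name)


def workaround_in_place(store):
    """Audit check: the advisory's mitigation holds only while at least one
    user-configured account has privilege level 15."""
    return store.has_admin_user() and not store.default_account_enabled
```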

Another critical authentication vulnerability (CVE-2018-15394) exists in the Stealthwatch Management Console (SMC) of Cisco’s Stealthwatch Enterprise platform. The flaw could allow an unauthenticated, remote attacker to execute arbitrary actions with administrative privileges on impacted systems.

“The vulnerability is due to an insecure system configuration,” according to the advisory. “An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. An exploit could allow the attacker to gain unauthenticated access, resulting in elevated privileges in the SMC.”

The vulnerability, which has a CVSS score of 9.8, affects Cisco Stealthwatch Enterprise releases 6.10.2 and prior. Cisco has released a patch, and users can update to Cisco Stealthwatch Enterprise Release 6.10.3.

Cisco also reported a Java deserialization vulnerability in Cisco Unity Express (CUE) that could enable an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user.

“An attacker could exploit this vulnerability by sending a malicious serialized Java object to the listening Java Remote Method Invocation (RMI) service,” according to Cisco’s advisory. “A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges.”

The deserialization flaw affects CUE releases prior to 9.0.6 and is fixed in Cisco Unity Express 9.0.6 and later releases. The vulnerability (CVE-2018-15381) has a CVSS score of 9.8.

The other flaws addressed in Cisco’s Wednesday advisories include one rated high (a privilege escalation flaw, CVE-2018-0284), one informational bug and 11 additional bugs rated medium.