A range of business customers could be impacted by a high-severity security flaw discovered in Cisco VoIP phones. The vendor issued a patch on Wednesday.
Cisco also patched two medium-severity flaws today in its FireSIGHT management platform for network security, and one medium-severity issue in the Web Security Appliance. Finally, it issued a fix for a high-severity bug in StarOS, its platform for mobile operator routers.
The most critical of the flaws, CVE-2018-0341, would allow command injection and remote code execution on IP phones, including higher-end models that have HD video call functionality. The advisory said that thanks to insufficient input validation, an authenticated user could send specially crafted shell commands to a specific user input field using the web-based user interface that links to the handsets. That could result in the ability to inject and execute arbitrary shell commands, opening the door for attackers to eavesdrop on conversations, intercept rich media data, place phone calls and more.
The vulnerability, found internally by the vendor, affects IP Phone 6800, 7800 and 8800 series devices that run a Multiplatform Firmware release prior to Release 11.2(1). No exploits have yet been seen in the wild, Cisco said – and the requirement for an attacker to be logged into the user interface in order to launch an attack somewhat mitigates the severity of the issue.
Cisco also sent out fixes for two medium-severity flaws in the Cisco FireSIGHT System Software, which provides centralized management for network security and operational functions for Cisco ASA with FirePOWER services and Cisco FirePOWER network security appliances. It automatically aggregates and correlates cyber-threat information for business users.
The first issue is a file policy bypass vulnerability (CVE-2018-0383), found in the detection engine of FireSIGHT. An unauthenticated, remote attacker could send a maliciously crafted FTP connection to transfer a file to an affected device; that file could carry malware built to disable the detection mechanisms in the system or carry out other nefarious actions.
“A successful exploit could allow the attacker to bypass a file policy that is configured to apply the ‘block upload’ with reset action to FTP traffic,” the vendor said.
The second vulnerability (CVE-2018-0384), in the same detection engine, could allow an unauthenticated, remote attacker to bypass a URL-based access control policy that is configured to block traffic for an affected system.
“The vulnerability exists because the affected software incorrectly handles TCP packets that are received out of order when a TCP SYN retransmission is issued,” the vendor explained. “An attacker could exploit this vulnerability by sending a maliciously crafted connection through an affected device. A successful exploit could allow the attacker to bypass a URL-based access control policy that is configured to block traffic for the affected system.”
Another medium-severity flaw (CVE-2018-0366) is a cross-site scripting vulnerability in the web-based management interface of the Cisco Web Security Appliance.
Using social engineering, a malicious actor could convince an interface user to click a specially crafted link that would then give threat actors the ability to execute arbitrary script code in the context of the interface, or allow the attacker to access sensitive browser-based information.
Meanwhile, Cisco has also patched a high-severity StarOS IPv4 fragmentation denial-of-service vulnerability (CVE-2018-0369). StarOS powers next-generation mobile networks, which support everything from tablets and smartphones to connected cars, smart-city and other IoT deployments. The platform provides virtualization and intelligence for mobile network architectures, and allows dynamic resource allocation for mobile services and networks to help wireless carriers manage their bandwidth to deliver higher levels of service to consumers and businesses.
Internal security testing uncovered a vulnerability in the reassembly logic for fragmented IPv4 packets of Cisco StarOS running on virtual platforms. An exploit could allow an unauthenticated, remote attacker to trigger a reload of the npusim process, resulting in a DoS condition, the vendor said.
“There are four instances of the npusim process running per Service Function (SF) instance, each handling a subset of all traffic flowing across the device,” it explained in the advisory. “It is possible to trigger a reload of all four instances of the npusim process around the same time.”
The result would be mobile service interruption, which would be felt by everyday users as a short connectivity glitch.
“An exploit could allow the attacker to trigger a restart of the npusim process, which will result in all traffic queued toward this instance of the npusim process to be dropped while the process is restarting,” the advisory added. “The npusim process typically restarts within less than a second.”
This vulnerability affects the Cisco Virtualized Packet Core-Single Instance (VPC-SI), the Cisco Virtualized Packet Core-Distributed Instance (VPC-DI) and the Cisco Ultra Packet Core (UPC), if they’re running any release of the StarOS operating system prior to the first fixed release. The Cisco ASR 5000 series routers, Cisco Elastic Services Controllers (ESC) and Cisco Ultra Automation Services (UAS) are not affected. Also, no exploits have been seen in the wild.