Two high-severity vulnerabilities have been disclosed in Cisco’s security platform that could allow an attacker to gain administrative privileges – and take full control of the impacted machine.
The glitches, disclosed Wednesday, affect two parts of Cisco Umbrella, a secure internet gateway that acts as a cloud-delivered security service for corporate networks. Specifically, the Cisco Umbrella ERC and Cisco Umbrella Roaming Module are impacted.
Cisco has released software updates addressing the vulnerabilities.
The company said in an advisory released Wednesday: “An attacker could exploit this vulnerability by placing an executable file within the restricted directory, which when executed by the ERC client, would run with Administrator privileges.”
The vulnerabilities (CVE-2018-0437 and CVE-2018-0438) both stem from an improper implementation of file system permissions in the ERC, which could allow non-administrative users to place files within restricted directories. The glitches come with limits – an attacker would first need valid local user credentials to launch an attack, said Cisco’s advisory.
CVE-2018-0437 impacts Cisco Umbrella ERC releases prior to 2.1.118 and Cisco Umbrella Roaming Module releases prior to 4.6.1098. Cisco has issued fixes in Cisco Umbrella ERC releases 2.1.118 and later, and in Cisco Umbrella Roaming Module for Cisco AnyConnect releases 4.6.1098 and later. The vulnerability was first reported to Cisco by Quentin Rhoads, offensive security manager at Critical Start.
According to a Wednesday post by Rhoads with Critical Start, CVE-2018-0437 exists in a service named Umbrella_RC in Umbrella Roaming Client from Cisco OpenDNS.
The service, which runs as SYSTEM on startup, consumes several files within the C:\ProgramData\OpenDNS\* directory, a location that carries standard user rights, Rhoads said.
“According to Microsoft, local users have the ability to write data to the above referenced directory which, by default, isn’t a security vulnerability,” Rhoads said. “However, what happens if the service requests files that don’t exist within this directory?”
Rhoads was able to perform a binary planting proof of concept in which he placed a malicious file containing exploit code in C:\ProgramData\OpenDNS\, where the application would execute it. Essentially, he generated two executables that would add a user, add that user to the administrators group, and then write a file to C:\.
“Now we can either restart our machine or be lazy and restart the service as an admin user; either way will yield the same result which is an admin user, and a file written in C:\,” said Rhoads. Rhoads said he notified Cisco of the glitch in May. The bug and patch were disclosed this week.
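The root cause described above is a SYSTEM service loading files from a directory that standard users can write to. The audit script below is an added example, not code from Cisco, Critical Start or the article: it enumerates the directories that hold the executables of services running as LocalSystem, adds C:\ProgramData\OpenDNS (the directory named in the article), and reports any access control entry that grants write or create rights to low-privileged principals. The principal list and the regex of write-capable rights are this example's own choices; nothing else is assumed about the Umbrella client.

```powershell
# Added audit script (not from the advisory or Critical Start): lists directories
# that a LocalSystem service loads binaries from and that grant write/create rights
# to low-privileged principals. Run from an elevated PowerShell prompt.
# C:\ProgramData\OpenDNS is the directory named in the article; the other paths are
# derived from the local service table at run time.

# Well-known Windows principals that any local user belongs to (example's own list).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# FileSystemRights names that let a principal create or modify files in a directory.
$WriteRights = '\b(Write|Modify|FullControl|CreateFiles|WriteData|AppendData|CreateDirectories)\b'

function Get-WeakWritableAces {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries restrict it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Standard rights render as names; generic-right bitmasks render as a number
        # and are reported as well so they can be reviewed by hand.
        $rights = $ace.FileSystemRights.ToString()
        if ($rights -match $WriteRights -or $rights -match '^\d+$') {
            [pscustomobject]@{
                Directory = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-SystemServiceDirectories {
    # Directories holding the executables of services that run as LocalSystem.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments, e.g. "C:\Program Files\x\svc.exe" -arg
            if ($_.PathName -match '^"?([^"]+?\.exe)') { Split-Path -Parent $Matches[1] }
        } |
        Sort-Object -Unique
}

$targets  = @('C:\ProgramData\OpenDNS') + @(Get-SystemServiceDirectories)
$findings = foreach ($dir in $targets) { Get-WeakWritableAces -Path $dir }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No low-privileged write access found on the audited directories.'
}
```

A directory that shows up in the output is one where a privileged service and an unprivileged user share write access, which is the condition the advisory describes. The fix belongs on the vendor side (the patched releases listed above), but until a host is updated the same data tells an administrator which ACLs to tighten and which directories to watch for unexpected executables.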
Meanwhile, CVE-2018-0438 affects Cisco Umbrella ERC releases prior to 2.1.127. Cisco has addressed this vulnerability in Cisco Umbrella ERC releases 2.1.127 and later. The flaw was found during internal security testing, Cisco said.
Cisco said it is not aware of any exploits in the wild of either vulnerability. Both glitches have a CVSS score of 7.8, which ranks “high” in severity.