It’s a bad week for all things network security as Cisco spewed out 20 Security Advisories and Alerts – two critical and three high-impact – that customers should be aware of and implement patches where they can.
Cisco, like other big enterprise vendors, regularly issues security warnings, but 20 in one day is an unusual amount for the networking giant. Others like Microsoft and Oracle issue tons of security bulletins monthly, mostly without much fanfare – for example, for March Microsoft released 18 security bulletins, split into nine critical and nine important security updates.
According to Cisco however there is a reason for the uptick.
Cisco told Network World: “To better help our customers plan for managing their network updates in response to published advisories, we have begun to also include "medium" severity advisories as part of the more structured disclosure process. In the past, medium vulnerabilities were published as soon as the necessary information was available, but not according to a pre-determined timeline. The higher number today is due to this change in process, though not indicative of an overall increase in disclosures.”
Until recently, Cisco generally issued Security Advisories for vulnerabilities with a severity rating of "high" or "critical." Indeed, in this week’s list, 15 of the 20 were rated “medium.”
This week the two critical warnings were concerning the Apache Struts vulnerability, which was disclosed last week, and an exposure with Cisco’s Mobility Express 1800 Series Access Points.
Cisco's security team last week called the weakness in Apache Struts “critical” and this week published a list of vulnerable products here, which it is updating as it learns of them. Among them, Cisco Unified Communications Manager IM & Presence Service; Cisco Unified Communications Manager Session Management Edition; and Cisco Unified Communications Manager – all have patches available to address the problem, Cisco said.
Last week Apache disclosed a vulnerability in the Jakarta multipart parser used in Apache Struts2 that could let an attacker execute commands remotely on the targeted system using what’s known as a crafted Content-Type header value.
Cisco wrote in its warning: “The vulnerability is due to improper handling of the Content-Type header value when performing a file upload based on the Jakarta multipart parser of the affected software. An attacker could exploit this vulnerability by persuading a targeted user to upload a malicious file. Once the Jakarta multipart parser of the affected application uploads the file, the attacker could have the ability to execute arbitrary code. Any workarounds, when available, will be documented in the Cisco bugs, which are accessible through the Cisco Bug Search Tool. Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.”
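The Struts flaw described above is triggered entirely through the Content-Type request header, so a front-end proxy or log pipeline that sees that header can spot attempts without touching the application. The following is an added example written for this article, not code from Cisco or the Apache Struts project: it classifies Content-Type values seen by an upload endpoint, treating expression-language openers (`%{` or `${`) as hostile and anything that claims to be multipart but does not fit a strict grammar as malformed, and runs that check over constructed log lines. The log format (client IP, request line, status, Content-Type) and the sample lines are assumptions for the example.

```python
import re

# Constructed sample access-log lines (not real traffic). The assumed format is
#   <client-ip> "<METHOD> <path>" <status> "<Content-Type header value>"
# i.e. the front-end proxy has been configured to log the Content-Type header.
SAMPLE_LOG_LINES = [
    '10.0.0.5 "POST /upload.action" 200 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '10.0.0.9 "POST /upload.action" 500 "%{placeholder_expression}"',
    '10.0.0.7 "POST /upload.action" 500 "${placeholder_expression}"',
    '10.0.0.3 "GET /index.action" 200 "-"',
    '10.0.0.8 "POST /upload.action" 200 "multipart/form-data; boundary=abc123; charset=utf-8"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# Expression-language openers that have no business in a Content-Type value.
EXPRESSION_MARKER_RE = re.compile(r"[%$]\{")

# Conservative grammar for the only Content-Type an upload endpoint should
# accept: the multipart media type, a boundary drawn from the RFC 2046 bchars
# set (max 70 characters), and optionally a charset parameter.
MULTIPART_OK_RE = re.compile(
    r"^multipart/form-data\s*;\s*boundary=[0-9A-Za-z'()+_,\-./:=?]{1,70}"
    r"(\s*;\s*charset=[0-9A-Za-z\-]+)?\s*$",
    re.IGNORECASE,
)


def classify_content_type(value):
    """Return 'expression' if the header embeds an expression-language opener,
    'ok' for a well-formed multipart/form-data value, 'malformed' if it claims
    to be multipart but does not fit the strict grammar, and 'other' for any
    non-multipart value (including '-' when the header was absent)."""
    if EXPRESSION_MARKER_RE.search(value):
        return "expression"
    if MULTIPART_OK_RE.match(value):
        return "ok"
    if value.lower().startswith("multipart/"):
        return "malformed"
    return "other"


def scan_log(lines):
    """Parse each log line and return (ip, path, verdict) tuples for the lines
    whose Content-Type is flagged as 'expression' or 'malformed'."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        verdict = classify_content_type(m.group("ctype"))
        if verdict in ("expression", "malformed"):
            findings.append((m.group("ip"), m.group("path"), verdict))
    return findings


if __name__ == "__main__":
    for ip, path, verdict in scan_log(SAMPLE_LOG_LINES):
        print(f"{verdict:>10}  {ip:<10} {path}")
```

The same `classify_content_type` check can be wired into a reverse proxy rule that rejects flagged requests before they reach Struts, which buys time while the vendor patches listed above are rolled out; it is a stopgap, not a replacement for upgrading.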
The other critical warning came for Cisco Mobility Express. In that wireless LAN product, the vulnerability is due to improper implementation of authentication for accessing certain web pages using the GUI interface. “An attacker could exploit this vulnerability by sending a crafted HTTP request to the web interface of the affected system. A successful exploit could allow the attacker to bypass authentication and perform unauthorized configuration changes or issue control commands to the affected device. This vulnerability affects Cisco Mobility Express 1800 Series Access Points running a software version prior to 188.8.131.52,” Cisco wrote in the advisory.
Cisco said it has released software updates that address this problem.
The high-impact alerts included:
Cisco wrote that a vulnerability in the mesh code of Cisco Wireless LAN Controller (WLC) software could allow an unauthenticated, remote attacker to impersonate a WLC in a meshed topology. The vulnerability is due to insufficient authentication of the parent access point in a mesh configuration. An attacker could exploit this vulnerability by forcing the target system to disconnect from the correct parent access point and reconnect to a rogue access point owned by the attacker. An exploit could allow the attacker to control the traffic flowing through the impacted access point or take full control of the target system. Cisco has released software updates that address this vulnerability. Note that upgrading to a fixed release is not sufficient on its own; additional configuration is also needed. There are no workarounds that address this vulnerability.
A vulnerability in the Client Manager Server of Cisco Workload Automation and Cisco Tidal Enterprise Scheduler could allow an unauthenticated, remote attacker to retrieve any file from the Client Manager Server. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted URL to the Client Manager Server. An exploit could allow the attacker to retrieve any file from the Cisco Workload Automation or Cisco Tidal Enterprise Scheduler Client Manager Server. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability, Cisco stated.
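The Client Manager Server flaw above is a classic arbitrary file read: a user-supplied file reference reaches the filesystem without being confined to the intended directory. The following is an added example, not Cisco's code, of the input validation that such a server-side file handler needs: it percent-decodes the reference repeatedly (so double-encoded traversal is caught), rejects NUL bytes, normalizes backslashes and `..` segments lexically, and only accepts a result that stays under the document root. The root directory and the sample requests are constructed for the example; a production version would also resolve symbolic links before the containment check.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the file-serving endpoint (constructed for the example).
WEB_ROOT = "/srv/clientmanager/www"


def fully_decode(reference, max_rounds=3):
    """Percent-decode until the string stops changing, so that a double-encoded
    '%252e%252e' collapses to '..' before any path check runs. Returns None if
    the value is still changing after max_rounds, which is itself suspicious."""
    for _ in range(max_rounds):
        decoded = unquote(reference)
        if decoded == reference:
            return reference
        reference = decoded
    return None


def safe_resolve(reference, root=WEB_ROOT):
    """Map a client-supplied file reference (a path segment or a query-parameter
    value) onto a file under root. Returns the absolute path, or None when the
    request would escape the root, embeds a NUL byte, or cannot be decoded."""
    decoded = fully_decode(reference)
    if decoded is None or "\x00" in decoded:
        return None
    # Treat backslashes as separators so '..\' is not smuggled past the check.
    decoded = decoded.replace("\\", "/")
    # Strip leading slashes so an absolute reference is still anchored at root.
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Containment check: the normalized path must be the root itself or lie
    # strictly below it (the trailing '/' stops '/srv/clientmanager/www2' from passing).
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the first two are legitimate, the rest are traversal attempts.
    for ref in [
        "/reports/daily.csv",
        "/reports/../index.html",
        "/../../etc/passwd",
        "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "/%252e%252e/%252e%252e/etc/passwd",
        "/reports/..%5c..%5cetc/passwd",
        "/reports/daily%00.csv",
    ]:
        print(f"{ref!r:45} -> {safe_resolve(ref)}")
```

Note that traversal inside the root (`/reports/../index.html`) is allowed, because the property being enforced is containment, not the absence of `..`; blocking the literal string `..` alone is what encoded and backslash variants are designed to get around.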
A privilege escalation vulnerability in the Secure Shell (SSH) subsystem in the StarOS operating system for Cisco ASR 5000 Series, ASR 5500 Series, ASR 5700 Series devices, and Cisco Virtualized Packet Core could allow an authenticated, remote attacker to gain unrestricted, root shell access. The vulnerability is due to missing input validation of parameters passed during SSH or SFTP login. An attacker could exploit this vulnerability by providing crafted user input to the SSH or SFTP command-line interface (CLI) during SSH or SFTP login. An exploit could allow an authenticated attacker to gain root-level access on the router. Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability can be triggered via both IPv4 and IPv6 traffic. An established TCP connection to port 22, the SSH default port, is needed to perform the attack. The attacker must have valid credentials to log in to the system via SSH or SFTP. Cisco has released software updates that address this vulnerability, Cisco wrote.
Cisco generally discloses Cisco Security Advisories for vulnerabilities with a severity rating of "high" or "critical" at 16:00 GMT on any given Wednesday.
Note: There are exceptions to this process when 1) there is heightened public awareness of a serious vulnerability, 2) Cisco learns of active exploitation of a vulnerability, or 3) Cisco works with a third-party coordination center to publicly disclose a vulnerability.
To better help its customers plan for managing their network updates in response to published advisories, Cisco has begun to also include "medium" severity advisories as part of the more structured disclosure process. In the past, medium vulnerabilities were published as soon as the necessary information was available, but not according to a pre-determined timeline. The higher number today is due to this change in process, though not indicative of an overall increase in disclosures.