Cisco patched critical and high severity vulnerabilities in several products, including the Cloud Services Platform (CSP), the Firepower Extensible Operating System (FXOS) and NX-OS software, and some Small Business IP phones.
The most severe vulnerability patched in this round it the CVE-2017-12251, a critical unauthorized access flaw affecting the Cloud Services Platform 2100.
The Cloud Services Platform is used by many organizations to deploy Cisco and third-party network virtual services.
The vulnerability resides in the web console of the Cisco Cloud Services Platform (CSP) 2100 and could be exploited by a remote an authenticated attacker to interact maliciously with the services or virtual machines (VMs) on an affected CSP device.
“The vulnerability is due to weaknesses in the generation of certain authentication mechanisms in the URL of the web console. An attacker could exploit this vulnerability by browsing to one of the hosted VMs’ URLs in Cisco CSP and viewing specific patterns that control the web application’s mechanisms for authentication control.” reads the security advisory. “An exploit could allow the attacker to access a specific VM on the CSP, which causes a complete loss of the system’s confidentiality, integrity, and availability.”
The vulnerability affects the Cloud Services Platform 2100 versions 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1 and 2.2.2. Cisco has addressed the vulnerability with the release of version 2.2.3.
According to Cisco, threat actors haven’t exploited the flaw in attacks in the wild.
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.” continues the security advisory.
Cisco also notified customers of a high severity denial-of-service (DoS) vulnerability, tracked as CVE-2017-3883, that affects the authentication, authorization, and accounting (AAA) implementation of the FXOS and NX-OS software.
An attacker could exploit the vulnerability by powering a brute-force login attack against a device that is configured with AAA security services.
“A vulnerability in the authentication, authorization, and accounting (AAA) implementation of Cisco Firepower Extensible Operating System (FXOS) and NX-OS System Software could allow an unauthenticated, remote attacker to cause an affected device to reload.” reads the security advisory.
The vulnerability affects Firepower appliances, Nexus and Multilayer Director switches, and some Unified Computing System products.
Cisco also addressed two DoS vulnerabilities affecting the Small Business IP phones.
The first flaw, tracked as CVE-2017-12260 affects the Session Initiation Protocol (SIP) functionality in Cisco Small Business SPA50x, SPA51x and SPA52x series IP phones, while the second one tracked as CVE-2017-12259, affects the same feature in only SPA51x series phones.
Both flaws could be exploited by an unauthenticated attacker to trigger a DoS condition by sending specially crafted SIP requests to the targeted device.
Let’s close with a mention to the recently disclosed KRACK vulnerability that affects many Cisco products, the tech giant is already rolling out security patches for vulnerable devices, many others are under investigation.
(Security Affairs – CISCO, hacking)