Cisco Patches XXE, DoS, Code Execution Vulnerabilities
June 23, 2017
Shah Sheikh (1294 articles)

Cisco Patches XXE, DoS, Code Execution Vulnerabilities

Cisco patched three vulnerabilities in three products this week that if exploited, could have resulted in a denial of service, crash, and in some instances, arbitrary and remote code execution.

According to security advisories published Wednesday, each of the vulnerabilities are branded “high” severity by Cisco.

One of the issues, an XML External Entity (XXE) vulnerability, exists in versions 1.1 through 3.1.6 of Cisco’s Prime Infrastructure software. The vulnerability is dependent on an admin getting tricked into importing a malicious XML file. By doing so in the web-based user interface Cisco says an authenticated, remote attacker could achieve read and write access to data stored in vulnerable systems, or perform remote code execution.

Cisco stresses an attacker would have to have valid user credentials to carry out the attack but nonetheless is urging those running the software to patch.

The second issue affects Cisco’s WebEx Network Recording Player, an app that’s used in some setups to playback WebEx meeting recordings.

While the bug can’t be triggered during a live WebEx meeting, an attacker could trigger multiple buffer overflow vulnerabilities in the app if they tricked a user into opening a malicious ARF file. ARF files are uses specifically to play back and edit WebEx recording files. Cisco warns an attacker could send a malicious ARF file to a victim via email or URL and convince them to launch the file, something that could cause the player to crash and in some instances, allow arbitrary code execution on the system.

The last bug exists in Cisco’s Virtualized Packet Core−Distributed Instance (VPC−DI) Software. VPC is productized version of StarOS, the company’s virtualized software architecture.

Because of insufficient handling of user-supplied data, an attacker could send malicious USP packets to an affected system. This could cause an unhandled error condition, something that would cause control function (CF) instances and in turn, the entire Virtualized Packet Core (VPC) to reload, “resulting in the disconnection of all subscribers and a DoS condition on the affected system.”

Cisco says the vulnerability can only be exploited via IPv4 traffic and that only certain versions of its StarOS operating system are affected.

The vulnerabilities were three of 25 different security issues Cisco warned about on Wednesday. The company also warned about a slew of cross-site scripting, session hijacking, and information disclosure vulnerabilities across a variety of products on its Advisories and Alerts portal.

Source | threatpost