High-Severity Flaws in Cisco Secure Internet Gateway Service Patched
September 7, 2018
Seid Yassin (557 articles)
Share

High-Severity Flaws in Cisco Secure Internet Gateway Service Patched

Two high-severity vulnerabilities have been disclosed in Cisco’s security platform that could allow an attacker to gain administrative privileges – and take full control of the impacted machine.

The glitches, disclosed Wednesday, affect two parts of Cisco Umbrella, a secure internet gateway that acts as a cloud-delivered security service for corporate networks. Specifically, the Cisco Umbrella ERC and Cisco Umbrella Roaming Module are impacted.

The company said in an advisory released Wednesday: “An attacker could exploit this vulnerability by placing an executable file within the restricted directory, which when executed by the ERC client, would run with Administrator privileges.”

The vulnerabilities (CVE-2018-0437 and CVE-2018-0438) both stem from an improper implementation of file system permissions in the ERC, which could allow non-administrative users to place files within restricted directories. The glitches come with limits – an attacker would first need valid local user credentials to launch an attack, said Cisco’s advisory.

CVE-2018-0437 impacts Cisco Umbrella ERC releases prior to 2.1.118 and Cisco Umbrella Roaming Module releases prior to 4.6.1098. Cisco has issued fixes in Cisco Umbrella ERC releases 2.1.118 and later; and Cisco Umbrella Roaming Module for Cisco AnyConnect releases 4.6.1098 and later. The vulnerability was first reported to Cisco by Quentin Rhoads, offensive security manager at Critical Start.

According to a Wednesday post by Rhoads with Critical Start, CVE-2018-0437 exists in a service named Umbrella_RC in Umbrella Roaming Client from Cisco OpenDNS.

The service, which is executed as SYSTEM on startup, consumes several files within the C:\ProgramData\OpenDNS\* directory which possess the user rights, Rhoads said.

“According to Microsoft, local users have the ability to write data to the above referenced directory which, by default, isn’t a security vulnerability,” Rhoads said. “However, what happens if the service requests files that don’t exist within this directory?”

Rhoads was able to perform a binary planting proof of concept where he placed a malicious file containing exploit code in C:\ProgramData\OpenDNS\ where the application would execute it. Essentially he generated two executables that would add a user and also add that user to the administrators group and then write a file to C:\.

Source | threatpost

Related articles

Turkish Hackers Hit Greek Government Websites and Local Stock Exchange

Turkish Hackers Hit Greek Government Websites and Local Stock Exchange

Data on 30,000 Cannabis Users Exposed in Cloud Leak

Data on 30,000 Cannabis Users Exposed in Cloud Leak

Third-Party Breach Exposed 31K Patient Records

Third-Party Breach Exposed 31K Patient Records