High-Severity Flaws in Cisco Secure Internet Gateway Service Patched
September 7, 2018
Seid Yassin

Two high-severity vulnerabilities have been disclosed in Cisco’s security platform that could allow an attacker to gain administrative privileges – and take full control of the impacted machine.

The glitches, disclosed Wednesday, affect two parts of Cisco Umbrella, a secure internet gateway that acts as a cloud-delivered security service for corporate networks. Specifically, the Cisco Umbrella ERC and Cisco Umbrella Roaming Module are impacted.

The company said in an advisory released Wednesday: “An attacker could exploit this vulnerability by placing an executable file within the restricted directory, which when executed by the ERC client, would run with Administrator privileges.”

The vulnerabilities (CVE-2018-0437 and CVE-2018-0438) both stem from an improper implementation of file system permissions in the ERC, which could allow non-administrative users to place files within restricted directories. The glitches come with limits – an attacker would first need valid local user credentials to launch an attack, said Cisco’s advisory.

CVE-2018-0437 impacts Cisco Umbrella ERC releases prior to 2.1.118 and Cisco Umbrella Roaming Module releases prior to 4.6.1098. Cisco has issued fixes in Cisco Umbrella ERC releases 2.1.118 and later; and Cisco Umbrella Roaming Module for Cisco AnyConnect releases 4.6.1098 and later. The vulnerability was first reported to Cisco by Quentin Rhoads, offensive security manager at Critical Start.

According to a Wednesday post by Rhoads with Critical Start, CVE-2018-0437 exists in a service named Umbrella_RC in Umbrella Roaming Client from Cisco OpenDNS.

The service, which is executed as SYSTEM on startup, consumes several files within the C:\ProgramData\OpenDNS\* directory, on which local users hold rights, Rhoads said.

“According to Microsoft, local users have the ability to write data to the above referenced directory which, by default, isn’t a security vulnerability,” Rhoads said. “However, what happens if the service requests files that don’t exist within this directory?”

Rhoads was able to perform a binary-planting proof of concept in which he placed a malicious file containing exploit code in C:\ProgramData\OpenDNS\, where the application would execute it. Essentially, he generated two executables that would add a user, add that user to the administrators group, and then write a file to C:\.
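Administrators can audit for this class of flaw by checking whether non-administrative principals can write into a directory that a SYSTEM service loads files from. The Python below is an added example, not code from Cisco or Critical Start: it parses `icacls` output, and the sample ACL text, the trusted-principal list and the function name are constructed assumptions.

```python
import re

# icacls right codes that let a principal create or replace files in a directory,
# or rewrite the ACL/owner to grant itself that ability.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW", "WDAC", "WO"}
# Assumption: principals expected to hold write access where a SYSTEM service loads files.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "NT SERVICE\\TrustedInstaller"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")

# Constructed sample of `icacls C:\ProgramData\OpenDNS` output (not captured from a host).
SAMPLE_PATH = r"C:\ProgramData\OpenDNS"
SAMPLE = r"""C:\ProgramData\OpenDNS NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(F)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Users:(I)(OI)(CI)(RX)
                       BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""


def risky_write_aces(path, icacls_text):
    """Return (principal, rights) pairs that let untrusted users write into `path`."""
    findings = []
    for line in icacls_text.splitlines():
        if line.startswith(path):      # the first line is prefixed with the path
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if not m:                      # blank lines and the "Successfully processed" trailer
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        if "DENY" in groups or "IO" in groups:
            continue                   # deny ACE, or inherit-only ACE (not on this directory)
        rights = set()
        for g in groups:
            rights.update(r.strip() for r in g.split(","))
        hit = sorted(rights & WRITE_RIGHTS)
        if hit and m.group("who") not in TRUSTED:
            findings.append((m.group("who"), hit))
    return findings


if __name__ == "__main__":
    for who, rights in risky_write_aces(SAMPLE_PATH, SAMPLE):
        print(f"{SAMPLE_PATH}: {who} can write ({','.join(rights)})")
```

Any finding on a directory that a privileged service reads executables from means the ACL should be tightened or the service should load only from an administrator-only location.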

Source | threatpost