Telecommunications company Cisco rolled out three patches for multiple products yesterday, addressing vulnerabilities that could’ve led to a denial of service (DoS) attack or allowed an attacker to execute code and obtain sensitive information.
Per usual, Cisco’s Product Security Incident Response Team (PSIRT) posted about the vulnerabilities yesterday on its Security Advisories, Responses and Notices page.
The first patch fixes a vulnerability that’s been plaguing at least four of Cisco’s products, including its Business Edition 3000, Identity Services Engine (ISE), Media Experience Engine (MXE) and Unified SIP Proxy (CUSP).
All of those products use a vulnerable version of Apache’s Struts 2 framework that could be exploited to let attackers execute arbitrary code on systems. All the attacker would have to do is send Object-Graph Navigation Language (OGNL) requests to the system. OGNL is an expression language for Java that can let attackers access data objects and use them to create and inject server-side code.
This issue was thought to have been fixed by Apache last month but didn’t wind up getting resolved until late last week when Apache released version 2.3.15.3 of Struts.
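For administrators taking stock of their own Java deployments, the following is an added example (not Cisco's or Apache's code) that walks a directory tree, looks inside WAR and EAR archives, and reports every Struts core jar together with whether it predates 2.3.15.3. It assumes the library keeps its standard Maven file name, `struts2-core-<version>.jar`; the sample WAR and jar built in `demo()` are constructed for illustration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (2, 3, 15, 3)  # Struts release the article names as resolving the OGNL issue
# Assumption: the core library keeps its Maven file name, struts2-core-<version>.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$")

def predates_fix(version):
    """True when a dotted version sorts below 2.3.15.3 (tuple order: 2.3.15 < 2.3.15.3 < 2.3.16)."""
    return tuple(int(p) for p in version.split(".")) < FIXED

def scan_archive(data, label):
    """Yield (location, version) for Struts core jars in a WAR/EAR, including nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if m:
                yield f"{label}!{name}", m.group(1)
            elif name.lower().endswith((".war", ".ear")):
                yield from scan_archive(zf.read(name), f"{label}!{name}")

def scan_tree(root):
    """Return (location, version, predates_fix) for every Struts core jar under root."""
    found = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        m = JAR_RE.search(path.name)
        if m:
            found.append((str(path), m.group(1)))
        elif path.suffix.lower() in (".war", ".ear"):
            found.extend(scan_archive(path.read_bytes(), str(path)))
    return [(loc, ver, predates_fix(ver)) for loc, ver in found]

def demo():
    """Scan a constructed deployment directory: one WAR with an old jar, one loose fixed jar."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(Path(tmp, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/struts2-core-2.3.15.1.jar", b"")
        Path(tmp, "struts2-core-2.3.15.3.jar").write_bytes(b"")
        return [(Path(loc).name, ver, old) for loc, ver, old in scan_tree(tmp)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A jar that has been renamed or repackaged into a shaded archive will not match the file-name pattern, so a clean result from this scan is not proof that Struts is absent.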
While Cisco’s ISE is vulnerable to the aforementioned Struts problem, it’s also vulnerable to two additional but separate issues. ISE, a policy control platform used by IT professionals for managing accounts, suffers from an authenticated arbitrary command execution vulnerability and a support information download authentication bypass vulnerability. Essentially both could allow an attacker to execute code on the platform and gain access to user credentials and other information from the system. Both issues were fixed by Cisco’s second patch yesterday.
Lastly, Cisco patched its IOS XR software to prevent a DoS condition that pops up when its route processor mishandles fragmented packets. IOS XR is an extensive infrastructure that’s used on routers across Cisco’s network. While only customers running specific versions of IOS XR (3.3.0 to 4.2.0) are at risk here, the condition can be triggered by an unauthenticated, remote attacker sending fragmented packets to an affected system.
Cisco’s patches address all of these issues, save for the Struts vulnerability in Business Edition 3000. It’s a little trickier for attackers to execute on this software because the attacker “must provide valid credentials or persuade a user with valid credentials to execute a malicious URL.” End users running that software are encouraged to contact their Cisco representative to see what their options are.
While Cisco’s PSIRT claims it’s unaware of any of these vulnerabilities being exploited, the proof of concept code for the Struts vulnerability has been circulating in the wild for a few weeks and is even published on the official Apache Struts 2 page. Since the vulnerability is publicly available, it might make sense for end users to patch that hole first.