Cisco Service Provider, WebEx Bugs Offer Up Remote Code Execution

The vendor also issued a patch schedule for the still-unpatched bug in its Secure Boot trusted hardware environment, which affects most of its enterprise and SMB portfolio, amounting to millions of vulnerable devices.

Cisco is warning of critical remote code-execution (RCE) vulnerabilities in the Cisco Prime Infrastructure (PI) and Evolved Programmable Network (EPN) Manager, which is used by telcos, mobile carriers, cable companies and ISPs to manage their hardware infrastructure.

The vendor also issued estimated bug-fix dates for an unpatched, high-severity Secure Boot flaw that was disclosed on Monday, and addressed a high-severity flaw that would allow arbitrary code-execution on WebEx for Windows, Cisco’s widely deployed web conferencing and collaboration software.

The newly disclosed critical issue consists of multiple vulnerabilities in the web-based management interface of PI and EPN Manager, which could allow a remote attacker to execute arbitrary code with root privileges on the underlying operating system.

The manager controls the Cisco EPN, which brings software programmability and virtualization to the underlying physical hardware of a service provider network; it's used to manage services, subscriber policies, bandwidth resources and more.

The most concerning of the issues, CVE-2019-1821, can be exploited by an unauthenticated attacker that has network access to the affected administrative interface. The second and third issues, CVE-2019-1822 and CVE-2019-1823, require that an attacker have valid credentials to authenticate to the impacted administrative interface before exploitation can take place.

“These vulnerabilities exist because the software improperly validates user-supplied input,” Cisco explained in its advisory, issued Wednesday afternoon and updated Thursday. “An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface.”

Cisco PI Software Releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1 are affected; Cisco has released patches, and admins are encouraged to update as soon as possible.

The same versions of the web-based management interface also have two high-severity bugs (CVE-2019-1824 and CVE-2019-1825), which could allow an authenticated, remote attacker to execute arbitrary SQL queries.

“These vulnerabilities exist because the software improperly validates user-supplied input in SQL queries,” Cisco said in the advisory, also issued Wednesday. “An attacker could exploit these vulnerabilities by sending a crafted HTTP request that contains malicious SQL statements to the affected application. A successful exploit could allow the attacker to view or modify entries in some database tables, affecting the integrity of the data.” A patch is available.

The patches are part of a larger group of fixes that Cisco dropped on Wednesday. Among them is an updated advisory for an unpatched bug announced earlier in the week, which is a high-severity flaw that impacts millions of devices across a huge swath of Cisco’s portfolio.

The unpatched bug (CVE-2019-1649) exists in the logic that handles access control to one of the hardware components in Cisco’s proprietary Secure Boot implementation. It could allow an authenticated, local attacker to write a modified firmware image, causing the device to become unusable (and require a hardware replacement) or allowing tampering with the Secure Boot verification process.

In Cisco’s updated advisory, the vendor provided estimated dates for patches; network and content security devices can expect a fix sometime this month, but routing and switching gear patches won’t roll out until July and August, with some products slated for even later fixes, in October and November. Some exceptions in the routing gear segment will be patched in May, including Cisco 3000 Series Industrial Security Appliances, Cisco 809 Industrial Integrated Services Routers, Cisco 829 Industrial Integrated Services Routers and Cisco Catalyst 9800-40 Wireless Controllers.

Voice and video devices will get fixes in September.

Cisco also patched several other high-severity flaws, including a group (CVE-2019-1771, CVE-2019-1772 and CVE-2019-1773) in the Cisco Webex Network Recording Player and the Cisco Webex Player for Microsoft Windows, which could allow an attacker to remotely execute arbitrary code on an affected system.

The bugs are rated high-severity instead of critical because exploitation requires user interaction, but admins should update as soon as possible given how widely deployed the software is.

“The vulnerabilities exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files,” Cisco said on Wednesday. “An attacker could exploit these vulnerabilities by sending a user a malicious ARF or WRF file via a link or email attachment and persuading the user to open the file with the affected software on the local system.”

Other high-impact issues addressed in the Wednesday group of updates include a range of denial-of-service and information disclosure bugs, and the vendor released updates on several medium-severity vulnerabilities as well.
