Cisco has patched four critical security vulnerabilities surrounding a lack of authentication requirements in its Policy Suite for mobile carriers.
These would allow remote attackers to potentially exfiltrate information, compromise wireless subscriber account information, meddle with databases or change business logic in order to cover for other malicious activities.
The company’s Policy Suite provides real-time management of subscribers, applications and network resources based on service-provider-configured business rules. It hooks in with network routers and packet data gateways on the network side, as well as back-office and OSS functions, including billing.
The first vulnerability is an unauthenticated bypass bug (CVE-2018-0374) could allow a remote attacker to connect directly to the Policy Builder database to make changes and tamper with business rules without the need to log in or have credentials. Cisco Policy Suite releases prior to 18.2.0 are affected.
The second issue is a default password error in the Cluster Manager of Cisco Policy Suite (CVE-2018-0375). Because there are undocumented, static user credentials for the root account, an attacker could easily uncover what these are, and use them to log in and execute arbitrary commands as the root user. Versions of the software prior to 18.2.0 are vulnerable.
The third flaw (CVE-2018-0376), exists in the Policy Builder interface: there is no authentication measure on the module. A remote attacker could simply log onto the Policy Builder interface with no credentials required, and from there make changes to existing repositories (or create new repositories). Cisco Policy Suite versions prior to 18.2.0 are affected.
And finally, the fourth bug (CVE-2018-0377), affects the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite. Here too there is a lack of authentication within the OSGi interface, which permits attackers to directly connect and access any and all files, or modify any content they run across. This one impacts Policy Suite versions prior to 18.1.0.
All of the vulns have a CVSS base score of 9.8; Cisco has issued patches to address them and so far, no exploits have been seen in the wild, the vendor said.
Cisco has also pushed out fixes for its SD-WAN solution for business users, with seven high-severity advisories.
These include an arbitrary file overwrite vulnerability (CVE-2018-0349); a zero-touch provisioning denial-of-service (DoS) vulnerability (CVE-2018-0346); a configuration and management database remote code execution vulnerability (CVE-2018-0345); and four command injection vulnerabilities (CVE-2018-0351, CVE-2018-0348, CVE-2018-0350 and CVE-2018-0347).
The vendor has been on a roll lately with patches. Last week, Cisco issued advisories for bugs in Cisco IP Phone 6800, 7800 and 8800 Series, along with patches for three medium-security flaws in its network security offerings; and, it issued a fix for a high-severity bug in its platform for mobile operator routers, StarOS.