Cisco has detailed security concerns related to the discovery of 13 high-impact vulnerabilities in its IOS and IOS XE operating systems for switches and routers.
13 high-risk vulnerabilities fixed in Cisco IOS and IOS XE
The equipment manufacturer Cisco has just revealed the existence of 13 vulnerabilities in its IOS and IOS XE operating systems for switches and routers. The Californian vendor detailed them and classified them as having a high security impact, so users should install the patches quickly. The company clarified that these flaws could allow an attacker to obtain elevated privileges or cause a denial of service on a targeted device.
Among the vulnerabilities identified by Cisco is one affecting the implementation of Open Shortest Path First version 3 (OSPFv3) in IOS and IOS XE, which allows an attacker to force an affected device to reload. The vulnerability is due to improper handling of specific OSPFv3 packets: an attacker could exploit it by sending specially crafted, malformed link-state advertisements to a targeted device. A successful exploit would let the attacker reload the affected device and thereby cause a denial of service.
Another flaw to be corrected concerns the IPsec driver of several IOS XE software platforms and of the ASA 5500-X adaptive security appliance, which can likewise allow a remote attacker to reload the device. The vulnerability is caused by improper processing of malformed IPsec Authentication Header (AH) or IPsec Encapsulating Security Payload (ESP) packets. An attacker could therefore exploit it by sending malformed IPsec packets to be processed by an affected device, with all the risk that implies in terms of reloads and denial of service.
Cisco also warned of a flaw in the web user interface of IOS XE software, a double-free memory error triggered by specific HTTP requests, and of another in the cluster feature of IOS and IOS XE, caused by insufficient input validation when handling Cluster Management Protocol (CMP) messages. As a result, an attacker could exploit the latter by sending a malicious CMP message to an affected device, causing the switch to hang or reload and thus creating a denial of service condition. If the switch hangs, it will not restart automatically and must be restarted manually to return to normal operation.
WebEx Meetings not spared
Cisco has also found a vulnerability in the folder permissions of the Webex Meetings client for Windows. It could allow an authenticated local attacker to modify locally stored files and execute code on a targeted device with the privileges of the user. The vulnerability is caused by folder permissions that grant every user read, write and execute rights on files in the Webex folders. An attacker could exploit it to write malicious files into the Webex client directory, thereby affecting all other users of the targeted device. An exploit thus opens the way to executing commands with elevated privileges. Multi-user systems are at higher risk of exploitation because the folder permissions affect every user of the machine. However, for an attacker to exploit this vulnerability successfully, a second user must run the malicious file planted locally, which is what enables the code execution.
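As an added defender-side check that is not from the article or from Cisco: a PowerShell script that audits a folder tree for ACL entries granting broad groups write or modify rights, the class of misconfiguration described for the Webex folders above. The folder path is a placeholder assumption and must be replaced with the client's actual install or data directory.

```powershell
# Added example, not Cisco's or the article's code: report ACL entries that let
# broad principals write into a folder tree (the weakness class described above).
# The default path is a placeholder assumption, not the real Webex location.
param(
    [string]$Path = "C:\Path\To\WebexClient"
)

# Principals that effectively mean "any local user"
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow a low-privileged user to plant, alter or replace files
$RiskyRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-WeakFolderAcl {
    param([string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder
    foreach ($ace in $acl.Access) {
        # Only Allow entries for broad principals matter here
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]($ace.FileSystemRights -band $RiskyRights)) -ne 0) {
            [pscustomobject]@{
                Folder    = $Folder
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Audit the root folder and every subfolder beneath it
$findings = @(Find-WeakFolderAcl -Folder $Path)
Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += Find-WeakFolderAcl -Folder $_.FullName }

if ($findings.Count -eq 0) {
    Write-Output "No broad write/modify permissions found under $Path"
} else {
    $findings | Format-Table -AutoSize
}
```

Any row reported for a folder that holds executables or libraries loaded by other users is the condition to remediate, typically by restricting write rights to administrators and the installer.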
According to Cisco, none of these vulnerabilities have been exploited, and all of them have software patches or updates that users can apply.
Other critical alerts issued by Cisco
Just before these new security alerts, Cisco had already released two "critical" warnings this week regarding vulnerabilities in its Identity Services Engine (ISE) software. The first could allow an unauthenticated remote attacker to gain unauthorized access to an affected device, up to its complete compromise. The second concerned an authenticated arbitrary command execution vulnerability in ISE together with an authentication bypass in the ISE support information download feature. "These vulnerabilities are independent of each other; a version affected by one of the vulnerabilities may not be affected by the other. Successful exploitation of the ISE authenticated arbitrary command execution vulnerability can allow an authenticated remote attacker to execute arbitrary code on the underlying operating system. Successful exploitation of the vulnerability around bypassing authentication related to download of support information from Cisco ISE could allow an attacker to obtain sensitive information, in particular administrative credentials," wrote Cisco.
In parallel with all these alerts, the network and telecom equipment manufacturer also detailed this week the potential impact of a Linux denial of service vulnerability on its products. Known as FragmentSmack, it could allow an attacker to send "specially modified packets in current TCP sessions, which could lead to processor saturation and a relatively low denial of service of incoming network traffic. In the worst case, an attacker can block an affected host or device with less than 2 kpps of attack traffic. Maintaining the denial of service condition requires continuous two-way TCP sessions to an accessible open port. IP addresses," said Red Hat.
In Cisco's case, this bug could affect more than 80 of its products running Linux kernel version 3.9 or higher, including its Tetration Analytics package, its vEdge 100-5000 series routers, its Nexus switches and its Aironet wireless products. Cisco has announced that it will update its advisory on this issue as it evaluates the associated impacts and fixes.